this post was submitted on 22 May 2026
17 points (94.7% liked)

Linux Gaming


System:

Debian 13 KDE (actually MX Linux, but doesn't seem to matter)  
Wayland (xwayland installed as well)  
Docker 29.5.2

Dockerfile:

```dockerfile
FROM debian:trixie

ENV DEBIAN_FRONTEND=noninteractive
ENV LANG=en_US.UTF-8
ENV LANGUAGE=en_US:en
ENV LC_ALL=en_US.UTF-8

# Set locale
RUN apt-get update && apt-get install -y --no-install-recommends \
        locales && \
    apt-get clean && \
    sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
    locale-gen

# Install Wayland-specific packages
RUN apt-get update && apt-get install -y --no-install-recommends \
        dbus \
        libwayland-client0 \
        libwayland-egl1 && \
    apt-get clean

# Install X-specific packages
RUN apt-get update && apt-get install -y --no-install-recommends \
        dbus-x11 && \
    apt-get clean

# Add contrib, default is only main
RUN sed -i 's/^Components:.*/Components: main contrib/g' /etc/apt/sources.list.d/debian.sources

# Add 32-bit arch for Steam libraries
RUN dpkg --add-architecture i386

# Install Steam
RUN apt-get update && apt-get install -y --no-install-recommends \
        steam-installer \
        pciutils && \
    apt-get clean

# Additional
# TODO: What is really needed?
RUN apt-get update && apt-get install -y --no-install-recommends \
        vulkan-tools \
        mesa-utils \
        x11-xserver-utils \
        libvulkan1 \
        mesa-vulkan-drivers && \
    apt-get clean

# TODO: Does `-storebeta` even work?
# https://developer.valvesoftware.com/wiki/Command_line_options_(Steam)
CMD ["/usr/games/steam", "-storebeta"]
```

To run the container:

```sh
# NB: "xhost +" disables X server access control for every host and user
xhost +
sudo docker run -it --name steam \
    -e XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR \
    -e WAYLAND_DISPLAY=$WAYLAND_DISPLAY \
    -v $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY \
    -e DISPLAY=$DISPLAY \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    --privileged steam:trixie
```

(The --privileged part is only temporary until I find out which capabilities are actually needed. Please don't run your containers with --privileged.)

I get the GUI dialogs to download Steam just fine, so at least some display forwarding is working:

The installation works fine, but when starting Steam it seems like it's not able to find Vulkan devices and then doesn't open any Steam window. (The container is not stopping and I'm seeing repeated ./steamwebhelper output after this.)

```
[...]
Running query: 1 - GpuTopology
CVulkanTopology: failed create vulkan instance: -9
CVulkanTopology: failed to create vulkan instanceFailed to query vulkan gpu topology

Failed to query vulkan gpu topology
Response: 
Exit code: -2
[...]
Vulkan missing requested extension 'VK_KHR_surface'.
Vulkan missing requested extension 'VK_KHR_xlib_surface'.
BInit - Unable to initialize Vulkan!
[...]
```

However, Vulkan is clearly working fine in the container, as this command displays the cube rendering just fine:

```
$ sudo docker exec -it steam vkcube
Selected WSI platform: xcb
Selected GPU 0: AMD Radeon RX 550 / 550 Series (RADV POLARIS12), type: DiscreteGpu
```

(I've also tried it on another (pure) Debian machine with a 2080Ti, but I've got the same issue.)

I've created other GUI containers in the past (Firefox for example) and didn't have these problems.

Does anybody have an idea and can point me in the right direction?

top 38 comments
[–] jacksilver@lemmy.world 3 points 12 hours ago (1 children)
[–] Lemmchen@feddit.org 1 points 2 hours ago

This suggests passing through dbus to the container. I will take a look at that.

[–] pHr34kY@lemmy.world 47 points 23 hours ago (1 children)

What am I doing wrong?

Putting Steam in a container. Did you even consider the pressure buildup?

[–] slazer2au@lemmy.world 27 points 22 hours ago

Yea, where is your relief Valve?

[–] savvywolf@pawb.social 3 points 14 hours ago

Steam still uses a 32 bit client, are you sure you have all the 32 bit graphics drivers installed?

[–] Lexam@lemmy.world 16 points 23 hours ago (1 children)
[–] NegativeLookAhead@lemmy.ml 6 points 22 hours ago (1 children)
[–] Lemmchen@feddit.org 6 points 22 hours ago (2 children)

Proprietary software bad.
Proprietary software in containment not so bad.

[–] BennyTheExplorer@lemmy.world 9 points 22 hours ago (1 children)

Wouldn't it be a bit easier to use the Flatpak?

The entire point of Flatpak is to run Linux Software in a container.

[–] Lemmchen@feddit.org 3 points 22 hours ago* (last edited 22 hours ago) (3 children)

In case you haven't noted, this isn't about ease of use. (Also Steam isn't verified on Flathub and I only use verified apps.)

[–] savvywolf@pawb.social 2 points 14 hours ago (1 children)

I'm curious as to the reasoning behind wanting only verified apps. If Steam was verified, then that means Valve vouches for the security of the package. But if you're going to this level of sandboxing you presumably don't trust Valve enough to trust anything they say is secure.

[–] Lemmchen@feddit.org 1 points 2 hours ago

I trust Valve not to exfiltrate my Steam credentials or account details (credit card number, home address). I wouldn't trust a third party with that.

Then create your own Flatpak or use Bubblewrap (that's what Flatpak uses under the hood). Along with OpenSnitch and some good DNS (I particularly recommend HaGeZi's server, and hBlock for hosts-level blocking) it should be (sufficiently) good.

[–] Limonene@lemmy.world 1 points 17 hours ago (2 children)

Flatpak doesn't have digital signatures anyway, so effectively nothing is verified on Flathub

This is not true. Flatpak does sign the packages, after the build on their end, similar to what F-droid does.

Flatpak refuses to install unsigned apps by default.

Now, they don't have per developer digital signatures that would ensure that a program is directly from the developer. But those lowkey suck, those are for proprietary software where we can't do reproducible builds to ensure that the build matches the source code.

For proprietary apps, it's more difficult since often the build works by downloading the package, which can be a deb, an rpm, or a targz or etc and extracting it inside flatpak's build process. For example, steam does this.

So you would have to figure out how to make flatpak sign and verify each form of distribution that it is abstracting, in addition to actually getting the developers to sign their stuff.

[–] Lemmchen@feddit.org 3 points 16 hours ago

If true that's somewhat disturbing, but I still care about verified publishers nonetheless.

[–] NegativeLookAhead@lemmy.ml 3 points 20 hours ago

What specifically are you concerned about? There are easier ways to prevent or limit system resource access.

[–] xylol@leminal.space 7 points 22 hours ago

I'd maybe check out steam-headless container and check that out

https://github.com/Steam-Headless/docker-steam-headless

[–] unmagical@lemmy.ml 4 points 22 hours ago (1 children)

Running Steam in a docker container.

It sounds like a hypervisor setup would be a better approach for your use case.

[–] Lemmchen@feddit.org 2 points 21 hours ago* (last edited 21 hours ago)

Then I have to pass my GPU to the VM exclusively. There are also memory latency problems. Plus I have to reserve resources from my host system. I've been a user of VFIO setups in the past.

[–] moonpiedumplings@programming.dev 3 points 22 hours ago (1 children)

Use distrobox. https://www.mulle-kybernetik.com/weblog/2023/steam_in_distrobox.html or similar steps

Adjust distrobox's sandboxing from the working setup it will give you to something more secure, since it gives access to the entire home directory and other stuff you might not want.

Or just read distrobox configs and copy what you need to docker.

[–] Lemmchen@feddit.org 2 points 22 hours ago* (last edited 21 hours ago) (1 children)

Distrobox basically has no isolation at all. Giving it another home directory doesn't restrict access to the real home directory. Other directories are also not restricted (/media, /mnt, /var/log). --unshare-all doesn't change anything about that fact.

[–] moonpiedumplings@programming.dev 2 points 21 hours ago (1 children)

Thankfully distrobox is just an open source wrapper around podman/docker, so you can make it more isolated if you want.

[–] Lemmchen@feddit.org 1 points 21 hours ago (2 children)

AFAIK no such configuration options exist for distrobox. It's intentionally designed to not offer any isolation.

You can just then manually edit its configuration files.

Or use Bwrap along with that.

[–] moonpiedumplings@programming.dev 2 points 21 hours ago

Or just read distrobox configs and copy what you need to docker.

[–] tomiant@piefed.social 1 points 20 hours ago

I can't assist you but I'm intrigued about the process. Can't see any particularly helpful ideas here, you'd probably have better success at the docker forums, they're pretty good.

[–] Kangae_Hishiryo@scribe.disroot.org -2 points 18 hours ago (1 children)

The first thing is why Docker, when Podman exists and it's way better?

[–] scrubbles@poptalk.scrubbles.tech 1 points 18 hours ago (1 children)

Because that's not what OP asked.

[–] Kangae_Hishiryo@scribe.disroot.org 5 points 17 hours ago (1 children)

What I'm trying to do is just question the OP about that

[–] scrubbles@poptalk.scrubbles.tech -3 points 17 hours ago (1 children)

I'll level with you, it comes off as oblivious with a touch of arrogance. It's the same energy in the Mac vs Windows arguments. What would help would be explaining why you believe Podman would be a better solution to OP's problem.

[–] Kangae_Hishiryo@scribe.disroot.org 5 points 17 hours ago* (last edited 16 hours ago) (1 children)

Mainly because of its rootless nature, but also because it follows the minimum privilege philosophy better, in a broader way than just simply being rootless.

I also didn't intend to speak arrogantly or patronizingly, I'm truly sorry if it turned out that way.

[–] scrubbles@poptalk.scrubbles.tech 3 points 16 hours ago (1 children)

Live and learn. We all want people to be running the best technology out there, but when someone is struggling with a problem, it doesn't come across as helpful to suggest switching to something else completely without just reason why it would solve their specific problem.

[–] Kangae_Hishiryo@scribe.disroot.org 4 points 16 hours ago* (last edited 16 hours ago)

Yeah, although Podman is totally compatible with both Docker syntax and Dockerfiles, but I get you, I'll be more cautious in the future.

Thanks for the advice! And again, sorry if I caused any trouble.

[–] terabyterex@lemmy.world -1 points 22 hours ago

What am I doing wrong?

I think it's possible you have a few misconceptions of things. There are only negatives.

[–] just_another_person@lemmy.world -2 points 23 hours ago (1 children)
[–] nix98@lemmy.world 3 points 22 hours ago (1 children)

Oh boy. While I would recommend using flatpak or bwrap if you want a sandbox, my guess is you probably need to give the container access to the devices in /dev, like:

    --device /dev/dri/:/dev/dri/

or

    --device /dev/dri/renderD128:/dev/dri/renderD128

You might also need to make sure the user inside the container actually has access to that device.

I'd suggest looking at Jellyfin's Hardware Acceleration Docs since it goes into detail on getting hardware acceleration working within docker.

[–] Lemmchen@feddit.org 1 points 2 hours ago

I don't think you responded to the comment you actually wanted to, but:

--privileged implies access to all host devices, so any --device directive should be redundant.
Regarding the user permissions, the current user in the container is root which should theoretically have all access it needs, but it's a good suggestion and I'm going to take a look at it.
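An added example, not code from the OP or any commenter, that puts the two threads of advice above together: the OP's `docker run` line with `--privileged` removed, plus the `--device /dev/dri` and in-container user permission points nix98 raised. It assumes the image tag `steam:trixie` from the post, a render node named `/dev/dri/renderD128` (check `ls /dev/dri` if yours differs), and a dedicated host directory used as the container's `$HOME`; the `--cap-drop ALL`, `no-new-privileges` and `--shm-size` settings are choices of mine, not something this thread established. It does not address the 32-bit Vulkan driver question raised elsewhere in the comments.

```shell
#!/bin/sh
# Added example, not code from the OP or any commenter: the OP's `docker run`
# without --privileged, plus the /dev/dri device and in-container user permission
# points raised in the comments. Assumptions (not established in the thread):
# image tag steam:trixie (from the post), render node /dev/dri/renderD128, and a
# dedicated host directory used as the container's $HOME.
set -u

IMAGE="${IMAGE:-steam:trixie}"
RENDER_NODE="${RENDER_NODE:-/dev/dri/renderD128}"
STEAM_HOME="${STEAM_HOME:-$HOME/.steam-container}"

# Numeric gid of the group that owns the render node ("render" or "video" on most
# distros). Passed via --group-add so a non-root in-container user can open it.
# Falls back to the group name if the node is absent (e.g. on a headless build host).
render_gid() {
    if [ -e "$RENDER_NODE" ]; then
        stat -c '%g' "$RENDER_NODE"
    else
        echo render
    fi
}

# Print the docker run arguments one per line so they can be reviewed before use.
# --user maps the container user to the host uid/gid: the Wayland socket under
# $XDG_RUNTIME_DIR is owned by that uid, so no root is needed to reach it.
# --shm-size: steamwebhelper is Chromium-based and the 64 MB default /dev/shm is
# commonly too small for it.
steam_run_args() {
    uid=$(id -u); gid=$(id -g)
    rt="${XDG_RUNTIME_DIR:-/run/user/$uid}"
    wl="${WAYLAND_DISPLAY:-wayland-0}"
    printf '%s\n' \
        --name steam \
        --user "$uid:$gid" \
        --group-add "$(render_gid)" \
        --cap-drop ALL \
        --security-opt no-new-privileges:true \
        --device /dev/dri:/dev/dri \
        --shm-size 1g \
        -e HOME=/home/steam \
        -v "$STEAM_HOME:/home/steam" \
        -e "XDG_RUNTIME_DIR=$rt" \
        -e "WAYLAND_DISPLAY=$wl" \
        -v "$rt/$wl:$rt/$wl" \
        -e "DISPLAY=${DISPLAY:-:0}" \
        -v /tmp/.X11-unix:/tmp/.X11-unix \
        "$IMAGE"
}

# Launch for real. The argument list is newline-separated, so the subshell sets
# IFS to a newline only: paths containing spaces survive the word splitting.
run_steam() {
    mkdir -p "$STEAM_HOME"
    (
        IFS='
'
        # shellcheck disable=SC2046
        docker run -it $(steam_run_args)
    )
}
```

Run `steam_run_args` first to eyeball the list, then `run_steam` from a graphical session. Because the container user carries the host uid, the X server's per-user local grant (what `xhost` lists as `SI:localuser:…` on most desktops) should cover the client without `xhost +`; if X still refuses the connection, `xhost +si:localuser:$USER` admits only your own uid rather than every host and user.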