Chroot 32-bit + Skype + PulseAudio = problems (solved!)

I recently was struggling a little bit with running Skype in my distro. The problem was that I had to configure chroot environment (because my native OS is 64-bit and Skype is a 32-bit application), and then also solve some problems with PulseAudio to get sound.

OK, so here are my findings and some useful shell scripts. First, we have to make sure that all important pieces of native system are also available in chrooted environment. Hence chroot_mount.sh script:

#!/bin/sh -x
CHROOTPATH="/mychroot"

cp -L /etc/resolv.conf $CHROOTPATH/etc/
mount --bind /dev $CHROOTPATH/dev
mount --bind /dev/pts $CHROOTPATH/dev/pts
mount --bind /dev/shm $CHROOTPATH/dev/shm
mount --bind /tmp $CHROOTPATH/tmp
mount -t proc proc $CHROOTPATH/proc
mount -t sysfs none $CHROOTPATH/sys
mount --bind /var/lib/dbus $CHROOTPATH/var/lib/dbus
mount --bind /var/run/dbus $CHROOTPATH/var/run/dbus
mount --bind /run/udev $CHROOTPATH/run/udev
mount --bind /home $CHROOTPATH/home

Run it from root. (Obviously, you have to create /mychroot dir earlier and install there base system. This part is out of scope of this blog post.)

After using your chrooted environment you may also want to umount all resources. Hence chroot_umount.sh script:

#!/bin/sh -x
CHROOTPATH="/mychroot"

umount $CHROOTPATH/dev/pts
umount $CHROOTPATH/dev/shm
umount $CHROOTPATH/dev
umount $CHROOTPATH/tmp
umount $CHROOTPATH/proc
umount $CHROOTPATH/sys
umount $CHROOTPATH/home
umount $CHROOTPATH/var/lib/dbus
umount $CHROOTPATH/var/run/dbus
umount $CHROOTPATH/run/udev

Then you have to configure PulseAudio so it can be used from different user than logged in (I prefer to run closed-source apps, like Skype, from a separate account.) Here is my ~/.pulse/default.pa file on main account:

.nofail
.fail
load-module module-device-restore
load-module module-stream-restore
load-module module-card-restore
load-module module-augment-properties
.ifexists module-udev-detect.so
load-module module-udev-detect
.else
load-module module-detect
.endif
.ifexists module-jackdbus-detect.so
.nofail
load-module module-jackdbus-detect
.fail
.endif
.ifexists module-bluetooth-discover.so
load-module module-bluetooth-discover
.endif
.ifexists module-esound-protocol-unix.so
load-module module-esound-protocol-unix
.endif
load-module module-native-protocol-unix
.ifexists module-gconf.so
.nofail
load-module module-gconf
.fail
.endif
load-module module-default-device-restore
load-module module-rescue-streams
load-module module-always-sink
load-module module-intended-roles
load-module module-suspend-on-idle
.ifexists module-console-kit.so
load-module module-console-kit
.endif
.ifexists module-systemd-login.so
load-module module-systemd-login
.endif
load-module module-position-event-sounds
load-module module-role-cork
load-module module-filter-heuristics
load-module module-filter-apply
.ifexists module-dbus-protocol.so
load-module module-dbus-protocol
.endif
load-module module-switch-on-port-available
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1

On the secondary account I have only this in ~/.pulse/client.conf file:

default-server = 127.0.0.1

Also I have skype-wrapper.sh there in the PATH:

#!/bin/sh -x
export PULSE_SERVER=127.0.0.1
PULSE_LATENCY_MSEC=60 skype

Why it is needed? Well, without first line (export PULSE_SERVER=127.0.0.1) there was no sound and paplay always was saying Connection refused. Read PulseAudio’s FAQ about details how do the PulseAudio libraries decide where to connect to.

The second line (PULSE_LATENCY_MSEC=60 skype) was/is important to work around the bug in Skype that was adding some “funny” effects, like no sound at all or only some noises. Read this post from PulseAudio developer to learn more. I experienced these problems with PulseAudio 4.0 and Skype 4.2.0.11. This line works like a charm and all works OK.

OK, now when everything is configured (remember also to install and configure dchroot) you can run 32-bit Skype on a separate account by only running this command on your main account:
$ su -c 'dchroot -d skype-wrapper.sh' - user2
where “user2” is your secondary account.
You can make it an alias or put it in a one-line shell script to save some typing each time when you want to run Skype.

Advertisements

3 thoughts on “Chroot 32-bit + Skype + PulseAudio = problems (solved!)

  1. If you experience a problem with the message:
    Invalid MIT-MAGIC-COOKIE-1 keyError: Can't open display: :0.0
    or similar, then just copy the file .Xauthority from the currently logged in user to the user you’re running Skype on. Do it as root and remember to set permissions/ownership of the file, if necessary.

    • Hi, mn3m0nic, thanks for your comment.

      Actually, I wasn’t using chroot for security purposes, but because of necessity — Skype/Microsoft in their infinite wisdom don’t provide Skype for Linux 64-bit. It is possible to workaround this by installing some 32-bit libraries (which is easy in eg. Ubuntu – at least that’s what I heard), but I choose chroot method, because I know it works in my distro and I am too lazy to research how to do it with 32-bit libs (I am not even sure if these libs are readily available for my distro…).

      But you are right that chrooting gives additional security, in the sense of adding some layer of separation from “base” system. And your point about mounting full HOME dir instead of just a HOME dir of a chosen user (note that I use a separate user in my instructions above) is valid. Not so with /dev, unfortunately — it seems that Skype requires mounted /dev. It was dumping core without it for me.

      Security-wise, using Skype is probably not the best idea anyway. I use it only occasionally, when necessity arises: eg. for contacting family members, when they really want to talk on Skype, or if some prospective employer wants to conduct an interview via Skype (it happens sometimes).
      It is insecure, because it is a total black-box: closed-source, additionally using various obfuscation methods to hide what it is really doing (at least that was true in some earlier versions, but I doubt anything changed for better in this area). In addition, documents revealed by Edward Snowden show that NSA is intercepting Skype communication, see article in Guardian, eg.: “In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism”.

      To summarize and give some additional info related with my instructions above:
      in the first script (chroot_mount.sh) it is indeed beneficial to replace the line

      mount --bind /home $CHROOTPATH/home
      

      with

      mount --bind /home/[PATH TO USER DIR] $CHROOTPATH/home/[PATH TO USER DIR]
      

      where you should replace [PATH TO USER DIR] to a path of a chosen user’s HOME dir (in my above text it was user2). You should create this dir in CHROOTPATH/home if it doesn’t exist, and set appropriate permissions.

      Similar change should be done in chroot_umount.sh script: replace the line

      umount $CHROOTPATH/home
      

      with

      umount $CHROOTPATH/home/[PATH TO USER DIR]
      

      And one more thing (mainly for myself ;): I noticed that right after closing Skype it is not possibe to cleanly unmount all directories mounted in chroot environment: you can see something like umount: [SOMEDIR]: target is busy. To fix this, you need first check what keeps using mounted resources, and kill processes that are doing that. Something like lsof -n | grep [YOURCHROOTMOUNTPOINT] shows you list of guilty processes. In my case it was always dbus-launch, so I just found out what is PID of this process (it is in the second column of lsof output) and then I killed it with kill [PID], where [PID] is a process ID of dbus-launch. After few seconds all resources were freed and umounting everything was successfull.

Leave a Reply / Skomentuj

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s