I was recently struggling a bit with running Skype on my distro. The problem was that I had to configure a chroot environment (because my native OS is 64-bit and Skype is a 32-bit application), and then also solve some problems with PulseAudio to get sound.
OK, so here are my findings and some useful shell scripts. First, we have to make sure that all important pieces of the native system are also available in the chrooted environment. Hence the chroot_mount.sh script:
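#!/bin/sh -x
# Expose the host resources Skype needs inside the chroot. Run as root.
CHROOTPATH="/mychroot"
# DNS configuration (copied, following symlinks)
cp -L /etc/resolv.conf "$CHROOTPATH/etc/"
# Devices, shared memory and temporary files
mount --bind /dev "$CHROOTPATH/dev"
mount --bind /dev/pts "$CHROOTPATH/dev/pts"
mount --bind /dev/shm "$CHROOTPATH/dev/shm"
mount --bind /tmp "$CHROOTPATH/tmp"
# Kernel pseudo-filesystems
mount -t proc proc "$CHROOTPATH/proc"
mount -t sysfs none "$CHROOTPATH/sys"
# D-Bus and udev runtime state
mount --bind /var/lib/dbus "$CHROOTPATH/var/lib/dbus"
mount --bind /var/run/dbus "$CHROOTPATH/var/run/dbus"
mount --bind /run/udev "$CHROOTPATH/run/udev"
# Home directories of all users
mount --bind /home "$CHROOTPATH/home"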
Run it as root. (Obviously, you have to create the /mychroot directory and install a base system there beforehand. That part is out of scope for this blog post.)
After using your chrooted environment you may also want to unmount all resources. Hence the chroot_umount.sh script:
#!/bin/sh -x
# Release everything chroot_mount.sh mounted. Run as root.
CHROOTPATH="/mychroot"
# Nested mounts under /dev go first, then /dev itself
umount "$CHROOTPATH/dev/pts"
umount "$CHROOTPATH/dev/shm"
umount "$CHROOTPATH/dev"
umount "$CHROOTPATH/tmp"
umount "$CHROOTPATH/proc"
umount "$CHROOTPATH/sys"
umount "$CHROOTPATH/home"
umount "$CHROOTPATH/var/lib/dbus"
umount "$CHROOTPATH/var/run/dbus"
umount "$CHROOTPATH/run/udev"
Then you have to configure PulseAudio so it can be used by a different user than the one logged in (I prefer to run closed-source apps, like Skype, from a separate account). Here is my ~/.pulse/default.pa file on the main account:
.nofail
.fail
load-module module-device-restore
load-module module-stream-restore
load-module module-card-restore
load-module module-augment-properties
.ifexists module-udev-detect.so
load-module module-udev-detect
.else
load-module module-detect
.endif
.ifexists module-jackdbus-detect.so
.nofail
load-module module-jackdbus-detect
.fail
.endif
.ifexists module-bluetooth-discover.so
load-module module-bluetooth-discover
.endif
.ifexists module-esound-protocol-unix.so
load-module module-esound-protocol-unix
.endif
load-module module-native-protocol-unix
.ifexists module-gconf.so
.nofail
load-module module-gconf
.fail
.endif
load-module module-default-device-restore
load-module module-rescue-streams
load-module module-always-sink
load-module module-intended-roles
load-module module-suspend-on-idle
.ifexists module-console-kit.so
load-module module-console-kit
.endif
.ifexists module-systemd-login.so
load-module module-systemd-login
.endif
load-module module-position-event-sounds
load-module module-role-cork
load-module module-filter-heuristics
load-module module-filter-apply
.ifexists module-dbus-protocol.so
load-module module-dbus-protocol
.endif
load-module module-switch-on-port-available
# Accept native-protocol connections over TCP; clients connecting from
# 127.0.0.1 are allowed without cookie authentication
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
On the secondary account I have only this in the ~/.pulse/client.conf file:
default-server = 127.0.0.1
Also I have skype-wrapper.sh there in the PATH:
#!/bin/sh -x
export PULSE_SERVER=127.0.0.1
PULSE_LATENCY_MSEC=60 skype
Why is it needed? Well, without the first line (export PULSE_SERVER=127.0.0.1) there was no sound and paplay was always saying Connection refused. Read PulseAudio’s FAQ for details on how the PulseAudio libraries decide where to connect to.
The second line (PULSE_LATENCY_MSEC=60 skype) was/is important to work around the bug in Skype that was adding some “funny” effects, like no sound at all or only some noises. Read this post from a PulseAudio developer to learn more. I experienced these problems with PulseAudio 4.0 and Skype 4.2.0.11. This line works like a charm and all works OK.
OK, now that everything is configured (remember also to install and configure dchroot) you can run 32-bit Skype on a separate account by running just this command on your main account:
$ su -c 'dchroot -d skype-wrapper.sh' - user2
where “user2” is your secondary account.
You can make it an alias or put it in a one-line shell script to save some typing each time you want to run Skype.
If you experience a problem with the message:
Invalid MIT-MAGIC-COOKIE-1 key
Error: Can't open display: :0.0
or similar, then just copy the .Xauthority file from the currently logged-in user to the user you’re running Skype as. Do it as root and remember to set permissions/ownership of the file, if necessary.
Hello.
Why are you mounting your real home dir and dev into the chroot filesystem?
If you do that, many of the security benefits of chrooting Skype are lost.
Hi, mn3m0nic, thanks for your comment.
Actually, I wasn’t using chroot for security purposes, but because of necessity — Skype/Microsoft in their infinite wisdom don’t provide Skype for Linux 64-bit. It is possible to work around this by installing some 32-bit libraries (which is easy in e.g. Ubuntu – at least that’s what I heard), but I choose chroot method, because I know it works in my distro and I am too lazy to research how to do it with 32-bit libs (I am not even sure if these libs are readily available for my distro…).
But you are right that chrooting gives additional security, in the sense of adding some layer of separation from “base” system. And your point about mounting full HOME dir instead of just a HOME dir of a chosen user (note that I use a separate user in my instructions above) is valid. Not so with /dev, unfortunately — it seems that Skype requires mounted /dev. It was dumping core without it for me.
Security-wise, using Skype is probably not the best idea anyway. I use it only occasionally, when necessity arises: eg. for contacting family members, when they really want to talk on Skype, or if some prospective employer wants to conduct an interview via Skype (it happens sometimes).
It is insecure, because it is a total black-box: closed-source, additionally using various obfuscation methods to hide what it is really doing (at least that was true in some earlier versions, but I doubt anything changed for better in this area). In addition, documents revealed by Edward Snowden show that NSA is intercepting Skype communication, see article in Guardian, eg.: “In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism”.
To summarize and give some additional info related with my instructions above:
in the first script (chroot_mount.sh) it is indeed beneficial to replace the line
with
where you should replace [PATH TO USER DIR] with the path of a chosen user’s HOME dir (in my above text it was user2). You should create this dir in CHROOTPATH/home if it doesn’t exist, and set appropriate permissions.
Similar change should be done in chroot_umount.sh script: replace the line
with
And one more thing (mainly for myself ;): I noticed that right after closing Skype it is not possible to cleanly unmount all directories mounted in the chroot environment: you can see something like umount: [SOMEDIR]: target is busy. To fix this, you first need to check what keeps using the mounted resources, and kill the processes that are doing that. Something like
lsof -n | grep [YOURCHROOTMOUNTPOINT]
shows you the list of guilty processes. In my case it was always dbus-launch, so I just found out the PID of this process (it is in the second column of lsof output) and then I killed it with kill [PID], where [PID] is the process ID of dbus-launch. After a few seconds all resources were freed and unmounting everything was successful.