I've been seeing a lot of Bazzite recommendations recently, and it sure sounds great. An atomic Fedora, gaming optimisations out of the box. It just works.
Well, that's not been my experience with V Rising, and I wanted to share it in case anyone else encounters the issues I did.
First and foremost, I am sure the major issue is the game, more than any given distro. I've been happily running Arch on my home PC for 7 years. It's been great, no issues, I've loved it. As my free time decreased, that computer had become just for gaming. The maintenance debt was building up; I knew the dream run with Arch must end. That end was V Rising: it crashed frequently, with all kinds of strange behaviour. I assumed a Vulkan issue, but couldn't easily find a fix, and didn't want to waste any more time on it.
I went with Bazzite, but to no avail. The crashing problem got worse. Only now I had to deal with the sluggish Flatpak versions of things. It's not that bad, but it was a very noticeable change.
If it had just been me, I think this is where I would have given up. But I was playing with my wife and a mate online, both of whom also use Linux and weren't having the crashing issue. On my wife's computer I had recently installed Bazzite. It did have issues, mostly flickering, which I chalked up to a too-early switch to Wayland on a GTX 1080. My mate was on Mint, with a 3060, and V Rising was working perfectly.
I switched to Mint (I am running a 5700 XT), and my problems were fixed just like that.
Next was to solve the wife's woes, so I switched her to Mint too. Which resulted in V Rising not being able to load, freezing up the computer on every attempt and requiring an X restart. Didn't matter which version of the Nvidia drivers I used. The flickering was gone though, so that was something. Pop!_OS was the solution; it took a bit of understanding Pop!_Shop's preferred order of events to get the Nvidia drivers installed, but now all is fine.
So the lesson I think I might have learned: old hardware and new (Vulkan) games require unidentified settings to work, and the easiest solution is just to distro hop till success. Big shout out to Steam's transfer-over-network functionality (I also needed to install BG3 on each new distro; it ran fine on every combination, but Bazzite was noticeably more flaky).
It doesn't matter, but does anyone have any ideas as to why V Rising caused such headaches? 7 years of Linux gaming, and nothing has required more than a few hours of tinkering at most to get to work until this.
TL;DR: needed a safe space to debrief, everything worked out in the end.
SteamOS currently runs 6.1, which is an LTS kernel, it just isn't the latest LTS kernel (that's 6.6 released at the end of 2023). Steam also makes modifications to the kernel they use in SteamOS, so they have their own versions custom built for Steam Decks. I should revise my previous statement slightly. Debian Bookworm is on 6.1 as well, but SteamOS 3.6 (in beta) uses 6.5 (which is non-LTS). Debian skips every other LTS kernel because they release every 2 years, but SteamOS (eventually) upgrades each LTS kernel or some non-LTS between? They did the same thing with 5.13 a couple years ago (5.10 and 5.15 are LTS). I don't really follow their releases since I don't own a Steam Deck, so I don't really know the rationale there. Funnily enough, looking through posts about it online, it seems that SteamOS is sometimes ahead of Debian on the minor kernel version and sometimes behind (when they're on an LTS kernel). Currently, they are behind Debian on minor release (6.1.52 vs 6.1.76). Very strange, no idea what's going on there.
Hm, interesting. I don't recall experiencing anything like that personally since I hardly use anything from RPMFusion, but that does seem frustrating. Looks like it was fixed very quickly, at least.
Ah yeah, I've heard about that. I can't remember the last time I installed Cisco's openh264 though since I started using VLC, which can handle video and audio formats without installing extra codecs. I think MPV can do the same? I'm not sure what comes with my browser, but it is packaged as a flatpak and seems to run media just fine. Maybe there is some other use for openh264 that I'm not aware of that just doesn't come up in my normal use, but I don't think I've installed any media codecs in Fedora for a couple years now. Granted, I don't play videos often (but I do play MP4s when I do), and all my music is in FLAC format, so I'm probably an edge case. I also don't game, but I remember seeing something recently in this sub where someone may have had codec issues while playing a game.
Well, Fedora is a community project, so it's very difficult for anything individual maintainers do to come back to Fedora so long as the name isn't put on it directly. If I were to speculate, most of the RPMFusion maintainers are Fedora community contributors (and I imagine they likely wouldn't work at Red Hat, given Red Hat's apprehension towards copyrighted material). I don't think it's really any different legally speaking from a Fedora contributor working on a personal project on the side. The fact that you can manually add the repo to Fedora doesn't connect the two in a legally binding sense. So as long as it isn't being funded by Fedora, and their branding is absent, then it shouldn't really matter. I don't know about the actual legal aspects of the packages they are distributing, or what country/countries RPMFusion repos are hosted in, but so long as nobody is profiting/losing substantial profit, it likely isn't even worth pursuing any legal recourse to begin with.
Yeah, that's fair. There are definitely bugs that pop up every once in a while, but for the most part they're minor (at least the ones I notice). This kernel bug is among the more major bugs I've seen with Fedora in the past few years, but I only know about it from this post; I haven't experienced it myself. I imagine there have been similar things (or worse) like this that have gone over my head as I didn't experience them myself. Perhaps my experience has also been more stable because I've been using GNOME up until Fedora 40. I do find my experience with Fedora to be much more stable than Arch, but that is to be expected given their release models. I can only recall having experienced 1 or 2 bugs in the past year on Fedora, which is less than I experienced when I used Ubuntu many, many years ago, and the bugs were fixed much faster than they were on Ubuntu, where it would often take months for a patched version of the package to enter the Ubuntu repos. That's all anecdotal, however.
The reason I usually recommend Fedora to people (and uBlue images by extension) is that it sits on some middle ground between the rolling release bleeding edge distros like Arch, and the stable, LTS, frozen for 2 years distros like Debian. I have grievances with both of those models that are addressed with Fedora, and that's what makes it a good distro for me. My experience with bugs hasn't really been any more common than when I was using LTS distros, but that may be a fluke. I will likely be moving one of my servers to Debian in the future though, because it makes sense for its purpose. Different release models benefit different uses (and people), of course.
I use the Celluloid flatpak, which has native Wayland and PipeWire support. It's an MPV GUI.
But browsers should be installed as an RPM, because Flatpak uses the same seccomp filter for all apps. That isn't even really secure, but it prevents browsers from spawning user namespace sandboxes. Which means they have very little process isolation.
User namespaces are not the only method of sandboxing in Linux. I use Mullvad browser, which is a fork of Firefox maintained in tandem with the Tor browser (without Tor integration), so I'll mainly discuss Firefox. Here are some relevant comments on Firefox's internal sandbox in flatpaks:
Firefox's internal sandbox is designed to function properly without user namespaces or chroot
Firefox uses nested seccomp filters to achieve process isolation
The TL;DR is that Firefox uses seccomp-bpf on each process (with per-process nested seccomp filters) to intercept all syscalls for sandboxing, which does not require the use of user namespaces. User namespaces are used where possible, simply to add an additional layer of padding as a method of defense in depth. Since the syscalls are already intercepted and handled with seccomp-bpf, it could easily be argued that this is redundant and unnecessary given the way the Firefox sandbox works, based on the comments of the Firefox developer I linked to.
Chromium browsers had very bad issues with sandboxing, as they assumed that user namespaces would always be available (which breaks on any distro with them disabled in the kernel, as was the case with Debian and Arch just a few years ago, or any install that uses the linux-hardened kernel), and Chromium does not use seccomp-bpf for their process isolation like Firefox (or at least it didn't when the bugzilla I linked to was made). I believe those issues have been fixed, however, and Chromium-based browsers (at least the ones that implement the patch or something similar) should also have proper process isolation in flatpaks now. I don't follow that very closely since I don't use Chromium-based browsers, though. Here's the flatpak Chromium patch that uses flatpak-spawn to fix process isolation in Chromium-based browsers for reference. It was mentioned in one of the Firefox bugzilla pages I linked to earlier. Since it isn't an upstream fix, I wouldn't trust that all Chromium-based browsers use it, but that's an issue to bring up with Google (assuming it hasn't been fixed upstream in the past couple of years). Firefox specifically designed their sandbox to work in these situations where Chromium may fail.

Mullvad Browser isn't available as an RPM (or even DEB), and while they have a tar.xz download that I imagine just installs the browser in the folder it's extracted to (not a source tarball; it's all pre-compiled), I have no idea if that receives automatic updates, and I've never used a Linux app packaged like that, so I choose to use the flatpak instead.
Late reply, had this in my inbox for a while.
Interesting bugzilla thread indeed.
seccomp vs userns
I don't know about the security difference between nested seccomp filters and user namespaces. I don't know how good the achieved process isolation is.
But I can imagine that the Firefox approach is better.
chromium
Also note that Chromium has a setuid sandbox mode which is kept as fallback. Found that through secureblue.
I know that bubblejail is currently broken for me, I will uninstall it, remove the configs and reinstall it again.
I think running FF with userns enabled AND isolated with bubblejail is best, and it is possible.
flatpak and seccomp
Flatpak has a real issue with their loose and kinda random badness-enumerating seccomp filter. See this issue
The problem is, app devs don't know shit about seccomp, and some other project (was it GNOME?) just uses the Flatpak filter because they also don't know enough about it.
It would be best to have a modular approach, with "security building blocks".
Browsers have the "base" set of rules, which is the most unrestricted there is, allowing user namespaces. All apps by default get the "standard" set, which is base without userns. And there can be more secure ones for "strong" and "verystrong" isolation.

browser updates
Firefox has a builtin updater, Distros just remove that. So the Mullvad Tarball and also an official Firefox or Thunderbird tarball will autoupdate.
But as the app lies in an insecure location, its source could be modified. So it is always best to have apps somewhere only root can change.
Same for Flatpaks actually: --user flatpaks are installed to the user homedir without any permissions and could be tampered with by any process.