-
Notifications
You must be signed in to change notification settings - Fork 557
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to output sound with PulseAudio 7.0 #69
Comments
I'll leave it for two weeks for Arch to stabilize, and I'll fix it. Thanks. |
Having the same issue. Check here: https://bugs.freedesktop.org/show_bug.cgi?id=92141 to take a look at what I've already found out with the help of the pulseaudio developers. Starting firejail deletes pulseaudio shm files in /dev/shm causing it to stop working. |
No, for a regular user firejail doesn't touch shm. Try like this:
I have created a file, now I start firejail:
The file is still visible in the sandbox. Now I exit firejail and check the file again:
After closing the sandbox, the file is still there. Firejail modifies /dev/shm in two cases: if the sandbox is run as root, or if --private-dev option is used. In both cases a tmpfs filesystem is mounted on top of /dev/shm directory. Processes running outside the sandbox will see the real /dev/shm. Firejail never deletes files from /dev/shm directory. Try a simple bash session using firefox profile, and take a look at dev shm.
You should have the same thing as before starting firejail. |
I start firejail with --seccomp enabled, could this be the cause? Because I know one thing for sure, it definitely seems to be firejail that deletes these shm files. I have been trying to find where exactly the issue lies, and unless I run
which is the default way I run firefox, pulseaudio does not have issues. Starting firefox without firejail does not cause any problems either. I'm not running firejail as root either. Have you taken a look at the link I provided? Maybe that could help clear things up a bit. |
Allow me to comment on my findings regarding the progress in this thread. All of the following is tested and ran as a normal, non-privileged user. Some incompatability between PulseAudio 7 and firejail prevent it from outputting audio in programs that used to function successfully like chromium and firefox. Both chromium and firefox were launched with the following options to test this:
This should, I believe, launch firejail with the least restrictive setup possible. No seccomp, no capability dropping, no blacklisting of directories. The debug messages also reflect this, and never once mention tampering with /dev/shm. After launching: There are infact, no pulse-shm-* files located in the /dev/shm directory. Before launching, on my specific system, there we about 4 instances of various shm files. Restarting pulseaudio via: restores these pulse-shm-* files, but does not restore sound output. However, this does not mean that firejail is destroying /dev/shm. When launching keepass, which does not use pulseaudio in any way, using firejail, the /dev/shm directory stays intact. Do note, that applying the pulseaudio work around of adding srbchannel=no into the default.pa file does appear to resolve the issue, although it is not the best solution as it does not allow one to take advantage of the progress in pulseaudio development with the newer version 7. As a tl;dr
|
OK, there seems to be a workaround. Use it until I get a chance to find the problem. I am installing Arch right now. |
Just a little advice: If this is just about fixing the bug, you might want to use antergos instead of arch. It's basically the same but you don't have the hassle of dealing with the arch install. |
Thanks for the antergos idea! |
Evolution Installer is another solution for easy and quick (5mins) arch installation. |
writing srbchannel = no into the /etc/pulse/default.pa makes it impossible to start the daemon. |
Please note that the srbchannel option needs to be added as described in the pulseaudio bugtracker thread linked above, not simply written into the file. If the proper addition of the srbchannel option prevents pulseaudio startup, that it a bug for pulseaudio, not firejail. |
srbchannel=no crashes pulseaudio. With pulseaudio out of the picture, the system defaults to ALSA. I got "firejail firefox" running fine after adding "srbchannel=no" in /etc/pulse/default.pa and system restart. The inconvenience is that I had to replace pavucontrol with gnome-alsamixer. I'll look to see what is going on. Antegos/Arch is running fine here! |
I added a description of the problem and workarounds on the main page of the project. |
Hello, Is there an expected time for this issue to be resolved? I absolutely need Pulseaudio to be 100% working, for work. Regards, |
Unfortunately this is a PulseAudio 7.0 bug. I don't see any way to get around it at sandbox level. There are two workarounds described in "known bugs" section here: https://github.com/netblue30/firejail I'll keep this discussion open in case somebody figures it out. |
Hi, Yes, the fixed seems to be working, and it doesn't seem to be breaking Pulse :) Have you contacted pulseaudio developers? Thanks and keep up the good work, |
A PulseAudio developer here. I'd be interested to hear more details about why you think this is a PulseAudio bug. |
Hmm... I have a likely explanation for the bug. Whenever PulseAudio creates a new shm file, it also cleans up any files that are left by crashed processes that didn't clean up the files they created. Each shm file contains the pid of the process that created it. The cleanup is triggered, if kill(pid, 0) fails with ESRCH, that is, if the pid does not exist. If firejail creates a new pid namespace, then processes outside the sandbox aren't visible to processes in the sandbox, and a sandboxed process will "clean up" all shm files. So yes, this is a PulseAudio bug after all. With pid namespaces, we can't assume that a process is dead if kill() fails with ESRCH. This will be resolved when we get memfd support in PulseAudio (currently being worked on). I'm not sure that it will be ready before the next release, so some other fix may be needed. I don't yet what that fix might be, though. Not cleaning up the shm files isn't really a good solution. |
Hi. There is a fix on the main page that currecntly works. I read some people saying it breaks pulse, but for what I could see everything is working fine here. Ardour, Steam, pavucontrol, simplescreenrecorder, all working fine.
Could you elaborate? |
@tanuk is there a way to manually clean up shm files ? thanks ! |
Hi tanuk, thank you for your help. memfd is fine, we can wait until then. There is a workaround by disabling shm in PulseAudio - I guess in this case the client/server communication goes over the Unix socket. And there is also ALSA used as backup by Firefox and most other programs - I just have to explain to users to turn up the volume using alsamixer or some equivalent. |
I mean that if it's hard to figure out which shm files are safe to remove, we could solve this by simply not cleaning up leaked shm files, but leaking resources is not cool.
You can simply remove the files from /dev/shm, if you can figure out which of the files are not being used any more. @netblue30 If the workaround isn't applied automatically, a very big portion of your users will waste time wondering why their audio doesn't work, and probably not everyone will find the workaround. Are you really ok with that? When firejail starts, maybe it could automatically copy ~/.config/pulse/client.conf to a temporary location, add "enable-shm = no" to the copy, and set the PULSE_CLIENTCONFIG environment variable to point to the modified configuration file? |
@tanuk Thanks for the idea, I'll try it out. |
OK, the fix is in. So far it seems to be working on Debian jessie and Antergos/Arch. Let me know if you see any problems. Thanks! |
Uhm as I am relatively new to linux (and arch): I am not getting a firejail update on arch so that I could test the new fix? |
@Utini2000 I think it's the same fix that is present on the main page here. If you want, you could contact the AUR maintainer so that he/she can update fifrejail for you. Or, you download the PKGBUILD and just edit it so that it fetches the new source (if there's one). |
updated to the latest git. the fix works for a while, but eventually i run into the same issue (pavucontrol can't connect, keyboard volume controls stop working), and have to "pulseaudio -k" and restart to regain control. |
Yes, I have been using desktop files so far. So you are saying that those scripts under /usr/local/bin always take precedence regardless if the desktop files are located in /usr/share/applications or ~/.local/share/applications? I didn't know that. EDIT: I guess that was a dumb question. echo $PATH gives:
So, yes, /usr/local/bin should take precedence, indeed. |
I'm not sure that I understand. I start firejail thunderbird and click a link but firejail --tree shows, e.g. the following:
This doesn't look as if firefox is in the same sandbox as thunderbird ... ? |
@curiosity-seeker What firejail version are you running? Start thunderbird/icedove from a terminal and click on a link:
You'll get that warning "an existing sandbox was detected. /usr/bin/iceweasel #83 will run without any additional sandboxing features in a /bin/sh shell". It means firejail started the browser (firefox/iceweasel) directly, without any shell. "firejail --tree" in this moment looks like this:
|
@netblue30 : I'm using 0.9.30 on Manjaro (=Arch derivative)
I did that, and this is what I get:
And firejail --tree shows:
Thus, it seems that the behaviour is different from your system. |
That's interesting! You could get something like this if you already have firefox running in another window when you click on the link in thunderbird (I have a writeup here: https://l3net.wordpress.com/projects/firejail/firejail-faq/#firefox). There seem to be something else going on, I'll try it here on my Arch box. |
No, Firefox was definitely not running! |
The communication seems to go over DBus. Thunderbird sends a message, and somebody (?) starts the browser, so the browser ends up in a different sandbox. |
Thanks for that info! It's all right as long as Firefox is sandboxed. |
So is the "enable-shm = no" in client.conf workaround no longer needed? The last time I tried without the workaround (10 Oct), I still had the same issues with Pulseaudio. |
Yes, if you are running firejail version 0.9.32 or 0.9.34-rc1 it should be fixed. |
It's still not working for me. If I remove the "enable-shm = no" in ~/.config/pulse/client.conf, and restart Pulseaudio, I still end up with the same issue as before. Steps: If I put the enable-shm=no back in place, then things work properly. |
In firefox.profile, if you also whitelist ~/.config/pulse, does it work? It might be that we still need "enable-shm = no" |
OK, I've got it on Arch. It looks like we still need "enable-shm = no" in ~/.config/pulse/client.config. PulseAudio cannot mix various clients with and without "enable-shm = no". Leave ~/.config/pulse/client.config in place. I'll update the documentation and the announcements. Thank you for reporting it. |
Similar issue here with firejail from master on Fedora 23. I don't have problems playing music but I am seeing warnings like these: |
This also affects PulseAudio 8 on Ubuntu 16.04. The |
Thanks for letting me know. |
Confirming this on Fedora 23 with firejail-0.9.28-1 from default install. Starting firefox in firejail causes the pulseaudio to stop working. Pulseaudio seems to be running but plays nothing. Any attempt to play anything results in PA is dead for all applications until |
You need to move to 0.9.40, there were a lot of fixes for PulseAudio since 0.9.28. Also, you would need to configure pulse this way: https://firejail.wordpress.com/support/known-problems/#pulseaudio |
If someone is running PA 9.0, it would be nice to get a confirmation that setting enable-memfd = yes in /etc/pulse/daemon.conf fixes this issue too. The option was added in PA 9.0, but it's off by default. It will be enabled by default at some point, probably in PA 10.0. The option changes the shared memory functionality so that the /dev/shm/* files aren't used any more. |
Thanks @tanuk |
I can confirm that using PulseAudio 9.0 and enabling the I can also confirm that I do not have |
Thanks, issue closed. |
With the upgrade to PulseAudio 7.0 on Archlinux, audio in Chromium 45 and other applications which use pulseaudio fail to work properly.
In the case of chromium, launching with the default sandbox and no profile/seccomp chomium will launch and instantly report a failure that it is unable to open a slave. Firejail worked fine on PulseAudio 6.
Aside from the debug output of firejail the only other noteworthy output that Chromium spews is the failure to open a slave, which I have found is something dealing with ALSA on the system.
A similar outcome can be observed when launching firefox with no profile, as well as any other application which may use pulseaudio.
Oddly enough, things like Steam work fine at outputting audio via Pulse, but seem to fail when attempting to record audio input via a microphone in firejail, even though this functionality was working under PulseAudio 6.
Apologies for the very vague bug report, I am rather confused about where the source of the problem exactly is.
Firejail version 0.9.30
PulseAudio version 7.0
The text was updated successfully, but these errors were encountered: