Solved Firefox in a jail - webgl not working

chrbr · Aug 9, 2023

Dear community,
I have a Dell Latitude E5430 which works fine with the i915kms loaded running FreeBSD-13.2-RELEASE. A jail runs the same version, too. The jail has been created with mkjail. The firefox is firefox-esr-102.14.0_1,1 installed from the latest repository using pkg. The jail is connected to the host by the lo1 interface. There is no NAT to the hosts PHY. For http and https tinyproxy is installed on the host and listen on port 8181 and forwards the traffic to the PHY. That works so far beside one detail.

By opening https://get.webgl.org/ one can see if the browser supports webgl. If I install firefox on the host webgl is supported. If I run firefox in the jail webgl does not work, even if I install almost everything which runs on the host. I did that to see if just some libraries are missing.

It seems to me as if the firefox browser must interact with the X stuff on the host to make webgl functional. Unfortunately I am not keen to run firefox on the host. I prefer to keep the host clean and lean. The home directory of the user on the host should be free from the firefox stuff, too.

Has anybody a working solution how to run firefox in a jail with webgl funtional? Or would that work with a different browser running in a jail? This is no serious issue but it would be nice to fix that.

Thank you for your kind help in advance,
Christoph

Holger · Aug 10, 2023

You may need to adjust the devfs ruleset in for your jail, so that the devices for hardware acceleration become available.

Step 1: Edit /etc/devfs.rules and add the following lines:

Code:

[devfsrules_drm=10]
add include $devfsrules_jail
add path dri unhide
add path dri/* unhide
add path drm unhide
add path drm/* unhide

This will add a ruleset unhiding the necessary devices for hardware acceleration.

Step 2: Let your jail use these new rules. I don't know what mkjail does, but with plain jails edit /etc/jail.conf and adjust the settings for your jail (assuming your jail is named “firefox-jail”):

Code:

firefox-jail {
        …
        devfs_ruleset=10;
        …
}

The full jail config may look like follows (I use this config to run the Vice emulator inside a jail, which uses OpenGL, so my situation is similar to yours):

Code:

firefox-jail {
        host.hostname="…";
        ip4.addr="lo1|10.10.0.4/24";
        path="/jail/firefox-jail";
        mount.devfs;
        devfs_ruleset=10;
        allow.raw_sockets=1;
        exec.clean;
        exec.start="sh /etc/rc";
        exec.stop="sh /etc/rc.shutdown";
        mount.fstab="/jail/firefox-jail/etc/fstab.jail";
}

You may ignore the line with mount.fstab for now, but if you need to mount extra directories into your jails, it might become relevant.

Hope that helps!

chrbr · Aug 10, 2023

Hello Holger,
thank you for your advise. There is one positive side effect compared to my previous setup. Previously I could not view a TV station because some driver has been missing. That works now. But the webgl stuff still does not work. mkjail just makes, updates or deletes jails. They are almost empty in terms of configuration. mkjail is not invoked when running a jail. The jails are as plain jails.

How to run the jails? I use jailme with the user IDs of the hosts user and the jail user are similar.

Is it simple to run the vice emulator? It might be perfect as a working setup for my reference. I have seen a few libretro-vice* packages in the repository.

BTW: Here is the output when starting firefox.

Code:

Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: ManageChildProcess failed
 (t=0.518731) [GFX1-]: glxtest: ManageChildProcess failed 
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: ManageChildProcess failed 
(t=0.518731) |[1][GFX1-]: glxtest: libEGL initialize failed 
(t=0.518986) [GFX1-]: glxtest: libEGL initialize failed 
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: ManageChildProcess failed (
t=0.518731) |[1][GFX1-]: glxtest: libEGL initialize failed 
(t=0.518986) |[2][GFX1-]: glxtest: X error, error_code=8, request_code=152, minor_code=5
 (t=0.519005) [GFX1-]: glxtest: X error, error_code=8, request_code=152, minor_code=5 
console.error: ({}) console.error: "Experiment next-generation-accessibility-engine-powering-screen-readers 
has unknown featureId: accessibilityCache" 
console.error: "Experiment next-generation-accessibility-engine-powering-screen-readers-and-other-ats-copy 
has unknown featureId: accessibilityCache" 
console.error: "Experiment next-generation-accessibility-engine-powering-screen-readers-and-other-ats-copy 
has unknown featureId: accessibilityCache"

Kind regards,
Christoph

Holger · Aug 10, 2023

Please install graphics/mesa-dri and graphics/glx-utils inside your jail. Check if glxgears works to see if OpenGL is available. Also, please check the following:

Code:

$ glxinfo | grep rendering
direct rendering: Yes

I am not sure, though, if a working accelerated OpenGL installation is equivalent to WebGL. But it's worth a try, I guess.

chrbr · Aug 10, 2023

Hi Holger,
on the host I can see the output you have posted. In the jail I access with jailme the result is

Code:

% jailme fox glxinfo | grep rendering
libGL error: failed to open /dev/dri/card0: Permission denied
libGL error: failed to open /dev/dri/card0: Permission denied
libGL error: failed to load driver: crocus
direct rendering: Yes

glxgears on the jail outputs the same error. There is one additional screen with the rotating gear. Now I have an additional jail I access via ssh and x11-forwarding. xterm works but glxinfo and glxgears hang.

Holger · Aug 10, 2023

You may need to add your jail user to the video group.

chrbr · Aug 10, 2023

Dear Holger,

that did the trick for firefox started with jailme. It still fails for the firefox in a jail controlled with ssh. But the ssh method is not required. When looking back it sounds very reasonable to invite the jail user to the video group because it is required for the host as well. Tomorrow I will try what happens if I delete the two additional ports and report back.

Thank you for your very kind and professional help!
Kind regards,
Christoph

chrbr · Aug 11, 2023

Hello Holger and lurkers,
I have tested without the two additional ports. graphics/mesa-dri is required. Webgl works without graphics/graphics which means that it is not required. But since it is a tiny port and useful for debugging one should install graphics/glx-utils, too.
Again many thanks to Holger. This thread is an additional proof of the high value of the community in this forum.
Kind regards,
Christoph

chrbr · Sep 8, 2023

Hello community,
some time ago I have tried VNET jails instead of the standard ones. At that time the issue with Webgl has been resolved already. Beside the interfacing which has been configured in /etc/jail.conf and the necessary setup on the host with bridge and epair in /etc/rc.conf everything has been similar to the setup with jails communicating via lo1.

In the jail glxinfo and glxgears have been working fine. But https://get.webgl.org/ reported no function instead of showing the rotating cube. That applied for firefox and chromium. It made no difference if the browsers have been started via jailme or ssh. It also made no difference if the communication from the jail to the outer world is established by NAT or by using a proxy. Just the glxtest failed which is run be the browser at startup.

For firefox the fix is to set webgl.force-enabled to true in about:config. This parameter had no effect in the initial situation when I have started this thread. Therefore it has been more about desperate than ratio to try that again. If there is an explanation why the glxtext by firefox fails when the jail is connected via VNET it would be interesting to know. For chromium I have not searched for a method to force webgl.