Debian Administration

Debian amd64: iceweasel with i386 plugins, outside a chroot

If you weren't already convinced that closed source sucked before, then surely the experience of trying to browse the net with an amd64 machine will have won you over; I could ponder on how much Microsoft is paying Adobe not to release a 64-bit version of their flash plugin— but why Sun is categorically refusing to address our cry for a 64-bit java plugin for mozilla based browsers for this many years is beyond me.

There are three approaches to work around this conspiracy:

1. Install everything in a 32-bit chroot and run the browser there.
2. Use the 64-bit version of the browser and use a wrapper for the 32-bit plugins.
3. Use a 32-bit version of the browser without chroot (a bi-arch approach).

I used option 1 (the chroot) for a while, but that approach has several annoying disadvantages:

• Every external application started by iceweasel necessarily also runs inside the 32-bit chroot. It is neat that you can assign programs to handle files with certain extensions, but in most cases you want to run those applications in your normal 64-bit environment of course (ie xmms, azureus, mplayer).
• If you download a file, you can only download it to the 32-bit chroot. Of course you can bind mount several directories like your home directory - but not every directory can be shared like that, and all too often I found myself downloading to my home directory just to make the file accessible, having to manually copy it in to it's final destination from a 64-bit shell.

I tried option 2, but it was a horror. Maybe some day that option will mature, but right now it's just not working for me.

That leaves option 3. However, the main disadvantage of that option is that you simply can't install i386 debian packages on an amd64 system. Therefore you have to fall-back to tar-balls and install everything manually. I tried this too, with as result that anti-aliasing didn't work anymore and java simply froze iceweasel.

The Best Of Both Worlds

The approach that I chose in the end is as follows: I installed everything that has to be of i386 architecture in a 32-bit chroot (as in option 1), using apt-get (or aptitude or whatever you like) and used a small wrapper and environment variables to run the browser in the 64-bit environment with a linux32 personality (as in option 3).

This turns out to a simple and painless procedure.

First, create an i386 chroot inside of which we will later install iceweasel. This chroot will be much smaller than that of option 1 above, because we won't need to install libraries that are already available from ia32 packages for the amd64 architecture.

You'll need some packages:

sudo apt-get install debootstrap

Creating the chroot

Choose the root of the chroot and it's handle:

CHROOT="/opt/firefox-chroot";   # The directory of the chroot.
CHROOTNAME="firefox";           # The name as listed by schroot -l.

We need these too. You can set them to whatever works for you but the following should set them automatically (as usually, in my HOWTO's, just copy&paste the whole block to your (non-root) shell prompt):

HELPVAR=$(apt-cache policy coreutils | egrep '^[[:space:][:digit:]]*http:' | \
    sed -r 's/^[[:space:]]*//;s/[[:space:]]+/,/g' | sort -rn | head -n 1)
SUITE=$(echo "$HELPVAR" | cut -d, -f 3 | sed -e 's%/.*%%')
DEBIANMIRROR=$(grep "^deb $(echo "$HELPVAR" | cut -d, -f 2).*$SUITE" /etc/apt/sources.list | \
    sed -r 's/^[[:space:]]*//;s/[[:space:]]+/,/g;s%/,%,%g;s%,%/,%g' | cut -d, -f 2)
echo -e "SUITE = \"$SUITE\"\nDEBIANMIRROR = \"$DEBIANMIRROR\""

This should set $SUITE to something like 'lenny' and $DEBIANMIRROR to something like 'http://ftp.debian.org/debian/'.

If SUITE is 'unstable', 'testing' or 'stable' then debootstrap won't work without providing the current codename. Therefore, try to extract that:

CODENAME=$SUITE
if test ! -e /usr/share/debootstrap/scripts/$SUITE; then
  CODENAME=$(sed -ne 's/^Codename: \([a-z]*\)$/\1/p' /var/lib/apt/lists/$(echo "$DEBIANMIRROR" | sed -e "s%http://*%%;s%/%_%g")dists_"$SUITE"_Release)
fi
echo "CODENAME = $CODENAME"

Create the new directory and install the base system into it:

sudo mkdir "$CHROOT"
sudo debootstrap --arch i386 $SUITE "$CHROOT" $DEBIANMIRROR /usr/share/debootstrap/scripts/$CODENAME

This installs about 180 MB in $CHROOT.

Since we won't run iceweasel inside the chroot, there is no need to do (bind) mounts, or install home directories or whatever— but we still need a few more packages to be installed.

Enter the chroot as root:

sudo chroot "$CHROOT"

Before running apt-get, you might want to fix a few things:

In order to get rid of the message "WARNING: The following packages cannot be authenticated!", run the following command:

apt-get update

This will retrieve the missing Release.gpg.

If you want to get rid of the warnings:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory

then run the following commands (this installs an additional 18 MB):

LANG= apt-get install locales
eval `locale 2> /dev/null`
sed -ri 's/^([^#].*)/# \1/;s/^# ('$LC_CTYPE'($| .*))/\1/' /etc/locale.gen
locale-gen

[ If you don't want that, then you can temporarily suppress these messages by doing instead:

eval `LANG= locale`

but you'd need to do that every time you enter the chroot for maintenance. ]

Next, edit /etc/apt/sources.list and add a line for security updates (as usual, just copy&paste the whole block to the shell prompt (outside the chroot)):

exit # Leave the chroot
if ! grep 'security\.debian\.org' $CHROOT/etc/apt/sources.list; then
  sudo sh -c 'echo "# Security updates." >> '"$CHROOT"'/etc/apt/sources.list; \
  echo "deb http://security.debian.org/ '"$SUITE"'/updates main contrib" >> '"$CHROOT"'/etc/apt/sources.list'
fi

Also add contrib and non-free, as we'll need that for the plugins later on:

sudo sed -ri 's/^(deb '$(echo $DEBIANMIRROR | sed 's/\/$//;s/\([$/.]\)/\\\1/g')' '$SUITE' main)$/\1 contrib non-free/' $CHROOT/etc/apt/sources.list

and update the chroot

sudo chroot $CHROOT apt-get update
sudo chroot $CHROOT apt-get dist-upgrade

A More General chroot

If you are just creating the chroot for running iceweasel, then you can skip this paragraph. However, I can imagine that some people are using this page to set up a more general chroot, for other purposes; therefore I decided to add this paragraph that describes how to finish the chroot so it can be used in general, just to have all information in one place.

First you'll want to bind mount a few directories. Add the (output of) the following to your /etc/fstab (the real one, not the one in the chroot!).

exit # Leave the chroot
cat << EOF
# $CHROOTNAME chroot
/proc    $CHROOT/proc    none    bind     0 0
/dev     $CHROOT/dev     none    bind     0 0
/tmp     $CHROOT/tmp     none    bind     0 0
/home    $CHROOT/home    none    bind     0 0
EOF

and possibly other directories. Try to avoid any directories that debian installs files in however, or the chroot will overwrite your system files (and vica versa) of course.

WARNING: If you 'rm -rf' the $CHROOT directory then everything (still) bind mounted will be deleted as well! A 'bind mount' is not normally visible with 'df', you will need to do 'df -a' to see it (I lost my home directory this way, while doing tests in order to write this howto)!

After adding those lines, they are still not mounted until you reboot; so mount them manually this time:

sudo mount $CHROOT/proc
sudo mount $CHROOT/dev
sudo mount $CHROOT/tmp
sudo mount $CHROOT/home

Note that you can also bind mount from the command line without adding the extra configuration lines to /etc/fstab. You'll need --rbind for /dev, because otherwise /dev/pts isn't included. For example,

sudo mount --bind /proc $CHROOT/proc
sudo mount --rbind /dev $CHROOT/dev
sudo mount --bind /tmp $CHROOT/tmp

You'll want to use schroot to switch to the chroot as a normal user:

sudo apt-get install schroot

Finally, fix your /etc/schroot/schroot.conf and possibly setup a little wrapper and symlinks as is described in Running applications inside a chroot using schroot.

Okay, back to installing iceweasel.

Installing Iceweasel

Enter the chroot and install iceweasel (this drags in another 130 MB) and fix /usr/lib/iceweasel/iceweasel not to be anal about where it's installed:

sudo chroot $CHROOT
apt-get --yes install libgconf2-4
apt-get --yes install iceweasel
sed -i 's/^MOZ_DIST_BIN=.*/MOZ_DIST_BIN="$(dirname $0)"/' /usr/lib/iceweasel/iceweasel

Setting Up A Wrapper

Leave the chroot and install some needed libraries:

exit              # Leave the chroot
sudo apt-get install ia32-libs-gtk

Installing iceweasel already dragged in so many libraries into the chroot, that ia32-libs-gtk is only really need for /usr/lib/gtk-2.0/2.10.0/engines/libclearlooks.so. I can imagine that it's possible to remove (a lot of) libraries from the chroot because they are already installed as some ia32 package in your amd64 environment, but at this moment I'm too lazy to look into that (for the few cents worth of diskspace).

Next, create the wrapper to start iceweasel; for example, create a file /usr/local/bin/firefox as follows:

sudo sh -c 'cat > /usr/local/bin/firefox << EOF
#!/bin/sh
export GTK_PATH="/usr/lib32/gtk-2.0"
CHROOT="'$CHROOT'"
export LD_LIBRARY_PATH="/lib32:/usr/lib32:\$CHROOT/lib:\$CHROOT/usr/lib"
linux32 "\$CHROOT/usr/lib/iceweasel/iceweasel" "\$@"
EOF'
sudo chmod +x /usr/local/bin/firefox

This should create a file with content like the following:

#!/bin/sh
export GTK_PATH="/usr/lib32/gtk-2.0"
CHROOT="/opt2/firefox-chroot"
export LD_LIBRARY_PATH="/lib32:/usr/lib32:$CHROOT/lib:$CHROOT/usr/lib"
linux32 "$CHROOT/usr/lib/iceweasel/iceweasel" "$@"

At this point everything should work except plugins: It's using your normal home directory, and thus ~/.mozilla and thus your bookmarks, preferences, cookies, passwords etc. Also anti-aliasing should work fine already at this point, as well as "File Type / Download Actions" (Preferences -> Content -> File Types, Manage...), which will run your external applications as 64-bit applications now.

Note that the wrapper sets LD_LIBRARY_PATH to both, [/usr]/lib32 as well as $CHROOT[/usr]/lib, both containing 32-bit libraries. The latter are needed because not all needed 32-bit libraries are provided by ia32-libs and ia32-libs-gtk. But why prepend the path with the lib32 ones? Surely every needed 32-bit library could be installed in the chroot? The reason for this is that some of the libraries contain hardcoded paths, or should I say, one library contains a hardcoded path... $CHROOT/usr/lib/libgdk_pixbuf-2.0.so.0 contains the hardcoded path /usr/lib/gtk-2.0/2.10.0/loaders. This causes it to read the files in /usr/lib/gtk-2.0/2.10.0/loader-files.d, which contain libraries paths in /usr/lib, 64-bit libraries. Therefore it is needed to load libraries from /usr/lib32 before $CHROOT/usr/lib.

Installing Plugins

Installing plugins, which are loaded when the browser is already running, should be easy. The only remaining problem might be hard-coded paths for externally run programs (like java_vm). Flash should not give any problems, so lets start with that.

Installing The Flash Plugin

Fonts

Flash applications often use Microsoft core fonts, and simply don't display any text if you don't have them (which can be very confusing). Therefore, you better install them as well (in the amd64 root):

sudo apt-get install msttcorefonts

After you installed the plugin, you can test if that worked here. Besides TEXT1, TEXT2 and TEXT3, you should see a TEXT4.

The whole point of the chroot is to make it easy to install and update the plugins. So, just enter the chroot and install the plugin the debian way:

sudo chroot $CHROOT apt-get install flashplugin-nonfree

Unfortunately the debian "maintainers" decided to remove this plugin from debian as of lenny. The plugin is now only available if you're using etch or when you're using unstable. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457291 for their reasons.

If the above didn't work then you'll have to use the package from unstable (codename: sid). Once lenny has become stable, and you are using stable you should use the backport (see below).

If you're using testing— then you might want to create the backport yourself, because backports.org is for 'stable', following the instructions below (adapted from 6.4.10 Port a package to the stable system from the debian reference manual). However, you might want to try to just use the 'stable' backport (hoping your libs are compatible; what they usually should be because 'testing' is newer than 'stable').

In order to compile the backport yourself do the following:

exit # Leave chroot
if ! grep '^deb-src.*unstable' $CHROOT/etc/apt/sources.list; then
  sudo sh -c 'echo "# Sources from unstable." >> '"$CHROOT"'/etc/apt/sources.list; \
  echo "deb-src '"$DEBIANMIRROR"' unstable main contrib non-free" >> '"$CHROOT"'/etc/apt/sources.list'
fi
sudo chroot $CHROOT
apt-get update
apt-get --yes install build-essential fakeroot devscripts debhelper;  # Installs 65 MB.
cd /usr/src
mkdir flashplugin-nonfree
cd flashplugin-nonfree
apt-get source flashplugin-nonfree
cd flashplugin-nonfree-*
apt-get --yes build-dep flashplugin-nonfree
dpkg-buildpackage -rfakeroot -us -uc
dpkg -i ../flashplugin-nonfree_*_i386.deb
apt-get purge build-essential fakeroot devscripts debhelper
apt-get autoremove;                                             # Free 65 MB again.
cd /usr/src
rm -rf flashplugin-nonfree

A disadvantage of this method is that it won't upgrade flash when a new release is available.

In order to use backports.org do the following (adapted from here). I'd urge you to use pinning so that upgrading later on will be automatic.

exit # Leave chroot
STABLECODENAME=etch;  # Change this if needed!
if ! grep '^deb http://www\.backports\.org' $CHROOT/etc/apt/sources.list; then
  sudo sh -c 'echo "# Stable backports." >> '"$CHROOT"'/etc/apt/sources.list; \
  echo "deb http://www.backports.org/debian '"$STABLECODENAME"'-backports main contrib non-free" >> '"$CHROOT"'/etc/apt/sources.list'
fi
sudo chroot $CHROOT
apt-get update
wget -O - http://backports.org/debian/archive.key | apt-key add -
exit
sudo chroot $CHROOT apt-get --yes --force-yes -t '"$STABLECODENAME"'-backports install flashplugin-nonfree

Since the support from debian is basically gone, you might also opt for the alternative to download the flashplayer from Adobe yourself and simply drop it in ~/.mozilla/plugins/libflashplayer.so.

Note that flash player 9.0 r115 (which you will get if you download it now) and later have stricter policy files which can cause your client to not be able to connect anymore to certain servers. See for example here and Adobes article on the matter. Version 9.0 r48 and r31 work fine for me. You can obtain the version of your current libflashplayer.so with:

strings $CHROOT/usr/lib/iceweasel/plugins/libflashplayer.so | grep -e "^Shockwave Flash [.\d+]*" | sed -e "s/Shockwave Flash //g"

The version is also visible in about:plugins

Download install_flash_player_9_linux.tar.gz from http://www.adobe.com/ and save and extract the tar-ball, change directory to the extracted content and run as non-root:

linux32 ./flashplayer-installer

to install the plugin in ~/.mozilla/plugins, or run as root to install system wide (the wrapper must be system wide too then, of course). In the latter case enter <CHROOT>/usr/lib/iceweasel as browser directory, where you should replace <CHROOT> with the value of your $CHROOT.

Finally, you want to test it of course. Try this cool site.

Installing An Embedded PDF Viewer Plugin

I wasted two days trying to get acroread to work, but it's broken. Seriously, this is not incompetence; Adobe's acrobat reader really sucks.

Fortunately, there is an open source alternative and that means that if that doesn't work, we can fix it!

Firstly install mozplugger in the firefox chroot, and evince on your amd64:

sudo chroot $CHROOT apt-get --yes install mozplugger
sudo apt-get install evince

This should immediately allow you to watch movies inside the browser (provided you have mplayer installed in your amd64 environment); try to open some .avi from your harddisk with the browser. Also have a look at about:plugins again. Wait, ... watching PDF and postscript works too. It just all works! I love open source.

Installing The Java Plugin

More closed source... Yes, java is open source these days, but the plugin isn't: Sun refuses to release a 64-bit plugin for java, and when that was really open source, it would have been ported long ago.

The following commands will make java work:

sudo chroot $CHROOT
apt-get --yes install libnss-mdns
export LD_LIBRARY_PATH=/usr/lib/jvm/java-6-sun/jre/lib/i386/jli
apt-get --yes --force-yes install sun-java6-bin

The export is needed as work around for bug #435293 in the Debian bug tracking system. The package libnss-mdns is needed because otherwise java just hangs firefox with 100% cpu usage. You don't want to know what I all needed to do to find that THAT was needed! Unfortunately, I still don't know WHY it is needed, rather unsatisfactory.

Finally, we need:

exit # Leave chroot
sudo update-alternatives --install /usr/lib/mozilla-firefox/plugins/libjavaplugin.so firefox-javaplugin.so $CHROOT/usr/lib/jvm/java-6-sun/jre/plugin/i386/ns7/libjavaplugin_oji.so 100
sudo update-alternatives --set firefox-javaplugin.so $CHROOT/usr/lib/jvm/java-6-sun/jre/plugin/i386/ns7/libjavaplugin_oji.so

The first update-alternatives command (see man update-alternatives) creates (or appends to) a group firefox-javaplugin.so with generic name /usr/lib/mozilla-firefox/plugins/libjavaplugin.so and possible value $CHROOT/usr/lib/jvm/java-6-sun/jre/plugin/i386/ns7/libjavaplugin_oji.so. The group is created in automatic mode, using the (arbitrarily chosen) priority 100. The second update-alternatives command sets the group in manual mode and permanently links it to the given value. In effect, the result is that a symbolic link /usr/lib/mozilla-firefox/plugins/libjavaplugin.so points to /etc/alternatives/firefox-javaplugin.so which in turn points to $CHROOT/usr/lib/jvm/java-6-sun/jre/plugin/i386/ns7/libjavaplugin_oji.so.

So why is this needed? Well, when run, iceweasel tries to load all shared libraries in $CHROOT/usr/lib/mozilla-firefox/plugins, the installation of sun-java6-bin in the chroot created an alternative with the name /usr/lib/mozilla-firefox/plugins in the chroot that points to /etc/alternatives/firefox-javaplugin.so, exactly as we just did thus (and even if it didn't do that; firefox simply loads everything from /usr/lib/mozilla-firefox/plugins in the amd64 root!). Therefore, either by reading the link $CHROOT/usr/lib/mozilla-firefox/plugins or by reading a hardcoded path /usr/lib/mozilla-firefox/plugins, it is refered to /etc/alternatives/firefox-javaplugin.so in the amd64 root! Hence, we need to add this alternative/symlink and point it back to the correct shared library in the chroot. There is a minor problem with this however. Suppose one day you run 'apt-get update & apt-get upgrade' in the chroot, and it changes the symbolic link— then our manually added link will not change along and java will simply not work anymore. In that case you will have to update this alternative manually. It is unlikely that it will change however: the name of the package is sun-java6-bin, containing the '6', so at most the 'ns7' part might change one day to 'ns8'?

The most up to date version of this HOWTO can be found on my home page, together with more debian related HOWTO's from myself.

Regards, Carlo Wood

Add Comment Printable version

 

<<< Redirect if a website root is empty? Struggling to implement PCI compliance >>>