Netflix and firejail [solved]
-
Netflix works perfectly in Vivaldi 2.3.1440.60. However, when V is run in firejail it displays
Whoops...
Please visit chrome://components, locate the WidevineCdm component, and click the "Check for update" button.Has anyone managed to fix this minor annoyance?
Thanks.MX-Linux 18.1 Vivaldi 2.3.1440.60 firejail 0.9.58.2
-
@wognath Hello there. Sorry i can't solve it, but just as a fyi to give you hope that there "must" be a solution... i run all my browsers in FJ [.58 same as you, but have done so for several years now in all the older versions], & stream NF most nights. My [Manjaro] V & V-SS installations come from the
herecura
repo [he's a trusted Arch Dev/Maintainer]. As well as providing V & V-SS [built afaik with Widevine included] he also builds the necessary ffmpeg packages, which i also use. For me, this combo of V, FJ & NF works faultlessly. Before Manjaro i ran openSUSE Tumbleweed KDE, & its packaged V & FJ also worked fine for me with NF. Before that i ran Maui, with same result. Intuitively therefore i suspect [with absolutely zero evidence in my hands, of course] that your issue is related specifically to MX-Linux rather than FJ & V per se.I hope maybe @ruario might happen along & solve it for you. Good luck.
-
Hi Steffie, great to hear from you! I suspect you're right and that the issue will disappear after some upgrade or other. Netflix plays in firejail firefox so I have tried some simple changes in the vivaldi firejail profile (noblacklist /var/opt/vivaldi for example), but no luck so far. Anyway it's not causing any problem, just puzzlement. I hope ruario can explain.
P.S. I'm amazed you find enough good movies to stream Netflix every night! I'm finding it harder and harder to browse through junk (and negotiate a choice with my wife); one of these days I'll cancel . I feel about amazon the way you do about g**gle, though, so that's not going to be an alternative.
-
@wognath At the moment i am using the default FJ.58 Profiles for both my Vivaldis, but across my history with FJ there's been various versions when their default profile files for some of my programs buggered-up & broke some [sometimes all] functionality for me. At those times i had to expend many hours learning by my pig-ignorant trial-&-error experimentation, selectively commenting-out line by line in the then-new profile, to discover what command/s was/were the culprit/s. Often that got a result. Other times i found i had to actually fully revert to that pgm's profile file from one or other prior FJ versions [ie, i did not downgrade my FJ version, but i replaced its specific profile file for the troublesome pgm with the older one (i keep copies each time FJ versions bump, for this reason)]. So if you want to burn some minutes/hours, additional to what you already tried, you could do your own experiments for your FJ V profile files via older versions.
The oldest FJ backups i keep unfortunately only go back to .50 [i had not thought of doing it before], so if you like to test, here's that version's two relevant profiles for V-Stable.
/home/steffie/.config/firejail/Previous FJ Profile Versions/0.9.50/vivaldi-stable.profile:
# Firejail profile alias for vivaldi # This file is overwritten after every install/update # Redirect include /etc/firejail/vivaldi.profile
/home/steffie/.config/firejail/Previous FJ Profile Versions/0.9.50/vivaldi.profile:
# Firejail profile for vivaldi # This file is overwritten after every install/update # Persistent local customizations include /etc/firejail/vivaldi.local # Persistent global definitions include /etc/firejail/globals.local noblacklist ~/.cache/vivaldi noblacklist ~/.config/vivaldi include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc mkdir ~/.cache/vivaldi mkdir ~/.config/vivaldi whitelist ${DOWNLOADS} whitelist ~/.cache/vivaldi whitelist ~/.config/vivaldi include /etc/firejail/whitelist-common.inc caps.keep sys_chroot,sys_admin netfilter nodvd nogroups notv shell none private-dev # private-tmp - problems with multiple browser sessions noexec ${HOME} noexec /tmp
Eg, for ages i've had to use a custom FJ profile for
keepassxc
, & in FJ.58 specifically i had to create my ownthunderbird
profile to defeat my erstwhile years of being unable to open TB email links in V... & yay now finally i can.Wrt the NF library/ies, fyi:
- I don't get to go to the cinema, so what you might regard as "old" movies are "new" to me in NF.
- I feast also on NF series [binge binge binge], both external & inhouse.
- I use a VPN, hence i geododge to access NF servers all over the place. Eg, I watched
Outlander
S3 & recently S4, at the Paris server, coz the Sydney server didn't have them. Other times for other stuff, the servers in Toronto, LA, London, Amsterdam etc have served me well.
-
Thanks for the detailed answer, Steffie. Your profile did not work here, but you have given me a starting point. I'll report back if I solve this by rational or irrational changes to firejail profiles.
By the way, in AntiX-base, a close relative of MXLinux, firefox in firejail 9.44.8 would not open any web page or even local files, but everything (including Netflix) works after update to latest LTS.i geododge to access NF servers all over the place...Paris...Sydney...Toronto, LA, London, Amsterdam etc.
Wow, that is impressive! Watching Netflix properly is more complicated than I thought. I was recently out of the US and started watching a series which mysteriously vanished when I returned home. The peseta drops...
-
Bump for a non-update
ruario wroteRunning inside firejail is not supported.
to which steffie replied (on page 4)
I totally understand & respect that from your perspective FJ might be unsupported [albeit considering the merit of FJ that's an unfortunate policy position]...
+1
My firejail 0.9.58.2 vivaldi.profile is just as Steffie gave on p.4 of same topic, that is, ${HOME}/.local/lib/vivaldi has both noblacklist and whitelist entries. H.264 videos run in firejail vivaldi but not widevine
I posted a request for help to https://firejail.wordpress.com/support/#comments
but 2 weeks later, my comment is still awaiting moderation.
-
@wognath Should have continued reading that thread
@Steffie found an FJ profile modification/update Vivaldi 2.4 RC 1 โ Vivaldi Browser snapshot 1488.26
-
@TbGbe With that FJ profile, H.264 videos play, but netflix videos, which require widevine, fail.
-
@wognath I still feel pretty buzzed with yesterday's discovery, so now i feel sad on your behalf that it's still not good there. It is clearly officially redundant now, but might it be worthwhile [in desperation] for you to run Ruari's bash script https://gist.github.com/ruario/3c873d43eb20553d5014bd4d29fe37f1 ?
2 weeks later, my comment is still awaiting moderation
I've had similar experience in the past. Tis frustrating.
-
@wognath I've seen discussion that firejail blocks the home directory. Could that be related?
-
@Ayespy In broad-brush overview, that is true, but on an application by application basis it's far more granular than that. Over the months & years the FJ Dev/s have released a plethora of "profile" files dedicated to individual applications [eg, there's one dedicated to Chromium, another for V-Stable, another for V-SS, one for Thunderbird, etc]. The combo of the base FJ code itself, & the app-specific profile, controls which specific places in
${HOME}/
become "available for use", such that the desired app runs correctly yet all the other User-files remain off-limits to that app [thus providing another layer of protection by isolation].In my experience since i discovered FJ a few years ago, most of the time it works swimmingly, but every now & then... especially with a rapidly-changing target like browsers generally & V specifically... what worked fine "last week" might abruptly stop working with "this week's" new version of the target app. The scenario about which i'd been recently posting in the last few SS threads was a case in point... FJ had not changed, but V did, in such a way that it no longer "played nice" with FJ. That mod which i worked out in the FJ V-SS profile file had never been needed before, but something changed within 2.4.1476.4+ which caused streaming in V in FJ to break. My mod "unlocked" another part of
${HOME}/
that previously had not been applicable.I sincerely hope a similar [or any] solution will emerge asap for @wognath .
-
Because the Netflix error message says to update widevine, I re-ran the update-widevine script, this time in a terminal, and noticed
Widevine (4.10.1196.0) is already installed and does not need to be updated Redirecting "./libwidevinecdm.so" to "/home/spot/.local/lib/vivaldi/libwidevinecdm.so" ln: cannot remove './libwidevinecdm.so': Permission denied
I reran the command with sudo ... and... after trying 1001 rational and irrational changes, I'm back to the default firejail profile, and Netflix works.
Thanks for all the help.
Sincerely,
man facepalmingP.S. presumably this script runs during install since V played Netflix videos without firejail. Weird that it had to be re-run to enable widevine with firejail.
It is necessary to run sudo /opt/vivaldi/update-widevine again after each update.
-