Silverblue will not work with CodeMeter

The WiBu team told me that CodeMeter will not be able to run on Silverblue because the containerized isolation is in contradiction to their CmAct security concept.

This means that software like the Fluendo OnePlay DVD player will not be able to run on Silverblue.

Here the original answer:

“Silverblue basiert auf Flatpak und Ostree die die verschieden Anwendungen in eine Art von Container isoliert, und genau das ist hier das Problem diese Atomare Isolierung steht im Widerspruch mit dem CmAct Schutzsystem das Zugriff auf verschieden Bereiche haben muss und es wird nicht möglich sein CmAct auf SilverBlue einzusetzen.
Also wird CmAct Konzept bedingt nicht auf Silverblue funktionieren.”

I have no previous familiarity with WiBu CodeMeter, but from a brief browse of their documentation, I don’t see any fundamental reason that it couldn’t be made to work fine in the Silverblue context. It looks like the person who wrote back to you has some familiarity with Flatpak, and OSTree, which is great, but they may not be aware of rpm-ostree’s ability to layer additional RPMs onto the system.

If the the system components (udev rules, system service) were layered onto the system, then the capabilities could be made available to Flatpak’ed applications in multiple ways - most cleanly by a custom Flatpak Portal, but that’s not the only possible approach.

Given sufficient customer/developer demand, there shouldn’t be any technical barriers. And if both the system components and the applications were layered, it might even work today.

One thing I can tell you clearly is that it does not work.

They wanted me to install the latest version CodeMeter-6.70.3164-501.x86_64 which I tried.

I have a license for the Fluendo One Play DVD player (this is the only reason I was investigating this problem).

CodeMeter cannot read the license - so I started to discuss with the Fluendo support and then directly with WiBu.

The strange thing is: if I create a container with podman and run CodeMeter within the container then it works - CodeMeter can read the license.

But this does not help me because I cannot start an application with a graphical interface (I also would need to start the Fluendo player itself) within a container (or at least I have no idea how I should do this).

So I am using VLC now instead of Fluendo.

If you use the toolbox application, which automatically set up a Fedora container, then it should automatically set up graphics passthrough.

It’s more than likely the case. I run various Win based packages with CodeMeter protection and they are particular about unrestricted system access. I could see the immutable OS causing issues for the licensing scheme.

Well, if this would work it sounds interesting. But I end up only with error messages.

I tried this:

[fansari@bat ~]$ fedora-toolbox -v create
/usr/bin/fedora-toolbox: checking if image fedora-toolbox-fansari:29 already exists
/usr/bin/fedora-toolbox: checking if container fedora-toolbox-fansari:29 already exists
Error: error looking up container “fedora-toolbox-fansari:29”: no container with name or ID fedora-toolbox-fansari:29 found: no such container
/usr/bin/fedora-toolbox: trying to create container fedora-toolbox-fansari:29
Trying to pull docker.io/library/fedora-toolbox-fansari:29...Failed
Trying to pull registry.fedoraproject.org/fedora-toolbox-fansari:29...Failed
Trying to pull quay.io/fedora-toolbox-fansari:29...Failed
Trying to pull registry.access.redhat.com/fedora-toolbox-fansari:29...Failed
Trying to pull registry.centos.org/fedora-toolbox-fansari:29...Failed
Error: unable to pull fedora-toolbox-fansari:29: 5 errors occurred:
* Error determining manifest MIME type for docker://fedora-toolbox-fansari:29: Error reading manifest 29 in docker.io/library/fedora-toolbox-fansari: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

    * Error determining manifest MIME type for docker://registry.fedoraproject.org/fedora-toolbox-fansari:29: Error reading manifest 29 in registry.fedoraproject.org/fedora-toolbox-fansari: manifest unknown: manifest unknown
    * Error determining manifest MIME type for docker://quay.io/fedora-toolbox-fansari:29: Error reading manifest 29 in quay.io/fedora-toolbox-fansari: error parsing HTTP 404 response body: invalid character '<' looking for beginning of value: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>\n"
    * Error determining manifest MIME type for docker://registry.access.redhat.com/fedora-toolbox-fansari:29: Error reading manifest 29 in registry.access.redhat.com/fedora-toolbox-fansari: unknown: Not Found
    * Error determining manifest MIME type for docker://registry.centos.org/fedora-toolbox-fansari:29: Error reading manifest 29 in registry.centos.org/fedora-toolbox-fansari: manifest unknown: manifest unknown

/usr/bin/fedora-toolbox: failed to create container fedora-toolbox-fansari:29

Next I used this:

[fansari@bat toolbox]$ ./toolbox -v create
toolbox: Fedora generational core is f29
toolbox: base image is fedora-toolbox:29
toolbox: customized user-specific image is fedora-toolbox-fansari:29
toolbox: container is fedora-toolbox-fansari:29
toolbox: checking value /var/run/.heim_org.h5l.kcm-socket (Stream) of property Listen in sssd-kcm.socket
toolbox: parsing value /var/run/.heim_org.h5l.kcm-socket (Stream) of property Listen in sssd-kcm.socket
toolbox: checking if image fedora-toolbox-fansari:29 already exists
Error: error getting image “fedora-toolbox-fansari:29”: unable to find a name and tag match for fedora-toolbox-fansari in repotags: no such image
toolbox: looking for image localhost/fedora-toolbox:29
ERRO[0000] exit status 1
toolbox: looking for image registry.fedoraproject.org/f29/fedora-toolbox:29
toolbox: base image fedora-toolbox:29 resolved to registry.fedoraproject.org/f29/fedora-toolbox:29
toolbox: trying to create working container toolbox-working-container-b178f4f4-524a-11e9-8779-1c1b0d6163d2
toolbox: trying to configure working container toolbox-working-container-b178f4f4-524a-11e9-8779-1c1b0d6163d2
passwd: Note: deleting a password also unlocks the password.
passwd: Note: deleting a password also unlocks the password.
toolbox: trying to create image fedora-toolbox-fansari:29
Getting image source signatures
Copying blob da22bd5bfb28 [======================================] 269.7MiB / 269.7MiB
Copying blob 2b1e21e196ae [======================================] 160.5MiB / 160.5MiB
Copying blob e06601cab6a2 [======================================] 370.0KiB / 370.0KiB
Copying config acfcc0baf5 [======================================] 1.4KiB / 1.4KiB
Writing manifest to image destination
Storing signatures
ERRO[0001] exit status 1
ERRO[0000] exit status 1
toolbox: failed to create image fedora-toolbox-fansari:29

fedora-toolbox is just an older version of toolbox. At a glance I can’t figure out why toolbox would have failed, what happens if you run it again?

I always end up with errors so I have opened bugs reports.

https://pagure.io/fedora-silverblue/issue/9

Today I got it running. I let CodeMeter run in the toolbox container and OnePlay on the host itself. This combination works. OnePlay can read the licence. Thank you guys!