From cc94d998daa59821578c4ff02c881cef98212b2f Mon Sep 17 00:00:00 2001 From: Glenn Van Loon Date: Mon, 16 Mar 2026 11:16:47 +0100 Subject: [PATCH 1/5] Print exact command in debug message when not dryrun --- src/zwift.sh | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/src/zwift.sh b/src/zwift.sh index fb7b65d6..f0ece8fb 100755 --- a/src/zwift.sh +++ b/src/zwift.sh @@ -670,19 +670,29 @@ fi declare -a container_command container_command=("${CONTAINER_TOOL}" run "${container_args[@]}" "${IMAGE}:${VERSION}" "${entrypoint_args[@]}") -# DRYRUN: print the exact command that would be executed, then exit -if [[ ${DRYRUN} -eq 1 ]]; then - msgbox ok "DRYRUN:" - msgbox ok "environment variables (${container_env_file}):" +# Print the exact command that would be executed + +print_container_command() { + local msg_type="${1:?}" + + msgbox "${msg_type}" "environment variables (${container_env_file}):" for env_var in "${container_env_vars[@]}"; do env_var="${env_var//\\/\\\\}" # escape backslashes env_var="${env_var//ZWIFT_USERNAME=*/ZWIFT_USERNAME=💜💜💜💜💜💜}" # redact username env_var="${env_var//ZWIFT_PASSWORD=*/ZWIFT_PASSWORD=💜💜💜💜💜💜}" # redact password - msgbox ok " • ${env_var}" + msgbox "${msg_type}" " • ${env_var}" done - msgbox ok "${CONTAINER_TOOL} command:" - msgbox ok " $(printf '%q ' "${container_command[@]}")" + msgbox "${msg_type}" "${CONTAINER_TOOL} command:" + msgbox "${msg_type}" " $(printf '%q ' "${container_command[@]}")" +} + +if [[ ${DRYRUN} -eq 1 ]]; then + msgbox ok "DRYRUN:" + print_container_command ok exit 0 +else + msgbox debug "Starting ${CONTAINER_TOOL} container with the following arguments:" + print_container_command debug fi # Create a volume if not already exists, this is done now as From e29a5f40f255d87da4b62687083510ad74c75cc8 Mon Sep 17 00:00:00 2001 
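Review bot: The redaction in `print_container_command` masks only `ZWIFT_USERNAME` and `ZWIFT_PASSWORD`, and with the new `else` branch this output is now emitted on every normal start at debug level instead of only under DRYRUN. Any other sensitive value in `container_env_vars`, and anything carried in `container_command` (printed with `printf '%q '` and no redaction), would land in the logs that patch 3/5 of this series asks users to paste into issues; whether such values exist depends on code outside this hunk. Consider stating the limit above the function, e.g. `# NOTE: only ZWIFT_USERNAME/ZWIFT_PASSWORD are redacted; the command line is printed as-is`, or redacting by name pattern rather than by two fixed names. Separately, `env_var` is assigned inside the function without `local`, so the loop variable leaks into the global scope; add `local env_var` next to `local msg_type`.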
From: Glenn Van Loon Date: Mon, 16 Mar 2026 13:34:03 +0100 Subject: [PATCH 2/5] Make default graphics config more readable --- src/zwift.sh | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/zwift.sh b/src/zwift.sh index f0ece8fb..1f2011f6 100755 --- a/src/zwift.sh +++ b/src/zwift.sh @@ -425,7 +425,18 @@ if [[ ${ZWIFT_OVERRIDE_GRAPHICS} -eq 1 ]]; then zwift_graphics_config="${zwift_user_graphics_config}" # Create graphics.txt file if it does not exist. elif [[ ! -f ${zwift_graphics_config} ]]; then - echo -e "res 1920x1080(0x)\nsres 2048x2048\nset gSSAO=1\nset gFXAA=1\nset gSunRays=1\nset gHeadlight=1\nset gFoliagePercent=1.0\nset gSimpleReflections=0\nset gLODBias=0\nset gShowFPS=0" > "${zwift_graphics_config}" + { + echo "res 1920x1080(0x)" + echo "sres 2048x2048" + echo "set gSSAO=1" + echo "set gFXAA=1" + echo "set gSunRays=1" + echo "set gHeadlight=1" + echo "set gFoliagePercent=1.0" + echo "set gSimpleReflections=0" + echo "set gLODBias=0" + echo "set gShowFPS=0" + } > "${zwift_graphics_config}" msgbox warning "Created ${zwift_graphics_config} with default values, edit this file to tweak the zwift graphics settings" 0 fi From 215702759b20c98c34854f7036445620fe3e8307 Mon Sep 17 00:00:00 2001 From: Glenn Van Loon Date: Mon, 16 Mar 2026 16:45:55 +0100 Subject: [PATCH 3/5] Don't ask for DRYRUN output VERBOSE=3 already shows the container environment variables and command. --- .github/ISSUE_TEMPLATE/help.yaml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/help.yaml b/.github/ISSUE_TEMPLATE/help.yaml index 1ea29c03..75ef8fdd 100644 --- a/.github/ISSUE_TEMPLATE/help.yaml +++ b/.github/ISSUE_TEMPLATE/help.yaml 
@@ -13,7 +13,7 @@ body: options: - label: I have given details of my install including Distribution, Wayland/ XOrg, Parameters Used, echo $XAUTHORITY, etc. required: true - - label: I have provided logs showing any errors, if available (use `VERBOSITY=3 ZWIFT_FG=1 zwift` and `DRYRUN=1 zwift`) + - label: I have provided logs showing any errors, if available (use `VERBOSITY=3 ZWIFT_FG=1 zwift`) required: true - label: I have filled out the issue template to the best of my ability. required: true @@ -31,17 +31,9 @@ body: label: Zwift Logs description: The output of launching zwift. value: | - - Zwift foreground logs: - ```text Place VERBOSITY=3 ZWIFT_FG=1 zwift output here ``` - - - Zwift dry run logs: - - ```text - Place DRYRUN=1 zwift output here - ``` validations: required: true - type: textarea From 6fa131106bf336313fd7af125c58328d42514c3c Mon Sep 17 00:00:00 2001 From: Glenn Van Loon Date: Sat, 4 Apr 2026 11:33:43 +0200 Subject: [PATCH 4/5] Refactor container security flags --- src/zwift.sh | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/src/zwift.sh b/src/zwift.sh index 1f2011f6..7a45b369 100755 --- a/src/zwift.sh +++ b/src/zwift.sh 
@@ -472,27 +472,22 @@ else container_args+=(-d) fi -# Setup container security flags # Detect if SELinux is actively enforcing -_selinux_enforcing() { +is_selinux_active() { local enforce_file=/sys/fs/selinux/enforce - if [[ -f ${enforce_file} ]]; then - [[ $(< "${enforce_file}") == "1" ]] - else - return 1 - fi + [[ -f ${enforce_file} ]] && [[ $(< "${enforce_file}") == "1" ]] } # Setup container security flags -if [[ ${PRIVILEGED_CONTAINER:-0} -eq 1 ]]; then - # Explicit opt-in to privileged mode - container_args+=(--privileged --security-opt label=disable) # privileged container, less secure -elif _selinux_enforcing; then - # SELinux is active, use label-based security - container_args+=(--security-opt label=type:container_runtime_t) # more secure +if [[ ${PRIVILEGED_CONTAINER} -eq 1 ]]; then + msgbox warning "PRIVILEGED_CONTAINER is set, running container in privileged mode" + container_args+=(--privileged --security-opt label=disable) +elif is_selinux_active; then + msgbox info "SELinux is active, using secure container flags" + container_args+=(--security-opt label=type:container_runtime_t) else - # Not SELinux (e.g. AppArmor/none), default to privileged for GPU compatibility - container_args+=(--privileged --security-opt label=disable) # privileged container, less secure + msgbox warning "Not using SELinux, running container in privileged mode to be able to access the GPU" + container_args+=(--privileged --security-opt label=disable) fi # Append extra arguments provided by user From 0b79711188aefdbe7e86f58817bf11566e72b84c Mon Sep 17 00:00:00 2001 From: Glenn Van Loon Date: Sat, 4 Apr 2026 11:37:03 +0200 Subject: [PATCH 5/5] Use getenforce to check if SELinux is active --- src/zwift.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/zwift.sh b/src/zwift.sh index 7a45b369..8a4ad6ab 100755 --- a/src/zwift.sh +++ b/src/zwift.sh 
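Review bot: The new info message describes `--security-opt label=type:container_runtime_t` as "secure container flags", which overstates it: in the container-selinux policy `container_runtime_t` is the domain of the container engine itself and is much broader than the default `container_t`, so this branch is less exposed than `--privileged` but is not a confined container. A more accurate wording would be `msgbox info "SELinux is enforcing, using label type container_runtime_t instead of --privileged"`. The condition also changed from `${PRIVILEGED_CONTAINER:-0}` to `${PRIVILEGED_CONTAINER}`; if the script runs under `set -u` and no default is assigned earlier (not visible in this hunk), an unset variable would now abort, so keeping `:-0` is the safer form. Finally, the name `is_selinux_active` reads as "enabled" while the function is true only when enforcing, so a host in permissive mode takes the else branch and is told "Not using SELinux".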
@@ -474,8 +474,8 @@ fi # Detect if SELinux is actively enforcing is_selinux_active() { - local enforce_file=/sys/fs/selinux/enforce - [[ -f ${enforce_file} ]] && [[ $(< "${enforce_file}") == "1" ]] + local enforcing + command_exists getenforce && enforcing="$(getenforce)" && [[ ${enforcing} == "Enforcing" ]] } # Setup container security flags
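Review bot: `is_selinux_active` now returns false whenever `getenforce` is not on PATH, so an enforcing host without the SELinux userland tools falls through to the `--privileged --security-opt label=disable` branch from the previous patch. The kernel file that the removed lines read does not depend on that tool, so it is worth keeping as a fallback: `command_exists getenforce && { [[ $(getenforce) == "Enforcing" ]]; return; }` followed by `[[ -f /sys/fs/selinux/enforce && $(< /sys/fs/selinux/enforce) == "1" ]]`. `command_exists` is defined outside this hunk, so its behaviour is assumed here.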