Anbox

From ArchWiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Related articles

Anbox is a container-based software for running Android on GNU/Linux distributions.

Prerequisite

To use anbox-style packages you need two kernel modules named 'binder' and 'ashmem'.

They are not activated in Arch Linux's default kernel (linux), thus you need to either install a kernel which ships these modules or (re)build a kernel, or use dkms to install the kernel modules seperately. See below for further details.

You might also need to configure your bootloader to use a different kernel. Please refer to the wiki page of your bootloader how to boot with the new kernel. Booting into another kernel (version) is one of the few occasions when you have to reboot a Linux system. You should boot into the kernel that includes the modules before starting Anbox.

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: The following sections are a bit messed up, so some things including below topics should be discussed and changed (if necessary):

1. Which installation methods are still working? 2. Distinction between binder and binderfs. 3. Which loading procedures are necessary?

4. Duplication of information should be avoided. (Discuss in Talk:Anbox)

Module installation options

To get a compatible kernel, you have the following options:

Using Linux-Zen

The linux-zen kernel includes the necessary modules out of the box.

Installing anbox-modules-dkms

The anbox dkms modules have been forked and updated to work for kernels up to and including version 5.15. Please note, that using KProbes may have security implications and you should be aware of certain risks involved with this software, see Security.

If you wish to use anbox related projects, anbox-modules-dkmsAUR is an actively maintained fork and works on latest kernels.

The anbox-modules-dkmsAUR package will install both binder & ashmem as kernel modules.

Run the following commands as root to activate binder and ashmem: 

# modprobe binder_linux devices=binder,hwbinder,vndbinder,anbox-binder,anbox-hwbinder,anbox-vndbinder
# modprobe ashmem_linux

After loading the modules, you may also need to mount binder: 

# mkdir -p /dev/binderfs
# mount -t binder binder /dev/binderfs
Security

In an LWN news post, Jonathan Corbet noted that kallsyms_lookup_name() was to be unexported. See https://lwn.net/Articles/813350/

"One of the basic rules of kernel-module development is that modules can only access symbols (functions and data structures) that have been explicitly exported. Even then, many symbols are restricted so that only modules with a GPL-compatible license can access them."

This caused anbox-modules to no longer build, as this was an out-of-tree user of kallsyms_lookup_name()

Therefore, to use anbox related software with kernel modules, there is a maintained fork of anbox-modules by C. Hoff which explains the issue, with anbox in mind:

On kernel 5.7 and later, kallsyms_lookup_name() can no longer be called from a kernel module for reasons described here: https://lwn.net/Articles/813350/ As binder really needs to use kallsysms_lookup_name() to access some kernel functions that otherwise wouldn't be accessible, KProbes are used on later kernels to get the address of kallsysms_lookup_name(). The function is afterwards used just as before. This is a very dirty hack though and the much better solution would be if all the functions that are currently resolved with kallsysms_lookup_name() would get an EXPORT_SYMBOL() annotation to make them directly accessible to kernel modules.

See also, https://github.com/anbox/anbox-modules/pull/76.

Building a kernel

The necessary modules are included in the source code of most regular kernels, but need to be activated in the kernel config file. After that you need to (re)build the kernel, see Kernel#Compilation.

Add or modify the following options in the kernel config file: 

CONFIG_ASHMEM=y
CONFIG_ANDROID=y
CONFIG_ANDROID_BINDER_IPC=y
CONFIG_ANDROID_BINDERFS=y
CONFIG_ANDROID_BINDER_DEVICES="binder,hwbinder,vndbinder"
CONFIG_SW_SYNC=y
CONFIG_UHID=m

With your new kernel, you will need to append the following to your boot arguments:

binder.devices=binder,hwbinder,vndbinder,anbox-binder,anbox-hwbinder,anbox-vndbinder

When setting compilation options, you have 2 options available: binder and binderfs. Instructions for both are provided below:

Using binder

The modules can either be compiled into the kernel (y), into modules (m), or not at all (n). Also, not all combinations in the configuration are possible, and some options will require other options.

The configuration options below will compile ashmem and binder into the kernel, while the last option specifies that there will be three devices created in the /dev/ directory, when the binder module is loaded. 

CONFIG_ASHMEM=y
CONFIG_ANDROID=y
CONFIG_ANDROID_BINDER_IPC=y
CONFIG_ANDROID_BINDERFS=y
CONFIG_ANDROID_BINDER_DEVICES="binder,hwbinder,vndbinder"
CONFIG_SW_SYNC=y
CONFIG_UHID=m

When building a kernel from the AUR, one can update the configuration with the following steps:

  1. run makepkg --nobuild, which will download the sources, verify and extract them and run the prepare() function.
  2. edit the .config file (with the dot in the filename), which is located at the base of the kernel directory.
  3. at the end of the prepare() function was probably a command which regenerates the makefiles with information from the configuration, possibly make olddefconfig. Move that to the build() function, or execute it yourself.
  4. run makepkg --noextract, which will continue from the place where makepkg --nobuild stopped.
Using binderfs

Not everybody was happy with the binder module in Linux. To address the issues, binderfs was created. One has to choose between the old and the new way when compiling the kernel. With the options below, one will use binderfs instead.

With the kernel sources comes also a simple script to set configuration options. It will not do dependency checks, just like when editing the configuration by hand. When being in the same directory where the .config file lies, one can execute the following commands: 

scripts/config --module  CONFIG_ASHMEM
scripts/config --enable  CONFIG_ANDROID
scripts/config --enable  CONFIG_ANDROID_BINDER_IPC
scripts/config --enable  CONFIG_ANDROID_BINDERFS
scripts/config --set-str CONFIG_ANDROID_BINDER_DEVICES ""

When building a kernel from the AUR, it is enough to insert these lines at the right place in the PKGBUILD, usually in prepare().

Loading the kernel modules

Load binder

When a kernel provides them as build-in, you do not need to manually load them. The linux-zen kernel is one of those and loading is not required. If the used kernel has them build as modules, they need to be explicitly loaded as Anbox does not load them on demand; starting an app will fail if they are not loaded.

To load the kernel modules, see above: #Installing anbox-modules-dkms

To automatically load them at boot, one can load them via the systemd-modules-load.service. To do so, create a file inside /etc/modules-load.d/, which contains the lines: 

/etc/modules-load.d/anbox.conf
ashmem_linux
binder_linux

Mounting binderfs

If your kernel uses binderfs, there is one more step to do: Mounting a binder filesystem.

Firstly, you will need a mountpoint. By default, Anbox will look at /dev/binderfs. You can create that directory now, but it will be removed at boot time.

You can use systemd-tmpfiles to create this directory at boot time. For that, create a file in /etc/tmpfiles.d/ with the content: 

/etc/tmpfiles.d/anbox.conf
d! /dev/binderfs 0755 root root

Secondly, you need to mount the binder filesystem. This can be done by 

# mount -t binder none /dev/binderfs

To mount it always at boot, add a line in the fstab. Using the option nofail here will not greet you with a recovery shell when you are booting a kernel without binderfs support (such as the standard kernel). 

/etc/fstab
none                         /dev/binderfs binder   nofail  0      0

Installation

Install an Android Image

Note: The images are outdated (based on Android 7.1). For now there are no newer images available from upstream. See also Talk:Anbox#Anbox-Images outdated.

Install one of these images:

Tip:
  • To run arm-only apps on anbox style projects, you will need either Houdini or libndk translations which allows all of x86_64, arm64-v8a, x86, armeabi-v7a, or armeabi applications to run on x86_64. See Installing apps.
  • If you want Google apps, you will most likely need a "Play Services" alternative, which is exactly what the The Open GApps Project provides OpenGApps.

Install Anbox

Install the anbox-gitAUR package.

Afterwards, start/enable anbox-container-manager.service.

You have now all the required steps done to use Anbox! In the menu of your desktop environment, you should find several entries in the category Others, which can now be launched.

The first call will take longer. Behind the scenes, anbox session-manager will be launched. For testing purposes, you can also execute anbox session-manager manually in a terminal. That is very useful if anbox crashes and you want to report or fix the bug. Just launch it, and wait until it crashes (if ever).

There is also a systemd unit for users, which can be used to start the session-manager on bootup; start/enable the anbox-session-manager.service user unit. An advantage of this unit is that logs can be found in the event of a crash: 

$ journalctl --user -b -u anbox-session-manager

Keep in mind though, that when it crashes and you start a new app, it will also start the session-manager, but it will be run independently from systemd.

Network

Via NetworkManager

If you are using NetworkManager you can use it to configure the networking.

Execute the following command to create the bridge connection: 

$ nmcli con add type bridge ifname anbox0 -- connection.id anbox-net ipv4.method shared ipv4.addresses 192.168.250.1/24
  • ifname anbox0 specifies the bridge interface name, in this case anbox0. Do not change this as Anbox will only detect the bridge interface if it is named anbox0.
  • connection.id anbox-net specifies the name of the connection to be anbox-net when it appears in NetworkManager. You can change this if you wish.
  • ipv4.method shared instructs NetworkManager to create a NAT network and route outgoing packets according to the system routing rules. For that, the dnsmasq package is required. dnsmasq does not needs to be configured or be started as systemd service, it will be used behind the scenes by NetworkManager — if it is not available, this step will fail silently. You can leave this and the ipv4.addresses parameter out if you wish to attach the Anbox container directly to a specific network, see Network bridge#With NetworkManager. If you choose this option, you must also change the network configuration of the container in anbox-container-manager.service, see the next bullet point.
  • ipv4.addresses 192.168.250.1/24 specifies the default gateway and subnet of the NAT network. If you wish to change this (e.g. to 192.168.42.1/24) you must also indicate the new subnet to anbox in the anbox-container-manager.service using: --container-network-address=192.168.42.2/24 --container-network-gateway=192.168.42.1

NetworkManager will automatically setup the bridge every reboot so you only need to execute the command once.

Via systemd-networkd

The package anbox-gitAUR provides configuration files for systemd-networkd in /usr/lib/systemd/network/ to enable networking in anbox.

Therefore, you can start/enable systemd-networkd before starting anbox-container-manager.service.

Via anbox-bridge script

Alternatively you can use the anbox-bridge script used by the project.

You must execute anbox-bridge every time before starting anbox-container-manager.service in order to get network working in Anbox. The easiest solution for that is to create a drop-in file for the service. 

/etc/systemd/system/anbox-container-manager.service.d/enable-anbox-bridge.conf
[Service]
ExecStartPre=/usr/bin/anbox-bridge start
ExecStopPost=/usr/bin/anbox-bridge stop

Usage

You can run the Android applications on your desktop's launcher on Other category.

If you want to use adb to debug, install android-tools. The anbox session-manager must already be running when launching it. 

$ adb shell

Installing apps

Unless you picked an image with Houdini, Anbox does not have support for ARM applications. So apps must have a x86_64 architecture.

You can also add support for x86_64, arm64-v8a, x86, armeabi-v7a, armeabi apps by extracting the nativebridge ndk translations from the Android Emulator.

Example tools include:

Through adb

To install /path/to/app.apk 

$ adb install /path/to/app.apk

To get the list of installed applications 

$ adb shell pm list packages

Note that output will be similar to package:app.name, where app.name is different from the one displayed in the Anbox container.

To uninstall app.name 

$ adb uninstall app.name

If app.name is a system app 

$ adb uninstall --user 0 app.name

Through apps stores

Apps can be easily installed through apps stores. In anbox-image-gappsAUR PlayStore is included.

Sensor data

Via dbus different sensors can be set. Documentation on that can be found at dbus.md.

Temperature data

That is the example from the author (PRs #1522 & #1540): 

$ dbus-send --session --dest=org.anbox --print-reply /org/anbox org.freedesktop.DBus.Properties.Set string:org.anbox.Sensors string:Temperature variant:double:25.1

GPS data

(introduced by PR #1606)

GPS sensor data can also be manipulated.

If your PC has a WWAN card, you can use gpsd and the code from the PR to feed Anbox with GPS data. You do not need to have a SIM-Card for GPS.

Otherwise, you can also look at the PR to learn how to feed it fake data with the help of [1].

Root shell

With this script from the Anbox project one can get a root shell inside the Android container.

It is not part of the anbox-gitAUR package, and it also does not use adb.

Tips and tricks

Android developer options

Some extra steps need to be done besides unlocking them the same way you do on an android phone. When installing the android image, some modifications to products/anbox.xml are required:

  • <unavailable-feature name="android.hardware.usb.host" /> is the reason why they are not available.
  • <feature name="android.software.backup" /> will be needed too, to avoid a NullPointerException.

(reference: Github issue #444)

Getting debugging information

Obviously, it is helpful to have debugging symbols in the Anbox build. For that, when compiling Anbox, add options=('!strip') to the PKGBUILD, as by default they are removed. And, use either -DCMAKE_BUILD_TYPE=RelWithDebInfo or -DCMAKE_BUILD_TYPE=Debug in the cmake call.

But there is more to it! Anbox uses backward-cpp. If you do not delete the build files for Anbox, it will print pretty stack traces when crashing, which point out the places in the source code.

Also see the remarks in Install Anbox.

Troubleshooting

If you run into issues, take a look at the official Issue Tracker: [2]

Old CPUs

Anbox requires support for SSE 4.1/4.2 and SSSE 3, because Android wants that too. Some older CPUs do not provide that, so you probably cannot use Anbox, see: Anbox Github Issue 499.

Secure Boot error

If you get this error message: 

modprobe: ERROR: could not insert 'ashmem_linux': Operation not permitted

Secure Boot is likely blocking the module. You can either disable Secure Boot or sign the ashmem module yourself.

More info can be found in the Anbox Github Docs.

See also