[winswitch] Xpra Xorg launch sequence: using a unix domain socket in /tmp/.X11-unix
Antoine Martin
totaam at gmail.com
Mon Jul 20 03:46:44 BST 2015
I think the wiki could do with some improvements with regards to running
xpra with containers (feel free to edit), until then:
* make sure mmap is enabled (and you can even use a trimmed down build
without any video codecs, which is much safer)
* disable compression
The performance should be very close to native, if not then something is
not setup right.
Cheers
Antoine
It appears that I have fixed my imediate problem. I was sharing
/tmp/.X11-unix using docker volumes, and I needed to run chmod 1777
/tmp/.X11-unix on it to get the permissions the way Xorg wants them :)
Tim
On Sat, Jul 18, 2015 at 10:08:25PM +0200, Timothy Hobbs wrote:
> Dear list,
>
> I am the creator of subuser.org. Subuser is a free open source software
project (LGPL3) which aims to allow a person to run desktop applications
inside Docker containers. Subuser has several aims. One is to make it
easier to publish desktop applications on linux by improving portability.
Another is to make the desktop more secure by containing those desktop
applications within their respective containers.
>
> Right now, the seccond goal is not met. Desktop applications communicate
with the host's X11 server by sharing the /tmp/.X11-unix folder with it.
This works well, but is completely insecure. I have been waiting for
wayland to come out in order to provide a secure solution. However, spurred
on by the success of OZ, written by subgraph.com I have begun to reconsider
xpra as an intermediate option.
>
> As I want to maintain portability and ease of creating subuser Docker
images, I do not wish to install the xpra server in each Docker image which
contains a desktop application. In order to maintain this sepparation of
requirements, I have come up with the following architecture involving 3
containers:
>
> ------------- -------------
> |desktop app| <--/tmp/.X11-unix--> |xpra server| Untrusted
> ------------- -------------
> ^
> | ~/.xpra
> v
> ------------- -------------
> | host | <--/tmp/.X11-unix--> |xpra client| Trusted
> ------------- -------------
>
> This allows me to run 3 containers.
>
> 1) contains the untrusted desktop application
> 2) contains an untrusted xpra server
> 3) contains a trusted xpra client
>
> I can use an up-to-date version of xpra, as I do not need to have xpra
installed on the host.
>
> The only problem, is that when I run
>
> $ xpra start :100 --start-child=xterm
>
> I don't end up with a unix domain socket in the xpra server's
/tmp/.X11-unix directory. This is despite the fact that I have -nolisten
tcp set in xpra.conf:
>
> xvfb=Xorg -dpi 96 -noreset -nolisten tcp +extension GLX +extension RANDR
+extension RENDER -logfile ${HOME}/.xpra/Xorg.${DISPLAY}.log -config
/etc/xpra/xorg.conf
>
> I am confused as to why this is happening, and how I can get a unix
domain socket to work with. I cannot use a UDP socket due to the
difficulties of sharing UDP sockets between containers.
>
> I have been testing this settup on xpra version 0.14.10
>
> Thank you in advance for your help,
>
> Timothy Hobbs
> _______________________________________________
> shifter-users mailing list
> shifter-users at lists.devloop.org.uk
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
_______________________________________________
shifter-users mailing list
shifter-users at lists.devloop.org.uk
http://lists.devloop.org.uk/mailman/listinfo/shifter-users
More information about the shifter-users
mailing list