diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b1f7750..a5ca665e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,33 +6,39 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. Project website: https://github.com/mviereck/x11docker -## [Unreleased] +## [4.2.0](https://github.com/mviereck/x11docker/releases/tag/v4.2.0) - 2018-05-04 ### Added - `--group-add`: New option to add groups to container user. Needed instead of ` -- --group-add` to cover user switching setups, too. - `--showid`: New option to show container ID on stdout. - `--runfromhost`: Replaces deprecated `--add` to have a meaningful option name. + - `--runasroot`: New option to run command as root in container on startup. + Similar to already existing `--exe`, but integrates with container. ### Changed - `--gpu`: Support for automatical installation of NVIDIA drivers in container. Limited to `glibc` based image systems. [(#41)](https://github.com/mviereck/x11docker/issues/41) - - `elogind` support for `--sysvinit`, `--openrc`, `--runit` and `--dbus-system`. + - `elogind` support for `--sysvinit`, `--openrc` and `--runit`. See also [elogind in container: elogind#52](https://github.com/elogind/elogind/issues/52) - `--systemd`: If host does not run `systemd`, create `/sys/fs/cgroup/systemd`. - `--dbus-system`: wait for bus socket to be ready before continuing. - `--tini`: Use `tini-static` from `~/.local/share/x11docker` or `/usr/local/share/x11docker` if available. Show message for this possibility if `/usr/bin/docker-init` is missing. (Widespread docker packaging issue). - [(#42)](https://github.com/mviereck/x11docker/issues/42) + [(#23)](https://github.com/mviereck/x11docker/issues/23) + - Avoid user switching except for `--systemd`, `--sysvinit`, `--openrc` and + `--runit`. [(#42)](https://github.com/mviereck/x11docker/issues/42) - Outsourced `x11docker.png` from `x11docker-gui`. - No default output of container ID on stdout anymore. Use `--showid` instead. - `--silent`: Do not show error messages except in logfile. 
+ - `--weston[-xwayland] --fullscreen`: Use X backend if possible to prevent + possible crash with nested fullscreen weston in host drm weston. + - Disabled forwarding of `stdin` to container, has not been reliable. ### Deprecated - `--add` changed its option name to `--runfromhost`. ### Fixed - Don't share or link `/tmp/.Xn-lock` as usefulness is in doubt. Avoids issues with `x11docker/xwayland`. - - Forward `stdin` again. (Had been disappeared in a subshell) - `--stdout --showid:` Make sure container ID is shown first. ## [4.1.1](https://github.com/mviereck/x11docker/releases/tag/v4.1.1) - 2018-04-12 diff --git a/README.md b/README.md index 02b74b23..e14f0678 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,13 @@ # x11docker: Run GUI applications in docker ![x11docker logo](x11docker.png) ## Avoiding X security leaks and hardening container security -Running graphical applications or desktop environments in docker images is effectively similar to running a snapshot of a virtual machine that is set back to it origin state on every restart. Advantage: It needs much less resources than a virtual machine, and it is easier to share host resources like hardware acceleration, sound and clipboard. Persistant data storage is possible with shared host folders. Persistant system changes can be done in Dockerfile. +Running graphical applications or desktop environments in docker images is +effectively similar to running a snapshot of a virtual machine that is +set back to it origin state on every restart. +Advantage: It needs much less resources than a virtual machine, and it is +easier to share host resources like hardware acceleration, sound and clipboard. +Persistant data storage is possible with shared host folders. +Persistant system changes can be done in Dockerfile. - Avoids X security leaks by running [additional X servers](#choice-of-x-servers-and-wayland-compositors). - Improves container [security](#security): - Restricts container capabilities to bare minimum. 
@@ -19,8 +25,8 @@ Running graphical applications or desktop environments in docker images is effec - Supports [init systems](#init-system) `tini`, `runit`, `openrc`, `SysVinit` and `systemd` in container. - Developed on debian 9. Tested on fedora 25, CentOS 7, openSUSE 42.3, Ubuntu 16.04, Manjaro 17, Mageia 6 and Arch Linux. - Easy to use. [Examples](#examples): - - `x11docker jess/cathode` - - `x11docker --desktop --size 320x240 x11docker/lxde` + - `x11docker jess/cathode` + - `x11docker --desktop --size 320x240 x11docker/lxde` ![x11docker-gui screenshot](/../screenshots/screenshot-retroterm.png?raw=true "Cathode retro term in docker") ![LXDE in xpra](/../screenshots/screenshot-lxde-small.png?raw=true "LXDE desktop in docker") 
@@ -90,31 +96,43 @@ _Basics:_ - Already installed on most systems with an X server: `xrandr`, `xauth` and `xdpyinfo`. _Advanced usage:_ + - **Clipboard** sharing with option `--clipboard` needs `xclip`. (Not needed for `--xpra`, `--nxagent` and `--hostdisplay`). Image clipboard sharing is possible with `--xpra` and `--hostdisplay`. + - **Sound**: + - Option `--alsa` has no dependencies. + - You can install ALSA libraries in image to support virtual devices (debian images: `libasound2`). + - Option `--pulseaudio` needs `pulseaudio` on host _and_ in image. - **Hardware acceleration** with option `--gpu` - - Beside `xpra`, also install `Xwayland`, `weston` and `xdotool`. (Not needed for `--xorg` and `--hostdisplay`) - - Works best with open source drivers on host and OpenGL/Mesa in image. - - With closed source drivers on host, you need the very same driver version in image. - For a possible automated install of nvidia driver in container try out latest master version. + - Works best with open source drivers on host and OpenGL/Mesa in image. In most cases everything will work out of the box with just setting `--gpu`. + - To provide good X isolation: Beside `xpra`, also install `Xwayland`, `weston` and `xdotool` on host. Without these, you still can use `--hostdisplay` and `--xorg`. - Packages for OpenGL/Mesa in image: - debian and Ubuntu images: `mesa-utils mesa-utils-extra`. - CentOS and fedora images: `glx-utils mesa-dri-drivers` - Alpine and NixOS images: `mesa-demos mesa-dri-ati mesa-dri-intel mesa-dri-nouveau mesa-dri-swrast` - Arch Linux images: `mesa-demos` - - **Sound**: - - Option `--alsa` has no dependencies. - - You can install ALSA libraries in image to support virtual devices (debian images: `libasound2`). - - Option `--pulseaudio` needs `pulseaudio` on host _and_ in image. - - **Clipboard** sharing with option `--clipboard` needs `xclip`. (Not needed for `--xpra`, `--nxagent` and `--hostdisplay`). 
Image clipboard sharing is possible with `--xpra` and `--hostdisplay`. - - Rarer needed dependencies for special options: - - `--nxagent` provides a fast and lightweight alternative to `xpra` and `Xephyr`. Needs [`nxagent`](https://packages.debian.org/experimental/nxagent) to be installed. - - `--kwin` and `--kwin-xwayland` need `kwin_wayland`, included in modern `kwin` packages. - - `--xdummy` needs dummy video driver `xserver-xorg-video-dummy` (debian) or `xorg-x11-drv-dummy` (fedora). - - `--xvfb` needs `Xvfb` - - `--xfishtank` needs `xfishtank` to show a fish tank. - - `--dbus` is needed only for QT5 application in Wayland. It needs `dbus-launch` (package `dbus-x11`) in image. - - `--starter` needs `xdg-user-dir` to locate your `Desktop` folder for starter icons. - - `--install`, `--update` and `--remove` need `unzip` and `xdg-icon-resource`. - - List of all host packages for all possible x11docker options (debian package names): `xpra xserver-xephyr xvfb weston xwayland nxagent kwin xserver-xorg-video-dummy xfishtank xclip xdg-utils xauth xdotool xrandr unzip`, further (deeper surgery in system): `pulseaudio xserver-xorg-legacy`. + - Proprietary closed source drivers from NVIDIA corporation need some manual setup and have some restrictions. Consider to use free `nouveau` driver instead. + - x11docker can automatically install closed source nvidia drivers in container at every container startup. It gives some instructions in terminal output. + - The image should contain `modprobe` (package `kmod`) and `xz`. x11docker installs them if they are missing, but that slows down container startup. + - You need the very same driver version as on host. It must not be a `deb` or `rpm` package but an `NVIDIA_[...].run` file. Store it at one of the following locations: + - `~/.local/share/x11docker` (current user only) + - `/usr/local/share/x11docker` (system wide) + - Look at NVIDIA driver download page or try the direct download link provided in x11docker terminal output. 
+ - Closed source driver installation fails on image systems that are not based on `glibc`. This affects especially [Alpine](https://alpinelinux.org/) based images. + NVIDIA corporation does not provide the source code that would allow you to use your hardware with different systems. + - Alternativly, you can install a driver version matching your host setup in image yourself. Note that this image will not be portable anymore. + - Consider to say: "Closed source sucks". + +_Rarer needed dependencies for special options:_ + - `--nxagent` provides a fast and lightweight alternative to `xpra` and `Xephyr`. Needs [`nxagent`](https://packages.debian.org/experimental/nxagent) to be installed. + - `--kwin` and `--kwin-xwayland` need `kwin_wayland`, included in modern `kwin` packages. + - `--xdummy` needs dummy video driver `xserver-xorg-video-dummy` (debian) or `xorg-x11-drv-dummy` (fedora). + - `--xvfb` needs `Xvfb` + - `--xfishtank` needs `xfishtank` to show a fish tank. + - `--dbus` is needed only for QT5 application in Wayland. It needs `dbus-launch` (package `dbus-x11`) in image. + - `--starter` needs `xdg-user-dir` to locate your `Desktop` folder for starter icons. + - `--install`, `--update` and `--remove` need `unzip` and `xdg-icon-resource`. + +_List of all host packages for all possible x11docker options (debian package names):_ + - `xpra xserver-xephyr xvfb weston xwayland nxagent kwin xserver-xorg-video-dummy xfishtank xclip xdg-utils xauth xdotool xrandr unzip`, further (deeper surgery in system): `pulseaudio xserver-xorg-legacy`. ![x11docker-gui dependencies screenshot](/../screenshots/x11docker-dependencies.png?raw=true) 
@@ -122,8 +140,8 @@ _Advanced usage:_ root permissions are needed only to run docker. X servers run as unprivileged user. _Running x11docker as unprivileged user:_ - - x11docker checks whether docker needs a password to run and whether `su` or `sudo` are needed to get root privileges. A password prompt appears, if needed. - - If that check fails and does not match your setup, use option `--pw FRONTEND`. `FRONTEND` can be one of `su sudo gksu gksudo lxsu lxsudo kdesu kdesudo beesu pkexec` or `none`. + - x11docker checks whether docker needs a password to run and whether `su` or `sudo` are needed to get root privileges. A password prompt appears if needed. + - If that check fails and does not match your setup, use option `--pw FRONTEND`. `FRONTEND` can be one of `su sudo gksu gksudo lxsu lxsudo kdesu kdesudo beesu pkexec` or `none`. _Running x11docker as root:_ - Commands other than `docker` are executed as unprivileged user determined with [`logname`](http://pubs.opengroup.org/onlinepubs/9699919799/utilities/logname.html). (You can specify another host user with `--hostuser USER`). 
@@ -214,8 +232,8 @@ _Most important:_ _Rather special options reducing security, but not needed for regular use:_ - `--sudouser` allows sudo with password `x11docker`for container user. If an application breaks out of container, it can do anything. Allows some container capabilties that x11docker would drop otherwise. - - `--systemd`, `--openrc` and `--runit` allow some container capabilities that x11docker would drop otherwise. `--systemd` also shares access to `/sys/fs/cgroup`. - `--cap-default` disables x11docker's container hardening and falls back to default docker container privileges. + - `--systemd`, `--sysvinit`, `--openrc` and `--runit` allow some container capabilities that x11docker would drop otherwise. `--systemd` also shares access to `/sys/fs/cgroup`. - `--hostipc` sets docker run option `--ipc=host`. (Allows MIT-SHM / shared memory. Disables IPC namespacing.) - `--hostnet` sets docker run option `--net=host`. (Allows dbus connection to host, Shares host network stack.) 
@@ -290,10 +308,23 @@ x11docker --hostdisplay x11docker/xfce thunar # Thunar from another image appea ``` # Init system -x11docker supports init systems as PID 1 in container. - - As default, x11docker uses docker built-in [`tini`](https://github.com/krallin/tini) with docker run option `--init`. - - Init in container solves the [zombie reaping issue](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/). +x11docker supports init systems as PID 1 in container. Init in container solves the [zombie reaping issue](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/). + +## tini +As default, x11docker uses docker built-in [`tini`](https://github.com/krallin/tini) with docker run option `--init`. - You can disable init in container with option `--no-init`. + - On some distributions docker's init `/usr/bin/docker-init` is missing in docker package. To provide a replacement, download `tini-static` from https://github.com/krallin/tini + and store it at one of following locations: + - `~/local/share/x11docker` + - `/usr/local/share/x11docker` + - Example installation code: +``` +mkdir -p ~/.local/share/x11docker +cd ~/.local/share/x11docker +wget https://github.com/krallin/tini/releases/download/v0.18.0/tini-static +chmod +x tini-static +``` + ## systemd, SysVinit, runit, OpenRC x11docker sets up the init system to run desired command. No special setup is needed beside installing the init system in image. Installing `dbus` in image is recommended. - `--systemd`: [systemd](https://wiki.debian.org/systemd) in container. 
@@ -309,6 +340,24 @@ x11docker sets up the init system to run desired command. No special setup is ne - `--sysvinit`: [SysVinit](https://wiki.archlinux.org/index.php/SysVinit) in container. - Tested with [devuan](https://devuan.org/) images from [gitlab/paddy-hack](https://gitlab.com/paddy-hack/devuan/container_registry). +## elogind +x11docker automatically supports `elogind` in container with init system options `--sysvinit`, `--runit` and `--openrc`. + - You must set option `--sharecgroup` to allow `elogind` in container. + - If your host does not run with `elogind` (but e.g. with `systemd`), x11docker needs an elogind cgroup mountpoint at `/sys/fs/cgroup/elogind`. Run x11docker with root privileges to automatically create it. + - Same goes for `elogind` on host and `systemd` in container; a cgroup mountpoint for `systemd` must be created. + - Example to manually create elogind cgroup mountpoint on a systemd host: +``` +mount -o remount,rw cgroup /sys/fs/cgroup # remove write protection +mkdir -p /sys/fs/cgroup/elogind +mount -t cgroup cgroup /sys/fs/cgroup/elogind -o none,name=elogind +mount -o remount,ro cgroup /sys/fs/cgroup # restore write protection +``` + - Example to manually create a systemd cgroup mountpoint on an elogind host: +``` +mkdir -p /sys/fs/cgroup/systemd +mount -t cgroup cgroup /sys/fs/cgroup/systemd -o none,name=systemd +``` + ## dbus Some desktop environments and applications need a running dbus daemon and/or dbus user session. - use `--dbus-system` to run dbus system daemon. This includes option `--dbus`. Some desktops like cinnamon or deepin depend more on dbus system daemon than on a running full blown init system. diff --git a/x11docker b/x11docker index 4e570340..65a0fc8a 100755 --- a/x11docker +++ b/x11docker 
@@ -10,7 +10,7 @@ # Type 'x11docker --help' or scroll down to read usage information. # More documentation at: https://github.com/mviereck/x11docker -Version="4.2.0-beta" +Version="4.2.0" usage() { # --help: show usage information echo " @@ -68,16 +68,15 @@ Basic settings: (especially influencing auto choosing X server) -d, --desktop Indicate desktop environment in image. -g, --gpu Hardware accelerated OpenGL rendering. Shares files in /dev/dri. Works best with open source drivers installed - on host and OpenGL/Mesa in image. Closed source drivers - need to be the very same on host and in image. + on host and OpenGL/Mesa in image. + For closed source nvidia drivers regard terminal output. Degrades container isolation. Container access to GPU. - -W, --wayland Set up a wayland environment. (Some QT5 apps also need - option --dbus, some GTK3 apps must run without --dbus.) -w, --wm COMMAND Host window manager to use for single applications in nested X server options like --xephyr. To autodetect a host wm, use --wm=auto or short: -wm To set default autodetected window manager: update-alternatives --config x-window-manager + -W, --wayland Create a Wayland environment. Shared folders: -m, --home Share a host folder ~/x11docker/imagename as home folder @@ -100,6 +99,9 @@ Clipboard, sound, language: Same as host: --lang=\$LANG. Special options: + --sudouser Allow sudo and su for container user. Use with care, + severe reduction of default x11docker security! + Password: x11docker --no-internet Disable internet access for container. --no-entrypoint Disable ENTRYPOINT in image to allow other commands, too --workdir DIR Set working directory DIR 
@@ -109,10 +111,8 @@ Special options: For custom access to new X server. Get environment with: read xenv < <(x11docker --showenv [...]) --showid Echo container ID on stdout. - --sudouser Allow sudo and su for container user. Use with care, - severe reduction of default x11docker security! - Password: x11docker --runfromhost CMD Run host command CMD on new X server (you may need & ). + --runasroot CMD Run command CMD as root in container on startup. --pw FRONTEND Choose frontend for password prompt. Possible FRONTEND: su sudo gksu gksudo lxsu lxsudo kdesu kdesudo pkexec beesu none @@ -252,7 +252,7 @@ Miscellaneous: --ps Preserve container and cache files on exit. --cleanup Clean up orphaned containers and cache files. -Verbose options: +Verbosity options: -v, --verbose Be verbose. Output of logfile on stderr. --silent Do not show terminal messages. --debug Debug mode: Show some debug output, @@ -466,6 +466,7 @@ installer() { # --install, --update, --update-master, --remove: Instal note "Installing icon for x11docker with xdg-icon-resource" xdg-icon-resource install --context apps --novendor --mode system --size 64 "$(pwd)/x11docker.png" x11docker || warning "Could not install icon for x11docker. Is 'xdg-icon-resource' installed on your system?" + xdg-icon-resource uninstall --size 72 x11docker ||: # deprecated icon size, may still be present. note "Creating application entry for x11docker" [ -e "/usr/bin/x11docker-gui" ] && { @@ -752,7 +753,7 @@ writeaccess() { # check if useruid $1 has write access to folder $2 waitforfilecreation() { # similar to inotify-wait: wait up to 15s for file $1 to be created # $1 file to wait for # $2 time to wait. default: 15s. possible: infinity - local Zeit Warten + local Zeit Warten Dauer Count Zeit=$(date +%s) verbose "Waiting for file creation of ${1:-}" case ${2:-} in 
@@ -761,13 +762,15 @@ waitforfilecreation() { # similar to inotify-wait: wait up to 15s for file $1 to *) Warten=${2:-} ;; esac while [ ! "$(find "${1:-}" 2>/dev/null)" ] ; do - sleep 0.2 - [ $Warten -lt $(($(date +%s) - $Zeit)) ] && { + Count=$(( Count + 1 )) + Dauer=$(( $(date +%s) - $Zeit )) + sleep $(awk "BEGIN { print $Count * 0.1 }") + [ $Warten -lt $Dauer ] && { warning "Failed to wait for file creation of ${1:-}" return 1 } - verbose "waiting since $(($(date +%s) - $Zeit))s for ${1:-} to be created, will wait up to $Warten seconds." + verbose "waiting since ${Dauer}s for ${1:-} to be created, will wait up to $Warten seconds." [ -e "$Timetosaygoodbye" ] && { verbose "stopped waiting for ${1:-} due to terminating signal." return 1 @@ -778,15 +781,17 @@ waitforfilecreation() { # similar to inotify-wait: wait up to 15s for file $1 to return 0 } waitforfilecontent() { # wait for file $1 to be not empty - local Zeit Warten # $1 file to look at + local Zeit Warten Dauer Count Zeit=$(date +%s) Warten=15 verbose "Waiting for file content in ${1:-}" while [ ! -s "${1:-}" ] ; do - sleep 0.2 - [ $Warten -lt $(expr $(date +%s) - $Zeit) ] && return 1 - verbose "waiting since $(expr $(date +%s) - $Zeit)s for ${1:-} to have content, will wait up to $Warten seconds." + Count=$(( Count + 1 )) + Dauer=$(( $(date +%s) - $Zeit )) + sleep $(awk "BEGIN { print $Count * 0.1 }") + [ $Warten -lt $Dauer ] && return 1 + verbose "waiting since ${Dauer}s for ${1:-} to have content, will wait up to $Warten seconds." [ -e "$Timetosaygoodbye" ] && { verbose "stopped waiting for file content of ${1:-} due to terminating signal." return 1 
@@ -798,14 +803,16 @@ waitforlogentry() { # wait for entry $3 in logfile $2 of application $1 # $1 is the application we are waiting for to be ready # $2 points to logfile # $3 keyword to wait for - local Zeit Warten + local Zeit Warten Dauer Count Zeit=$(date +%s) Warten=24 while ! cat "${2:-}" | grep -q "${3:-}" ; do + Count=$(( Count + 1 )) + Dauer=$(( $(date +%s) - $Zeit )) # verbose "waiting since $(expr $(date +%s) - $Zeit)s for ${1:-} to be ready..." - verbose "waiting since $(expr $(date +%s) - $Zeit)s for ${1:-} to be ready..." - sleep 0.2 - [ $Warten -lt $(expr $(date +%s) - $Zeit) ] && return 1 + verbose "waiting since ${Dauer}s for ${1:-} to be ready..." + sleep $(awk "BEGIN { print $Count * 0.1 }") + [ $Warten -lt $Dauer ] && return 1 [ -e "$Timetosaygoodbye" ] && { verbose "stopped waiting for logentry in ${2:-} of ${1:-} due to terminating signal." return 1 @@ -876,6 +883,7 @@ Mksu="" # prefix to run unprivileged com Mksubenutzer="" # prefix to run commands as user defined by --user Hostgidaudio="" # host GID of group audio. Can differ from container GID Hostgidvideo="" # host GID of group video. Can differ from container GID +Groupadd="" # option --group-add: additional groups for container user # Gaining root privileges to run docker Passwordprompt="" # way to ask for password. one of pkexec, su, sudo, gksu, gksudo, auto @@ -900,6 +908,7 @@ Dockeroptions="" # options for docker after -- an # docker variables Containername="" # name of container set by x11docker to make --cleanup able to find orphaned containers Containerpid="" # process ID of script process with docker container +Nonewprivileges="yes" # docker related files Dockerrc=dockerrc # init script run by docker. Creates $Imagecommandscript 
@@ -1005,6 +1014,7 @@ Anyterminal="" # terminal emulator for alert() Terminallist="" # list of possible terminal emulators. Only a few work on wayland # regular options +Sudouser="no" # option --sudouser: Create user and root with sudo permissions with password 'x11docker' Benutzerhosthome="no" # option '-m, --home' (or '--homedir'): share a folder ~/.local/share/x11docker/Imagename with created container Benutzerhosthomefolder="" # " " : path to shared folder. Sharevolumes="" # option --volume: host folders to share, array @@ -1035,10 +1045,10 @@ Debug="no" # option --debug: Throw it all o DebugPS4='+ \033[32m${LINENO}:${FUNCNAME[0]:+${FUNCNAME[0]}(): }\033[0m' # developer options -Sudouser="no" # option --sudouser: Create user and root with sudo permissions with password 'x11docker' Capdropall="yes" # option --cap-default: (don't) drop all container capabilities Adminusercaps="no" # options --sudouser, --systemd: add capabilities for general sys administration -Switchcontaineruser="no" # options --dbus, --sudouser and initsystems: add capabilities for su/sudo user switching +Switchcontaineruser="no" # options for init systems: user switching to toggle login daemons +Switchcontainerusercaps="no" # options --dbus, --sudouser and initsystems: add capabilities for su/sudo user switching Sharehostipc="no" # option --hostipc, set --ipc=host. Sharehostnet="no" # option --hostnet, set --ipc=net Preservecachefiles="no" # if yes, dont delete cache files 
@@ -1046,7 +1056,8 @@ Preservecontainer="no" # option '-p, --ps': if yes, pre Initsystem="tini" Capsysadmin="no" # option --sys-admin: add capability SYS_ADMIN (deprecated) Sharecgroup="no" # options --systemd, --cgroup: share /sys/fs/cgroup -Addcommand="" # option --add: add host command to xinitrc +Runfromhost="" # option --runfromhost: add host command to xinitrc +Runasroot="" # option --runasroot: add command running as root to container setup script # X authentication Xauthentication="yes" # option '--no-auth' use cookie authentication yes/no @@ -1104,7 +1115,7 @@ Wm_all="$Wm_recommended_nodesktop_light $Wm_recommended_nodesktop_heavy $Wm_rec Longoptions="$Longoptions,xhost:,no-auth,vt:,display:,xtest,no-xtest,env:,showenv,showid" # X and environment options Longoptions="$Longoptions,verbose,stdout,stderr,silent,debug" # verbose options Longoptions="$Longoptions,hostipc,hostnet,ps,cache,cap-default,no-entrypoint,sudouser,hostuser:,group-add:" # capabilities, users - Longoptions="$Longoptions,cachedir:,homedir:,westonini:,sharedir:,keymap:,runfromhost:" # developer options + Longoptions="$Longoptions,cachedir:,homedir:,westonini:,sharedir:,keymap:,runfromhost:,runasroot:" # developer options Longoptions="$Longoptions,ipc,net,dbus-daemon,dbusdaemon,sharewayland,waylandenv,add:" # deprecated Parsedoptions="$(getopt --options $Shortoptions --longoptions $Longoptions --name "$0" -- "$@" 2>/tmp/x11docker_parsererror)" 
@@ -1141,18 +1152,20 @@ Wm_all="$Wm_recommended_nodesktop_light $Wm_recommended_nodesktop_heavy $Wm_rec -K|--kwin) Xserver="--kwin" ; Autochooseserver="no" ;; --kwin-xwayland) Xserver="--kwin-xwayland" ; Autochooseserver="no" ;; -n|--nxagent) Xserver="--nxagent" ; Autochooseserver="no" ;; - -W|--wayland) Sharewayland="yes" ; Setwaylandenv="yes" ;; # set up wayland environment, regards --desktop #### Influencing X server -d|--desktop) Desktopmode="yes" ;; # image contains a desktop environment. - -g|--gpu) Gpu="yes" ;; # share files in /dev/dri - -w|--wm) case ${2:-} in + -g|--gpu) Gpu="yes" ;; # share files in /dev/dri, allow GPU usage + -w|--wm) case ${2:-} in # choose host window manager ""|"n"|"none") Windowmanager="none" ;; "m"|"auto") Windowmanager="auto" ;; *) Windowmanager=${2:-} ;; esac shift Desktopmode="yes" ;; + -W|--wayland) Sharewayland="yes" # set up wayland environment, regards --desktop + Setwaylandenv="yes" + Dbusdaemon="yes" ;; #### Appearance -f|--fullscreen) Fullscreen="yes" ;; # fullscreen mode for Xephyr and Weston @@ -1176,10 +1189,10 @@ Wm_all="$Wm_recommended_nodesktop_light $Wm_recommended_nodesktop_heavy $Wm_rec --no-internet)Internetaccess="no" ;; # disallow internet access --workdir) Workdir="$(escapestring "${2:-}")" ; shift ;; # set working directory --pw) Passwordprompt="${2:-}" ; shift ;; # frontend for password prompt - --runfromhost|--add) Addcommand="${2:-}" + --runfromhost|--add) Runfromhost="${2:-}" ; shift # add custom host command in xinitrc [ "${1:-}" = "--add" ] && warning "Option --add changed to --runfromhost and is deprecated. - Please use --runfromhost instead." - shift ;; # add custom host command in xinitrc + Please use --runfromhost instead." ;; + --runasroot) Runasroot="${2:-}" ; shift ;; # add custom root command in container setup script #### Verbose options -v|--verbose) Verbose="yes" ;; # be verbose 
@@ -1942,9 +1955,6 @@ Parsed options: $Parsedoptions" --weston|--kwin|--hostwayland) note "You are running a pure Wayland environment. X applications without Wayland support will fail." - [ "$Dbuslaunch" = "no" ] || [ "$Setwaylandenv" = "no" ] && note "QT5 / KDE applications need - options --dbus --wayland to run in Wayland. - GTK3 applications often fail with option --dbus." [ "$Xserver" = "--kwin" ] && note "kwin_wayland (option --kwin) does not support the xdg_shell interface in all versions. Some GTK3 Wayland applications depend on it. If application startup fails, try --weston instead." @@ -2106,8 +2116,9 @@ Parsed options: $Parsedoptions" Cmdstderrlogfile="$Sharefolder/$Cmdstderrlogfile" && mkfile $Cmdstderrlogfile 666 mkfile "$Sharefolder/environment" + ### FIXME disabled, blocks in ssh setups. # catch stdin (submitted in x11docker.CMD.sh) - [ -t 0 ] || cat >> $Cmdstdinfile + # [ -t 0 ] || cat >> $Cmdstdinfile } { #### part: create $Hostxenv: Environment variables for host X display @@ -2222,7 +2233,6 @@ Parsed options: $Parsedoptions" } { #### part: --gpu: check nvidia driver - [ "$Gpu" = "yes" ] && { warning "Option --gpu degrades container isolation. Container gains access to GPU hardware. @@ -2231,14 +2241,6 @@ Parsed options: $Parsedoptions" note "Hardware acceleration (option --gpu) works quite well with open source drivers on host and OpenGL/MESA in image. - - OpenGL/MESA packages for different base images: - Debian, Ubuntu: mesa-utils mesa-utils-extra - Arch Linux: mesa-demos - Fedora, CentOS: glx-utils mesa-dri-drivers - Alpine, NixOS: mesa-demos mesa-dri-ati mesa-dri-intel - mesa-dri-nouveau mesa-dri-swrast - If you have closed source nvidia driver on host, you need the very same closed source driver version in container to get hardware acceleration." } 
@@ -2246,30 +2248,32 @@ Parsed options: $Parsedoptions" # check for closed source nvidia driver on host, provide automated installation, warn about disadvantages [ "$Gpu" = "yes" ] && [ -e "/proc/driver/nvidia" ] && { Nvidiaversion=$(cat /proc/driver/nvidia/version | head -n1 | awk '{ print $8 }') - verbose "Detected nvidia driver $Nvidiaversion on host." + verbose "Detected nvidia driver version $Nvidiaversion on host." Nvidiadriver=$(find /usr/local/share/x11docker/NVIDIA* $Hostuserhome/.local/share/x11docker/NVIDIA* 2>/dev/null | grep $Nvidiaversion ) [ -e "$Nvidiadriver" ] && { - Adminusercaps="yes" verbose "Found proprietary closed source nvidia driver installer $Nvidiadriver" note "Will install closed source nvidia driver $Nvidiaversion in container. That slows down container startup. Startup will be much faster if image already includes modprobe and xz (packages 'kmod' and 'xz' or 'xz-utils'). With free nouveau driver on host there would be no startup delay. - Ask NVIDIA corporation to publish the closed source API of your hardware." + Ask NVIDIA corporation to publish the closed source API of your hardware. + Ask NVIDIA corporation to actively support free nouveau driver." [ "$Capdropall" = "yes" ] && warning "To install proprietary closed source nvidia driver, - x11docker must grant advanced privileges to container that would be dropped + x11docker must give some capabilities to container that would be dropped otherwise for security reasons. Container security is reduced now. You would not have this issue with free nouveau driver on host." - warning "Installation of proprietary closed source nvidia driver - fails with images based on musl libc like NixOS and Alpine. - Due to closed source policy of NVIDIA corporation that is not solvable. - Ask NVIDIA corp. to publish driver source code so you can use the hardware - you paid for on linux systems different from their presumptions. - Otherwise, install free nouveau driver on host." 
+ note "Installation of proprietary closed source nvidia driver + fails in containers based on musl libc like NixOS and Alpine. + Installation in openSUSE containers fails with a self-extraction error. + + For openSUSE images you can try to create a custom installation + command with option --runasroot or to install a closed source nvidia driver + in image itself that matches your nvidia driver version on host." + # disabled: automated install of glibc compatibilty layer. nvidia installer fails anyway. # Alpineglibc=$(find /usr/local/share/x11docker/glibc*.apk $Hostuserhome/.local/share/x11docker/glibc*.apk 2>/dev/null | sort -V | tail -n1 ) # [ "$Alpineglibc" ] || note "For images based on musl libc like alpine or NixOS nvidia 
@@ -2279,24 +2283,23 @@ Parsed options: $Parsedoptions" # $Hostuserhome/.local/share/x11docker/ # /usr/local/share/x11docker/ # Otherwise, x11docker will download and install on itself in container." - : } || { Nvidiadriver="" warning "You are using proprietary closed source nvidia driver. - GPU acceleration will only work if you have the very same driver version - installed in image. That makes images less portable. + GPU acceleration will only work if you have installed the very same driver + version in image. That makes images less portable. It is recommended to use free open source nouveau driver on host instead. Ask NVIDIA corporation to at least publish their closed source API, or even better to actively support open source drivers like nouveau." - note "x11docker can try to automatically install nvidia driver $Nvidiaversion - in container on every container startup. + note "x11docker can try to automatically install nvidia driver + version $Nvidiaversion in container on every container startup. Drawbacks: Container startup is slower and its security will be reduced. You can look here for a driver installer: https://www.nvidia.com/Download/index.aspx A direct download URL may be: - https://us.download.nvidia.com/XFree86/Linux-x86_64/$Nvidiaversion/NVIDIA-Linux-x86_64-$Nvidiaversion.run + https://http.download.nvidia.com/XFree86/Linux-x86_64/$Nvidiaversion/NVIDIA-Linux-x86_64-$Nvidiaversion.run If you got a driver, store it at one of the following locations: $Hostuserhome/.local/share/x11docker/ /usr/local/share/x11docker/ 
@@ -2305,6 +2308,10 @@ Parsed options: $Parsedoptions" The file name must begin with 'NVIDIA', contain the version number $Nvidiaversion and end with suffix '.run'. + Automated installation fails on image systems not using glibc like Alpine + and fails on openSUSE images with a self-extraction error. + These issues cannot be fixed due to closed source policy of NVIDIA corporation. + To avoid all this, use free nouveau driver on host instead of proprietary closed source nvidia driver." } @@ -2729,11 +2736,12 @@ startup-animation=fade " >> "$Westonini" [ -n "$Xkblayout" ] && echo "keymap_layout=$Xkblayout" >> "$Westonini" [ -z "$Xkblayout" ] && [ "$Tty" = "yes" ] && echo "$(echo -n "keymap_layout=" && cat /etc/default/keyboard | grep XKBLAYOUT | cut -d= -f2 | cut -d'"' -f2)" >> "$Westonini" - [ -n "$Hostwayland" ] && [ "$Xserver" != "--xpra-xwayland" ] && [ "$Hostsystem" != "ubuntu" ] && { + [ -n "$Hostwayland" ] && [ "$Xserver" != "--xpra-xwayland" ] && [ "$Hostsystem" != "ubuntu" ] && [ "$Fullscreen" = "no" ] && { Westonoutput="WL" } || { [ -n "$Hostdisplay" ] && Westonoutput="X" } + [ -z "$Westonoutput" ] && [ -n "$Hostwayland" ] && Westonoutput="WL" [ "$Tty" = "yes" ] && { [ -n "$Screensize" ] || [ "$Scaling" != "0" ] || [ -n "$Rotation" ] && { # short start&stop of Weston to grep name of monitor 
@@ -3277,23 +3285,29 @@ done [ -e "$Hostuserhome/.local/share/x11docker/tini-static" ] && Tinibinary="$Hostuserhome/.local/share/x11docker/tini-static" [ -z "$Tinibinary" ] && { Initsystem="none" - warning "Did not find binary for init system tini. + note "Did not find binary for init system tini. This is most probably an issue with your distributions docker package. It should provide an executeable /usr/bin/docker-init. Please write a bug report to your distribution maintainer. - To get the advantages of init in container and to avoid possible startup - failures for some setups, please download tini-static from here: + To get the advantages of init in container, please download tini: https://github.com/krallin/tini/releases/download/v0.18.0/tini-static Make it executeable with 'chmod +x tini-static' and store it in one of: $Hostuserhome/.local/share/x11docker/ /usr/local/share/x11docker/" } || { - [ -x "$Tinibinary" ] || chmod +x "$Tinibinary" + [ -x "$Tinibinary" ] || { + chmod +x "$Tinibinary" || { + warning "Your tini binary is not executeable. Please run + chmod +x $Tinibinary" + Initsystem="none" + } + } } - + verbose "Found tini binary: ${Tinibinary:-(none)}" ;; + systemd) warning "Option --systemd degrades container isolation. It allows some docker container capabilities (nearly like --cap-default). @@ -3396,10 +3410,9 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' Containername="x11docker_X${Newdisplaynumber}_${Mycookie}_$(echo $Imagename | tr / _ | tr : _ )" Dockercommand="$Dockercommand --name=$Containername" - [ "$Benutzeruid" = "0" ] && Adminusercaps="yes" + [ "$Benutzeruid" = "0" ] && Sudouser="yes" [ "$Sudouser" = "yes" ] && Adminusercaps="yes" - [ "$Adminusercaps" = "yes" ] && Switchcontaineruser="yes" - [ "$Dbusdaemon" = "yes" ] && Switchcontaineruser="yes" + [ "$Dbusdaemon" = "yes" ] && Switchcontainerusercaps="yes" && Nonewprivileges="no" case $Initsystem in none|tini) 
@@ -3420,7 +3433,7 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' --userns=host" [ "$Capdropall" = "yes" ] && Dockercommand="$Dockercommand \\ - --cap-drop=ALL" + --cap-drop ALL" # option --sys-admin (deprecated) [ "$Capsysadmin" = "yes" ] && Dockercommand="$Dockercommand \\ @@ -3433,6 +3446,7 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' systemd) Switchcontaineruser="yes" + Nonewprivileges="no" Sharecgroup="yes" Dockercommand="$Dockercommand \\ --stop-signal SIGRTMIN+3\\ @@ -3446,6 +3460,7 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' runit) Switchcontaineruser="yes" + Nonewprivileges="no" Dockercommand="$Dockercommand \\ --stop-signal HUP --env VIRTUALIZATION=docker \\ --cap-add SYS_BOOT --cap-add KILL" 
@@ -3453,37 +3468,55 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' openrc) Switchcontaineruser="yes" + Nonewprivileges="no" Dockercommand="$Dockercommand \\ --cap-add SYS_BOOT --cap-add KILL" ;; sysvinit) Switchcontaineruser="yes" + Nonewprivileges="no" Dockercommand="$Dockercommand \\ --cap-add SYS_BOOT --cap-add KILL" ;; esac + [ "$Switchcontaineruser" = "yes" ] && Switchcontainerusercaps="yes" [ "$Capdropall" = "yes" ] && { [ "$Adminusercaps" = "yes" ] && { - Switchcontaineruser="yes" + Switchcontainerusercaps="yes" + Nonewprivileges="no" Dockercommand="$Dockercommand \\ --cap-add CHOWN --cap-add KILL\\ --cap-add FSETID --cap-add FOWNER --cap-add SETPCAP" } - [ "$Switchcontaineruser" = "yes" ] && { + [ "$Switchcontainerusercaps" = "yes" ] && { Dockercommand="$Dockercommand \\ --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE\\ --cap-add AUDIT_WRITE" - } || { - Dockercommand="$Dockercommand \\ - --security-opt no-new-privileges" } # option --dbusdaemon: dbus needs CHOWN for XDG_RUNTIME_DIR [ "$Dbusdaemon" = "yes" ] && [ "$Adminusercaps" = "no" ] && Dockercommand="$Dockercommand \\ --cap-add CHOWN" - } - + : + } || Nonewprivileges="no" + + case $Nonewprivileges in + yes) Dockercommand="$Dockercommand \\ + --security-opt no-new-privileges" ;; + no) warning "Container runs without --security-opt=no-new-privileges. + That reduces default x11docker container security hardening. + This is the case for options: + --wayland --dbus-system --sudouser --cap-default + --systemd --sysvinit --openrc --runit" + [ "$Setwaylandenv" = "yes" ] && note "For more restricted Wayland setups + including --security-opt=no-new-privileges you can drop option --wayland + and use one of options '--weston', '--kwin' or '--hostwayland'. + QT5 applications also need options '--dbus --env QT_QPA_PLATFORM=wayland'. + But GTK3 applications must run without option '--dbus'." 
+ ;; + esac + # SELinux restrictions for containers must be disabled to allow access to X socket. Flags z or Z do not help. Dockercommand="$Dockercommand \\ --security-opt label=type:container_runtime_t" @@ -3558,10 +3591,15 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' --device=$Line:$Line:rw \\ -v $Line:$Line:rw" done < <(find /dev/dri /dev/nvidia* /dev/vga_arbiter -maxdepth 0 2>/dev/null ||:) - [ "$Nvidiadriver" ] && Dockercommand="$Dockercommand \\ + [ "$Nvidiadriver" ] && { + Dockercommand="$Dockercommand \\ -v $Nvidiadriver:$Cshare/NVIDIA-$Nvidiaversion.run:ro" - [ "$Alpineglibc" ] && Dockercommand="$Dockercommand \\ + [ "$Capdropall" = "yes" ] && [ "$Adminusercaps" = "no" ] && Dockercommand="$Dockercommand \\ + --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE\\ + --cap-add CHOWN --cap-add FOWNER" + [ "$Alpineglibc" ] && Dockercommand="$Dockercommand \\ -v $Alpineglibc:$Cshare/glibc.apk:ro" + } } ## options --hostipc and --hostnet 
@@ -3646,61 +3684,90 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' echo " Imagecommand=\${Imagecommand#/bin/sh -c }" echo " Imagecommand=\${Imagecommand%]}" echo "}" - [ "$Noentrypoint" = "no" ] && { - echo "# check ENTRYPOINT" - echo "Entrypoint=\$(docker inspect --format='{{.Config.Entrypoint}}' $Imagename)" - echo "Entrypoint=\${Entrypoint#[}" - echo "Entrypoint=\${Entrypoint#/bin/sh -c }" - echo "Entrypoint=\${Entrypoint%]}" - [ "$Initsystem" != "none" ] && { - echo "echo \"\$Entrypoint\" | grep -qE '/tini|/init|/systemd' && {" - echo " note \"There seems to be an init system in ENTRYPOINT of image:" - echo " \$Entrypoint" - echo " Will disable it as x11docker already runs an init with option --$Initsystem." - echo " To allow this ENTRYPOINT, run x11docker with option --no-init.\"" - echo " Entrypoint=" - echo "}" - } ||: - } || echo "Entrypoint=" + echo "" + + [ "$Tinibinary" ] && echo "Tini=\"/tini --\"" + case $Noentrypoint in + yes) echo "Entrypoint=" ;; + no) + echo "# check ENTRYPOINT" + echo "Entrypoint=\$(docker inspect --format='{{.Config.Entrypoint}}' $Imagename)" + echo "Entrypoint=\${Entrypoint#[}" + echo "Entrypoint=\${Entrypoint#/bin/sh -c }" + echo "Entrypoint=\${Entrypoint%]}" + case $Initsystem in + systemd|sysvinit|runit|openrc) + echo "echo \"\$Entrypoint\" | grep -qE '/init|/systemd' && {" + echo " note \"There seems to be an init system in ENTRYPOINT of image:" + echo " \$Entrypoint" + echo " Will disable it as x11docker already runs an init with option --$Initsystem." + echo " To allow this ENTRYPOINT, run x11docker with option --no-init.\"" + echo " Entrypoint=" + echo "}" + ;; + tini) + echo "echo \"\$Entrypoint\" | grep -qE '/tini|/init|/systemd' && {" + echo " note \"There seems to be an init system in ENTRYPOINT of image:" + echo " \$Entrypoint" + echo " x11docker will run this instead of tini from host." 
+ echo " You can disable this ENTRYPOINT with option --no-entrypoint.\"" + echo " Tini=" + echo "}" + ;; + none) + echo "echo \"\$Entrypoint\" | grep -qE '/tini|/init|/systemd' && {" + echo " note \"There seems to be an init system in ENTRYPOINT of image:" + echo " \$Entrypoint\"" + echo "}" + ;; + esac + ;; + esac + echo "" + echo "[ -z \"\$Imagecommand\$Entrypoint\" ] && echo 'x11docker WARNING: No image command specified and no CMD or ENTRYPOINT found in image.'|tee -a $Logfile" + echo "" - echo "# create x11docker.CMD.sh (shared with container and given as image command to docker run)" - echo "{ echo '#! /bin/sh'" + #### create x11docker.CMD.sh #### + echo "# create x11docker.CMD.sh (shared with container and given as image command to docker run)" + echo "{ echo '#! /bin/sh'" [ "$Debug" = "yes" ] && echo "echo 'set -x'" - echo " echo '# created startscript for docker run: x11docker.CMD.sh'" - echo " echo '# runs as unprivileged user in container'" - echo " echo 'echo x11docker: Running unprivileged user commands in container'" - - echo ' echo Imagecommand="\"$Imagecommand\""' - echo ' echo Entrypoint="\"$Entrypoint\""' - echo " echo ''" - echo " echo 'echo x11docker: container system:'" - echo " echo 'cat /etc/os-release'" - echo " echo ''" - - echo " echo '# wait for container setup script do be ready'" - echo " echo 'for Count in $(seq -s' ' 30); do'" - echo " echo ' [ -e /x11docker.setupready ] && break'" - echo " echo ' echo x11docker: waiting for root setup to be ready && sleep 0.1'" - echo " echo 'done'" - echo " echo ''" - echo "} >> $Imagecommandscript" + echo " echo '# created startscript for docker run: x11docker.CMD.sh'" + echo " echo '# runs as unprivileged user in container'" + echo " echo 'echo x11docker: Running unprivileged user commands in container'" + + echo ' echo Imagecommand="\"$Imagecommand\""' + echo ' echo Entrypoint="\"$Entrypoint\""' + echo " echo ''" + echo " echo 'echo x11docker: container system:'" + echo " echo 'cat 
/etc/os-release'" + echo " echo ''" + + echo " echo '# wait for container setup script do be ready'" + echo " echo 'Zeit=\$(date +%s)'" + echo " echo 'for Count in $(seq -s' ' 90); do'" + echo " echo ' [ -e /x11docker.setupready ] && break'" + echo " echo ' echo \"'" + echo " echo 'x11docker: waiting since \$((\$(date +%s) - \$Zeit))s for container setup to be ready\"'" + echo " echo ' sleep \$(awk \"BEGIN { print \$Count*0.2 }\")'" + echo " echo 'done'" + echo " echo ''" + echo "} >> $Imagecommandscript" [ "$Switchcontaineruser" = "yes" ] && { echo "echo '# Environment variables found in image:' >> $Imagecommandscript" echo "IFS=$'\n'" echo "while read -r Line; do" - echo " echo export \$(escapestring \"\$Line\") >> $Imagecommandscript" + echo " echo export \$(escapestring \"\$Line\") >> $Imagecommandscript" echo "done < <(docker run --rm --entrypoint env $Imagename env)" echo "IFS=$' \t\n'" echo "" - echo "echo 'export TINI_SUBREAPER=1' >> $Imagecommandscript" } - echo "{" - echo " echo ''" - echo " echo '# x11docker variable settings'" - echo " echo export USER=\"$Benutzer\"" + echo "{" + echo " echo ''" + echo " echo '# x11docker variable settings'" + echo " echo export USER=\"$Benutzer\"" [ "$Benutzerhosthome" = "no" ] && { echo " echo mkdir -p -v $Benutzerhome" for ((Count=1 ; Count<=$Sharevolumescount ; Count++)) ; do @@ -3708,11 +3775,11 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' echo " echo 'ln -s ${Sharevolumes[$Count]} $Benutzerhome'" done } - echo " echo 'export HOME=\"$Benutzerhome\"'" - echo " echo 'cd \"\$HOME\"'" + echo " echo 'export HOME=\"$Benutzerhome\"'" + echo " echo 'cd \"\$HOME\"'" [ "$Workdir" ] && echo " echo 'cd $Workdir'" - echo " echo ''" + echo " echo ''" [ -n "$Newdisplay" ] && { echo " echo 'export DISPLAY=$Newdisplay'" 
@@ -3729,14 +3796,14 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' echo " echo '[ -z \"\$Dbus\" ] && Dbus=\"\$(dbus-run-session --help >/dev/null 2>&1 && echo dbus-run-session)\"'" echo " echo '[ -z \"\$Dbus\" ] && echo \"x11docker WARNING: Did not find dbus-launch or dbus-run-session (option --dbus).\" >&2'" } - echo " echo 'echo x11docker: running dbus user session with: \${Dbus:-(none)} >&2'" - echo " echo ''" - echo ' echo "[ -e \"\$XDG_RUNTIME_DIR\" ] || {"' - echo " echo ' export XDG_RUNTIME_DIR=/tmp/XDG_RUNTIME_DIR'" - echo " echo ' mkdir -v -m 700 -p \$XDG_RUNTIME_DIR'" - echo " echo ' export XDG_RUNTIME_DIR'" - echo " echo ''" - echo " echo '}'" + echo " echo 'echo x11docker: running dbus user session with: \${Dbus:-(none)} >&2'" + echo " echo ''" + echo ' echo "[ -e \"\$XDG_RUNTIME_DIR\" ] || {"' + echo " echo ' export XDG_RUNTIME_DIR=/tmp/XDG_RUNTIME_DIR'" + echo " echo ' mkdir -v -m 700 -p \$XDG_RUNTIME_DIR'" + echo " echo ' export XDG_RUNTIME_DIR'" + echo " echo ''" + echo " echo '}'" [ "$Sharewayland" = "yes" ] && { echo " echo ''" 
@@ -3753,47 +3820,45 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' *) echo " echo 'export XDG_SESSION_TYPE=x11'" ;; esac - echo " echo ''" - echo " echo '# xpra environment settings'" - echo " echo 'export UBUNTU_MENUPROXY= QT_X11_NO_NATIVE_MENUBAR=1 MWNOCAPTURE=true MWNO_RIT=true MWWM=allwm'" + [ "$Switchcontaineruser" = "yes" ] && echo " echo 'export TINI_SUBREAPER=1'" + echo " echo ''" + echo " echo '# xpra environment settings'" + echo " echo 'export UBUNTU_MENUPROXY= QT_X11_NO_NATIVE_MENUBAR=1 MWNOCAPTURE=true MWNO_RIT=true MWWM=allwm'" [ -n "$Xprashm" ] && echo " echo 'export $Xprashm'" - echo " echo ''" - echo " echo 'bash --version >/dev/null 2>&1 && export SHELL=/bin/bash || export SHELL=/bin/sh'" - echo " echo 'export TERM=xterm'" - echo " echo ''" + echo " echo ''" + echo " echo 'bash --version >/dev/null 2>&1 && export SHELL=/bin/bash || export SHELL=/bin/sh'" + echo " echo 'export TERM=xterm'" + echo " echo ''" - echo " echo '[ -e /x11docker.LANG ] && export LANG=\"\$(cat /x11docker.LANG)\"'" - echo " echo ''" + echo " echo '[ -e /x11docker.LANG ] && export LANG=\"\$(cat /x11docker.LANG)\"'" + echo " echo ''" [ "$Pulseaudio" = "yes" ] && echo " echo 'export $Pulseserver'" - echo " echo '# custom environment (--env)'" + echo " echo '# custom environment (--env)'" IFS=$'\n' for Line in $Customenvironment ; do echo " echo export $(escapestring $Line)" done IFS=$' \t\n' - echo " echo ''" + echo " echo ''" - echo " echo 'echo x11docker: container environment:'" - echo " echo 'env >> $Cshare/environment'" - echo " echo 'sed -i \"/\(PWD=\|_=\)/d\" $Cshare/environment'" - echo " echo 'env | sort'" - echo " echo 'echo x11docker: copy of environment stored in $Cshare/environment'" - echo " echo ''" - - [ "$Tinibinary" ] && echo " echo 'Tini=\"/tini --\"'" + echo " echo 'echo x11docker: container environment:'" + echo " echo 'env >> $Cshare/environment'" + echo " echo 'sed -i \"/\(PWD=\|_=\)/d\" $Cshare/environment'" + echo " 
echo 'env | sort'" + echo " echo 'echo x11docker: copy of environment stored in $Cshare/environment'" + echo " echo ''" - echo " echo \"echo x11docker: running image command: \\\$Tini \\\$Dbus \$Entrypoint \$Imagecommand\"" + echo " echo \"echo x11docker: running image command: \$Tini \\\$Dbus \$Entrypoint \$Imagecommand\"" [ -s "$Cmdstdinfile" ] && echo " echo \"cat $Cshare/stdin | \\\$Dbus \$Entrypoint \$Imagecommand >>$Cshare/stdout 2>>$Cshare/stderr\"" - [ -s "$Cmdstdinfile" ] || echo " echo \"exec \\\$Tini \\\$Dbus \$Entrypoint \$Imagecommand >>$Cshare/stdout 2>>$Cshare/stderr\"" + [ -s "$Cmdstdinfile" ] || echo " echo \"exec \$Tini \\\$Dbus \$Entrypoint \$Imagecommand >>$Cshare/stdout 2>>$Cshare/stderr\"" - echo " echo 'pstree'" + echo " echo '# Ready for docker run'" + echo "} >> $Imagecommandscript" + #### End of x11docker.CMD.sh #### - echo " echo '# Ready for docker run'" - echo "} >> $Imagecommandscript" - echo "" echo "cat $Imagecommandscript | nl -ba >> $Dockerlogfile" echo "" @@ -3815,7 +3880,7 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' echo " mount -o remount,rw cgroup /sys/fs/cgroup" echo " You can restore write protection after cgroup creation with:" echo " mount -o remount,ro cgroup /sys/fs/cgroup'" - [ "$Wantcgroup" = "elogind" ] && echo " note 'If you do not want or need elogind in container, " + [ "$Wantcgroup" = "elogind" ] && echo " note 'If you do not want, need or have elogind in container, " echo " just ignore warning above.'" echo " }" findmnt /sys/fs/cgroup -O ro >/dev/null && { 
@@ -3857,7 +3922,7 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' echo "echo x11docker: container PID: \$Containerpid" echo "echo \$Containerpid >> $Containerpidfile" echo "" - [ "$Switchcontaineruser" = "no" ] && echo "docker exec -u root $Containername /bin/sh $Cshare/containersetup.sh" + [ "$Switchcontaineruser" = "no" ] && echo "docker exec --tty -u root $Containername /bin/sh $Cshare/containersetup.sh" } >> $Dockerrc { #### part: create container setup script: This part runs as root in container @@ -3865,8 +3930,9 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' echo "# set up docker container as root before ongoing in unprivileged x11docker.CMD.sh" echo "# commands in this script are executed as root in container" [ "$Debug" = "yes" ] && echo "set -x" - echo "echo x11docker: setup as root in container" + echo "echo 'x11docker: setup as root in container'" echo "" + echo "# create some system dirs with needed permissions" echo "mkdir -v -p /var/lib/dbus /var/run/dbus" echo "mkdir -v -p -m 1777 /tmp/.ICE-unix /tmp/.X11-unix /tmp/.font-unix" @@ -3877,6 +3943,10 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' echo "export DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie" echo "" + echo "Containersystem=\$(source /etc/os-release; echo \$ID)" + echo "echo \"x11docker: container system ID: \$Containersystem\"" + echo "" + IFS=$'\n' for Line in $Customenvironment ; do [ "$Line" ] && echo "export $Line" 
@@ -3904,10 +3974,10 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' echo "# replace container GIDs of video and audio with host GIDs" echo "Gidvideo=$Hostgidvideo" echo "Gidaudio=$Hostgidaudio" - echo "[ \"\$Gidvideo\" ] || Gidvideo=\$(getent group | grep video: | cut -d: -f3)" - echo "[ \"\$Gidaudio\" ] || Gidaudio=\$(getent group | grep audio: | cut -d: -f3)" - echo "getent group | sed \"s/^video.*/video:x:\$Gidvideo:\$(getent group | grep video: | cut -d: -f4 ),$Benutzer/ ;" - echo " s/^audio.*/audio:x:\$Gidaudio:\$(getent group | grep audio: | cut -d: -f4 ),$Benutzer/ ;" + echo "[ \"\$Gidvideo\" ] || Gidvideo=\$(getent group video | cut -d: -f3)" + echo "[ \"\$Gidaudio\" ] || Gidaudio=\$(getent group audio | cut -d: -f3)" + echo "getent group | sed \"s/^video.*/video:x:\$Gidvideo:\$(getent group video | cut -d: -f4 ),$Benutzer/ ;" + echo " s/^audio.*/audio:x:\$Gidaudio:\$(getent group audio | cut -d: -f4 ),$Benutzer/ ;" for Line in $Groupadd ; do echo " s/^$Line.*/\0,$Benutzer/ ;" done 
@@ -3921,38 +3991,50 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' echo "" [ "$Benutzerhosthome" = "no" ] && echo "mkdir -v -m 777 /fakehome" echo "" - [ "$Switchcontaineruser" = "yes" ] && { - echo "# create /etc/sudoers, remove /etc/sudoers.d. Delete possible sudo setups in image." - echo "echo 'root ALL=(ALL) ALL' > /etc/sudoers" - echo "rm -R /etc/sudoers.d" - [ "$Sudouser" = "yes" ] && { - echo "# create sudo entry for container user" - echo "echo '$Benutzer ALL=(ALL) ALL' >> /etc/sudoers" - } - } + + echo "# create /etc/sudoers, delete /etc/sudoers.d. Overwrite possible sudo setups in image." + echo "rm -R /etc/sudoers.d" + echo "echo '# /etc/sudoers created by x11docker' > /etc/sudoers" + echo "echo 'root ALL=(ALL) ALL' >> /etc/sudoers" + case $Sudouser in + yes) + echo "echo '$Benutzer ALL=(ALL) ALL' >> /etc/sudoers" + ;; + no) echo "rm /etc/sudoers" ;; + esac echo "" + [ "$Nvidiadriver" ] && { + echo "Installationwillsucceed=maybe" echo "ldd 2>&1 | grep 'musl libc' && {" - echo " Musllibc=yes" + echo " Installationwillsucceed=no" echo " echo 'x11docker WARNING: Found musl libc in image. Closed source NVIDIA driver" echo " is not not installable. Use free nouveau driver on host and ask NVIDIA corp." echo " to publish driver source code to allow you using your hardware." echo " Fallback: Skipping installation of nvidia driver.'" - echo "} || Musllibc=no" - echo "[ \"\$Musllibc\" = \"no\" ] && [ -z \"\$(find . -name *${Nvidiaversion}* -print 2>/dev/null)\" ] && {" + echo "}" + echo "case \$Containersystem in" + echo " opensuse)" + echo " Installationwillsucceed=no" + echo " echo x11docker WARNING: nvidia driver installation fails in \$Containersystem." + echo " ;;" + echo "esac" + echo "[ \"\$Installationwillsucceed\" = \"maybe\" ] && [ -z \"\$(find . 
-name *${Nvidiaversion}* -print 2>/dev/null)\" ] && {" echo " mkdir -m 1777 /tmp2 && export TMPDIR=/tmp2" echo " # Install nvidia driver" echo " { command -v modprobe && command -v xz ; } || {" echo " # Try to install modprobe" echo " echo 'x11docker WARNING: Did not find modprobe/kmod or xz in image." + echo " modprobe and xz are needed by nvidia installer." + echo " Install them in image to speed up container startup." echo " Will try to install them. That slows down container startup.'" echo " apt-get update && apt-get install -y kmod xz-utils # debian" #ok echo " dnf install -y kmod xz || yum install -y kmod xz # fedora, centos" #ok echo " xbps-install -Sy kmod xz # void" #ok echo " pacman -Sy --noconfirm kmod xz # arch" #ok - echo " apk add --no-cache kmod xz # alpine, nixos" #ok, but some remaining glibc issues + echo " emerge --ask n kmod xz # gentoo" #ok + echo " apk add --no-cache kmod xz # alpine, nixos" #ok, but remaining glibc issues echo " zypper --non-interactive install kmod xz # opensuse" #ok, but nvidia-installer extraction fails - echo " emerge --ask n kmod xz # gentoo" #NOT CHECKED echo " }" # disabled: nvidia-driver fails anyway. closed source sucks. # echo " apk -V && {" 
@@ -3974,26 +4056,29 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' echo " echo 'x11docker WARNING: Installing proprietary closed source NVIDIA driver $Nvidiaversion. That slows down container startup.'" echo " sh $Cshare/NVIDIA-$Nvidiaversion.run --accept-license --no-runlevel-check --no-questions --ui=none --no-kernel-module --no-kernel-module-source --no-backup --tmpdir /tmp2" echo " rm -R /tmp2 && unset TMPDIR" - echo "} || echo 'x11docker: NVIDIA driver $Nvidiaversion seems to be installed already." - echo " Skipping installation of $Cshare/NVIDIA-$Nvidiaversion.run'" + echo "} || echo 'x11docker: Skipping installation of $Cshare/NVIDIA-$Nvidiaversion.run'" + echo "" } - echo "" + case $Initsystem in tini|none) - [ "$Dbusdaemon" = "yes" ] && { - echo "echo 'x11docker: starting dbus system daemon'" - echo "dbus-daemon --system --fork" - echo " for Count in 1 2 3 4 5 6 7 8 9 10 ; do" - echo " [ -e /run/dbus/system_bus_socket ] && break" - echo " sleep 0.1" - echo " done" - [ "$Sharecgroup" = "yes" ] && { - echo "[ -e /sys/fs/cgroup/elogind ] && which elogind >/dev/null && {" - echo " echo x11docker: starting elogind" - echo " elogind &" - echo "}" - } - } + case $Dbusdaemon in + yes) + echo "echo 'x11docker: starting dbus system daemon'" + echo "dbus-daemon --system --fork" + echo "for Count in 1 2 3 4 5 6 7 8 9 10 ; do" + echo " [ -e /run/dbus/system_bus_socket ] && break" + echo " sleep 0.1" + echo "done" + [ "$Nonewprivileges" = "yes" ] && { + echo "# support for dbus daemon with no-new-privileges" + echo "echo 'x11docker: starting polkitd'" + echo "/usr/lib/policykit-1/polkitd &" + echo "echo 'x11docker: starting accounts-daemon'" + echo "/usr/lib/accountsservice/accounts-daemon &" + } + ;; + esac ;; systemd) echo "# to be sure, allow/unmask most important services" 
@@ -4065,6 +4150,7 @@ start() { echo "sed -i 's/.*getty/##getty disabled by x11docker## \0/' /etc/inittab" ;; esac + echo "" [ "$Langwunsch" ] && { echo "echo \"x11docker: Searching for language locale matching $Langwunsch\"" @@ -4103,14 +4189,19 @@ start() { echo "} || echo \"x11docker WARNING: desired locale for '--lang=$Langwunsch' not found and not created.\"" echo "echo \"x11docker: Output of locale -a:\"" echo "locale -a" + echo "" } - echo "" [ "$Pulseaudio" = "yes" ] && { echo "command -v pulseaudio >/dev/null || echo \"x11docker ERROR: pulseaudio not found in image (option --pulseaudio)\"" + echo "" + } + + [ "$Runasroot" ] && { + echo "# custom setup root command added with option --runasroot" + echo "$Runasroot" } - echo "" echo ":> /x11docker.setupready" [ "$Switchcontaineruser" = "yes" ] && { # if "no", x11docker.CMD.sh is executed in command line $Dockercommand case $Initsystem in @@ -4418,9 +4509,9 @@ start() { echo "$Windowmanager & storepid \$! windowmanager" } - [ -n "$Addcommand" ] && { - echo "# added custom command with option --add" - echo "$Addcommand" + [ "$Runfromhost" ] && { + echo "# custom host command with added option --runfromhost" + echo "$Runfromhost" } echo "touch $Cachefolder/Xready" 
@@ -4814,30 +4905,24 @@ $(tail $Compositorlogfile)" ######### ToDo notes for development todo() { -# docker run options: check escaped strings, failed once with : in --volume -# nvidia-driver: check openSUSE and gentoo images -# stdin seems to be not recognized if running starter from xfce4-panel -# --runasroot: new option? -# ssh -X -- command fails. why? -# --group-add: compare host and container GID? warn if group misses in container? -# --fullscreen: --weston[-x] in weston crashes. Use X backend if DISPLAY is available. +# stdin: find reliable check to reimplement it +# --group-add: compare host and container GID? warn if group misses in container, or create it? +# BUG opensuse/arch: issues with x11docker/fluxbox, background missing, sometimes no context menu. where is the difference? + # work on traperror(). 'set -u' possible without a stop? # --update: regard possible location in /opt -# escape more option arguments: --runfromhost, custom docker options, --workdir, --user, --homedir, --sharedir, --wm, --lang, --xhost +# escape more option arguments: custom docker options, --workdir, --user, --homedir, --sharedir, --wm, --lang, --xhost # --dbus-system: policykit must not have no-new-privileges. Seems to use setuid? Core issue AccountsService? # starting polkitd and accounts-daemon in setupscript helps: # -> cinnamon starts up with lots of (harmless?) error messages # -> deepin needs --pulseaudio again -# --wayland --dbus-system GTK3 seems to work now!? # check fgconsole # bestwu/deepin: why sh is replaced by bash? -# BUG opensuse/arch: issues with x11docker/fluxbox, background missing, sometimes no context menu. where is the difference? # check echo especially in sh scripts, replace with printf if needed (#25) # avoid possible confusions --home --sharedir. --sharedir mounts can overlap --home folder. What about softlinks with existing target in --home? 
Maybe avoid /home/$USER at all # --xpra --desktop restarts client if closing desktop window -# bug report to docker about --volume in --volume +# bug report to docker about --volume waylandsocket in --volume -# check out possibilities to allow 'sudo docker' directly again. # --lang: find out locale package names for several distris for documentation # --keymap does not work on tty with --kwin and --kwin-xwayland. No idea how to set it. # xpra restart on tty switch -> bug report @@ -4845,13 +4930,11 @@ todo() { # BUG check whether VT is not in use with --xorg/--xpra/--xdummy, bug if accidently using vt that is already in use # check all FIXME -# note: SYS_PTRACE allows polkit in docker? # --systemd: try to avoid xhost +SI:localuser:$Benutzer # --xpra-xwayland, xdummy-xwayland: use kwin-wayland as fallback for missing weston? # --xorg: getty and autologin to avoid Xwrapper.config changes? # gnome3 based desktop failing due to gnome bugs: pantheon budgie gnome3 # check Xorg version for +iglx, check security implications, maybe option --iglx? -# GTK3 in Wayland: --dbus once worked with $Dbusdaemon=yes # --wayland --user/--hostuser: wayland socket access denied due to XDG_RUNTIME_DIR # --nxagent 3.5.0: Mageia 6: seamless mode fails # fedora: SElinux issue: '--security-opt label=type:container_runtime_t': need more restrictive setting diff --git a/x11docker-gui b/x11docker-gui index 5f05b97c..a8540279 100755 --- a/x11docker-gui +++ b/x11docker-gui @@ -97,8 +97,8 @@ touch "$X11docker_kaptn" chown "$Lognameuser" "$X11docker_kaptn" ## needed for github screenshots only -#CONTAINERUSER="\\\$USER" -#CONTAINERUSERHOME="/home/\\\$USER" +CONTAINERUSER="\\\$USER" +CONTAINERUSERHOME="/home/\\\$USER" # check list of available window managers Wm_all="$($X11docker_exe --wmlist)" 
@@ -158,7 +158,7 @@ for Line in $Keymaps; do Keymapscombo="$Keymapscombo,\"$Line\"" ; done Kaptain_grammar='#! /usr/bin/kaptain start "Run GUI applications in docker images - x11docker '$Version'" -> options buttons; options:beside -> frameleft frameright; - frameleft -> choose_image_framed choose_xserver_framed appeareance_framed ; + frameleft -> choose_image_framed choose_xserver_framed appeareance_framed verbosity_framed; frameright -> choose_options stddevelline @fill; choose_image_framed:framed -> choose_image; @@ -171,7 +171,7 @@ start "Run GUI applications in docker images - x11docker '$Version'" -> options dockerimage "docker image [and command] to run:" -> @combow('$IMAGELIST'); choose_xserver_framed:framed -> choose_xserver; - choose_xserver -> xserverbla xservercombo desktop gpu wm waylanddbus; + choose_xserver -> xserverbla xservercombo desktop gpu wm wayland; xserverbla:beside "Choose X server" -> @fill xinfobutton xdependenciesbutton ; xservercombo -> s/(:.*$)/ / @combo( ": Automatically choose X server (regards --desktop, --gpu and --wayland)", 
@@ -194,10 +194,7 @@ start "Run GUI applications in docker images - x11docker '$Version'" -> options gpu "--gpu: Hardware acceleration for OpenGL (degrades container isolation)" -> "--gpu " | '$GPU' ""; wm :beside "--wm: Host window manager to use" -> "--wm=\"" @combow('$HOSTWM')="'$MYWM'" "\" " | ! "" ; desktop "--desktop: Image contains a desktop environment" -> "--desktop " | '$DESKTOP' "" ; - waylanddbus:beside -> wayland dbus whydbus; - wayland "--wayland: Create Wayland environment" -> "--wayland " | ! "" ; - dbus "--dbus: Run with" -> "--dbus " | ! "" ; - whydbus:dialog "dbus-launch" -> @text=" Some QT5 applications in Wayland need dbus-launch. \n Some GTK3 applications must run without it. \n ¯\\_(°-°)_/¯" @close=" Close"; + wayland "--wayland: Create Wayland environment" -> "--wayland " | ! "" ; appeareance_framed:framed -> sizefullscreen ; sizefullscreen " Appearance of new X server" -> sizefullscreenline scale rotate dpi outputcount; 
@@ -209,6 +206,15 @@ start "Run GUI applications in docker images - x11docker '$Version'" -> options rotate:beside "--rotate: rotation and mirroring (Xorg and Weston only)" -> "--rotate=\"" @combo("0","90","180","270","flipped","flipped-90","flipped-180","flipped-270")="180" "\" " | ! "" ; dpi:beside "--dpi: screen density / dots per inch (influences font size)" -> "--dpi=\"" @combow("36","48","60","72","84","96","120","150","256","300")="96" "\" " | ! "" ; outputcount:beside "--output-count: multiple displays (Weston, KWin, Xephyr)" -> "--output-count=\"" @combow("1","2","3","4")="2" "\" " | ! "" ; + + verbosity_framed:framed -> verbosity ; + verbosity "Verbosity" -> verbosesilentline stdoutstderrline; + verbosesilentline:beside -> verbose silent; + verbose "--verbose: Be verbose" -> "--verbose " | ! "" ; + silent "--silent: Be silent" -> "--silent " | ! "" ; + stdoutstderrline:beside -> stdout stderr ; + stdout "--stdout: Show stdout of container" -> "--stdout " | ! "" ; + stderr "--stderr: Show stderr of container" -> "--stderr " | ! "" ; choose_options:framed -> choose_options_normal choose_options_hostfolders choose_options_advanced; choose_options_normal "Sound, clipboard and language" -> clipboard alsaline pulseaudio lang ; 
@@ -226,40 +232,37 @@ start "Run GUI applications in docker images - x11docker '$Version'" -> options sharedir1:beside "--sharedir: Share host folder:" -> "--sharedir=\"" @directory="" "\" " | ! "" ; sharedir2:beside "--sharedir: Share host folder:" -> "--sharedir=\"" @directory="" "\" " | ! "" ; - choose_options_advanced "Advanced options"-> verbose noentrypoint nointernet initsystem dbusdaemon pw; - verbose "--verbose: Be verbose (terminal output of logfiles)" -> "--verbose " | ! "" ; + choose_options_advanced "Advanced options"-> sudouser noentrypoint nointernet initsystem dbusdaemon dbus pw; + sudouser "--sudouser: Allow su and sudo in container. Password: x11docker\n + Severe reduction of container security!" -> "--sudouser " | ! "" ; noentrypoint "--no-entrypoint: Disable ENTRYPOINT in image" -> "--no-entrypoint " | ! "" ; nointernet "--no-internet: Disable internet access for container" -> "--no-internet " | ! "" ; initsystem:beside " Run init system in container (default: --tini)" -> @combo( "--tini","--systemd ","--sysvinit ","--runit ","--openrc ","--no-init")="--systemd " | ! "" ; - dbusdaemon "--dbus-system: Run dbus system daemon in container" -> "--dbus-system " | ! "" ; + dbusdaemon "--dbus-system: Run dbus system daemon in container (includes --dbus)" -> "--dbus-system " | ! "" ; + dbus "--dbus: Run dbus user session in container" -> "--dbus " | ! "" ; pw:beside "--pw: password prompt frontend" -> "--pw=\"" @combo("su","sudo","gksu","gksudo","lxsu","lxsudo","kdesu","kdesudo","beesu","pkexec","none")="sudo" "\" " | ! 
"" ; stddevelline:beside -> develdialog; develdialog:dialog "Developer options" -> developeroptions @close=" close"; developeroptions:beside -> develleft develright; - develleft:framed -> devauth devxconfig devoutput devmisc; + develleft:framed -> devauth devxconfig devmisc; develright:framed -> devenvironment devuser devcaps devrun; - develcollect -> devenvironment devauth devxconfig devmisc devuser devcaps devoutput; - devuser "User settings" -> user hostuser sudouser groupadd; + develcollect -> devenvironment devauth devxconfig devmisc devuser devcaps; + devuser "User settings" -> user hostuser groupadd; user:beside "--user: Container user (name or uid)\n (default: same as host user)\n (a gid can be specified with user:gid)" -> "--user=\"" @string="'$CONTAINERUSER'" "\" " | ! "" ; hostuser:beside "--hostuser: run x11docker as user \n different from \$(logname)='$CONTAINERUSER':\n (x11docker must be started as root)" -> "--hostuser=\"" @string="" "\" " | ! "" ; - sudouser "--sudouser: Allow su and sudo in container. Password: x11docker\n - Severe reduction of container security!" -> "--sudouser " | ! "" ; groupadd:beside "--group-add: Additional groups for container user: " -> "--group-add=\"" @string="" "\" " | ! "" ; - devmisc "Miscellaneous" -> ps cachedir runfromhost; + devmisc "Miscellaneous" -> ps cachedir runfromhost runasroot; ps "--ps: Keep created container and cache files" -> "--ps " | ! "" ; cachedir:beside "--cachedir: Host cache folder: " -> "--cachedir=\"" @directory="" "\" " | ! "" ; - runfromhost "--runfromhost: Run host command on new X server. Use sh syntax:" -> "--runfromhost=\"" @string="/usr/bin/launchy &" "\" " | ! "" ; - devoutput "Verbose output" -> silent stdoutline debug; - silent "--silent: Do not show any messages" -> "--silent " | ! "" ; - stdoutline:beside -> stdout stderr ; - stdout "--stdout: Show stdout of container" -> "--stdout " | ! "" ; - stderr "--stderr " -> "--stderr " | ! 
"" ; - debug "--debug: Show all executed command lines" -> "--debug " | ! "" ; + runfromhost "--runfromhost: Run host command on new X server. Use sh syntax:" -> "--runfromhost=\"" @string="/usr/bin/launchy &" "\" " | ! "" ; + runasroot "--runasroot: Run command as root in container. Use sh syntax:" -> "--runasroot=\"" @string="" "\" " | ! "" ; + devoutput "Verbose output" -> debug; + debug "--debug: Show some additional debug output" -> "--debug " | ! "" ; devauth "X authentication" -> untrusted trusted xhost noauth noxhost; untrusted "--untrusted: Create untrusted cookies restricting X access. \n Default for --hostdisplay." -> "--untrusted " | ! "" ; @@ -291,7 +294,7 @@ stddevelline:beside -> develdialog; sysadmin "--sys-admin: add capability SYS_ADMIN. Needed for older systemd \n versions like in debian 9 based images for --systemd." -> "--sys-admin " | ! "" ; sharecgroup "--sharecgroup: Share /sys/fs/cgroup. \n - Default for --systemd. Possible use case with --openrc." -> "--sharecgroup " | ! "" ; + Default for --systemd. Needed for elogind in container." -> "--sharecgroup " | ! "" ; ipc "--hostipc: Disable IPC namespacing. Allows MIT-SHM extension. \n Shares host interprocess communication and shared memory. " -> "--hostipc " | ! "" ; net "--hostnet: Disable network namespacing. \n 
@@ -585,14 +588,14 @@ stddevelline:beside -> develdialog; xdep_xclip_text -> @text("Needs package xclip on host (except for options --xpra, --xpra-xwayland and --nxagent).") ; xdep_pulseaudio -> @text("--pulseaudio") ; xdep_pulseaudio_text -> @text("Needs package pulseaudio on host AND in image.") ; - xdep_dbus -> @text("--dbus") ; - xdep_dbus_text -> @text("Needs dbus-launch (debian: package dbus-x11) in image.") ; + xdep_dbus -> @text("--dbus, --dbus-system") ; + xdep_dbus_text -> @text("Needs package dbus in image.") ; xdep_systemd -> @text("--systemd") ; xdep_systemd_text -> @text("Needs systemd in image") ; xdep_gpu -> @text("--gpu\n\n\n") ; xdep_gpu_text -> @text("Needs OpenGL dependencies (mesa) to be installed in image. For debian images: mesa-utils mesa-utils-extra,\n CentOS and fedora images: glx-utils mesa-dri-drivers, Arch Linux images: mesa-demos\n - Works best with open source drivers on host. Closed source drivers need to be installed in image, too."); + Works best with open source drivers on host. For closed source drivers look at terminal output."); xdep_xorg_setupdialog:dialog "Setup" -> @text(" Option --xorg can be used out of the box on console tty1...tty6. \n \n To run a second Xorg server from within an already running X session, \n 
@@ -788,7 +791,7 @@ case $Hostkaptain in If your distribution does not provide package kaptain (>=0.73), look at kaptain repository: https://github.com/mviereck/kaptain Fallback: Will try to use image x11docker/kaptain." - { read -r containerID ; read -r X11docker_command ;} < <(x11docker --hostdisplay --no-init --clipboard $Verbose --stdout --env HOME="$CONTAINERUSERHOME" -- --volume="$X11docker_logo":"$X11docker_logo":ro --volume="$CONTAINERUSERHOME":"$CONTAINERUSERHOME":ro x11docker/kaptain $X11docker_kaptn) + { read -r containerID ; read -r X11docker_command ;} < <(x11docker --hostdisplay --no-init --clipboard $Verbose --stdout --env HOME="$CONTAINERUSERHOME" --sharedir $X11docker_kaptn -- --volume="$X11docker_logo":"$X11docker_logo":ro --volume="$CONTAINERUSERHOME":"$CONTAINERUSERHOME":ro x11docker/kaptain $X11docker_kaptn) ;; esac diff --git a/x11docker.png b/x11docker.png index 93f114a0..98296d60 100644 Binary files a/x11docker.png and b/x11docker.png differ
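Review bot: in the `todo()` hunk of `x11docker`, the removed reminders `# check out possibilities to allow 'sudo docker' directly again.` and `# note: SYS_PTRACE allows polkit in docker?` are security-relevant open questions that disappear without any indication of whether they were answered; if they were resolved, state the outcome in the commit message or CHANGELOG rather than deleting the note silently, and if they were not, keep them in the list.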
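Review bot: in the `x11docker-gui` hunk at `@@ -97,8 +97,8 @@`, the two assignments `CONTAINERUSER="\\\$USER"` and `CONTAINERUSERHOME="/home/\\\$USER"` are uncommented while the comment directly above them still reads `## needed for github screenshots only`; as committed they now override the real values unconditionally, and `$CONTAINERUSERHOME` is later passed to `--env HOME=` and as a `--volume` source in the kaptain fallback hunk. Either guard them behind an explicit screenshot switch or re-comment them before merging.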
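Review bot: in the hunk at `@@ -209,6 +206,15 @@`, `verbose "--verbose: Be verbose" -> "--verbose " | ! "" ;` and `silent "--silent: Be silent" -> "--silent " | ! "" ;` are two independent checkboxes placed side by side, so the user can select both and emit `--verbose --silent` together; a single `@combo` (or a three-way choice including "default") would make the options mutually exclusive, which is what the labels imply.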
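Review bot: in the hunk at `@@ -226,40 +232,37 @@`, the new `dbusdaemon` label says `--dbus-system ... (includes --dbus)` yet a separate `dbus "--dbus: Run dbus user session in container"` checkbox is listed right after it, so both can be ticked and the command line gets a redundant `--dbus`; if `--dbus-system` really implies `--dbus`, consider dropping the second box from this line or documenting that the combination is harmless. Moving `sudouser` with its `Severe reduction of container security!` label into the main "Advanced options" panel is fine as long as it stays unchecked by default, which the `| ! ""` alternative preserves.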
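Review bot: in the `develleft` hunk, `devoutput` is removed from both `develleft:framed -> devauth devxconfig devmisc;` and `develcollect -> ... devuser devcaps;`, but the rule `devoutput "Verbose output" -> debug;` is still defined a few lines later; since nothing references it any more, the `--debug` checkbox is no longer reachable from the dialog and the rule is dead grammar. Either add `devoutput` back to `develleft` (or move `debug` into the new verbosity frame) or delete the orphaned rule. Also, the new `runasroot "--runasroot: Run command as root in container. Use sh syntax:" -> "--runasroot=\"" @string="" "\" "` defaults to an empty string, so ticking it without typing a command emits `--runasroot=""`; a short hint in the label that this runs with root privileges inside the container, as the `sudouser` label does, would help users weigh it.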
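Review bot: in the hunk at `@@ -788,7 +791,7 @@`, the added `--sharedir $X11docker_kaptn` is unquoted while every neighbouring argument (`--env HOME="$CONTAINERUSERHOME"`, `--volume="$X11docker_logo":...`) is quoted; if the kaptain temp path ever contains whitespace the argument is word-split. Use `--sharedir="$X11docker_kaptn"` to match the surrounding style. The same line already bind-mounts `$CONTAINERUSERHOME` read-only into the container, so with the screenshot override from the `@@ -97,8` hunk active that source path is the literal `/home/\$USER`; worth confirming the two hunks are meant to land together.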