Dear list,
I am the creator of subuser.org. Subuser is a free open source software project
(LGPL3) which aims to allow a person to run desktop applications inside Docker
containers. Subuser has several aims. One is to make it easier to publish
desktop applications on Linux by improving portability. Another is to make the
desktop more secure by containing those desktop applications within their
respective containers.
Right now, the second goal is not met. Desktop applications communicate with
the host's X11 server by sharing the /tmp/.X11-unix folder with it. This works
well, but is completely insecure. I have been waiting for Wayland to come out
in order to provide a secure solution. However, spurred on by the success of
OZ, written by subgraph.com I have begun to reconsider xpra as an intermediate
option.
As I want to maintain portability and ease of creating subuser Docker images, I
do not wish to install the xpra server in each Docker image which contains a
desktop application. In order to maintain this separation of requirements, I
have come up with the following architecture involving 3 containers:
-------------                      -------------
|desktop app| <--/tmp/.X11-unix--> |xpra server|  Untrusted
-------------                      -------------
                                         ^
                                         | ~/.xpra
                                         v
-------------                      -------------
|   host    | <--/tmp/.X11-unix--> |xpra client|  Trusted
-------------                      -------------
This allows me to run 3 containers.
1) contains the untrusted desktop application
2) contains an untrusted xpra server
3) contains a trusted xpra client
I can use an up-to-date version of xpra, as I do not need to have xpra
installed on the host.
The only problem is that when I run
$ xpra start :100 --start-child=xterm
I don't end up with a unix domain socket in the xpra server's /tmp/.X11-unix
directory. This is despite the fact that I have -nolisten tcp set in xpra.conf:
xvfb=Xorg -dpi 96 -noreset -nolisten tcp +extension GLX +extension RANDR +extension RENDER -logfile ${HOME}/.xpra/Xorg.${DISPLAY}.log -config /etc/xpra/xorg.conf
I am confused as to why this is happening, and how I can get a unix domain
socket to work with. I cannot use a UDP socket due to the difficulties of
sharing UDP sockets between containers.
I have been testing this setup on xpra version 0.14.10
Thank you in advance for your help,
Timothy Hobbs
_______________________________________________
shifter-users mailing list
[email protected]
http://lists.devloop.org.uk/mailman/listinfo/shifter-users
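An added example, not taken from Timothy's post, from subuser or from xpra: a POSIX shell script that stands up the three-container layout drawn above as plain docker run invocations, so the trust boundaries can be read off the volume mounts. It assumes, for illustration only, the image names example/untrusted-app and example/xpra, two named volumes (x11-untrusted for the untrusted /tmp/.X11-unix, xpra-sockets for the xpra socket directory), the directory /xpra-sockets standing in for ~/.xpra on both sides, and that the Xorg socket does get created in the xpra server's /tmp/.X11-unix, which is exactly what the post reports not happening. Because xpra names its unix socket <hostname>-<display>, the server and client containers are given the same hostname so that `xpra attach :100` on the client side finds the socket the server created.

```shell
#!/bin/sh
# Added example (not from the original post, subuser or xpra): the
# three-container layout expressed as docker run invocations.
# Assumed for illustration: image names example/untrusted-app and example/xpra,
# named volumes x11-untrusted and xpra-sockets, the shared socket directory
# /xpra-sockets in place of ~/.xpra, and that the Xorg socket is created in the
# xpra server's /tmp/.X11-unix.
set -eu

DISPLAY_NO="${DISPLAY_NO:-100}"            # xpra display number, i.e. :100
SOCKET_DIR="/xpra-sockets"                 # assumed path for the shared socket volume
XPRA_HOSTNAME="xpra"                       # xpra's socket is named <hostname>-<display>, so
                                           # server and client containers share one hostname
APP_IMAGE="${APP_IMAGE:-example/untrusted-app}"   # assumed image name
XPRA_IMAGE="${XPRA_IMAGE:-example/xpra}"          # assumed image name

# With DRY_RUN=1 the command line is printed instead of executed, so the
# layout can be inspected (and tested) on a machine without docker.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

create_volumes() {
    # Untrusted X socket directory, shared only between app and xpra server.
    run_cmd docker volume create x11-untrusted
    # Socket directory of the xpra server, shared with the trusted xpra client.
    run_cmd docker volume create xpra-sockets
}

start_xpra_server() {
    # Untrusted: no network, its own Xorg socket in x11-untrusted, its xpra
    # unix socket in xpra-sockets.  Nothing from the host is mounted here.
    run_cmd docker run -d --name xpra-server -h "$XPRA_HOSTNAME" --net=none \
        -v x11-untrusted:/tmp/.X11-unix \
        -v xpra-sockets:"$SOCKET_DIR" \
        "$XPRA_IMAGE" xpra start ":$DISPLAY_NO" --no-daemon --socket-dir="$SOCKET_DIR"
}

start_app() {
    # Untrusted: speaks X11 only to the xpra server's Xorg via the shared socket dir.
    run_cmd docker run -d --name untrusted-app -e DISPLAY=":$DISPLAY_NO" \
        -v x11-untrusted:/tmp/.X11-unix \
        "$APP_IMAGE" xterm
}

start_xpra_client() {
    # Trusted: sees the real host X server.  The only thing crossing the trust
    # boundary is the xpra protocol over the unix socket in xpra-sockets.
    run_cmd docker run -d --name xpra-client -h "$XPRA_HOSTNAME" --net=none \
        -e DISPLAY="${DISPLAY:-:0}" \
        -v /tmp/.X11-unix:/tmp/.X11-unix \
        -v xpra-sockets:"$SOCKET_DIR" \
        "$XPRA_IMAGE" xpra attach ":$DISPLAY_NO" --socket-dir="$SOCKET_DIR"
}

main() {
    create_volumes
    start_xpra_server
    # xpra start needs a moment to bring up Xorg before anything can connect.
    [ "${DRY_RUN:-0}" = "1" ] || sleep 3
    start_app
    start_xpra_client
}

# Usage: sh xpra-3containers.sh --run        (DRY_RUN=1 to only print the commands)
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The mounts are the whole point: the client container never sees x11-untrusted, and the app and server containers never see the host's /tmp/.X11-unix, so a compromised application can at most talk X11 to the sacrificial Xorg inside the xpra server and cannot query the host's keyboard or windows. Running `DRY_RUN=1 sh xpra-3containers.sh --run` prints the five docker commands without touching the daemon.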