It appears that I have fixed my immediate problem. I was sharing /tmp/.X11-unix
using docker volumes, and I needed to run chmod 1777 /tmp/.X11-unix on it to
get the permissions the way Xorg wants them :)
Tim
On Sat, Jul 18, 2015 at 10:08:25PM +0200, Timothy Hobbs wrote:
> Dear list,
>
> I am the creator of subuser.org. Subuser is a free open source software
> project (LGPL3) which aims to allow a person to run desktop applications
> inside Docker containers. Subuser has several aims. One is to make it easier
> to publish desktop applications on linux by improving portability. Another is
> to make the desktop more secure by containing those desktop applications
> within their respective containers.
>
> Right now, the second goal is not met. Desktop applications communicate with
> the host's X11 server by sharing the /tmp/.X11-unix folder with it. This
> works well, but is completely insecure. I have been waiting for wayland to
> come out in order to provide a secure solution. However, spurred on by the
> success of OZ, written by subgraph.com I have begun to reconsider xpra as an
> intermediate option.
>
> As I want to maintain portability and ease of creating subuser Docker images,
> I do not wish to install the xpra server in each Docker image which contains
> a desktop application. In order to maintain this separation of requirements,
> I have come up with the following architecture involving 3 containers:
>
> -------------                       -------------
> |desktop app| <--/tmp/.X11-unix-->  |xpra server|   Untrusted
> -------------                       -------------
>                                           ^
>                                           | ~/.xpra
>                                           v
> -------------                       -------------
> |   host    | <--/tmp/.X11-unix-->  |xpra client|   Trusted
> -------------                       -------------
>
> This allows me to run 3 containers.
>
> 1) contains the untrusted desktop application
> 2) contains an untrusted xpra server
> 3) contains a trusted xpra client
>
> I can use an up-to-date version of xpra, as I do not need to have xpra
> installed on the host.
>
> The only problem is that when I run
>
> $ xpra start :100 --start-child=xterm
>
> I don't end up with a unix domain socket in the xpra server's /tmp/.X11-unix
> directory. This is despite the fact that I have -nolisten tcp set in
> xpra.conf:
>
> xvfb=Xorg -dpi 96 -noreset -nolisten tcp +extension GLX +extension RANDR
> +extension RENDER -logfile ${HOME}/.xpra/Xorg.${DISPLAY}.log -config
> /etc/xpra/xorg.conf
>
> I am confused as to why this is happening, and how I can get a unix domain
> socket to work with. I cannot use a UDP socket due to the difficulties of
> sharing UDP sockets between containers.
>
> I have been testing this setup on xpra version 0.14.10
>
> Thank you in advance for your help,
>
> Timothy Hobbs
> _______________________________________________
> shifter-users mailing list
> [email protected]
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
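
The permission fix from the reply at the top of this thread, as an added example that is not part of the original messages: a shell helper that checks a directory about to be shared as /tmp/.X11-unix and sets it to mode 1777 (world-writable with the sticky bit, so one user cannot remove or replace another user's socket). The function names are hypothetical, and it assumes GNU coreutils `stat` on a Linux host.

```shell
#!/bin/sh
# Added example (not from the thread): audit and repair the mode of a
# directory that will be mounted into containers as /tmp/.X11-unix.
# Function names are hypothetical; requires GNU coreutils stat.

# Print the octal mode of a path, e.g. 755 or 1777.
dir_mode() {
    stat -c '%a' "$1"
}

# Succeed only if the path is a real directory (not a symlink) with mode 1777.
x11_dir_ok() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ "$(dir_mode "$1")" = "1777" ]
}

# Create the directory if it is missing and bring it to mode 1777.
# A symlink is refused so that chmod is never applied to an unexpected target.
prepare_x11_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    if x11_dir_ok "$dir"; then
        return 0
    fi
    echo "fixing mode of $dir (was $(dir_mode "$dir"))" >&2
    chmod 1777 "$dir" && x11_dir_ok "$dir"
}

# When run with an argument, prepare that directory before it is shared
# as a Docker volume, for example: ./prepare-x11-dir.sh /path/to/shared/.X11-unix
if [ "$#" -gt 0 ]; then
    prepare_x11_dir "$1"
fi
```

Run it against the host-side directory before starting the containers that share it.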