Closed hongyi-zhao closed 3 years ago
That looks harmless. If it does not cause obvious issues, you can ignore it.
The login UI of wechat won't appear for ever. Furthermore, I also tried to add the --hostnet option as shown below and the problem is still the same:
$ x11docker --sudouser --hostnet --clipboard x11docker-deepin-wechat deepin-terminal
$ x11docker --hostnet x11docker-deepin-wechat deepin-terminal
Regards, HY
I can reproduce the issue. I considered it might depend on systemd and ran directly with:
x11docker --init=systemd --cap-default -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- wechatimage /opt/deepinwine/apps/Deepin-WeChat/run.sh
But this fails, too.
Adding options --alsa --pulseaudio --gpu does not help either.
I have no idea how to fix this.
Did you try the bestwu/wechat image? Did it work with the setup described there?
> I can reproduce the issue. I considered it might depend on systemd and ran directly with:
> x11docker --init=systemd --cap-default -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- wechatimage /opt/deepinwine/apps/Deepin-WeChat/run.sh
> But this fails, too. Adding options --alsa --pulseaudio --gpu does not help either.
Yep. But the error messages given by the above two starting methods are different:
werner@X10DAi:~/Public/repo/github.com/mviereck$ x11docker --init=systemd --cap-default -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- x11docker-deepin-wechat /opt/deepinwine/apps/Deepin-WeChat/run.sh
x11docker WARNING: User werner is member of group docker.
That allows unprivileged processes on host to gain root privileges.
x11docker note: Using X server option --xpra
x11docker WARNING: Option --cap-default disables security hardening
for containers done by x11docker. Default docker capabilities are allowed.
This is considered to be less secure.
x11docker note: Option --cap-default: Enabling option --newprivileges.
You can avoid this with --newprivileges=no
x11docker note: Option --xpra: If you encounter issues with xpra,
you can try --nxagent instead.
Rather use xpra from www.xpra.org than from distribution repositories.
x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
x11docker will add them to 'docker run' command without
a serious check for validity or security. Found options:
'--security-opt' 'seccomp=unconfined' '--cap-add' 'IPC_LOCK'
x11docker WARNING: Option --init=systemd slightly degrades container isolation.
It adds some user switching capabilities x11docker would drop otherwise.
However, they are still within default docker capabilities.
Not within default docker capabilities it adds capability SYS_BOOT.
It shares access to host cgroups in /sys/fs/cgroup.
Some processes in container will run as root.
x11docker WARNING: Option --newprivileges=yes: x11docker does not set
docker run option --security-opt=no-new-privileges.
That degrades container security.
However, this is still within a default docker setup.
Run Deepin-WeChat 2.6.8.65deepin0 c:/Program Files/Tencent/WeChat/WeChat.exe
run Deepin-WeChat progress pid
Activating service name='org.gtk.vfs.Daemon'
Successfully activated service 'org.gtk.vfs.Daemon'
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
total 0
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 c: -> ../drive_c
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com1 -> /dev/ttyS0
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com10 -> /dev/ttyS9
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com11 -> /dev/ttyS10
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com12 -> /dev/ttyS11
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com13 -> /dev/ttyS12
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com14 -> /dev/ttyS13
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com15 -> /dev/ttyS14
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com16 -> /dev/ttyS15
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com2 -> /dev/ttyS1
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com3 -> /dev/ttyS2
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com4 -> /dev/ttyS3
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com5 -> /dev/ttyS4
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com6 -> /dev/ttyS5
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com7 -> /dev/ttyS6
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com8 -> /dev/ttyS7
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com9 -> /dev/ttyS8
lrwxrwxrwx 1 werner werner 8 Nov 9 07:34 d:: -> /dev/sdb
lrwxrwxrwx 1 werner werner 17 Nov 9 07:34 e: -> /media/wayne/Ntfs
lrwxrwxrwx 1 werner werner 9 Nov 9 07:34 e:: -> /dev/sdb1
lrwxrwxrwx 1 werner werner 12 Nov 9 07:34 y: -> /home/werner
lrwxrwxrwx 1 werner werner 1 Nov 9 07:34 z: -> /
CallApp Deepin-WeChat c:/Program Files/Tencent/WeChat/WeChat.exe
Disable auto update
rm: cannot remove '/home/werner/.deepinwine/Deepin-WeChat/drive_c/users/werner/Application Data/Tencent/WeChat/All Users/config/configEx.ini': No such file or directory
Mon Nov 9 07:34:12 CST 2020:kill WeChat.exe block
Mon Nov 9 07:34:12 CST 2020:No wine process found
/home/werner/.deepinwine/Deepin-WeChat/drive_c/Program Files/Tencent/WeChat
Starting process c:/Program Files/Tencent/WeChat/WeChat.exe ...
X Error of failed request: BadWindow (invalid Window parameter)
Major opcode of failed request: 20 (X_GetProperty)
Resource id in failed request: 0x0
Serial number of failed request: 10
Current serial number in output stream: 10
werner@X10DAi:~/Public/repo/github.com/mviereck$ x11docker --init=systemd --cap-default --alsa --pulseaudio --gpu -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- x11docker-deepin-wechat /opt/deepinwine/apps/Deepin-WeChat/run.sh
x11docker WARNING: User werner is member of group docker.
That allows unprivileged processes on host to gain root privileges.
x11docker note: Your system uses closed source NVIDIA driver.
GPU support will work only with options --hostdisplay and --xorg.
Consider to use free open source nouveau driver instead.
x11docker note: Using X server option --hostdisplay
x11docker WARNING: Option --gpu degrades container isolation.
Container gains access to GPU hardware.
This allows reading host window content (palinopsia leak)
and GPU rootkits (compare proof of concept: jellyfish).
x11docker note: Option --gpu: To allow GPU acceleration with --hostdisplay,
x11docker will allow trusted cookies.
x11docker WARNING: Option --cap-default disables security hardening
for containers done by x11docker. Default docker capabilities are allowed.
This is considered to be less secure.
x11docker note: Option --cap-default: Enabling option --newprivileges.
You can avoid this with --newprivileges=no
x11docker note: Option --hostdisplay: To allow --hostdisplay with trusted cookies,
x11docker must share host IPC namespace with container (option --hostipc)
to allow shared memory for X extension MIT-SHM.
x11docker note: To allow protection against X security leaks
while using --gpu with NVIDIA, please use option --xorg.
x11docker WARNING: Option --hostdisplay with trusted cookies provides
QUITE BAD CONTAINER ISOLATION !
Keylogging and controlling host applications is possible!
Clipboard sharing is enabled (option --cliboard).
It is recommended to use another X server option like --xpra or --nxagent.
x11docker WARNING: Option --hostipc severely degrades
container isolation. IPC namespace remapping is disabled.
x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
x11docker will add them to 'docker run' command without
a serious check for validity or security. Found options:
'--security-opt' 'seccomp=unconfined' '--cap-add' 'IPC_LOCK'
x11docker note: Option --gpu: You are using the closed source NVIDIA driver.
GPU acceleration will only work if you have installed the very same driver
version in image. That makes images less portable.
It is recommended to use free open source nouveau driver on host instead.
Ask NVIDIA corporation to at least publish their closed source API,
or even better to actively support open source driver nouveau.
x11docker note: Option --gpu: x11docker can try to automatically install NVIDIA driver
version 440.64 in container on every container startup.
Drawbacks: Container startup is a bit slower and its security will be reduced.
You can look here for a driver installer:
https://www.nvidia.com/Download/index.aspx
https://http.download.nvidia.com/
A direct download URL is probably:
https://http.download.nvidia.com/XFree86/Linux-x86_64/440.64/NVIDIA-Linux-x86_64-440.64.run
If you got a driver, store it at one of the following locations:
/home/werner/.local/share/x11docker/
/usr/local/share/x11docker/
Be aware that the version number must match exactly the version on host.
The file name must begin with 'NVIDIA', contain the version number 440.64
and end with suffix '.run'.
x11docker WARNING: Option --pulseaudio allows container applications
to catch your audio output and microphone input.
x11docker WARNING: ALSA sound with option --alsa degrades container isolation.
Shares device files in /dev/snd, container gains access to sound hardware.
Container applications can catch audio output and microphone input.
x11docker note: It seems that pulseaudio is running on your host.
Pulseaudio can interfere with ALSA sound (option --alsa).
Host sound may not work while container is playing sound and vice versa.
Alternative: with pulseaudio on host and in image, use option --pulseaudio.
x11docker WARNING: Option --init=systemd slightly degrades container isolation.
It adds some user switching capabilities x11docker would drop otherwise.
However, they are still within default docker capabilities.
Not within default docker capabilities it adds capability SYS_BOOT.
It shares access to host cgroups in /sys/fs/cgroup.
Some processes in container will run as root.
x11docker WARNING: Option --newprivileges=yes: x11docker does not set
docker run option --security-opt=no-new-privileges.
That degrades container security.
However, this is still within a default docker setup.
x11docker WARNING: Sharing device file: /dev/dri
x11docker WARNING: Sharing device file: /dev/nvidia0
x11docker WARNING: Sharing device file: /dev/nvidiactl
x11docker WARNING: Sharing device file: /dev/nvidia-modeset
x11docker WARNING: Sharing device file: /dev/nvidia-uvm
x11docker WARNING: Sharing device file: /dev/nvidia-uvm-tools
x11docker WARNING: Sharing device file: /dev/vga_arbiter
x11docker WARNING: Sharing device file: /dev/snd
Run Deepin-WeChat 2.6.8.65deepin0 c:/Program Files/Tencent/WeChat/WeChat.exe
run Deepin-WeChat progress pid
** (zenity:2604): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-ZZm0m0LT9c: Connection refused
Activating service name='org.gtk.vfs.Daemon'
Successfully activated service 'org.gtk.vfs.Daemon'
Gtk-Message: Failed to load module "canberra-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
total 0
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 c: -> ../drive_c
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com1 -> /dev/ttyS0
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com10 -> /dev/ttyS9
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com11 -> /dev/ttyS10
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com12 -> /dev/ttyS11
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com13 -> /dev/ttyS12
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com14 -> /dev/ttyS13
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com15 -> /dev/ttyS14
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com16 -> /dev/ttyS15
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com2 -> /dev/ttyS1
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com3 -> /dev/ttyS2
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com4 -> /dev/ttyS3
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com5 -> /dev/ttyS4
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com6 -> /dev/ttyS5
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com7 -> /dev/ttyS6
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com8 -> /dev/ttyS7
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com9 -> /dev/ttyS8
lrwxrwxrwx 1 werner werner 8 Nov 9 07:35 d:: -> /dev/sdb
lrwxrwxrwx 1 werner werner 17 Nov 9 07:35 e: -> /media/wayne/Ntfs
lrwxrwxrwx 1 werner werner 9 Nov 9 07:35 e:: -> /dev/sdb1
lrwxrwxrwx 1 werner werner 12 Nov 9 07:35 y: -> /home/werner
lrwxrwxrwx 1 werner werner 1 Nov 9 07:35 z: -> /
CallApp Deepin-WeChat c:/Program Files/Tencent/WeChat/WeChat.exe
Disable auto update
rm: cannot remove '/home/werner/.deepinwine/Deepin-WeChat/drive_c/users/werner/Application Data/Tencent/WeChat/All Users/config/configEx.ini': No such file or directory
Mon Nov 9 07:35:40 CST 2020:kill WeChat.exe block
Mon Nov 9 07:35:40 CST 2020:tag bottle:
Traceback (most recent call last):
File "/opt/deepinwine/tools/get_tray_window", line 28, in <module>
get_tray_window()
File "/opt/deepinwine/tools/get_tray_window", line 18, in get_tray_window
traymanager = bus.get_object("com.deepin.dde.TrayManager", "/com/deepin/dde/TrayManager")
File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 241, in get_object
follow_name_owner_changes=follow_name_owner_changes)
File "/usr/lib/python2.7/dist-packages/dbus/proxies.py", line 248, in __init__
self._named_service = conn.activate_name_owner(bus_name)
File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 180, in activate_name_owner
self.start_service_by_name(bus_name)
File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 278, in start_service_by_name
'su', (bus_name, flags)))
File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 651, in call_blocking
message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name com.deepin.dde.TrayManager was not provided by any .service files
Mon Nov 9 07:35:40 CST 2020:active bottles:
/home/werner/.deepinwine/Deepin-WeChat/drive_c/Program Files/Tencent/WeChat
Starting process c:/Program Files/Tencent/WeChat/WeChat.exe ...
[1109/073541:INFO:exception_record.cc(518)] [QB]Process ID: 60 Type: 1
> I have no idea how to fix this. Did you try the bestwu/wechat image? Did it work with the setup described there?
Tried both docker-compose and docker run methods described there. For the case of docker-compose, the login UI won't appear for ever; for the case of docker run, the login UI appears quickly as a flash and then disappears.
Maybe you could open an issue there? bestwu might be more familiar with wechat and might find a fix that could be used with x11docker as well.
The new error messages indicate that wechat tries to connect to the deepin tray manager and crashes because there is no tray.
> Maybe you could open an issue there? bestwu might be more familiar with wechat and might find a fix that could be used with x11docker as well.
Bestwu currently isn't very active in maintaining his project. I'm afraid that even if I open a question there, he may not have time to study it.
> The new error messages indicate that wechat tries to connect to the deepin tray manager and crashes because there is no tray.
Why does this happen, and how can it be fixed?
I don't know. This should rather be asked at www.deepin.org.
Surprisingly I got wechat running:
x11docker --hostdisplay --clipboard -- wechatimage sh -c '/opt/deepinwine/apps/Deepin-WeChat/run.sh ; sleep 5; while pgrep WeChat; do sleep 1; done'
It fails with other X servers, and it takes a very long time until the window with QR-code appears.
(The additional pgrep/sleep loop is needed because the WeChat process moves itself to run in background. A foreground process is needed to keep the container running.)
Tricky and wonderful. I confirm that your conclusion is correct with the following command:
$ x11docker --hostdisplay --clipboard -- hongyi-zhao/deepin-wine sh -c '/opt/deepinwine/apps/Deepin-WeChat/run.sh ; sleep 5; while pgrep WeChat; do sleep 1; done'
Furthermore, I can also successfully run x11docker with the more complicated arguments shown below:
x11docker_share="$HOME/x11docker-share"
if [ ! -d "$x11docker_share" ]; then
  mkdir -p "$x11docker_share"
fi
x11docker --runasroot "cat <<-EOF > /etc/sudoers
#$ sudo grep -Ev '^[ ]*(#|$)' /etc/sudoers
Defaults env_reset
Defaults mail_badpass
Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin\"
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
$USER ALL=(ALL) NOPASSWD:ALL
EOF" --share=$x11docker_share --sudouser -c --hostdisplay --init=systemd -- --cap-add=ALL --security-opt seccomp=unconfined -- hongyi-zhao/deepin-wine sh -c '/opt/deepinwine/apps/Deepin-WeChat/run.sh ; sleep 5; while pgrep WeChat; do sleep 1; done'
All other tries with --xpra and --nxagent failed just as you have verified.
The Dockerfile and the image build command are as follows:
$ docker build -t x11docker-deepin-wechat .
Start the docker image and then run wechat from dockerized deepin-terminal.
Any hints for this problem?
Regards, HY
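The x11docker warnings quoted in this thread name, option by option, what isolation each working command line gives up. As an added example (not part of the original thread and not x11docker's own code), the shell function below flags those options in a command line before it is run; the function names are hypothetical and the reasons are paraphrased from the warnings above.

```shell
#!/bin/sh
# Added example, not x11docker code. audit_x11docker_args and count_findings
# are hypothetical names; reasons are paraphrased from the warnings above.

# Print one "option: reason" line for each argument that x11docker warns about.
audit_x11docker_args() {
    prev=""
    for arg in "$@"; do
        case "$arg" in
            --hostdisplay)
                echo "$arg: with trusted cookies, keylogging and controlling host applications is possible" ;;
            --hostipc)
                echo "$arg: IPC namespace remapping is disabled" ;;
            --gpu)
                echo "$arg: container gains access to GPU hardware" ;;
            --cap-default)
                echo "$arg: x11docker capability hardening is disabled" ;;
            --init=systemd)
                echo "$arg: adds SYS_BOOT, shares host cgroups, some processes run as root" ;;
            --pulseaudio|--alsa)
                echo "$arg: container can catch audio output and microphone input" ;;
            --newprivileges=yes)
                echo "$arg: --security-opt=no-new-privileges is not set" ;;
            --cap-add=*|seccomp=unconfined|--security-opt=seccomp=unconfined)
                echo "$arg: custom docker run option, added without a serious check" ;;
            *)
                # Two-word form, e.g. "--cap-add IPC_LOCK".
                if [ "$prev" = "--cap-add" ]; then
                    echo "--cap-add $arg: custom docker run option, added without a serious check"
                fi ;;
        esac
        prev=$arg
    done
}

# Number of findings for one command line.
count_findings() {
    audit_x11docker_args "$@" | wc -l | tr -d ' '
}

# Command line taken from the thread (x11docker itself is not executed).
audit_x11docker_args --init=systemd --cap-default -- \
    --security-opt seccomp=unconfined --cap-add IPC_LOCK -- \
    wechatimage /opt/deepinwine/apps/Deepin-WeChat/run.sh
```

The scan covers every argument, including the container command after the image name, so an application flag that happens to share one of these names would also be reported.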