mviereck / dockerfile-x11docker-deepin

3D desktop deepin from China
MIT License
33 stars 11 forks

The strange behavior when using --share=$HOME. #42

Closed hongyi-zhao closed 3 years ago

hongyi-zhao commented 3 years ago

I tried to use --share=$HOME to start the deepin-wine apricot image with x11docker. This causes the following two symlinks to be created:

werner@X10DAi:~$ ls -l | grep werner$
lrwxrwxrwx  1 werner werner    17 Dec  6 08:23 werner -> /home.host/werner
werner@X10DAi:~$ ls -l ~/x11docker/hongyizhao-deepin-wine | grep werner$
lrwxrwxrwx 1 werner werner   17 Dec  6 08:14 home.host.werner -> /home.host/werner

I'm still confused by this behavior of x11docker. Any hints will be highly appreciated.

Regards, HY

mviereck commented 3 years ago

Did you run this command on host or in container? If there are nonsense symlinks left, please remove them first and run --share=$HOME again. If there are still odd symlinks left on host, please show them.

hongyi-zhao commented 3 years ago

Did you run this command on host or in container?

On host.

If there are nonsense symlinks left, please remove them first and run --share=$HOME again.

Done with the following on host:


$ rm -fr ~/werner
$ rm -fr ~/x11docker/hongyizhao-deepin-wine/home.host.werner

If there are still odd symlinks left on host, please show them.

Yes. See following:

$ ls -la ~/werner 
lrwxrwxrwx 1 werner werner 17 Dec  6 20:31 /home/werner/werner -> /home.host/werner

$ ls -la ~/x11docker/hongyizhao-deepin-wine/home.host.werner 
lrwxrwxrwx 1 werner werner 17 Dec  6 20:26 /home/werner/x11docker/hongyizhao-deepin-wine/home.host.werner -> /home.host/werner

mviereck commented 3 years ago

I cannot reproduce this with x11docker --share=$HOME x11docker/check. Please remove those files again and show me the full command that produces the softlinks.

hongyi-zhao commented 3 years ago

See the following. But this time ~/werner hasn't been created.

$ docker images -f reference=*/deepin-wine
REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE
hongyizhao/deepin-wine   apricot             3256a712a268        23 hours ago        4.2GB

$ x11docker --runasroot 'sed -r "s/^[[:blank:]]*[|]//" <<-EOF > /etc/sudoers
>         |#$ sudo grep -Ev '\''^[ ]*(#|$)'\'' /etc/sudoers
>         |Defaults env_reset
>         |Defaults mail_badpass
>         |Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
>         |root ALL=(ALL:ALL) ALL
>         |%admin ALL=(ALL) ALL
>         |%sudo ALL=(ALL:ALL) ALL
>         |$USER ALL=(ALL) NOPASSWD:ALL
> EOF' --hostnet --pulseaudio --xoverip --home --share=$HOME --sudouser -c --desktop --init=systemd -- --cap-add=ALL -- hongyizhao/deepin-wine:apricot
x11docker note: Option --hostnet is deprecated.
  Please use --network=host instead.

x11docker WARNING: User werner is member of group docker.
  That allows unprivileged processes on host to gain root privileges.

x11docker note: Using X server option --xephyr

x11docker note: Sharing picture clips with option --clipboard
  is only possible with options --xpra, --xpra-xwayland and --hostdisplay.

x11docker note: Xephyr is a quite stable nested X server.
  Less stable, but resizeable is nxagent with option --nxagent.

x11docker WARNING: Option --network=host severly degrades 
  container isolation. Network namespacing is disabled. 
  Container shares host network stack. 
  Spying on network traffic may be possible. 
  Access to host X server :1 may be possible 
  through abstract unix socket.

x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
  x11docker will add them to 'docker run' command without
  a serious check for validity or security. Found options:
   '--cap-add=ALL'

x11docker WARNING: Found option --cap-add=ALL
  in custom docker run options. That is A VERY BAD IDEA.
  This is a very privileged setup.
  Malicious applications may harm to the host.

x11docker WARNING: Option --pulseaudio allows container applications
  to catch your audio output and microphone input.

x11docker WARNING: Option --init=systemd slightly degrades container isolation.
  It adds some user switching capabilities x11docker would drop otherwise.
  However, they are still within default docker capabilities.
  Not within default docker capabilities it adds capability SYS_BOOT.  
  It shares access to host cgroups in /sys/fs/cgroup.
  Some processes in container will run as root.

x11docker WARNING: Option --sudouser severly reduces container security.
  Container gains additional capabilities to allow sudo and su.
  If an application breaks out of container, it can harm your system
  in many ways without you noticing. Password: x11docker

x11docker note: Option --sudouser: Enabling option --newprivileges=yes.
  You can avoid this with --newprivileges=no

x11docker WARNING: Option --newprivileges=yes: x11docker does not set 
  docker run option --security-opt=no-new-privileges. 
  That degrades container security.
  However, this is still within a default docker setup.


Check the automatically created nonsense folders:

werner@X10DAi:~$ ls -l ~/x11docker/hongyizhao-deepin-wine/home.host.werner 
lrwxrwxrwx 1 werner werner 17 Dec  6 20:53 /home/werner/x11docker/hongyizhao-deepin-wine/home.host.werner -> /home.host/werner
werner@X10DAi:~$ ls -l ~/werner
ls: cannot access '/home/werner/werner': No such file or directory

Then I used the suggested option --network=host to run the above command again, and the two folders appear again:

werner@X10DAi:~$ ls -l ~/werner 
lrwxrwxrwx 1 werner werner 17 Dec  6 21:01 /home/werner/werner -> /home.host/werner
werner@X10DAi:~$ ls -l ~/x11docker/hongyizhao-deepin-wine/home.host.werner 
lrwxrwxrwx 1 werner werner 17 Dec  6 20:53 /home/werner/x11docker/hongyizhao-deepin-wine/home.host.werner -> /home.host/werner

mviereck commented 3 years ago

Now I can reproduce the issue. It happens when:

I don't understand why this happens. It occurs when x11docker runs ln -s although the softlink already exists. I would expect ln to fail in this case instead of creating another softlink at a wrong place.

Now x11docker only creates the softlink if it does not exist, and furthermore removes it on exit. That should avoid this issue in future.
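
Added example, not x11docker's own code: it reproduces the ln -s behaviour described above in a temporary directory and shows the guarded form of the fix next to it. The assumption behind the reproduction is that ln treats an existing symlink-to-directory as the destination directory, so a repeated `ln -s` does not fail but silently drops a new link inside the shared directory (here the stand-in for the host home mounted by --share=$HOME).

```shell
#!/bin/sh
# Constructed demo: all paths live under a mktemp directory.

# What x11docker used to do. A second call does not fail: the existing
# link is a symlink to a directory, so ln puts a NEW link inside that
# directory, i.e. inside the shared host home.
naive_link() {
    # $1 = target directory, $2 = desired link path
    ln -s "$1" "$2"
}

# Guarded form: create the link only if nothing is at that path, and
# refuse to touch anything that is not our own link.
guarded_link() {
    if [ -L "$2" ]; then
        [ "$(readlink "$2")" = "$1" ] || return 1   # foreign link: leave it
        return 0                                     # already ours: no-op
    fi
    [ -e "$2" ] && return 1                          # real file/dir in the way
    ln -s "$1" "$2"
}

# Returns 0 if the stray nested link (target/<basename of target>) exists.
stray_exists() {
    [ -L "$1/$(basename "$1")" ]
}

# Runs both variants twice; succeeds only if the naive variant leaves a
# stray link and the guarded variant does not.
demo() {
    tmp=$(mktemp -d)
    target="$tmp/home.host/werner"   # stands in for the shared host home
    link="$tmp/werner"               # stands in for ~/werner on the host
    mkdir -p "$target"

    naive_link "$target" "$link"
    naive_link "$target" "$link"     # second run: creates $target/werner
    stray_exists "$target" && naive_stray=1 || naive_stray=0

    rm -f "$link" "$target/werner"   # what the fix does on exit: clean up
    guarded_link "$target" "$link"
    guarded_link "$target" "$link"   # second run is a no-op
    stray_exists "$target" && guarded_stray=1 || guarded_stray=0

    rm -rf "$tmp"
    echo "naive_stray=$naive_stray guarded_stray=$guarded_stray"
    [ "$naive_stray" = 1 ] && [ "$guarded_stray" = 0 ]
}
```

Running `demo` prints `naive_stray=1 guarded_stray=0`; a user-facing equivalent of the guard is `ln -sn`, which refuses to dereference an existing link and fails with "File exists" instead.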

hongyi-zhao commented 3 years ago

It is fixed by your commit.