mviereck / x11docker

Run GUI applications and desktops in docker and podman containers. Focus on security.
MIT License
5.62k stars, 378 forks

docker-for-win: cygwin/x not working, possible wrong DISPLAY #120

Closed eine closed 5 years ago

eine commented 5 years ago

I tried to execute x11docker --gpu --user=root --cap-default -- -p "8080:8080" -- x11docker/xpra sh -c "apk add xterm && xterm" in cygwin, but it failed:

Warning: This program is an suid-root program or is being run by the root user.
The full text of the error or warning message cannot be safely formatted
in this environment. You may get a more descriptive message by running the
program as a non-root user or by removing the suid bit on the executable.
xterm: Xt error: Can't open display: %s

x11docker_xwin.log

Since I cannot use --interactive in cygwin, I started a container:

$ ./x11docker --gpu --user=root --cap-default -- -p "8080:8080" -- x11docker/xpra sh
x11docker note: Failed to check for sshd. ps -p not supported.

x11docker note: Using X server option --xwin

x11docker note: Per default x11docker stores its cache files on drive C:.
  docker setup may not allow to share files from drive C:.
  If startup fails with an 'access denied' error,
  please either allow access to drive C: or specify a custom folder for cache
  storage with option '--cachebasedir D:/some/cache/folder'.
  Same issue can occur with option '--home'.
  Use option '--homebasedir D:/some/home/folder' in that case.

x11docker note: Windows firewall settings can forbid application access
  to the X server. If no application window appears, but no obvious error
  is shown, please check your firewall settings. Compare issue #108 on github.

x11docker WARNING: Option --cap-default disables security hardening
  for containers. Granting docker's default capabilities is considered insecure.

x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
  x11docker will add them to 'docker run' command
  without a check for validity or security. Found options:
   '-p' '8080:8080'

x11docker WARNING: Option --user=root: Adding some capabilities to allow
  some root privileges in container that x11docker would drop otherwise.

x11docker WARNING: Option --gpu degrades container isolation.
  Container gains access to GPU hardware.
  This allows reading host window content (palinopsia leak)
  and GPU rootkits (compare proof of concept: jellyfish).

x11docker note: Did not find container init system 'tini'.
  This is a bug in your distributions docker package.
  Normally, docker provides init system tini as '/usr/bin/docker-init'.

  x11docker uses tini for clean process handling and fast container shutdown.
  To provide tini yourself, please download tini-static:
    https://github.com/krallin/tini/releases/download/v0.18.0/tini-static
  Store it in one of:
    /home/eine/.local/share/x11docker/
    /usr/local/share/x11docker/

and I opened a terminal from MSYS2 (where winpty is available):

# winpty docker exec -it x11docker_X100_b451e21e43a9f6cebdbc1b174ce0941b_x11docker-xpra sh
/tmp # echo $DISPLAY
:100.75.1
/tmp #

DISPLAY should be 10.0.75.1:100, as reported in xdocker.log. If I set it and start xterm, it does not complain, but nothing is shown:

/tmp # export DISPLAY=10.0.75.1:100
/tmp # apk add xterm
(1/3) Installing libxpm (3.5.12-r0)
(2/3) Installing libxaw (1.0.13-r2)
(3/3) Installing xterm (337-r0)
Executing busybox-1.29.3-r10.trigger
OK: 422 MiB in 214 packages
/tmp # xterm

x11docker_xwin2.log

EDIT

I forgot to mention that the X server is properly started (100.0).

mviereck commented 5 years ago

The log shows that xauth already cannot access Xwin. I am not sure yet why. Please try --no-auth for now; that should work. DISPLAY seems to be set correctly; not sure why it is shown wrong in your docker exec access.

xauth: (argv):1:  unable to open display "10.0.75.1:100".

Edit: I just see that you still set +extension COMPOSITE. Please try without it.

eine commented 5 years ago

I removed +extension COMPOSITE from the script, and I added --no-auth: x11docker.log.

mviereck commented 5 years ago

Maybe it is a firewall issue again? However, this time we get an error message, not an infinite delay on hold. Can you try x11docker --xwin --no-auth --exe xterm that should not trigger a firewall because xterm runs on host? On the other hand, xauth failed previously, too, so the issue is probably something different.

eine commented 5 years ago

You nailed it! I was just coming to report it. Bloody firewall... It stupidly sets two rules...

So, this issue is legit. The DISPLAY envvar is not properly set inside the container. When I exec from MSYS and set export DISPLAY=10.0.75.1:100, xterm works. The following works too:

x11docker --gpu --user=root --cap-default -- -p "8080:8080" -- x11docker/xpra sh -c "apk add xterm && DISPLAY=10.0.75.1:100 xterm"

eine commented 5 years ago

$ ./x11docker --xwin --no-auth --exe xterm
x11docker note: Failed to check for sshd. ps -p not supported.

x11docker note: Per default x11docker stores its cache files on drive C:.
  docker setup may not allow to share files from drive C:.
  If startup fails with an 'access denied' error,
  please either allow access to drive C: or specify a custom folder for cache
  storage with option '--cachebasedir D:/some/cache/folder'.
  Same issue can occur with option '--home'.
  Use option '--homebasedir D:/some/home/folder' in that case.

x11docker note: Windows firewall settings can forbid application access
  to the X server. If no application window appears, but no obvious error
  is shown, please check your firewall settings. Compare issue #108 on github.

x11docker WARNING: Option --no-auth: SECURITY RISK!
  Allowing access to X server for everyone.

:100 runs without cookie authentication..75.1

:100m: Xt error: Can't open display: 10.0.75.1
x11docker WARNING: Application 'xterm ' terminated fast
  or failed at all, or the process forked itself and cannot be supervised.
  Last lines of application output:
==> /cygdrive/c/Users/eine/x11docker/cache/xterm-e8260deaef1e6d799bb6b32a22b9f370/share/stdout <==

==> /cygdrive/c/Users/eine/x11docker/cache/xterm-e8260deaef1e6d799bb6b32a22b9f370/share/stderr <==
:100m: Xt error: Can't open display: 10.0.75.1

x11docker.log

mviereck commented 5 years ago

You nailed it! I was just coming to report it. Bloody firewall... It stupidly sets two rules...

If there was a firewall issue, could you add some info in #108 concerning Xwin?

:100m: Xt error: Can't open display: 10.0.75.1

This looks like a DOS/UNIX newline issue. The :100 appears at the wrong place. I've made an update that converts the newline in the IP check. Please try out. However, it is odd that the issue did not appear in MSYS2 as well. Can you also try with --vcxsrv?

eine commented 5 years ago

This looks like a DOS/UNIX newline issue. The :100 appears at the wrong place. I've made an update that converts the newline in the IP check. Please try out. However, it is odd that the issue did not appear in MSYS2 as well.

I did a git fetch and pull from MSYS:

# git pull
Updating 6094dda..3ac61a5
Fast-forward
 x11docker | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

If I try to execute it in Cygwin:

$ ./x11docker --xwin --no-auth --exe xterm
./x11docker: line 2: $'\r': command not found
./x11docker: line 13: $'\r': command not found
./x11docker: line 15: $'\r': command not found
./x11docker: line 356: $':\r': command not found
./x11docker: line 357: $'}\r': command not found
./x11docker: line 358: syntax error near unexpected token `}'
'/x11docker: line 358: `  } || {

So I executed dos2unix (in Cygwin):

$ dos2unix x11docker
dos2unix: converting file x11docker to Unix format...

Now xterm (local) works:

$ ./x11docker --xwin --no-auth --exe xterm
x11docker note: Failed to check for sshd. ps -p not supported.

x11docker note: Per default x11docker stores its cache files on drive C:.
  docker setup may not allow to share files from drive C:.
  If startup fails with an 'access denied' error,
  please either allow access to drive C: or specify a custom folder for cache
  storage with option '--cachebasedir D:/some/cache/folder'.
  Same issue can occur with option '--home'.
  Use option '--homebasedir D:/some/home/folder' in that case.

x11docker note: Windows firewall settings can forbid application access
  to the X server. If no application window appears, but no obvious error
  is shown, please check your firewall settings. Compare issue #108 on github.

x11docker WARNING: Option --no-auth: SECURITY RISK!
  Allowing access to X server for everyone.

x11docker WARNING: --xwin: X server 10.0.75.1:100 runs without cookie authentication.

xterm: cannot load font "-Misc-Fixed-bold-R-*-*-13-120-75-75-C-120-ISO10646-1"

It seems to be fixed, indeed. x11docker --gpu --user=root --cap-default -- -p "8080:8080" -- x11docker/xpra sh -c "apk add xterm && xterm" now works ok.

Can you also try with --vcxsrv?

I got the Invalid MIT-MAGIC-COOKIE-1 error again. But after retrying it works:

$ ./x11docker --vcxsrv --gpu --user=root --cap-default -- -p "8080:8080" -- x11docker/xpra sh -c "apk add xterm && xterm"
...
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/3) Installing libxpm (3.5.12-r0)
(2/3) Installing libxaw (1.0.13-r2)
(3/3) Installing xterm (337-r0)
Executing busybox-1.29.3-r10.trigger
OK: 422 MiB in 214 packages
Invalid MIT-MAGIC-COOKIE-1 keyWarning: This program is an suid-root program or is being run by the root user.
The full text of the error or warning message cannot be safely formatted
in this environment. You may get a more descriptive message by running the
program as a non-root user or by removing the suid bit on the executable.
xterm: Xt error: Can't open display: %s

$ ./x11docker --vcxsrv --gpu --user=root --cap-default -- -p "8080:8080" -- x11docker/xpra sh -c "apk add xterm && xterm"
...
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/3) Installing libxpm (3.5.12-r0)
(2/3) Installing libxaw (1.0.13-r2)
(3/3) Installing xterm (337-r0)
Executing busybox-1.29.3-r10.trigger
OK: 422 MiB in 214 packages

This seems to be solved, so I'm closing it. Thanks for the quick fix!
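Two things went wrong in this thread for the same reason: a carriage return. The IP address read from a Windows tool carried a trailing CR, so "10.0.75.1\r:100" printed as ":100...75.1" and xterm tried to open display "10.0.75.1"; and a CRLF checkout of the script itself made bash choke on `$'\r'`. The following is an added example, not x11docker's own code, showing the two checks a practitioner would want: strip CR/LF from any value taken from Windows output before it goes into DISPLAY, refuse values that still contain anything but an address and a number, and detect CRLF line endings in a script before running it. The sample "Windows output" and the temporary files are constructed here; the function names (strip_crlf, make_display, has_crlf) are this example's own.

```shell
#!/bin/sh
# Added example (not x11docker code). Demonstrates sanitising values that
# come from Windows tools (which end lines with CR LF) before they are used
# to build DISPLAY, and detecting CRLF line endings in a shell script.

# Remove every CR and LF from a single value and print the result.
strip_crlf() {
  printf '%s' "$1" | tr -d '\r\n'
}

# Build "host:number" from an IP and an X display number.
# Prints nothing and returns 1 if either part contains anything other
# than digits and dots (IP) or digits (display number), which also
# catches stray control characters that tr did not remove.
make_display() {
  ip=$(strip_crlf "$1")
  num=$(strip_crlf "$2")
  case "$ip" in
    ""|*[!0-9.]*) return 1 ;;
  esac
  case "$num" in
    ""|*[!0-9]*) return 1 ;;
  esac
  printf '%s:%s' "$ip" "$num"
}

# Return 0 if the file contains at least one CR byte (CRLF line endings),
# the condition that makes bash report "$'\r': command not found".
# Compares the byte count with and without CRs; portable to any POSIX sh.
has_crlf() {
  with_cr=$(wc -c < "$1" | tr -d ' ')
  without_cr=$(tr -d '\r' < "$1" | wc -c | tr -d ' ')
  [ "$with_cr" -ne "$without_cr" ]
}

# Stand-alone demonstration with constructed input.
if [ "${DEMO:-1}" = 1 ]; then
  # Constructed: what ipconfig output looks like after one line is cut out
  # under Cygwin, i.e. with the CR still attached.
  windows_ip=$(printf '10.0.75.1\r')

  printf 'Unsanitised DISPLAY (note the mangled output): %s:%s\n' "$windows_ip" 100
  printf 'Sanitised DISPLAY: %s\n' "$(make_display "$windows_ip" 100)"

  if make_display "10.0.75.1;xterm" 100 >/dev/null; then
    echo "unexpected: junk accepted"
  else
    echo "Rejected a host value containing non-address characters"
  fi

  tmp=$(mktemp)
  printf '#!/bin/sh\r\necho hello\r\n' > "$tmp"
  if has_crlf "$tmp"; then
    echo "Constructed script has CRLF line endings; run dos2unix first"
  fi
  rm -f "$tmp"
fi
```

Run it with `sh example.sh`; the first printf shows the same cursor-return mangling seen in the thread, the second shows the cleaned value. Setting `DEMO=0` skips the demonstration so the functions can be sourced into another script.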