mviereck / x11docker

Run GUI applications and desktops in docker and podman containers. Focus on security.
MIT License

Strange message during installing new image #193

Closed R3D9477 closed 4 years ago

R3D9477 commented 4 years ago

Hello. I have a strange error while the new image is installing. Here is the full log:

$ x11docker --hostdisplay --gpu x11docker/check
x11docker WARNING: User player is member of group docker.
  That allows unprivileged processes on host to gain root privileges.

x11docker WARNING: Option --gpu degrades container isolation.
  Container gains access to GPU hardware.
  This allows reading host window content (palinopsia leak)
  and GPU rootkits (compare proof of concept: jellyfish).

x11docker note: Option --gpu: To allow GPU acceleration with --hostdisplay,
  x11docker will allow trusted cookies.

x11docker note: Option --hostdisplay: To allow --hostdisplay with trusted cookies,
  x11docker must share host IPC namespace with container (option --hostipc)
  to allow shared memory for X extension MIT-SHM.

x11docker WARNING: Option --hostdisplay with trusted cookies provides
      QUITE BAD CONTAINER ISOLATION !
  Keylogging and controlling host applications is possible! 
  Clipboard sharing is enabled (option --cliboard).
  It is recommended to use another X server option like --xpra or --nxagent.

x11docker WARNING: Option --hostipc severely degrades 
  container isolation. IPC namespace remapping is disabled.

x11docker WARNING: Sharing device file: /dev/dri

x11docker WARNING: Sharing device file: /dev/vga_arbiter

Image x11docker/check not found locally.
Do you want to pull it from docker hub?
(timeout after 60s assuming no) [Y|n]
x11docker note: Pulling image 'x11docker/check' from docker hub

Using default tag: latest
latest: Pulling from x11docker/check
5ae19949497e: Already exists 
3041f0d64112: Pull complete 
c1572d5429cf: Downloading [=================>                                 ]   77.4MB/215.8MB
bfea0353bba5: Download complete 
e7d8c0b6d235: Download complete 
4ba6f9bf127a: Download complete 
a8f6d39042ba: Download complete 
a240f9ac8b29: Download complete 
269280c5d256: Download complete 
48702744d0aa: Downloading [=======================>                           ]  11.32MB/24.07MB
b7b6f0e554b9: Download complete 

x11docker ERROR: waitforlogentry(): start_xserver(): Timeout waiting for log entry "readyforX=ready" in store.info
  Last lines of logfile store.info:
x11dockerpid=5278
xserver=--hostdisplay
DISPLAY=:0
XAUTHORITY=/home/player/.cache/x11docker/x11docker-check-37690852501/share/Xauthority.client
XSOCKET=/tmp/.X11-unix/X0
XDG_RUNTIME_DIR=/run/user/1000
Xenv= DISPLAY=:0 XAUTHORITY=/home/player/.cache/x11docker/x11docker-check-37690852501/share/Xauthority.client XSOCKET=/tmp/.X11-unix/X0 XDG_RUNTIME_DIR=/run/user/1000
c1572d5429cf: Downloading [==================>                                ]  77.94MB/215.8MB
containername=x11docker_X0_x11docker-check_37690852501
runtime=runc

  Type 'x11docker --help' for usage information
  Debug options: '--verbose' (full log) or '--debug' (log excerpt).
  Logfile will be: /home/player/.cache/x11docker/x11docker.log
48702744d0aa: Downloading [========================>                          ]  11.57MB/24.07MB

/usr/bin/x11docker: line 854:  6379 Terminated              { trap '' SIGINT; case $X11dockermode in 
    run)
        start_docker
    ;;
    exe)
        start_hostexe
    ;;
esac; Pid1pid="$(storeinfo dump pid1pid)"; case $X11dockermode in 
    run)
        case $Winsubsystem in 
            "")
                setonwatchpidlist "${Pid1pid:-NOPID}" pid1pid
            ;;
            *)
                setonwatchpidlist "CONTAINER$Containername"
            ;;
        esac
    ;;
    exe)
        setonwatchpidlist "${Pid1pid:-NOPID}" pid1pid
    ;;
esac; case $Xserver in 
    --tty | --hostdisplay | --hostwayland | --weston | --kwin)

    ;;
    *)
        Xinitpid="$(pgrep -a xinit 2>/dev/null | grep "xinit $Xinitrc" | awk '{print $1}')"; checkpid "$Xinitpid" && setonwatchpidlist $Xinitpid xinit; echo $Xcommand | grep -q Xorgwrapper && Line="Xorg $Newdisplay" || Line="$(echo "$Xcommand" | head -n1)"; Xserverpid=$(ps aux | rmcr| grep "$(echo "${Line:-nothingtolookfor}" | cut -d' ' -f1-2)" | grep -v grep | grep -v xinit | awk '{print $2}'); checkpid "$Xserverpid" && setonwatchpidlist "$Xserverpid" Xserver
c1572d5429cf: Downloading [==================>                                ]  78.48MB/215.8MB
c1572d5429cf: Pull complete 
bfea0353bba5: Pull complete 
e7d8c0b6d235: Pull complete 
4ba6f9bf127a: Pull complete 
a8f6d39042ba: Pull complete 
a240f9ac8b29: Pull complete 
269280c5d256: Pull complete 
48702744d0aa: Pull complete 
b7b6f0e554b9: Pull complete 
Digest: sha256:d274779d23b3cb21f26cae77668dd9478cc04eb6089a3b18f7268415d22ade12
Status: Downloaded newer image for x11docker/check:latest
docker.io/x11docker/check:latest

docker:

$ docker --version
Docker version 19.03.4, build 9013bf583a

I'm seeing this message with any image I try to install. Any ideas? Thanks.

mviereck commented 4 years ago

Thank you for reporting this!

Yesterday I fixed this bug in commit https://github.com/mviereck/x11docker/commit/965cbe58305d3a7678365cfe3e41ac4de59d9747. It is a timeout error while pulling a new image. Now x11docker waits until docker pull is ready. I've already published a new release, v6.4.0, that contains the fix. Please update x11docker (x11docker --update).
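The ordering problem described in this reply, as an added example that is not part of the original thread and is not x11docker code. It is a simplified model: `simulated_pull`, `simulated_start`, `run_racy` and `run_fixed` are hypothetical names, and only the marker string `readyforX=ready` is taken from the log above.

```shell
# Simplified model of a startup timeout racing a slow image pull.
# Not x11docker code; all function names here are hypothetical.

# Poll FILE once per second until PATTERN appears.
# Returns 0 when found, 1 once TIMEOUT seconds have passed.
wait_for_entry() {
    local file=$1 pattern=$2 timeout=$3 waited=0
    while ! grep -q -- "$pattern" "$file" 2>/dev/null; do
        if [ "$waited" -ge "$timeout" ]; then return 1; fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Stand-ins: a pull that takes $1 seconds, and a startup step
# that writes the ready marker into the store file $1.
simulated_pull()  { sleep "$1"; }
simulated_start() { echo "readyforX=ready" >> "$1"; }

# Racy ordering: the timed wait starts while the pull is still running,
# so a pull longer than the timeout is reported as a startup failure.
run_racy() {   # usage: run_racy PULL_SECONDS TIMEOUT_SECONDS
    local store rc bg
    store=$(mktemp)
    ( simulated_pull "$1"; simulated_start "$store" ) &
    bg=$!
    if wait_for_entry "$store" "readyforX=ready" "$2"; then rc=0; else rc=1; fi
    wait "$bg"
    rm -f "$store"
    return "$rc"
}

# Fixed ordering: the pull runs to completion first, and only then
# does the timed wait for the ready marker begin.
run_fixed() {  # usage: run_fixed PULL_SECONDS TIMEOUT_SECONDS
    local store rc bg
    store=$(mktemp)
    simulated_pull "$1"
    ( simulated_start "$store" ) &
    bg=$!
    if wait_for_entry "$store" "readyforX=ready" "$2"; then rc=0; else rc=1; fi
    wait "$bg"
    rm -f "$store"
    return "$rc"
}
```

With a 3-second pull and a 1-second timeout, `run_racy 3 1` returns 1 and `run_fixed 3 1` returns 0.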

R3D9477 commented 4 years ago

@mviereck I've updated x11docker and it seems like the problem is gone. Thanks! So can I close the issue?

mviereck commented 4 years ago

> I've updated x11docker and it seems like the problem is gone.

Great!

> So can I close the issue?

Yes; I'll do it now.