mviereck / x11docker

Run GUI applications and desktops in docker and podman containers. Focus on security.
MIT License

#question: x11docker on bare server (no "ServerGUI") #268

Closed SemanticBeeng closed 4 years ago

SemanticBeeng commented 4 years ago

#01 Can x11docker run on Unix servers without X11 (running) ?

Context: "An X server. Probably already installed." on https://github.com/mviereck/x11docker/wiki/Dependencies

Looking to use x11docker to run graphical applications on a bare, remote Ubuntu server and to access them remotely. In the spirit of avoiding the risks outlined here https://help.ubuntu.com/community/ServerGUI am thinking it would be best to not install X11 on host. But then the dependencies wiki page suggests X11 packages must be installed on the host. Must also have X11 started or just installed? If must run then how to think about the risks to the host outlined in the link above?

#02 How good would be the graphical quality given that the servers have poor graphical hardware. Asking by comparison with virtualbox which simulates the graphics and can provide high resolution even for low resolution cards.

#03 In terms of remote access, this VNC image https://github.com/mviereck/x11docker/wiki/VNC says "x11docker would not be required at all". That sounds a bit confusing: VNC is for remote access but x11docker has many other features. VNC gives advantages over ssh https://github.com/mviereck/x11docker/wiki/Remote-access-with-SSH because one can leave containers running and re-connect. Also, am looking to run Docker containers using "contexts" as per https://www.docker.com/blog/how-to-deploy-on-remote-docker-hosts-with-docker-compose/ and starting a container over ssh would ... conflict with that. Such control over lifespan of remote container is critical in complex development / troubleshooting where multiple containers may need to be composed.

Did not see a VNC docker image and feel am missing something... :thinking:

Please advise (one question at a time, as you can afford).

mviereck commented 4 years ago

01 Can x11docker run on Unix servers without X11 (running) ?

X clients always need an X server. The only way I see to have no X server on the server is to run ssh -X x11docker --hostdisplay. This way you use the X server of your client system.

In the spirit of avoiding the risks outlined here https://help.ubuntu.com/community/ServerGUI am thinking it would be best to not install X11 on host.

Beside Xorg (package xorg) there are other possible X servers. xpra can use Xvfb or Xdummy, VNC normally uses Xvfb, too. I see several risks if you install a full desktop environment with several "services" as outlined in the article. I'd say an X server on its own is less an issue. However, multiple X applications running on the same X server can spy and control each other. This point is missing in the article.

Must also have X11 started or just installed?

x11docker runs the X server on its own, it does not need to run beforehand. However, nested X servers like Xephyr need an already running X environment or ssh -X. One possible setup is to run x11docker with --xvfb and access this with xpra.

02 How good would be the graphical quality given that the servers have poor graphical hardware. Asking by comparison with virtualbox which simulates the graphics and can provide high resolution even for low resolution cards.

Most setups use software rendering / CPU only. You can specify an arbitrary display size. Setups using a GPU are possible, but need more manual setup.

VNC gives advantages over ssh https://github.com/mviereck/x11docker/wiki/Remote-access-with-SSH because one can leave containers running and re-connect.

I prefer xpra to allow re-connection. I am less familiar with VNC. However, it has xserver-xorg-core in its dependency chain although it could run with Xvfb only. Providing a dummy package replacing xserver-xorg-video-dummy could be a workaround to use xpra without installing xorg.

Did not see a VNC docker image and feel am missing something... :thinking:

There is no VNC image. In fact, I barely tested VNC setups at all.

03 In terms of remote access, this VNC image https://github.com/mviereck/x11docker/wiki/VNC says "x11docker would not be required at all".

That sounds a bit confusing: VNC is for remote access but x11docker has many other features.

That could be explained better, yes. x11docker runs an X server on host and provides X access to the container. Alternatively, you can run VNC or xpra server inside the container. In that case the X server runs in the container, too. x11docker is not needed but still possible to run the container. You can run x11docker with option --tty to start no X server on host. Instead, you set up the container so that it starts VNC or xpra itself.

Overall, I see two ways for detachable setups:

I hope my answer is not confusing. Feel free to ask further.

synclpz commented 4 years ago

This definitely got to be added to docs.

SemanticBeeng commented 4 years ago

Thanks. this helps.

"I'd say an X server on its own is less an issue."

How to think when comparing having virtualbox for all users vs individual x11dockers?

nested X servers like Xephyr need an already running X environment or ssh -X.

Hmm... not an expert in X stuff so am having a hard time understanding this "or". Wip on studying and experimenting with https://github.com/mviereck/x11docker/wiki/Remote-access-with-SSH and https://github.com/mviereck/x11docker/wiki/Short-setups-to-provide-X-display-to-container which are very rich, thank you.

If I am supposed to understand the above from those articles, then I will dig. Extra hints always appreciated.

Choosing between xpra and xephyr is a bit of a stumbling block. My golden standard is nomachine and looking to replace with x11docker because of the modularization but would not want to lose too much from UX quality.

SemanticBeeng commented 4 years ago

you can run VNC or xpra server inside the container. In that case the X server runs in the container, too. x11docker is not needed but still possible to run the container.

Would this not avoid having to install X and having it started on the host?

Been looking at https://github.com/x11vnc/x11vnc-desktop (with application here https://github.com/x11vnc/atom-desktop) to compare: looks fine but not as advanced as x11docker.

Trying to understand the use of VNC there with the X servers in your implementation from the point of the "heebee jeebees" I get from the thought of having X server running on host (as described above).

SemanticBeeng commented 4 years ago

Set up xpra or VNC in the container and run it with x11docker option --tty. No X server on the server host system, but needs additional packages and setup in the container.

This sounds attractive! If possible not to have an X server running outside containers (on the host) then how come this is not documented? :sunglasses: (How would that work: have a dedicated container with X running and docker-compose with? :thinking: )

Again from security POV it would be great to have all this X stuff run from Docker so that we/I could control external access at network level. I have OpenVPN setup and looking to have X/VNC traffic just in the VPN virtual network and none on the main network. This would be a decent way to mitigate the risks from "ServerGUI" above, no?

If so, then may I bug you for some help to implement this deployment mode ?

mviereck commented 4 years ago

If possible not to have an X server running outside containers (on the host) then how come this is not documented?

Originally x11docker was intended to run GUIs in a container visible on a local system. Running an invisible X server (along with VNC or xpra) in a container is possible, but not part of x11docker. You have to set up X in the container yourself. x11docker can still be useful in this picture with some features like container user setup.

(How would that work: have a dedicated container with X running and docker-compose with? :thinking: )

Possible in general. However, if more than one container accesses this X server, they could spy and control each other. It would be simpler to have a base image with an X server setup and build other images upon it.

This would be a decent way to mitigate the risks from "ServerGUI" above, no?

Yes, of course.

If so, then may I bug you for some help to implement this deployment mode ?

You're welcome. My attempt would be to create a base image with VNC or xpra. Build images with desired applications based on this VNC/xpra image. Let VNC/xpra run the desired applications.

A dedicated VNC/xpra image is possible, too. I would run one instance per desired container. However, I am not familiar with setups where containers communicate with each other. Not sure how to share an X unix socket across containers. Alternatively, an X TCP setup is possible, but discouraged by X developers. A connection could be done with docker option --net using the same network for both containers.
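One concrete shape of the base image sketched above, added here as an example and not code from the x11docker project or from either participant. It runs xpra (and with it Xvfb) inside the container, so the server host needs no X server at all, and each container gets its own X server, which addresses the "applications on one X server can spy on each other" point raised earlier. The base image, the package names, the port 14500, the user name xuser and the x11docker/docker/ssh command lines in the comments are assumptions; check them against your distribution's xpra package and the x11docker README.

```dockerfile
# Added example, not part of x11docker or of this thread. Base image that runs
# its own X server (Xvfb, managed by xpra) so the server host needs no X at all.
# Assumptions: a Debian-based image with xpra packaged; TCP port 14500; user "xuser".
FROM debian:bookworm-slim

RUN apt-get update \
 && apt-get install -y --no-install-recommends xpra xvfb xterm \
 && rm -rf /var/lib/apt/lists/*

# Run as an unprivileged user. xpra, Xvfb and the GUI application all live in
# this user's session, and every container started from this image gets its own
# X server, so applications in different containers cannot spy on or control
# each other through X.
RUN useradd --create-home --uid 1000 xuser \
 && mkdir -p /tmp/xdg && chown xuser:xuser /tmp/xdg
ENV XDG_RUNTIME_DIR=/tmp/xdg
USER xuser
WORKDIR /home/xuser

# xpra listens on the container's interfaces only. Unpublished container ports
# are not reachable from outside the host; publishing the port on the host's
# loopback address (see below) keeps the only routes in an ssh tunnel or the
# VPN interface, never the host's public network.
CMD ["xpra", "start", ":100", \
     "--daemon=no", \
     "--bind-tcp=0.0.0.0:14500", \
     "--start-child=xterm", \
     "--exit-with-children=yes"]

# Build and run (assumed command lines; x11docker --tty starts no X server on
# the host, the part after the second "--" is the image):
#   docker build -t xpra-base .
#   x11docker --tty -- -p 127.0.0.1:14500:14500 -- xpra-base
#   # equivalent with plain docker:
#   docker run --rm -p 127.0.0.1:14500:14500 xpra-base
# Attach from the client through ssh, so no X/xpra traffic leaves the tunnel:
#   ssh -N -L 14500:127.0.0.1:14500 user@server &
#   xpra attach tcp:127.0.0.1:14500
```

The container keeps running after the client detaches, and `xpra attach` reconnects to the same session, which is the detachable behaviour asked about at the start of the thread. Other containers on the same docker bridge network can still reach the published xpra port, so if several people share the host, enable xpra's own authentication (its --tcp-auth option) or give each container its own network rather than relying on the loopback publish alone.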

mviereck commented 4 years ago

Just for reference: Server setups, but with focus on GPU support: #197 #199

SemanticBeeng commented 4 years ago

Thanks. Still parsing a few things out about how x11docker and this other image (or container) would work together.

x11docker can still be useful in this picture

Does this look close to what you are thinking ? https://github.com/retog/docker-x11-xpra

mviereck commented 4 years ago

Does this look close to what you are thinking ?

Yes, sort of. Sorry for my late response.

Basically I'd recommend that you first try a setup with VNC or xpra on host until it works and you are satisfied. Then do the same in a container and look where it fails. Likely you have to do some port forwarding, but not more than that. I am not sure if x11docker will be a great help here. It might make more sense to look which of its features would be helpful for you, and then implement them yourself. I think container user setup and privilege restrictions are most of interest. The wiki already gives some hints. If you know which features you need and you get stuck, just ask me.