mviereck / x11docker

Run GUI applications and desktops in docker and podman containers. Focus on security.
MIT License

find more restricted solution for GPU access with shared X socket than option --ipc #3

Closed mviereck closed 7 years ago

mviereck commented 7 years ago

GPU acceleration with option --gpu using core X11 can have rendering glitches. These glitches can be avoided with option --ipc. Then the new X socket is shared (instead of accessing X over TCP). The same problems can occur with option --hostdisplay, independently of option --gpu. Option --hostdisplay uses a shared X socket, too.

Option --ipc sets docker run option --ipc=host. The docker run reference says:

--ipc=host: use the host's IPC namespace inside the container

IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. Shared memory segments are used to accelerate inter-process communication at memory speed, rather than through pipes or through the network stack. Shared memory is commonly used by databases and custom-built (typically C/OpenMPI, C++/using boost libraries) high performance applications for scientific computing and financial services industries. If these types of applications are broken into multiple containers, you might need to share the IPC mechanisms of the containers.

x11docker recommends using this option only with option --hostuser enabled to minimize risks. This way the container does not have root access to interprocess communication and shared memory. However, I'm not sure which risks are left.

I would like to find a more restricted solution to get GPU acceleration accessing X over shared X socket. I've already tested docker run ... --add-cap=ALL and --privileged to check if one of those capabilities could do the trick, but they don't.

Running x11docker-gui -d shows some additional developer options. Enabling options --sharegpu and --xsocket has the same effect as official option --gpu.

Maybe someone has a good idea how to improve container isolation in this case. Any help is appreciated. Also, any assessment about security implications using --ipc=host (as root or as user in container) is welcome.

mviereck commented 7 years ago

Sometimes a solution can be much easier than thought ... I have to explicitly disable extension MIT-SHM when starting a new X server. MIT-SHM seems to be enabled by default which I wasn't aware of. Now those annoying rendering glitches are gone. Option --ipc is still useful to avoid rendering glitches with option --hostdisplay (cannot disable MIT-SHM from host X server except for QT in docker) and to speed up option --gpu.