Closed mviereck closed 7 years ago
Sometimes a solution can be much easier than thought ... I have to explicitly disable extension MIT-SHM when starting a new X server. MIT-SHM seems to be enabled by default which I wasn't aware of. Now those annoying rendering glitches are gone. Option --ipc is still useful to avoid rendering glitches with option --hostdisplay (cannot disable MIT-SHM from host X server except for QT in docker) and to speed up option --gpu.
GPU acceleration with option --gpu using core X11 can have rendering glitches. These glitches can be avoided with option --ipc. Then the new X socket is shared (instead of accessing X over tcp). Same problems can occur with option --hostdisplay, independent from option --gpu. Option --hostdisplay uses shared X socket, too.

Option --ipc sets docker run option --ipc=host. The docker run reference says:

x11docker recommends to use this option only with option --hostuser enabled to minimize risks. This way the container does not have root access to interprocess communication and shared memory. However, I'm not sure which risks are left.

I would like to find a more restricted solution to get GPU acceleration accessing X over shared X socket. I've already tested docker run ... --add-cap=ALL and --privileged to check if one of those capabilities could do the trick, but they don't.

Running x11docker-gui -d shows some additional developer options. Enabling options --sharegpu and --xsocket has the same effect as official option --gpu.

Maybe someone has a good idea how to improve container isolation in this case. Any help is appreciated. Also, any assessment about security implications using --ipc=host (as root or as user in container) is welcome.
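As an added defender-side check (example code, not part of the thread and not x11docker's own code), the two helpers below audit the two settings this issue turns on: whether the X server still advertises the MIT-SHM extension, and whether a container runs with the host IPC namespace (--ipc=host). The xdpyinfo and docker inspect outputs embedded here are constructed samples; the live commands in the comments assume xdpyinfo and docker are on PATH.

```shell
#!/bin/sh
# Return 0 if MIT-SHM appears in an xdpyinfo extension list read from stdin.
# xdpyinfo prints extensions as indented lines between the
# "number of extensions:" and "default screen number:" lines.
mitshm_enabled() {
    sed -n '/^number of extensions:/,/^default screen number:/p' \
        | grep -q '^[[:space:]]*MIT-SHM$'
}

# Print a container's IPC mode from `docker inspect` JSON read from stdin.
# "host" means the container shares the host's IPC namespace and shared memory.
ipc_mode() {
    sed -n 's/.*"IpcMode"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Live usage (needs a running X server / docker daemon):
#   xdpyinfo -display "$DISPLAY" | mitshm_enabled && echo "MIT-SHM enabled"
#   docker inspect some_container | ipc_mode
# A nested X server without MIT-SHM, as in the closing comment, uses the
# standard X server option to disable a named extension:
#   Xephyr :1 -extension MIT-SHM &

# Constructed sample outputs for offline use.
SAMPLE_XDPYINFO='name of display:    :0
number of extensions:    3
    BIG-REQUESTS
    MIT-SHM
    XInputExtension
default screen number:    0'

SAMPLE_INSPECT='[{"Id":"constructed","HostConfig":{"IpcMode":"host","Privileged":false}}]'

# Run both checks on the samples and report the result on one line.
check_sample() {
    if printf '%s\n' "$SAMPLE_XDPYINFO" | mitshm_enabled; then
        shm=enabled
    else
        shm=disabled
    fi
    mode=$(printf '%s\n' "$SAMPLE_INSPECT" | ipc_mode)
    printf 'MIT-SHM: %s; container IpcMode: %s\n' "$shm" "$mode"
}
```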