mviereck / x11docker

Run GUI applications and desktops in docker and podman containers. Focus on security.
MIT License

/x11docker/cmdrc: 51: /x11docker/cmdrc: [startdde]: not found #370

Closed hongyi-zhao closed 3 years ago

hongyi-zhao commented 3 years ago

On Ubuntu 20.04, I tried to start my docker container deepin-wine with the latest git master version of x11docker, but it failed. See below for more detailed info:

$ x11docker --runasroot 'sed -r "s/^[[:blank:]]*[|]//" <<-EOF > /etc/sudoers
        |#$ sudo grep -Ev '\''^[ ]*(#|$)'\'' /etc/sudoers  
        |Defaults   env_reset
        |Defaults   mail_badpass
        |Defaults   secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
        |root   ALL=(ALL:ALL) ALL
        |%admin ALL=(ALL) ALL
        |%sudo  ALL=(ALL:ALL) ALL
        |$USER ALL=(ALL) NOPASSWD:ALL
    EOF' --xephyr --network=bridge --pulseaudio --xoverip --home --share=$HOME --sudouser -c --desktop --init=systemd -- --device /dev/mem:/dev/mem --cap-add=ALL -- hongyizhao/deepin-wine:latest
x11docker WARNING: User werner is member of group docker.
  That allows unprivileged processes on host to gain root privileges.

x11docker WARNING: You are running GNOME desktop in outdated version 
  GNOME Shell 3.36.4
  This might cause issues with host applications if using additional X servers.
  It is recommended to use another desktop environment or GNOME >= 3.38.
  Only --xorg or discouraged option --hostdisplay might work as expected.

x11docker note: Sharing picture clips with option --clipboard
  is only possible with options --xpra, --xpra-xwayland and --hostdisplay.

x11docker note: Option --init=systemd: Found cgroup v2
  on your system. systemd in container might fail without an error message.
  As a workaround you can set a kernel boot option to enforce cgroup v1:
    systemd.unified_cgroup_hierarchy=0
  Compare ticket https://github.com/mviereck/x11docker/issues/349

x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
  x11docker will add them to 'docker run' command without
  a serious check for validity or security. Found options:
   '--device' '/dev/mem:/dev/mem' '--cap-add=ALL'

x11docker WARNING: Found option --cap-add=ALL
  in custom docker run options. That is A VERY BAD IDEA.
  That is a very privileged setup.
  Malicious applications may harm to the host.

x11docker WARNING: Option --pulseaudio allows container applications
  to catch your audio output and microphone input.

x11docker WARNING: Option --init=systemd slightly degrades container isolation.
  It adds some user switching capabilities x11docker would drop otherwise.
  However, they are still within default docker capabilities.
  Not within default docker capabilities it adds capability SYS_BOOT.  
  It shares access to host cgroups in /sys/fs/cgroup.
  Some processes in container will run as root.

x11docker WARNING: Option --sudouser severly reduces container security.
  Container gains additional capabilities to allow sudo and su.
  If an application breaks out of container, it can harm your system
  in many ways without you noticing. Default password: x11docker

x11docker note: Option --sudouser: Enabling option --newprivileges=yes.
  You can avoid this with --newprivileges=no

x11docker WARNING: Option --newprivileges=yes: x11docker does not set 
  docker run option --security-opt=no-new-privileges. 
  That degrades container security.
  However, this is still within a default docker setup.

/x11docker/cmdrc: 51: /x11docker/cmdrc: [startdde]: not found
werner@X10DAi:~$ deepin-wine@latest.sh 
x11docker WARNING: User werner is member of group docker.
  That allows unprivileged processes on host to gain root privileges.

x11docker WARNING: You are running GNOME desktop in outdated version 
  GNOME Shell 3.36.4
  This might cause issues with host applications if using additional X servers.
  It is recommended to use another desktop environment or GNOME >= 3.38.
  Only --xorg or discouraged option --hostdisplay might work as expected.

x11docker note: Sharing picture clips with option --clipboard
  is only possible with options --xpra, --xpra-xwayland and --hostdisplay.

x11docker note: Option --init=systemd: Found cgroup v2
  on your system. systemd in container might fail without an error message.
  As a workaround you can set a kernel boot option to enforce cgroup v1:
    systemd.unified_cgroup_hierarchy=0
  Compare ticket https://github.com/mviereck/x11docker/issues/349

x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
  x11docker will add them to 'docker run' command without
  a serious check for validity or security. Found options:
   '--device' '/dev/mem:/dev/mem' '--cap-add=ALL'

x11docker WARNING: Found option --cap-add=ALL
  in custom docker run options. That is A VERY BAD IDEA.
  That is a very privileged setup.
  Malicious applications may harm to the host.

x11docker WARNING: Option --pulseaudio allows container applications
  to catch your audio output and microphone input.

x11docker WARNING: Option --init=systemd slightly degrades container isolation.
  It adds some user switching capabilities x11docker would drop otherwise.
  However, they are still within default docker capabilities.
  Not within default docker capabilities it adds capability SYS_BOOT.  
  It shares access to host cgroups in /sys/fs/cgroup.
  Some processes in container will run as root.

x11docker WARNING: Option --sudouser severly reduces container security.
  Container gains additional capabilities to allow sudo and su.
  If an application breaks out of container, it can harm your system
  in many ways without you noticing. Default password: x11docker

x11docker note: Option --sudouser: Enabling option --newprivileges=yes.
  You can avoid this with --newprivileges=no

x11docker WARNING: Option --newprivileges=yes: x11docker does not set 
  docker run option --security-opt=no-new-privileges. 
  That degrades container security.
  However, this is still within a default docker setup.

/x11docker/cmdrc: 51: /x11docker/cmdrc: [startdde]: not found

Any hints for this problem?

Regards, HY
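
The warnings in the report (custom DOCKER_RUN_OPTIONS passed through without a security check, `--cap-add=ALL`, `/dev/mem` passed as a device, no `--security-opt=no-new-privileges`, and a sudoers file with `NOPASSWD:ALL`) are the kind of thing worth checking mechanically before a container is launched. The following is an added example, not code from x11docker or from this thread: a small Python auditor for a `docker run` option list and for sudoers text. The flag names are docker's and sudo's; the severity labels, the function names and the sample inputs (the three option tokens x11docker listed, and the sudoers heredoc with its `|` prefix removed) are this example's own constructions.

```python
"""Audit a custom 'docker run' option list before it is appended to the
command line, the way x11docker warns about DOCKER_RUN_OPTIONS.
Example code, not part of x11docker; flag names are docker's, the severity
labels are this example's own."""
import re

# Capabilities outside docker's default set that are root-on-host once held by
# a root process in the container; ALL implies every one of them.
HIGH_RISK_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE",
                  "SYS_BOOT", "DAC_READ_SEARCH", "NET_ADMIN"}
# Host device nodes whose pass-through is equivalent to host root.
HIGH_RISK_DEVICES = ("/dev/mem", "/dev/kmem", "/dev/sd", "/dev/nvme", "/dev/disk")
# Bind-mount sources that hand the container the host filesystem or docker socket.
HIGH_RISK_MOUNTS = ("/", "/etc", "/root", "/var/run/docker.sock")
# Flags that never take a value, so the next token must not be swallowed.
BOOL_FLAGS = {"--privileged", "--rm", "--init", "-d", "-i", "-t", "-it"}


def _pairs(opts):
    """Yield (flag, value) for '--flag=value', '--flag value' and bare flags."""
    i = 0
    while i < len(opts):
        tok = opts[i]
        if tok.startswith("--") and "=" in tok:
            flag, value = tok.split("=", 1)
            i += 1
        elif tok not in BOOL_FLAGS and tok.startswith("-") \
                and i + 1 < len(opts) and not opts[i + 1].startswith("-"):
            flag, value = tok, opts[i + 1]
            i += 2
        else:
            flag, value = tok, None
            i += 1
        yield flag, value


def audit_run_options(opts):
    """Return a list of findings (empty means nothing risky was found)."""
    findings = []
    no_new_privs = False
    for flag, value in _pairs(opts):
        v = value or ""
        if flag == "--privileged":
            findings.append("CRITICAL: --privileged disables almost all isolation")
        elif flag == "--cap-add":
            for cap in v.upper().replace("CAP_", "").split(","):
                if cap.strip() in HIGH_RISK_CAPS:
                    findings.append("CRITICAL: --cap-add=%s grants a host-root-equivalent capability" % cap.strip())
        elif flag == "--device":
            host_path = v.split(":", 1)[0]
            if host_path.startswith(HIGH_RISK_DEVICES):
                findings.append("CRITICAL: --device %s exposes host memory or disks" % host_path)
        elif flag == "--security-opt":
            # accepts 'no-new-privileges', 'no-new-privileges:true', 'no-new-privileges=true'
            if v.replace("=", ":").split(":")[0] == "no-new-privileges" and not v.endswith("false"):
                no_new_privs = True
            elif v.endswith("unconfined"):
                findings.append("HIGH: --security-opt %s disables seccomp or AppArmor confinement" % v)
        elif flag in ("--pid", "--net", "--network", "--ipc", "--userns") and v == "host":
            findings.append("HIGH: %s=host shares a host namespace" % flag)
        elif flag in ("-v", "--volume"):
            if v.split(":", 1)[0] in HIGH_RISK_MOUNTS:
                findings.append("HIGH: bind mount of %s gives the container host access" % v.split(":", 1)[0])
    if not no_new_privs:
        findings.append("INFO: no-new-privileges not set; setuid binaries such as sudo and su "
                        "can still raise privileges inside the container")
    return findings


# sudoers entry of the form 'user HOST=(RUNAS) NOPASSWD: ALL' (what the report
# writes into /etc/sudoers via --runasroot).
_NOPASSWD_ALL = re.compile(r"^\s*(?P<who>\S+)\s+\S+\s*=\s*(\([^)]*\)\s*)?NOPASSWD:\s*ALL\s*$")


def audit_sudoers(text):
    """Return one finding per sudoers entry that grants passwordless root."""
    return ["line %d: %s has passwordless root (NOPASSWD: ALL)" % (n, m.group("who"))
            for n, m in ((n, _NOPASSWD_ALL.match(line))
                         for n, line in enumerate(text.splitlines(), 1)) if m]


# Constructed samples: the option tokens x11docker listed in the report, and
# the sudoers content from the --runasroot heredoc with the '|' prefix removed.
REPORTED_RUN_OPTIONS = ["--device", "/dev/mem:/dev/mem", "--cap-add=ALL"]
REPORTED_SUDOERS = """\
Defaults   env_reset
root   ALL=(ALL:ALL) ALL
%sudo  ALL=(ALL:ALL) ALL
werner ALL=(ALL) NOPASSWD:ALL
"""

if __name__ == "__main__":
    for line in audit_run_options(REPORTED_RUN_OPTIONS) + audit_sudoers(REPORTED_SUDOERS):
        print(line)
```

Run against the reported options it reports the `/dev/mem` device, `--cap-add=ALL`, and the missing `no-new-privileges`; run against the sudoers text it reports the `werner ALL=(ALL) NOPASSWD:ALL` line. Note that `--cap-add=ALL` together with `/dev/mem` is already full host root regardless of `--sudouser`, so the later `sudo` discussion in this thread only matters for the less privileged setups.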

mviereck commented 3 years ago

> /x11docker/cmdrc: 51: /x11docker/cmdrc: [startdde]: not found

The [ ] around the command are odd. Your Dockerfile shows CMD ["startdde"] which is a valid syntax. x11docker recently got a change in parsing the docker inspect output where it reads the CMD instruction. So possibly a bug was introduced. However, my own test images work well, like:

FROM x11docker/xfce
CMD ["xfce4-terminal"]

So I cannot reproduce the issue.

Could you switch to the current release with x11docker --update instead of master and check if it shows the same error? You could also check if your image really contains command startdde, e.g. with

docker run --rm hongyizhao/deepin-wine:latest which startdde

Btw., x11docker meanwhile supports a passwordless sudo:

     --sudouser [=nopasswd] Allow su and sudo for container user. Use with care,
                       severe reduction of default x11docker security!
                       Optionally passwordless sudo with argument nopasswd.
                       Default password is 'x11docker'.
hongyi-zhao commented 3 years ago

> Could you switch to the current release with x11docker --update instead of master and check if it shows the same error?

This will fix the problem reported here, as shown below:

$ git checkout v6.9.0
$ x11docker --version
6.9.0

> You could also check if your image really contains command startdde

$ docker run --rm hongyizhao/deepin-wine:latest which startdde
/usr/bin/startdde

> Btw., x11docker meanwhile supports a passwordless sudo:

I tried with --sudouser=nopasswd, but sudo -i still requires a password:

[screenshot]

mviereck commented 3 years ago

It seems I have to check the parser. Could you please show me the output of:

docker inspect hongyizhao/deepin-wine:latest

> I tried with --sudouser=nopasswd, but sudo -i still requires a password:

Odd. It works well here, with v6.9.0 as well as with latest master. Please try if sudo -i works here:

x11docker -ti hongyizhao/deepin-wine:latest bash
hongyi-zhao commented 3 years ago

> It seems I have to check the parser. Could you please show me the output of:
>
> docker inspect hongyizhao/deepin-wine:latest
$ docker inspect hongyizhao/deepin-wine:latest
[
    {
        "Id": "sha256:52e2e33bb8176e4a7a2f713768915108a7eed9bafc667b0ae6a3f29e3fc96573",
        "RepoTags": [
            "hongyizhao/deepin-wine:latest"
        ],
        "RepoDigests": [
            "hongyizhao/deepin-wine@sha256:62c1c4903d78b33bc9caa7877c6fd4feea52d8372356c3945ac458b99f28888f"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2021-05-22T16:39:18.326612412Z",
        "Container": "8de8b5ea4f2d47c70602ec3feb29266474effe46196791e078c4ca4f71a1b88b",
        "ContainerConfig": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "SHELL=/bin/bash",
                "LANG=en_US.UTF-8",
                "XMODIFIERS=@im=fcitx",
                "QT4_IM_MODULE=fcitx",
                "QT_IM_MODULE=fcitx",
                "GTK_IM_MODULE=fcitx"
            ],
            "Cmd": [
                "|4",
                "DEEPIN_APPSTORE_MIRROR=https://mirror.deepines.com/appstore",
                "DEEPIN_APPSTORE_RELEASE=eagle",
                "DEEPIN_MIRROR=https://mirrors.tuna.tsinghua.edu.cn/deepin",
                "DEEPIN_RELEASE=apricot",
                "/bin/sh",
                "-c",
                "apt-get update &&     env DEBIAN_FRONTEND=noninteractive apt-get install -y         fcitx fcitx-googlepinyin fcitx-module-cloudpinyin &&     mkdir -p /etc/xdg/autostart &&     echo \"[Desktop Entry]\\nEncoding=UTF-8\\nVersion=0.9.4\\nType=Application\\nName=fcitx\\nComment=\\nExec=/usr/bin/fcitx-autostart\\n\" > /etc/xdg/autostart/fcitx.desktop"
            ],
            "Image": "sha256:162ab2d1348717e9cf43ba9320e00a7ec6398761c1481c86c635b3c3760978eb",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": null
        },
        "DockerVersion": "19.03.8",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "SHELL=/bin/bash",
                "LANG=en_US.UTF-8",
                "XMODIFIERS=@im=fcitx",
                "QT4_IM_MODULE=fcitx",
                "QT_IM_MODULE=fcitx",
                "GTK_IM_MODULE=fcitx"
            ],
            "Cmd": [
                "startdde"
            ],
            "Image": "sha256:162ab2d1348717e9cf43ba9320e00a7ec6398761c1481c86c635b3c3760978eb",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": null
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 4838773421,
        "VirtualSize": 4838773421,
        "GraphDriver": {
            "Data": {
                "LowerDir": "/opt/docker/overlay2/3b15c2319df580af14ca45a1ae69278381a17ff2b45680d16a1816d6e976caf6/diff:/opt/docker/overlay2/30e317f12ae741a2937904a129f81b5bf913096750cbd0c2308b2f6d1fd00257/diff:/opt/docker/overlay2/8128fe2cd0a0aa15059f0a2c5b77d7205e4e66a8507f0d4a0fd40a7914d30ad4/diff:/opt/docker/overlay2/2cb5bf01f2e114076f503207d1b7c3f0e932f50352fbf44943d66e74f3d10f5b/diff:/opt/docker/overlay2/8bf05e021ba5a5edddd7ec902ff7d42e6210e9615033fe2f7a6215ee2d4a351c/diff:/opt/docker/overlay2/dffe655ec5d5910822c467bcaa7e6024780e60b6ed74d4f4d9d9c7df04c61be2/diff:/opt/docker/overlay2/805fc245ec78daf4a8b430e9427193ab634ec1a450a0bba04477c46980544754/diff:/opt/docker/overlay2/2ebebf486816adfccde586f20d98bef40536fcb54f90dd42edcd8d5310e41e6f/diff",
                "MergedDir": "/opt/docker/overlay2/14373f5691e83aa001478d46ac15009c7de57474df27b1b56d9e2d06d4a45720/merged",
                "UpperDir": "/opt/docker/overlay2/14373f5691e83aa001478d46ac15009c7de57474df27b1b56d9e2d06d4a45720/diff",
                "WorkDir": "/opt/docker/overlay2/14373f5691e83aa001478d46ac15009c7de57474df27b1b56d9e2d06d4a45720/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:5f48daee7ed6bed7e49dda9e3d9f97b5f989340cc9501512a82e853049aec6a9",
                "sha256:2655e522277556d5746d43569acd09bb05923d29ccae80ef5943794bad37a4e8",
                "sha256:b54faad624c4f41b47b0381c6c66c70ec146b528087e4e972699a7c097d5cd98",
                "sha256:72dc232aa994842eec37e8de5e5f1a07cbe4614e6e21eaebc2ac82563836dc47",
                "sha256:0d055b82ddf3427264cf14d0cfc0f78e678a22c8ac78f49a97a7ddfbd4a0cd0b",
                "sha256:7f2f2acdb3607185b3a1c15c18572cb2440c1bb75d54ffddea400810b83a7108",
                "sha256:33414a4e19775908ed074b33524794ba30575067c10cc1aab403616c508131f5",
                "sha256:8398347bd0512dc54e4f9ad74fe75a645da45ef1f82ffede4b9d3662438d2403",
                "sha256:80e72052ac1991eb8147a906a7fc00e91e925d6e0dbad5b081ecb0d7400b0a7c"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]

> I tried with --sudouser=nopasswd, but sudo -i still requires a password:
>
> Odd. It works well here, with v6.9.0 as well as with latest master. Please try if sudo -i works here:
>
> x11docker -ti hongyizhao/deepin-wine:latest bash

It freezes forever, as shown below:

$ x11docker -ti hongyizhao/deepin-wine:latest bash
x11docker WARNING: User werner is member of group docker.
  That allows unprivileged processes on host to gain root privileges.

x11docker WARNING: You are running GNOME desktop in outdated version 
  GNOME Shell 3.36.4
  This might cause issues with host applications if using additional X servers.
  It is recommended to use another desktop environment or GNOME >= 3.38.
  Only otherwise discouraged option --hostdisplay might work as expected.
mviereck commented 3 years ago

I have no idea what is going wrong. The parser gives a correct result for the docker inspect output, it returns 'startdde'.

> It freezes forever, as shown below:

Odd as well. You should get an interactive tty, works here.

Please run tests with other images and the latest x11docker master version, for example:

x11docker x11docker/check
x11docker -ti --sudouser=nopasswd x11docker/check bash
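
The parser under discussion turns the `Config.Cmd` / `Config.Entrypoint` arrays from `docker inspect` into the command line that cmdrc hands to `sh`. Errors such as `[startdde]: not found` and `[/bin/sh,: not found` are what a shell produces when it is given a text rendering of the array rather than the quoted words themselves. As an added example (not x11docker's own parser, which is not shown in this thread), here is a stand-alone Python 3 extractor that reads the image `Config` section, ignores `ContainerConfig` (which, as the inspect output above shows, holds the last build step and not the image CMD), concatenates Entrypoint and Cmd the way docker does, and shell-quotes every word so that an argument with spaces or metacharacters survives the trip through `sh -c`. The function names and the two sample inspect documents are this example's constructions; the first sample is abbreviated from the inspect output posted above.

```python
"""Derive the command an image will run from `docker inspect` JSON.
Example code, not x11docker's own parser; it uses the inspect layout the
thread shows (a one-element array with 'ContainerConfig' and 'Config').
Python 3 (shlex.quote); on Python 2 substitute pipes.quote."""
import json
import shlex


def effective_argv(inspect_json):
    """Return Entrypoint + Cmd from the image's 'Config' section.

    'ContainerConfig' must not be used: it records the last build step, which
    in the thread is ['|4', 'DEEPIN_APPSTORE_MIRROR=...', '/bin/sh', '-c',
    'apt-get update && ...'] and not the CMD of the image."""
    data = json.loads(inspect_json)
    if isinstance(data, list):  # `docker inspect` always returns a JSON array
        if len(data) != 1:
            raise ValueError("expected one inspect result, got %d" % len(data))
        data = data[0]
    config = data.get("Config") or {}
    parts = []
    for key in ("Entrypoint", "Cmd"):
        value = config.get(key) or []  # JSON null when the instruction is absent
        if not isinstance(value, list) or not all(isinstance(a, str) for a in value):
            raise ValueError("%s must be an array of strings, got %r" % (key, value))
        parts.extend(value)
    return parts


def shell_command(inspect_json):
    """Render argv as a single line that 'sh -c' splits back into the same argv.

    Each element is shell-quoted. Handing a shell the text form of the Python
    list, or a plain space join, would execute the wrong words and let image
    metadata smuggle shell syntax into the host-side wrapper."""
    return " ".join(shlex.quote(a) for a in effective_argv(inspect_json))


def roundtrips(inspect_json):
    """True if the rendered line splits back into exactly the original argv."""
    return shlex.split(shell_command(inspect_json)) == effective_argv(inspect_json)


# Constructed sample, abbreviated from the inspect output posted above:
# the image CMD is ["startdde"], ENTRYPOINT is unset.
SAMPLE_INSPECT = json.dumps([{
    "RepoTags": ["hongyizhao/deepin-wine:latest"],
    "ContainerConfig": {
        "Cmd": ["|4", "DEEPIN_RELEASE=apricot", "/bin/sh", "-c", "apt-get update"],
        "Entrypoint": None,
    },
    "Config": {"Cmd": ["startdde"], "Entrypoint": None},
}])

# Constructed sample with both instructions and an argument carrying shell
# metacharacters, to show why per-word quoting matters.
SAMPLE_WITH_ENTRYPOINT = json.dumps([{
    "Config": {"Entrypoint": ["/entry.sh"], "Cmd": ["--title", "a b; rm -rf /"]},
}])

if __name__ == "__main__":
    print(shell_command(SAMPLE_INSPECT))          # startdde
    print(shell_command(SAMPLE_WITH_ENTRYPOINT))  # /entry.sh --title 'a b; rm -rf /'
```

The round-trip check (`shlex.split` of the rendered line equals the original argv) is the property a parser like this should be tested against on both Python 2 and Python 3, since the two differ in how they print lists and handle bytes versus text; the thread's failure only on Python 3.8/3.9 is the kind of regression that check catches.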
hongyi-zhao commented 3 years ago

Both failed, as shown below:

$ x11docker --version
6.9.1-beta-3

 $ x11docker x11docker/check
x11docker WARNING: User werner is member of group docker.
  That allows unprivileged processes on host to gain root privileges.

x11docker WARNING: You are running GNOME desktop in outdated version 
  GNOME Shell 3.36.4
  This might cause issues with host applications if using additional X servers.
  It is recommended to use another desktop environment or GNOME >= 3.38.
  Only --xorg or discouraged option --hostdisplay might work as expected.

x11docker note: Using X server option --hostdisplay

x11docker WARNING: Clipboard isolation may fail.

x11docker note: To allow protection against X security leaks,
  please install 'xinit' and one or more of:
    xpra, Xephyr, nxagent, weston+Xwayland, kwin_wayland+Xwayland or Xnest,
  or run a second Xorg server with option --xorg.

x11docker WARNING: Option --hostdisplay provides only low container isolation!
  It is recommended to use another X server option like --nxagent or --xpra.

  To improve security with --hostdisplay x11docker uses untrusted cookies.
  This can lead to strange behaviour of some applications.

  If you encounter application errors, enable option --clipboard
  that disables security restrictions for --hostdisplay as a side effect.

x11docker note: Option --hostdisplay may fail with proprietary NVIDIA driver
  on host. In that case try other X server options like 
  --nxagent, --xpra or --xephyr.

/x11docker/cmdrc: 51: /x11docker/cmdrc: [/bin/sh,: not found

$ x11docker -ti --sudouser=nopasswd x11docker/check bash
x11docker WARNING: User werner is member of group docker.
  That allows unprivileged processes on host to gain root privileges.

x11docker note: Option --sudouser: If you want to run GUI application
  with su or sudo, you might need to add either option --xoverip 
  or (discouraged) option --network=host.

x11docker WARNING: Option --sudouser severly reduces container security.
  Container gains additional capabilities to allow sudo and su.
  If an application breaks out of container, it can harm your system
  in many ways without you noticing. Default password: x11docker

x11docker note: Option --sudouser: Enabling option --newprivileges=yes.
  You can avoid this with --newprivileges=no

x11docker WARNING: Option --newprivileges=yes: x11docker does not set 
  docker run option --security-opt=no-new-privileges. 
  That degrades container security.
  However, this is still within a default docker setup.

werner@ffc2631a88f0:~$ sudo -i
bash: sudo: command not found
mviereck commented 3 years ago

Sorry for my late response. Can you please show me the output of python --version? Here I get Python 2.7.18, it works well. Also tested with python3 Python 3.9.2.

hongyi-zhao commented 3 years ago

> Can you please show me the output of python --version?

Thank you very much for pointing this out.

The system python version is:

$ python --version
Python 3.8.5

I use pyenv as the python version manager, and have the following python versions installed:

$ pyenv versions| egrep  '^[ 0-9.]+$'
  2.7.18
  3.5.6
  3.6.10
  3.7.7
  3.8.3
  3.9.1
  3.9.2

> Here I get Python 2.7.18, it works well. Also tested with python3 Python 3.9.2.

Testing with the following x11docker git master version on my side, Python 2.7.18 works, while 3.8.5 (the system's default version) and 3.9.2 fail:

$ x11docker --version
6.9.1-beta-3
mviereck commented 3 years ago

I found and fixed the bug. I could reproduce it with python 3.9.2. I missed checking a late change in the code with python3.

Thank you for reporting and testing! x11docker 6.9.1-beta-4 should work now on your system.

hongyi-zhao commented 3 years ago

Yes. But there is a very small probability that this problem will still occur.

Another issue: the problem reported previously about the following option remains the same:

--sudouser=nopasswd

mviereck commented 3 years ago

Sorry for my late response. I'll have a look at --sudouser=nopasswd.

mviereck commented 3 years ago

I finally checked again; --sudouser=nopasswd works as intended here. If you still have issues with it, please open a new ticket.


> werner@ffc2631a88f0:~$ sudo -i
> bash: sudo: command not found

It will obviously only work if sudo is installed in the image.

hongyi-zhao commented 3 years ago

OK. I'll continue to follow up.