Closed hongyi-zhao closed 2 years ago
I have no immediate idea.
Please try without x11docker but with docker alone, e.g.:
docker run -ti --rm hongyizhao/deepin-wine bash
Try in this interactive container your ssh command. This helps to see if this is a docker or an x11docker issue.
This won't trigger the problem reported here:
werner@X10DAi:~$ docker run -ti --rm hongyizhao/deepin-wine bash
root@3998f3333498:/# ssh werner@192.168.10.100
The authenticity of host '192.168.10.100 (192.168.10.100)' can't be established.
ECDSA key fingerprint is SHA256:DnybqBQiqZT+BCAJ1+HS8MhHV8Mkh8nJUzXoFfN0RKw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.100' (ECDSA) to the list of known hosts.
werner@192.168.10.100's password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
346 updates can be installed immediately.
147 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Wed Jul 28 15:52:16 2021 from 172.17.0.2
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'unattended-upgrades' is not installed, so not removed
The following packages were automatically installed and are no longer required:
apel flim fonts-lmodern libapache-pom-java libart-2.0-2 libayatana-appindicator3-1
libayatana-indicator3-7 libcommons-logging-java libcommons-parent-java libfontbox-java
libglade2-0 libgnomecanvas2-0 libgnomecanvas2-common libgsoap-2.8.91 libmime-charset-perl
libpdfbox-java libproxychains3 libproxychains4 libptexenc1 libqt5xdg3 libqt5xdgiconloader3
libsombok3 libteckit0 libtexlua53 libtexluajit2 libunicode-linebreak-perl libxapian-dev
libxdg-basedir1 libzim4 libzzip-0-13 node-iconv node-rw python3-cliapp python3-ttystatus slop
tinyproxy-bin
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 691 not upgraded.
werner@X10DAi:~$
Please try ssh in:
x11docker -ti hongyizhao/deepin-wine bash
If that fails, please try with:
x11docker -ti --cap-default hongyizhao/deepin-wine bash
Both succeeded.
Good! So, in which circumstances does it crash? In deepin-terminal?
In my situation, I start my docker container with the following command, and I recently found that the first run of the following command fails:
$ x11docker --runasroot 'sed -r "s/^[[:blank:]]*[|]//" <<-EOF > /etc/sudoers
|#$ sudo grep -Ev '\''^[ ]*(#|$)'\'' /etc/sudoers
|Defaults env_reset
|Defaults mail_badpass
|Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
|root ALL=(ALL:ALL) ALL
|%admin ALL=(ALL) ALL
|%sudo ALL=(ALL:ALL) ALL
|$USER ALL=(ALL) NOPASSWD:ALL
EOF' --xephyr --network=bridge --pulseaudio --xoverip --home --share=$HOME --sudouser -c --desktop --init=systemd -- --device /dev/mem:/dev/mem --cap-add=ALL hongyizhao/deepin-wine:latest
x11docker WARNING: User werner is member of group docker.
That allows unprivileged processes on host to gain root privileges.
x11docker WARNING: You are running GNOME desktop in outdated version
GNOME Shell 3.36.4
This might cause issues with host applications if using additional X servers.
It is recommended to use another desktop environment or GNOME >= 3.38.
Only --xorg or discouraged option --hostdisplay might work as expected.
x11docker note: Sharing picture clips with option --clipboard
is only possible with options --xpra, --xpra-xwayland and --hostdisplay.
x11docker note: Option --init=systemd: Found cgroup v2
on your system. systemd in container might fail without an error message.
As a workaround you can set a kernel boot option to enforce cgroup v1:
systemd.unified_cgroup_hierarchy=0
Compare ticket https://github.com/mviereck/x11docker/issues/349
x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
x11docker will add them to 'docker run' command without
a serious check for validity or security. Found options:
'--device' '/dev/mem:/dev/mem' '--cap-add=ALL'
x11docker WARNING: Found option --cap-add=ALL
in custom docker run options. That is A VERY BAD IDEA.
That is a very privileged setup.
Malicious applications may harm to the host.
x11docker WARNING: Option --pulseaudio allows container applications
to catch your audio output and microphone input.
x11docker WARNING: Option --init=systemd slightly degrades container isolation.
It adds some user switching capabilities x11docker would drop otherwise.
However, they are still within default docker capabilities.
Not within default docker capabilities it adds capability SYS_BOOT.
It shares access to host cgroups in /sys/fs/cgroup.
Some processes in container will run as root.
x11docker WARNING: Option --sudouser severly reduces container security.
Container gains additional capabilities to allow sudo and su.
If an application breaks out of container, it can harm your system
in many ways without you noticing. Default password: x11docker
x11docker note: Option --sudouser: Enabling option --newprivileges=yes.
You can avoid this with --newprivileges=no
x11docker WARNING: Option --newprivileges=yes: x11docker does not set
docker run option --security-opt=no-new-privileges.
That degrades container security.
However, this is still within a default docker setup.
werner@X10DAi:~$
And the second run of the above command starts the docker container.
Then I issue ssh werner@192.168.10.100 in the terminal of the docker container, and it crashes with the following log on the host's stdout:
x11docker WARNING: User werner is member of group docker.
That allows unprivileged processes on host to gain root privileges.
x11docker WARNING: You are running GNOME desktop in outdated version
GNOME Shell 3.36.4
This might cause issues with host applications if using additional X servers.
It is recommended to use another desktop environment or GNOME >= 3.38.
Only --xorg or discouraged option --hostdisplay might work as expected.
x11docker note: Sharing picture clips with option --clipboard
is only possible with options --xpra, --xpra-xwayland and --hostdisplay.
x11docker note: Option --init=systemd: Found cgroup v2
on your system. systemd in container might fail without an error message.
As a workaround you can set a kernel boot option to enforce cgroup v1:
systemd.unified_cgroup_hierarchy=0
Compare ticket https://github.com/mviereck/x11docker/issues/349
x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
x11docker will add them to 'docker run' command without
a serious check for validity or security. Found options:
'--device' '/dev/mem:/dev/mem' '--cap-add=ALL'
x11docker WARNING: Found option --cap-add=ALL
in custom docker run options. That is A VERY BAD IDEA.
That is a very privileged setup.
Malicious applications may harm to the host.
x11docker WARNING: Option --pulseaudio allows container applications
to catch your audio output and microphone input.
x11docker WARNING: Option --init=systemd slightly degrades container isolation.
It adds some user switching capabilities x11docker would drop otherwise.
However, they are still within default docker capabilities.
Not within default docker capabilities it adds capability SYS_BOOT.
It shares access to host cgroups in /sys/fs/cgroup.
Some processes in container will run as root.
x11docker WARNING: Option --sudouser severly reduces container security.
Container gains additional capabilities to allow sudo and su.
If an application breaks out of container, it can harm your system
in many ways without you noticing. Default password: x11docker
x11docker note: Option --sudouser: Enabling option --newprivileges=yes.
You can avoid this with --newprivileges=no
x11docker WARNING: Option --newprivileges=yes: x11docker does not set
docker run option --security-opt=no-new-privileges.
That degrades container security.
However, this is still within a default docker setup.
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.gtk.vfs.Daemon' requested by ':1.1' (uid=1000 pid=2592 comm="startdde " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.gtk.vfs.Daemon'
No xresources data found!
<warning> manager.go:233: The name org.freedesktop.hostname1 was not provided by any .service files
<warning> util.go:456: failed to get current using graphics card pci id
<warning> util.go:456: failed to get current using graphics card pci id
<warning> manager.go:1093: failed to set brightness for default: The output(1306) has invalid gamma size
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
<info> session_process.go:91: command /usr/bin/kwin_no_scale [] started, pid: 2612
<info> session_process.go:91: command /usr/lib/deepin-daemon/dde-session-daemon [] started, pid: 2613
<info> session_process.go:91: command /usr/bin/dde-desktop [] started, pid: 2616
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='com.deepin.wm' requested by ':1.7' (uid=1000 pid=2619 comm="kwin_x11 -platform dde-kwin-xcb:appFilePath=/usr/b" label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'com.deepin.wm'
<info> session_process.go:110: /usr/bin/dde-desktop [] startup duration: 8.011612587s
<info> handle_event.go:176: redo map touch screen
No appenders assotiated with category qt.qpa.xcb
[Warning] <> QXcbConnection: XCB error: 5 (BadAtom), sequence: 575, resource id: 0, major code: 20 (GetProperty), minor code: 0
<warning> util.go:456: failed to get current using graphics card pci id
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.a11y.Bus' requested by ':1.13' (uid=1000 pid=2613 comm="/usr/lib/deepin-daemon/dde-session-daemon " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.a11y.Bus'
dbus-daemon[2767]: Activating service name='org.a11y.atspi.Registry' requested by ':1.0' (uid=1000 pid=2613 comm="/usr/lib/deepin-daemon/dde-session-daemon " label="docker-default (enforce)")
dbus-daemon[2767]: Successfully activated service 'org.a11y.atspi.Registry'
SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry
<info> session_process.go:110: /usr/lib/deepin-daemon/dde-session-daemon [] startup duration: 10.573667344s
<info> handle_event.go:176: redo map touch screen
<info> session_process.go:91: command /usr/bin/dde-dock [-r] started, pid: 2779
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.kde.kglobalaccel' requested by ':1.7' (uid=1000 pid=2619 comm="kwin_x11 -platform dde-kwin-xcb:appFilePath=/usr/b" label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.kde.kglobalaccel'
qt.qpa.xcb: QXcbConnection: XCB error: 5 (BadAtom), sequence: 722, resource id: 0, major code: 20 (GetProperty), minor code: 0
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
qt.qpa.xcb: QXcbConnection: XCB error: 5 (BadAtom), sequence: 746, resource id: 0, major code: 20 (GetProperty), minor code: 0
qt.qpa.xcb: QXcbConnection: XCB error: 5 (BadAtom), sequence: 770, resource id: 0, major code: 20 (GetProperty), minor code: 0
No appenders assotiated with category qt.qpa.xcb
[Warning] <> QXcbConnection: XCB error: 5 (BadAtom), sequence: 604, resource id: 0, major code: 20 (GetProperty), minor code: 0
No appenders assotiated with category qt.qpa.xcb
[Warning] <> QXcbConnection: XCB error: 5 (BadAtom), sequence: 633, resource id: 0, major code: 20 (GetProperty), minor code: 0
<info> session_process.go:110: /usr/bin/kwin_no_scale [] startup duration: 12.793531283s
<info> main.go:200: after 13.314528012s, call com.deepin.dde.Dock callShow
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='ca.desrt.dconf' requested by ':1.4' (uid=1000 pid=2613 comm="/usr/lib/deepin-daemon/dde-session-daemon " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'ca.desrt.dconf'
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.gtk.vfs.MTPVolumeMonitor' requested by ':1.11' (uid=1000 pid=2616 comm="/usr/bin/dde-desktop " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.gtk.vfs.MTPVolumeMonitor'
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.gtk.vfs.GPhoto2VolumeMonitor' requested by ':1.11' (uid=1000 pid=2616 comm="/usr/bin/dde-desktop " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.gtk.vfs.GPhoto2VolumeMonitor'
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.gtk.vfs.AfcVolumeMonitor' requested by ':1.11' (uid=1000 pid=2616 comm="/usr/bin/dde-desktop " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.ayatana.bamf' requested by ':1.3' (uid=1000 pid=2613 comm="/usr/lib/deepin-daemon/dde-session-daemon " label="docker-default (enforce)")
Volume monitor alive
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.gtk.vfs.AfcVolumeMonitor'
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.gtk.vfs.GoaVolumeMonitor' requested by ':1.11' (uid=1000 pid=2616 comm="/usr/bin/dde-desktop " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.gtk.vfs.GoaVolumeMonitor'
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.ayatana.bamf'
<info> session_process.go:110: /usr/bin/dde-dock [-r] startup duration: 4.404388709s
<info> main.go:157: core components cost: 14.990780535s
<warning> manager_ifc.go:318: failed to disable redshift.service: exit status 1
<warning> startmanager.go:114: open /usr/lib/UIAppSched.hooks/launched: no such file or directory
<warning> manager_ifc.go:318: failed to stop redshift.service: exit status 5
<warning> manager_ifc.go:336: failed to reset ColorTemperature exec: "redshift": executable file not found in $PATH
<warning> session_process.go:142: launchWithoutWait /usr/bin/cgexec [-g memory:c1@dde/DE /usr/lib/deepin-daemon/dde-osd] exit with error: exit status 255
<warning> sound_effect.go:64: open /etc/lightdm/lightdm.conf: no such file or directory
<info> session_process.go:60: start dde-session-daemon part2 cost: 3.107767209s
<info> main.go:314: iowait disabled
<info> handle_event.go:176: redo map touch screen
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
<warning> startmanager.go:737: [/bin/sh -c export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;exec /usr/bin/cgexec -g memory,freezer,blkio:c1@dde/uiapps/3 /usr/local/bin/x11docker-xrandr]: exit status 1
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='com.deepin.api.CursorHelper' requested by ':1.3' (uid=1000 pid=2613 comm="/usr/lib/deepin-daemon/dde-session-daemon " label="docker-default (enforce)")
<warning> startmanager.go:737: [/bin/sh -c export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;exec /usr/bin/cgexec -g memory,freezer,blkio:c1@dde/uiapps/9 start-pulseaudio-x11]: exit status 1
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'com.deepin.api.CursorHelper'
<info> handle_event.go:176: redo map touch screen
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
<warning> dde_shutdown.go:32: failed to start deepinid-daemon: fork/exec /usr/lib/deepin-deepinid-daemon/deepin-deepinid-daemon: no such file or directory
<warning> watchdog.go:89: fork/exec /usr/lib/deepin-deepinid-daemon/deepin-deepinid-daemon: no such file or directory
<info> handle_event.go:176: redo map touch screen
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
<info> handle_event.go:176: redo map touch screen
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
<info> checker.go:293: process memory: /etc/xdg/autostart/xdg-user-dirs.desktop c1@dde/uiapps/2 0 open /sys/fs/cgroup/memory/c1@dde/uiapps/2/cgroup.procs: no such file or directory
<warning> startmanager.go:771: open /sys/fs/cgroup/memory/c1@dde/uiapps/2/cgroup.procs: no such file or directory
<info> checker.go:293: process memory: /etc/xdg/autostart/im-launch.desktop c1@dde/uiapps/5 0 open /sys/fs/cgroup/memory/c1@dde/uiapps/5/cgroup.procs: no such file or directory
<warning> startmanager.go:771: open /sys/fs/cgroup/memory/c1@dde/uiapps/5/cgroup.procs: no such file or directory
<info> checker.go:293: process memory: /etc/xdg/autostart/pulseaudio.desktop c1@dde/uiapps/9 0 open /sys/fs/cgroup/memory/c1@dde/uiapps/9/cgroup.procs: no such file or directory
<warning> startmanager.go:771: open /sys/fs/cgroup/memory/c1@dde/uiapps/9/cgroup.procs: no such file or directory
<info> checker.go:293: process memory: /etc/xdg/autostart/x11docker-xrandr.desktop c1@dde/uiapps/3 0 open /sys/fs/cgroup/memory/c1@dde/uiapps/3/cgroup.procs: no such file or directory
<warning> startmanager.go:771: open /sys/fs/cgroup/memory/c1@dde/uiapps/3/cgroup.procs: no such file or directory
<info> checker.go:293: process memory: /etc/xdg/autostart/deepin-ab-recovery.desktop c1@dde/uiapps/4 0 open /sys/fs/cgroup/memory/c1@dde/uiapps/4/cgroup.procs: no such file or directory
<warning> startmanager.go:771: open /sys/fs/cgroup/memory/c1@dde/uiapps/4/cgroup.procs: no such file or directory
<warning> session_process.go:96: command /usr/bin/kwin_no_scale [] exit with error: signal: terminated
werner@X10DAi:~$
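The x11docker warnings above say what --cap-add=ALL, --init=systemd and --sudouser do to the container's capability set, but the authoritative answer is whatever the kernel reports for a process inside the container. The script below is an added example, not code from x11docker or from the deepin-wine image: it decodes the CapEff mask from /proc/<pid>/status into capability names and lists what the container holds beyond docker's default set of 14. The capability numbering follows linux/capability.h, the docker default mask 00000000a80425fb is the well-known value for an unmodified docker run, and the embedded status file is a constructed sample of a --cap-add=ALL container on a 5.4 kernel (CAP_LAST_CAP=37).

```shell
#!/bin/sh
# Added example (not x11docker's or the image's code): decode the effective
# capability mask a process inside the container reports in /proc/<pid>/status
# and list what it holds beyond docker's default capability set.

# Capability numbers 0..40 in order, as in linux/capability.h (cap_<name>).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid"
CAP_NAMES="$CAP_NAMES setpcap linux_immutable net_bind_service net_broadcast net_admin"
CAP_NAMES="$CAP_NAMES net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace"
CAP_NAMES="$CAP_NAMES sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time"
CAP_NAMES="$CAP_NAMES sys_tty_config mknod lease audit_write audit_control setfcap"
CAP_NAMES="$CAP_NAMES mac_override mac_admin syslog wake_alarm block_suspend audit_read"
CAP_NAMES="$CAP_NAMES perfmon bpf checkpoint_restore"

# CapEff of a plain 'docker run' container: 14 capabilities, no sys_admin, no sys_boot.
DOCKER_DEFAULT_CAPEFF=00000000a80425fb

# Print cap_<name> for every bit set in a decimal bitmask ($1).
cap_names_of() {
    i=0
    for name in $CAP_NAMES; do
        [ $(( ($1 >> i) & 1 )) -eq 1 ] && echo "cap_$name"
        i=$((i + 1))
    done
    return 0
}

# $1: 16-hex-digit mask as printed after CapEff:/CapBnd: in /proc/<pid>/status.
decode_caps() {
    cap_names_of "$(printf '%d' "0x$1")"
}

# Capabilities present in mask $1 that docker would not grant by default.
extra_caps() {
    v=$(printf '%d' "0x$1")
    d=$(printf '%d' "0x$DOCKER_DEFAULT_CAPEFF")
    cap_names_of $(( v & ~d ))
}

# Extract the CapEff field from a status file supplied on stdin.
capeff_from_status() {
    awk '/^CapEff:/ { print $2 }'
}

# Constructed sample of /proc/self/status inside a container started with
# --cap-add=ALL on a 5.4 kernel (CAP_LAST_CAP=37, so bits 0..37 are set).
SAMPLE_STATUS='Name:   bash
Uid:    1000    1000    1000    1000
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff'

# Stand-alone usage: report the sample, then the running process if /proc exists.
echo "sample --cap-add=ALL container holds beyond docker defaults:"
mask=$(printf '%s\n' "$SAMPLE_STATUS" | capeff_from_status)
extra_caps "$mask"
if [ -r /proc/self/status ]; then
    echo "this process holds beyond docker defaults:"
    extra_caps "$(capeff_from_status < /proc/self/status)"
fi
```

Run it as the desktop user inside the container (x11docker -ti ... sh, then sh caps.sh) and compare with the same run inside a plain docker run container: with --cap-add=ALL the "extra" list contains cap_sys_admin, cap_sys_module and cap_sys_rawio, which together with --device /dev/mem is effectively root on the host, so the x11docker warning is not an exaggeration. An unprivileged user inside the container shows an empty CapEff because capabilities are per process, so check a root shell (or CapBnd) to see what sudo can regain.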
Sorry for my late response. Currently I am rarely at x11docker.
Maybe you could try to reduce the options you use in your command step by step until you find out which one makes the difference between "works" or "crashes".
Why? Do you want to stop further development of this tool?
No, don't worry. :-) I just spend more of my time on offline projects while it is summer. More development is done during winter.
Got it. Thank you for your explanation.
Finally I've tried to reproduce your issue. Tested with deepin apricot and started with your command example:
x11docker --runasroot 'sed -r "s/^[[:blank:]]*[|]//" <<-EOF > /etc/sudoers
|#$ sudo grep -Ev '\''^[ ]*(#|$)'\'' /etc/sudoers
|Defaults env_reset
|Defaults mail_badpass
|Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
|root ALL=(ALL:ALL) ALL
|%admin ALL=(ALL) ALL
|%sudo ALL=(ALL:ALL) ALL
|$USER ALL=(ALL) NOPASSWD:ALL
EOF' --xephyr --network=bridge --pulseaudio --xoverip --home --share=$HOME --sudouser -c --desktop --init=systemd -- --device /dev/mem:/dev/mem --cap-add=ALL -- x11docker/deepin
I could not reproduce your issue.
ssh in deepin terminal to host just works.
Do you still have the issue?
I confirmed your conclusion: Running my deepin apricot desktop with the latest git master x11docker commit doesn't have this problem either.
On Ubuntu 20.04, I'm using the git master version of x11docker to start my docker container deepin-wine. Then I try to ssh to host by the following command:
$ ssh werner@192.168.10.100
But the above command causes the container to crash immediately.
Any hints for this problem?
Regards, HY