mviereck / x11docker

Run GUI applications and desktops in docker and podman containers. Focus on security.
MIT License

ssh to host from within docker container will cause the container to crash. #374

Closed hongyi-zhao closed 2 years ago

hongyi-zhao commented 2 years ago

On Ubuntu 20.04, I'm using the git master version of x11docker to start my docker container deepin-wine. Then I try to ssh to the host with the following command:

$ ssh werner@192.168.10.100

But the above command causes the container to crash immediately.

Any hints for this problem?

Regards, HY

mviereck commented 2 years ago

I have no immediate idea.

Please try without x11docker but with docker alone, e.g.:

docker run -ti --rm hongyizhao/deepin-wine bash

Try in this interactive container your ssh command. This helps to see if this is a docker or an x11docker issue.

hongyi-zhao commented 2 years ago

This won't trigger the problem reported here:

werner@X10DAi:~$ docker run -ti --rm hongyizhao/deepin-wine bash
root@3998f3333498:/# ssh werner@192.168.10.100
The authenticity of host '192.168.10.100 (192.168.10.100)' can't be established.
ECDSA key fingerprint is SHA256:DnybqBQiqZT+BCAJ1+HS8MhHV8Mkh8nJUzXoFfN0RKw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.100' (ECDSA) to the list of known hosts.
werner@192.168.10.100's password: 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

346 updates can be installed immediately.
147 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Wed Jul 28 15:52:16 2021 from 172.17.0.2
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package 'unattended-upgrades' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  apel flim fonts-lmodern libapache-pom-java libart-2.0-2 libayatana-appindicator3-1
  libayatana-indicator3-7 libcommons-logging-java libcommons-parent-java libfontbox-java
  libglade2-0 libgnomecanvas2-0 libgnomecanvas2-common libgsoap-2.8.91 libmime-charset-perl
  libpdfbox-java libproxychains3 libproxychains4 libptexenc1 libqt5xdg3 libqt5xdgiconloader3
  libsombok3 libteckit0 libtexlua53 libtexluajit2 libunicode-linebreak-perl libxapian-dev
  libxdg-basedir1 libzim4 libzzip-0-13 node-iconv node-rw python3-cliapp python3-ttystatus slop
  tinyproxy-bin
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 691 not upgraded.
werner@X10DAi:~$

mviereck commented 2 years ago

Please try ssh in:

x11docker -ti hongyizhao/deepin-wine bash

If that fails, please try with:

x11docker -ti --cap-default hongyizhao/deepin-wine bash

hongyi-zhao commented 2 years ago

Both succeeded.

mviereck commented 2 years ago

Both succeeded.

Good! So, in which circumstances does it crash? In deepin-terminal?

hongyi-zhao commented 2 years ago

In my situation, I start my docker container with the following command, and I recently found that the first run of the following command fails:

$ x11docker --runasroot 'sed -r "s/^[[:blank:]]*[|]//" <<-EOF > /etc/sudoers
        |#$ sudo grep -Ev '\''^[ ]*(#|$)'\'' /etc/sudoers  
        |Defaults   env_reset
        |Defaults   mail_badpass
        |Defaults   secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
        |root   ALL=(ALL:ALL) ALL
        |%admin ALL=(ALL) ALL
        |%sudo  ALL=(ALL:ALL) ALL
        |$USER ALL=(ALL) NOPASSWD:ALL
    EOF' --xephyr --network=bridge --pulseaudio --xoverip --home --share=$HOME --sudouser -c --desktop --init=systemd -- --device /dev/mem:/dev/mem --cap-add=ALL hongyizhao/deepin-wine:latest
x11docker WARNING: User werner is member of group docker.
  That allows unprivileged processes on host to gain root privileges.

x11docker WARNING: You are running GNOME desktop in outdated version 
  GNOME Shell 3.36.4
  This might cause issues with host applications if using additional X servers.
  It is recommended to use another desktop environment or GNOME >= 3.38.
  Only --xorg or discouraged option --hostdisplay might work as expected.

x11docker note: Sharing picture clips with option --clipboard
  is only possible with options --xpra, --xpra-xwayland and --hostdisplay.

x11docker note: Option --init=systemd: Found cgroup v2
  on your system. systemd in container might fail without an error message.
  As a workaround you can set a kernel boot option to enforce cgroup v1:
    systemd.unified_cgroup_hierarchy=0
  Compare ticket https://github.com/mviereck/x11docker/issues/349

x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
  x11docker will add them to 'docker run' command without
  a serious check for validity or security. Found options:
   '--device' '/dev/mem:/dev/mem' '--cap-add=ALL'

x11docker WARNING: Found option --cap-add=ALL
  in custom docker run options. That is A VERY BAD IDEA.
  That is a very privileged setup.
  Malicious applications may harm to the host.

x11docker WARNING: Option --pulseaudio allows container applications
  to catch your audio output and microphone input.

x11docker WARNING: Option --init=systemd slightly degrades container isolation.
  It adds some user switching capabilities x11docker would drop otherwise.
  However, they are still within default docker capabilities.
  Not within default docker capabilities it adds capability SYS_BOOT.  
  It shares access to host cgroups in /sys/fs/cgroup.
  Some processes in container will run as root.

x11docker WARNING: Option --sudouser severly reduces container security.
  Container gains additional capabilities to allow sudo and su.
  If an application breaks out of container, it can harm your system
  in many ways without you noticing. Default password: x11docker

x11docker note: Option --sudouser: Enabling option --newprivileges=yes.
  You can avoid this with --newprivileges=no

x11docker WARNING: Option --newprivileges=yes: x11docker does not set 
  docker run option --security-opt=no-new-privileges. 
  That degrades container security.
  However, this is still within a default docker setup.

werner@X10DAi:~$

And the second run of the above command will start the docker container:

[screenshot]

Then I issue the ssh werner@192.168.10.100 command in the terminal of the docker container, and it crashes with the following log on the host's stdout:

x11docker WARNING: User werner is member of group docker.
  That allows unprivileged processes on host to gain root privileges.

x11docker WARNING: You are running GNOME desktop in outdated version 
  GNOME Shell 3.36.4
  This might cause issues with host applications if using additional X servers.
  It is recommended to use another desktop environment or GNOME >= 3.38.
  Only --xorg or discouraged option --hostdisplay might work as expected.

x11docker note: Sharing picture clips with option --clipboard
  is only possible with options --xpra, --xpra-xwayland and --hostdisplay.

x11docker note: Option --init=systemd: Found cgroup v2
  on your system. systemd in container might fail without an error message.
  As a workaround you can set a kernel boot option to enforce cgroup v1:
    systemd.unified_cgroup_hierarchy=0
  Compare ticket https://github.com/mviereck/x11docker/issues/349

x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
  x11docker will add them to 'docker run' command without
  a serious check for validity or security. Found options:
   '--device' '/dev/mem:/dev/mem' '--cap-add=ALL'

x11docker WARNING: Found option --cap-add=ALL
  in custom docker run options. That is A VERY BAD IDEA.
  That is a very privileged setup.
  Malicious applications may harm to the host.

x11docker WARNING: Option --pulseaudio allows container applications
  to catch your audio output and microphone input.

x11docker WARNING: Option --init=systemd slightly degrades container isolation.
  It adds some user switching capabilities x11docker would drop otherwise.
  However, they are still within default docker capabilities.
  Not within default docker capabilities it adds capability SYS_BOOT.  
  It shares access to host cgroups in /sys/fs/cgroup.
  Some processes in container will run as root.

x11docker WARNING: Option --sudouser severly reduces container security.
  Container gains additional capabilities to allow sudo and su.
  If an application breaks out of container, it can harm your system
  in many ways without you noticing. Default password: x11docker

x11docker note: Option --sudouser: Enabling option --newprivileges=yes.
  You can avoid this with --newprivileges=no

x11docker WARNING: Option --newprivileges=yes: x11docker does not set 
  docker run option --security-opt=no-new-privileges. 
  That degrades container security.
  However, this is still within a default docker setup.

dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.gtk.vfs.Daemon' requested by ':1.1' (uid=1000 pid=2592 comm="startdde " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.gtk.vfs.Daemon'
No xresources data found!
<warning> manager.go:233: The name org.freedesktop.hostname1 was not provided by any .service files
<warning> util.go:456: failed to get current using graphics card pci id
<warning> util.go:456: failed to get current using graphics card pci id
<warning> manager.go:1093: failed to set brightness for default: The output(1306) has invalid gamma size
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
<info> session_process.go:91: command /usr/bin/kwin_no_scale [] started, pid: 2612
<info> session_process.go:91: command /usr/lib/deepin-daemon/dde-session-daemon [] started, pid: 2613
<info> session_process.go:91: command /usr/bin/dde-desktop [] started, pid: 2616
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='com.deepin.wm' requested by ':1.7' (uid=1000 pid=2619 comm="kwin_x11 -platform dde-kwin-xcb:appFilePath=/usr/b" label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'com.deepin.wm'
<info> session_process.go:110: /usr/bin/dde-desktop [] startup duration: 8.011612587s
<info> handle_event.go:176: redo map touch screen
No appenders assotiated with category qt.qpa.xcb
[Warning] <> QXcbConnection: XCB error: 5 (BadAtom), sequence: 575, resource id: 0, major code: 20 (GetProperty), minor code: 0
<warning> util.go:456: failed to get current using graphics card pci id
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.a11y.Bus' requested by ':1.13' (uid=1000 pid=2613 comm="/usr/lib/deepin-daemon/dde-session-daemon " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.a11y.Bus'
dbus-daemon[2767]: Activating service name='org.a11y.atspi.Registry' requested by ':1.0' (uid=1000 pid=2613 comm="/usr/lib/deepin-daemon/dde-session-daemon " label="docker-default (enforce)")
dbus-daemon[2767]: Successfully activated service 'org.a11y.atspi.Registry'
SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry
<info> session_process.go:110: /usr/lib/deepin-daemon/dde-session-daemon [] startup duration: 10.573667344s
<info> handle_event.go:176: redo map touch screen
<info> session_process.go:91: command /usr/bin/dde-dock [-r] started, pid: 2779
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.kde.kglobalaccel' requested by ':1.7' (uid=1000 pid=2619 comm="kwin_x11 -platform dde-kwin-xcb:appFilePath=/usr/b" label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.kde.kglobalaccel'
qt.qpa.xcb: QXcbConnection: XCB error: 5 (BadAtom), sequence: 722, resource id: 0, major code: 20 (GetProperty), minor code: 0
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
qt.qpa.xcb: QXcbConnection: XCB error: 5 (BadAtom), sequence: 746, resource id: 0, major code: 20 (GetProperty), minor code: 0
qt.qpa.xcb: QXcbConnection: XCB error: 5 (BadAtom), sequence: 770, resource id: 0, major code: 20 (GetProperty), minor code: 0
No appenders assotiated with category qt.qpa.xcb
[Warning] <> QXcbConnection: XCB error: 5 (BadAtom), sequence: 604, resource id: 0, major code: 20 (GetProperty), minor code: 0
No appenders assotiated with category qt.qpa.xcb
[Warning] <> QXcbConnection: XCB error: 5 (BadAtom), sequence: 633, resource id: 0, major code: 20 (GetProperty), minor code: 0
<info> session_process.go:110: /usr/bin/kwin_no_scale [] startup duration: 12.793531283s
<info> main.go:200: after 13.314528012s, call com.deepin.dde.Dock callShow
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='ca.desrt.dconf' requested by ':1.4' (uid=1000 pid=2613 comm="/usr/lib/deepin-daemon/dde-session-daemon " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'ca.desrt.dconf'
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.gtk.vfs.MTPVolumeMonitor' requested by ':1.11' (uid=1000 pid=2616 comm="/usr/bin/dde-desktop " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.gtk.vfs.MTPVolumeMonitor'
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.gtk.vfs.GPhoto2VolumeMonitor' requested by ':1.11' (uid=1000 pid=2616 comm="/usr/bin/dde-desktop " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.gtk.vfs.GPhoto2VolumeMonitor'
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.gtk.vfs.AfcVolumeMonitor' requested by ':1.11' (uid=1000 pid=2616 comm="/usr/bin/dde-desktop " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.ayatana.bamf' requested by ':1.3' (uid=1000 pid=2613 comm="/usr/lib/deepin-daemon/dde-session-daemon " label="docker-default (enforce)")
Volume monitor alive
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.gtk.vfs.AfcVolumeMonitor'
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='org.gtk.vfs.GoaVolumeMonitor' requested by ':1.11' (uid=1000 pid=2616 comm="/usr/bin/dde-desktop " label="docker-default (enforce)")
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.gtk.vfs.GoaVolumeMonitor'
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'org.ayatana.bamf'
<info> session_process.go:110: /usr/bin/dde-dock [-r] startup duration: 4.404388709s
<info> main.go:157: core components cost: 14.990780535s
<warning> manager_ifc.go:318: failed to  disable  redshift.service: exit status 1
<warning> startmanager.go:114: open /usr/lib/UIAppSched.hooks/launched: no such file or directory
<warning> manager_ifc.go:318: failed to  stop  redshift.service: exit status 5
<warning> manager_ifc.go:336: failed to reset ColorTemperature  exec: "redshift": executable file not found in $PATH
<warning> session_process.go:142: launchWithoutWait /usr/bin/cgexec [-g memory:c1@dde/DE /usr/lib/deepin-daemon/dde-osd] exit with error: exit status 255
<warning> sound_effect.go:64: open /etc/lightdm/lightdm.conf: no such file or directory
<info> session_process.go:60: start dde-session-daemon part2 cost: 3.107767209s
<info> main.go:314: iowait disabled
<info> handle_event.go:176: redo map touch screen
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
<warning> startmanager.go:737: [/bin/sh -c export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;exec /usr/bin/cgexec -g memory,freezer,blkio:c1@dde/uiapps/3 /usr/local/bin/x11docker-xrandr]: exit status 1
dbus-daemon[2588]: [session uid=1000 pid=2588] Activating service name='com.deepin.api.CursorHelper' requested by ':1.3' (uid=1000 pid=2613 comm="/usr/lib/deepin-daemon/dde-session-daemon " label="docker-default (enforce)")
<warning> startmanager.go:737: [/bin/sh -c export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;exec /usr/bin/cgexec -g memory,freezer,blkio:c1@dde/uiapps/9 start-pulseaudio-x11]: exit status 1
dbus-daemon[2588]: [session uid=1000 pid=2588] Successfully activated service 'com.deepin.api.CursorHelper'
<info> handle_event.go:176: redo map touch screen
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
<warning> dde_shutdown.go:32: failed to start deepinid-daemon: fork/exec /usr/lib/deepin-deepinid-daemon/deepin-deepinid-daemon: no such file or directory
<warning> watchdog.go:89: fork/exec /usr/lib/deepin-deepinid-daemon/deepin-deepinid-daemon: no such file or directory
<info> handle_event.go:176: redo map touch screen
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
<info> handle_event.go:176: redo map touch screen
<info> handle_event.go:176: redo map touch screen
<warning> util.go:456: failed to get current using graphics card pci id
<info> checker.go:293: process memory: /etc/xdg/autostart/xdg-user-dirs.desktop c1@dde/uiapps/2 0 open /sys/fs/cgroup/memory/c1@dde/uiapps/2/cgroup.procs: no such file or directory
<warning> startmanager.go:771: open /sys/fs/cgroup/memory/c1@dde/uiapps/2/cgroup.procs: no such file or directory
<info> checker.go:293: process memory: /etc/xdg/autostart/im-launch.desktop c1@dde/uiapps/5 0 open /sys/fs/cgroup/memory/c1@dde/uiapps/5/cgroup.procs: no such file or directory
<warning> startmanager.go:771: open /sys/fs/cgroup/memory/c1@dde/uiapps/5/cgroup.procs: no such file or directory
<info> checker.go:293: process memory: /etc/xdg/autostart/pulseaudio.desktop c1@dde/uiapps/9 0 open /sys/fs/cgroup/memory/c1@dde/uiapps/9/cgroup.procs: no such file or directory
<warning> startmanager.go:771: open /sys/fs/cgroup/memory/c1@dde/uiapps/9/cgroup.procs: no such file or directory
<info> checker.go:293: process memory: /etc/xdg/autostart/x11docker-xrandr.desktop c1@dde/uiapps/3 0 open /sys/fs/cgroup/memory/c1@dde/uiapps/3/cgroup.procs: no such file or directory
<warning> startmanager.go:771: open /sys/fs/cgroup/memory/c1@dde/uiapps/3/cgroup.procs: no such file or directory
<info> checker.go:293: process memory: /etc/xdg/autostart/deepin-ab-recovery.desktop c1@dde/uiapps/4 0 open /sys/fs/cgroup/memory/c1@dde/uiapps/4/cgroup.procs: no such file or directory
<warning> startmanager.go:771: open /sys/fs/cgroup/memory/c1@dde/uiapps/4/cgroup.procs: no such file or directory
<warning> session_process.go:96: command /usr/bin/kwin_no_scale [] exit with error: signal: terminated
werner@X10DAi:~$

mviereck commented 2 years ago

Sorry for my late response. Currently I am rarely at x11docker.

Maybe you could try to reduce the options you use in your command step by step until you find out which one makes the difference between "works" or "crashes".
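
Reducing the option set one flag at a time, as suggested above, can be scripted. The following is an added example, not x11docker's own code: `find_culprits` and `demo_probe` are hypothetical names, and `demo_probe` is a constructed stand-in that fails only when `--cap-add=ALL` is present, chosen just to show the mechanics; the thread does not say which option caused the real crash.

```shell
#!/bin/sh
# Added example, not x11docker's own code. Leave-one-out search over a
# launch command's options: PROBE is any command that exits 0 when the
# setup works and non-zero when it crashes. For a real run, PROBE would
# start x11docker with the remaining options and perform the ssh test.

# find_culprits PROBE OPT... : run PROBE once with every option except one;
# print the options whose removal alone turns the failure into a success.
# Options that only misbehave in combination are not caught by a single
# pass; rerun over the reduced set for those.
find_culprits() {
    probe=$1
    shift
    # Baseline: if the full option set already works there is nothing to find.
    if "$probe" "$@" >/dev/null 2>&1; then
        return 0
    fi
    culprits=""
    for drop in "$@"; do
        kept=""
        for opt in "$@"; do
            if [ "$opt" != "$drop" ]; then
                kept="$kept $opt"
            fi
        done
        # shellcheck disable=SC2086  # unquoted on purpose: rebuilds the argv
        if "$probe" $kept >/dev/null 2>&1; then
            culprits="$culprits $drop"
        fi
    done
    printf '%s\n' "${culprits# }"
}

# Constructed stand-in for the real launch: it "crashes" (exit 1) whenever
# --cap-add=ALL is among its arguments. Simulated failure for the demo only.
demo_probe() {
    for arg in "$@"; do
        if [ "$arg" = "--cap-add=ALL" ]; then
            return 1
        fi
    done
    return 0
}

# Search over the flags used in the command from this thread.
find_culprits demo_probe --xephyr --network=bridge --pulseaudio --xoverip \
    --home --sudouser --desktop --init=systemd --cap-add=ALL
```

Each probe run starts a fresh container, so expect one launch per option; redirecting the probe's output elsewhere keeps the per-run logs if you need them.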

hongyi-zhao commented 2 years ago

Currently I am rarely at x11docker.

Why? Do you want to stop further development of this tool?

mviereck commented 2 years ago

Why? Do you want to stop further development of this tool?

No, don't worry. :-) I just spend more of my time on offline projects while it is summer. More development is done during winter.

hongyi-zhao commented 2 years ago

Got it. Thank you for your explanation.

mviereck commented 2 years ago

Finally I've tried to reproduce your issue. Tested with deepin apricot and started with your command example:

x11docker --runasroot 'sed -r "s/^[[:blank:]]*[|]//" <<-EOF > /etc/sudoers
        |#$ sudo grep -Ev '\''^[ ]*(#|$)'\'' /etc/sudoers  
        |Defaults   env_reset
        |Defaults   mail_badpass
        |Defaults   secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
        |root   ALL=(ALL:ALL) ALL
        |%admin ALL=(ALL) ALL
        |%sudo  ALL=(ALL:ALL) ALL
        |$USER ALL=(ALL) NOPASSWD:ALL
    EOF' --xephyr --network=bridge --pulseaudio --xoverip --home --share=$HOME --sudouser -c --desktop --init=systemd -- --device /dev/mem:/dev/mem --cap-add=ALL -- x11docker/deepin

I could not reproduce your issue. ssh in deepin terminal to host just works.

Do you still have the issue?

hongyi-zhao commented 2 years ago

I confirmed your conclusion: Running my deepin apricot desktop with the latest git master x11docker commit doesn't have this problem either.