mviereck / x11docker

Run GUI applications and desktops in docker and podman containers. Focus on security.
MIT License

Container won't start without --ipc=host #461

Closed kumikooumae closed 2 years ago

kumikooumae commented 2 years ago

I tried multiple images (x11docker/fvwm, x11docker/xfce, rycus86/pycharm), and they won't start in podman without --ipc=host.

The command I'm using: x11docker --backend=podman x11docker/xfce glxgears

Error message: x11docker ERROR: start_container(): Did not receive PID of PID1 in container. Maybe the container immediately stopped for unknown reasons. Just in case, check if host and image architecture are compatible: Host architecture: amd64 (x86_64), image architecture: amd64.

Content of container log:

Error: no container with name or ID "x11docker_X165_x11docker-xfce-glxgears_059468494033" found: no such container
Error: runc: runc create failed: unable to start container process: error during container init: error mounting "mqueue" to rootfs at "/dev/mqueue": mount mqueue:/dev/mqueue (via /proc/self/fd/15), flags: 0xe: operation not permitted: OCI permission denied
Error: inspecting object: no such object: "x11docker_X165_x11docker-xfce-glxgears_059468494033"

However, if I add --ipc=host like x11docker --backend=podman --ipc=host x11docker/xfce glxgears, the container can start and the nxagent window will show up.

mviereck commented 2 years ago

Thank you for the report!

The error message speaks of runc (docker default), but podman normally uses crun instead. Is that a custom configuration of yours?

I can reproduce the issue here, too, if I add option --runtime=runc.

x11docker runs the X server in a container of x11docker/xserver if available and uses option --ipc to connect their shared memory (but not if one sets --ipc=host). It works with --xc=no to disable the X container. For example:

x11docker --runtime=runc --xc=no --backend=podman x11docker/xfce glxgears

It also works with --runtime=crun. Please try this:

x11docker --runtime=crun --backend=podman x11docker/xfce glxgears

I am still curious why podman uses runc in your case, and if that is an x11docker issue or a wrong podman configuration. Please show me the output of:

podman info | grep -A10 Runtime

To work around the issue, I've made a commit that does not share the IPC of the X container and the command container in case of --backend=podman --runtime=runc.
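The diagnostic asked for above (which OCI runtime podman is configured with) and the two workarounds from this comment, as an added POSIX shell example that is not part of x11docker. It parses `podman info` output for the ociRuntime name and, for runc, suggests --runtime=crun when crun is installed and --xc=no otherwise; both keep the X server and command containers in separate IPC namespaces, unlike --ipc=host, which drops IPC isolation from the host entirely. The sample `podman info` text is constructed and abbreviated.

```shell
#!/bin/sh
# Added example, not x11docker's own code.

# Constructed, abbreviated sample of `podman info` output on a host
# where podman was installed with runc instead of crun.
SAMPLE_PODMAN_INFO='host:
  ociRuntime:
    name: runc
    package: runc-example-package
    path: /usr/bin/runc
    version: |-
      runc version example
  os: linux'

# Read `podman info` text on stdin and print the configured OCI runtime name.
# Only the "name:" field inside the "ociRuntime:" block is considered.
podman_runtime_name() {
    awk '/^  ociRuntime:/ { inblock = 1; next }
         inblock && /^    name:/ { print $2; exit }
         inblock && /^  [^ ]/ { exit }'
}

# $1: runtime name from podman info; $2: "yes" if crun is installed on the host.
# Prints the x11docker option that avoids the mqueue mount failure without
# resorting to --ipc=host; prints nothing when no workaround is needed.
x11docker_runtime_flags() {
    case "$1" in
        runc)
            if [ "$2" = "yes" ]; then
                echo "--runtime=crun"   # switch podman to crun for this run
            else
                echo "--xc=no"          # no X container, so no shared IPC needed
            fi
            ;;
        *)
            echo ""
            ;;
    esac
}

# Demonstration on the constructed sample; replace the printf with
# `podman info` to check a live host.
rt=$(printf '%s\n' "$SAMPLE_PODMAN_INFO" | podman_runtime_name)
if command -v crun >/dev/null 2>&1; then crun_present=yes; else crun_present=no; fi
echo "podman runtime: $rt -> suggested x11docker option: $(x11docker_runtime_flags "$rt" "$crun_present")"
```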

kumikooumae commented 2 years ago

Thanks. crun was not installed on my computer. I removed runc and installed crun, and x11docker --backend=podman x11docker/xfce glxgears worked for me. Looks like Fedora chose runc as a dependency instead of crun when I was installing podman.

mviereck commented 2 years ago

> Looks like Fedora chose runc as a dependency instead of crun when I was installing podman.

That's odd. podman and crun are closely related to Red Hat/Fedora, having the same developers. Normally they would never use runc, and they even dropped docker from their repository. However, good that the issue is fixed.