mviereck / x11docker

Run GUI applications and desktops in docker and podman containers. Focus on security.
MIT License

Daemon not found on Fedora 28 #49

Closed eine closed 6 years ago

eine commented 6 years ago

I have a freshly installed Fedora 28 (vanilla, i.e., with Gnome Shell). After I start docker with systemctl start docker, I can run e.g. docker run --rm -it debian:buster-slim bash:

$ docker run --rm -it debian:buster-slim bash
Unable to find image 'debian:buster-slim' locally
Trying to pull repository docker.io/library/debian ... 
sha256:158fd8073d5e6319ffd8cae2a41cdde95a98ec572fa314f6154facd3232eb97d: Pulling from docker.io/library/debian
ff0d602f5a3a: Pull complete 
Digest: sha256:158fd8073d5e6319ffd8cae2a41cdde95a98ec572fa314f6154facd3232eb97d
Status: Downloaded newer image for docker.io/debian:buster-slim
root@1b3511e3151a:/# exit
exit

However, when I try with x11docker I get:

$ ./x11docker debian:buster-slim bash
x11docker note: Using X server option --xorg

x11docker WARNING: Your configuration does not allow to start
  a second core Xorg server from within X. Option --xorg will probably fail.
  (As a default configuration, only root or console users can do that).

  Recommended easy solution: install one of nested X servers
  'nxagent', 'Xephyr' or 'Xnest'.
  Solution with --gpu support: install 'Weston' and 'Xwayland'.

  Or you can switch to console tty1...tty6 with <CTRL><ALT><F1>...<F6>
  and start x11docker there.

  Setup to start a second Xorg X server from within already running X:
  Edit file '/etc/X11/Xwrapper.config' and replace line:
      allowed_users=console
  with lines
      allowed_users=anybody
      needs_root_rights=yes
  If the file does not exist already, you can create it.
  On Ubuntu 16.04 and debian 9 you need package xserver-xorg-legacy.

x11docker note: Did not find a nice solution to run a seamless application
  on your desktop. (Only insecure option --hostdisplay would work).
  It is recommended to install nxagent or xpra.

x11docker note: Could not find Xephyr, Xnest, nxagent,
  xpra, weston+Xwayland or kwin_wayland+Xwayland to run a nested X server.
  Consider to install one of them.

x11docker note: You can switch between X servers and console terminals
  with [CTRL][ALT][F1]...[F12].

x11docker WARNING: On debian 9, switching often between multiple X servers can 
  cause a crash of one X server. This bug may be debian specific and is 
  probably some sort of race condition. If you know more about this or it 
  occurs on other systems, too, please report.

x11docker note: Could not detect a host window manager.
  Please specify one with option --wm=WINDOWMANAGER or install one of
  amiwm blackbox cinnamon compiz ctwm enlightenment fluxbox flwm fvwm jwm kwin lxsession mate-session mate-wm marco metacity notion olwm olvwm openbox ororobus pekwm sawfish twm wmaker w9wm xfwm4

x11docker WARNING: Although x11docker starts Xorg as unprivileged user,
  most system setups wrap Xorg to give it root permissions (setuid).
  Evil containers may try to abuse this.
  Other x11docker X server options like --xephyr are more secure at this point.

x11docker ERROR: Please make sure docker daemon is running.
  Try as root: 'systemctl start docker'

  Type 'x11docker --help' for usage information
  For debugging, run x11docker in terminal and/or enable option '--verbose'
  or look afterwards at logfile ~/.cache/x11docker/x11docker.log
  Please report issues at https://github.com/mviereck/x11docker

kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

I tried with --hostdisplay too:

$ ./x11docker --hostdisplay debian:buster-slim bash
x11docker note: Your X server does not support untrusted cookies.
  Have to use trusted cookies and to enable insecure option --hostipc.
  Consider to use options --nxagent or --xpra instead of --hostdisplay.

x11docker WARNING: Option --hostdisplay with trusted cookies provides 
      QUITE BAD CONTAINER ISOLATION !
  Keylogging and controlling host applications is possible!

x11docker WARNING: Security risk:
  Option --hostipc causes severe reduction of container isolation!
  Drawback: IPC namespace remapping is disabled.
  Advantage: X extension MIT-SHM is possible.

x11docker ERROR: Please make sure docker daemon is running.
  Try as root: 'systemctl start docker'

  Type 'x11docker --help' for usage information
  For debugging, run x11docker in terminal and/or enable option '--verbose'
  or look afterwards at logfile ~/.cache/x11docker/x11docker.log
  Please report issues at https://github.com/mviereck/x11docker

kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

I also tried running x11docker with sudo and installing nxagent. But I get the same result.

$ ./x11docker --nxagent btdi/texstudio bash

x11docker ERROR: Please make sure docker daemon is running.
  Try as root: 'systemctl start docker'

  Type 'x11docker --help' for usage information
  For debugging, run x11docker in terminal and/or enable option '--verbose'
  or look afterwards at logfile ~/.cache/x11docker/x11docker.log
  Please report issues at https://github.com/mviereck/x11docker

kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

The verbose option does not produce any output. The log file is empty.


Previously I was successfully using this script in Fedora 25, Fedora 26 and Windows 10 (with Xming). Therefore, I don't mind using the least secure options that x11docker provides (for now). What's the most straightforward solution to achieve it?

My target, after a simple image works, is to run image btdi/texstudio.

mviereck commented 6 years ago

Thank you for reporting! I am currently installing fedora 28 in a VM to reproduce the issues.

As a "first aid" you can disable the check for docker daemon in x11docker code at line 3384. Obviously the docker daemon no longer runs under the name dockerd in fedora:

      pidof dockerd >/dev/null     || error "Please make sure docker daemon is running.
  Try as root: 'systemctl start docker'"

eine commented 6 years ago

Thanks a lot! It was as stupid as that. I'm so sorry for wasting your time.

I am about to drop the docker_guiapp.sh script I wrote, and use this project instead. However, AFAIK you have not considered Windows as a host, have you? Would you be open to including something like docker_guiapp.sh#L30-L51? Not the exact same code, but the concept of starting either Xming, VcXsrv or Cygwin/X automatically.

BTW, congratulations. Not only because of x11docker, but also because of kaptain.

I'm leaving this issue open for you to close it when you push a fix that checks the daemon name. But it is solved for me, so you can close whenever you want.

mviereck commented 6 years ago

> Thanks a lot! It was as stupid as that. I'm so sorry for wasting your time.

It is a great help that you reported the bug! Although it was small, it rendered x11docker useless on fedora. x11docker now also checks for dockerd-current to suit fedora 28.

Another bug showing up was that x11docker tried to run --xorg instead of --hostdisplay.

And I see some errors about file descriptors I have to investigate further.

It seems I have to do some extensive tests on fedora and other systems whether x11docker runs on them without failures. I did major code changes in the last weeks that may not work on all systems.

If you run x11docker --update-master you get at least the bugfixes for the docker daemon check and for --hostdisplay. Please report again if you find something that looks fishy!

> However, AFAIK you have not considered Windows as a host, have you? Would you be open to including something like docker_guiapp.sh#L30-L51? Not the exact same code, but the concept of starting either Xming, VcXsrv or Cygwin/X automatically.

I have considered supporting X servers on Windows, too. Though, I don't have a working Windows installation. I got Win10 preinstalled on my laptop, but changed the hard disk. Win10 refuses to start on the same machine and same hard disk plugged in as usb drive. I cussed a bit and gave up the idea of supporting Windows.

Though, it should not be too hard. I could add an option --xming and autodetect Windows as host. But without a testing environment it does not make sense. And Windows 10 in VirtualBox is a slow curse.

> BTW, congratulations. Not only because of x11docker, but also because of kaptain.

Thank you! :-) But I have to say, kaptain is not my creation, I only use and provide it and try to keep it alive.

mviereck commented 6 years ago

Bugfix is now part of release v4.3.3.

mviereck commented 6 years ago

About Xming:

I had a look at some documentation and found that it should already be possible to use x11docker with Xming.

There is a "Start program" dialog in Xming.

The point is: if x11docker finds a valid DISPLAY, it will just work.

eine commented 6 years ago

Glad to hear that! I will try it and keep you posted.

maccradar commented 6 years ago

I have a similar bug on Ubuntu 15.04:

$ x11docker <image-name>
x11docker note: Using X server option --hostdisplay

x11docker note: To allow protection against X security leaks,
  please install one or more of:
    nxagent, xpra, Xephyr, weston+Xwayland, kwin_wayland+Xwayland or Xnest.
  or run a second Xorg server with option --xorg.

x11docker WARNING: Option --hostdisplay provides only low container isolation!
  It is recommended to use another X server option like --nxagent or --xpra.

  To improve security with --hostdisplay x11docker uses untrusted cookies.
  This can lead to strange behaviour of some applications.

  If you encounter issues, enable option --clipboard that disables security
  settings for --hostdisplay by the way.

x11docker ERROR: Please make sure docker daemon is running.
  Try as root: 'systemctl start docker'

  Type 'x11docker --help' for usage information
  For debugging, run x11docker in terminal and/or enable option '--verbose'
  or look afterwards at logfile <home>/.cache/x11docker/x11docker.log
  Please report issues at https://github.com/mviereck/x11docker

kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

Might be my old docker version:

$ docker --version
Docker version 1.9.1, build a34a1d5

mviereck commented 6 years ago

@maccradar Thanks for reporting! Can you please show me the output of:

pidof dockerd
pidof dockerd-current
ps aux | grep dockerd

maccradar commented 6 years ago

Strangely, the daemon is called 'docker' on my system:

$ pidof dockerd
$ pidof dockerd-current
$ pidof docker
11422
$ ps aux | grep dockerd
11645  0.0  0.0   9992  2488 pts/1    S+   11:32   0:00 grep --color=auto dockerd
$ ps aux | grep docker
11422  0.2  0.4 448536 40288 ?        Ssl  11:30   0:00 /usr/bin/docker daemon -H fd://
11664  0.0  0.0   9992  2364 pts/1    S+   11:32   0:00 grep --color=auto docker

mviereck commented 6 years ago

That is really strange. I am about to drop the check for the docker daemon altogether. If it is not running, startup of x11docker will just fail later at container startup.

I will publish an update soon. Meanwhile you can remove:

 pidof dockerd >/dev/null     || error "Please make sure docker daemon is running.
  Try as root: 'systemctl start docker'"

at about line 3384.

maccradar commented 6 years ago

OK, thanks for the fast response! I really need to upgrade to a new LTS because this ubuntu config is getting old :smile:

mviereck commented 6 years ago

I've made an update to master branch. Please run x11docker --update-master, it should work now. I have removed the docker daemon check altogether.
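
The thread shows one daemon under three process names (dockerd, dockerd-current on Fedora 28, and `docker daemon` with Docker 1.9.1), which is why a single `pidof dockerd` test failed. The sketch below is an added example, not x11docker code (the project removed the check instead). The function names and the `ps -eo pid=,args=` input format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of x11docker.

# find_docker_daemon_pid: read "PID ARGV..." lines on stdin (the format
# produced by `ps -eo pid=,args=`) and print the PID of the first process
# that looks like a Docker daemon. Returns 1 if none is found.
# Recognised forms, all taken from the thread above:
#   dockerd              upstream daemon name
#   dockerd-current      Fedora 28 packaging
#   docker daemon ...    Docker 1.9.1 (daemon is a client subcommand)
find_docker_daemon_pid() {
    awk '
        {
            # Compare the basename of argv[0], so "grep dockerd" or
            # "docker run ..." are not mistaken for the daemon.
            n = split($2, parts, "/")
            exe = parts[n]
            if (exe == "dockerd" || exe == "dockerd-current" ||
                (exe == "docker" && $3 == "daemon")) {
                print $1
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# docker_daemon_reachable: ask the daemon through the client instead of
# guessing its process name. `docker info` exits non-zero when the client
# cannot talk to a daemon (or when no docker client is installed).
docker_daemon_reachable() {
    docker info >/dev/null 2>&1
}

# docker_daemon_check: name-independent check first, process table second.
docker_daemon_check() {
    docker_daemon_reachable && return 0
    ps -eo pid=,args= | find_docker_daemon_pid >/dev/null
}
```

A failing `docker info` can also mean the calling user lacks access to the daemon socket, so the process-table fallback distinguishes "not running" from "not reachable by this user".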