mviereck / x11docker

Run GUI applications and desktops in docker and podman containers. Focus on security.
MIT License

error: process ID list syntax error (master broken) #65

Closed sandrokeil closed 6 years ago

sandrokeil commented 6 years ago

I just realized that the current master version is broken. Version 4.3.6 works fine. Any idea what goes wrong? It looks like it's only an x11/UI problem, because this error does not occur with --nothing.

Here is the output. What is this kind of Terminallist output? I guess the main error is error: process ID list syntax error.

x11docker note: You are running a beta version of x11docker.
  Beta versions change often and may introduce temporary new bugs.
  If you prefer latest stable release, run 'x11docker --update'.
  If you prefer to follow development, run 'x11docker --update-master'.

  You can contribute to x11docker if you find bugs and report them at:
    https://github.com/mviereck/x11docker

x11docker note: To allow GPU acceleration (option --gpu) with --hostdisplay,
  x11docker will share host resources with insecure option --hostipc
  and allow trusted cookies with option --trusted.

x11docker WARNING: To allow clipboard sharing with option --hostdisplay,
  trusted cookies and insecure option --hostipc will be enabled.
  No protection against X security leaks is left!
  Please consider to use another X server option.

x11docker WARNING: Option --hostdisplay with trusted cookies provides
      QUITE BAD CONTAINER ISOLATION !
  Keylogging and controlling host applications is possible!

x11docker WARNING: Security risk:
  Option --hostipc causes severe reduction of container isolation!
  Drawback: IPC namespace remapping is disabled.
  Advantage: X extension MIT-SHM is possible.

x11docker WARNING: Option --cap-default disables security hardening
  for containers. Granting docker's default capabilities is considered insecure.

x11docker WARNING: Option --sys-admin may be dangerous.
  It adds insecure capability SYS_ADMIN to container.
  It is needed to run debian 9 images with option --systemd.
  Debian 10 images run well without --sys-admin.

x11docker WARNING: Option --gpu degrades container isolation.
  Container gains access to GPU hardware.
  This allows reading host window content (palinopsia leak)
  and GPU rootkits (compare proof of concept: jellyfish).

realpath: '': No such file or directory
x11docker WARNING: You are using proprietary closed source nvidia driver.
  GPU acceleration will only work if you have installed the very same driver
  version in image. That makes images less portable.
  It is recommended to use free open source nouveau driver on host instead.
  Ask NVIDIA corporation to at least publish their closed source API,
  or even better to actively support open source drivers like nouveau.

x11docker note: x11docker can try to automatically install nvidia driver
  version 396.24 in container on every container startup.
  Drawbacks: Container startup is slower and its security will be reduced.

  You can look here for a driver installer:
    https://www.nvidia.com/Download/index.aspx
    https://http.download.nvidia.com/
  A direct download URL may be:
   https://http.download.nvidia.com/XFree86/Linux-x86_64/396.24/NVIDIA-Linux-x86_64-396.24.run
  If you got a driver, store it at one of the following locations:
    /home/skeil/.local/share/x11docker/
    /usr/local/share/x11docker/

  Be aware that the version number must match exactly the version on host.
  The file name must begin with 'NVIDIA', contain the version number 396.24
  and end with suffix '.run'.

  Automated installation fails on image systems not using glibc like Alpine
  and fails on openSUSE images with a self-extraction error.
  These issues cannot be fixed due to closed source policy of NVIDIA corporation.

  To avoid all this, use free nouveau driver on host
  instead of proprietary closed source nvidia driver.

x11docker WARNING: Option --pulseaudio allows container applications
  to catch your audio output and microphone input.

+ Terminallist='xterm lxterm lxterminal stterm sakura termit pterm terminator terminology Eterm konsole qterminal gnome-terminal mate-terminal mrxvt rxvt xvt kterm mlterm xfce4-terminal NOLUCK'
+ '[' -z :1:1 ']'
+ for Pullterminal in $Terminallist
+ command -v xterm
+ for Pullterminal in $Terminallist
+ command -v lxterm
+ for Pullterminal in $Terminallist
+ command -v lxterminal
+ for Pullterminal in $Terminallist
+ command -v stterm
+ for Pullterminal in $Terminallist
+ command -v sakura
+ for Pullterminal in $Terminallist
+ command -v termit
+ for Pullterminal in $Terminallist
+ command -v pterm
+ for Pullterminal in $Terminallist
+ command -v terminator
+ for Pullterminal in $Terminallist
+ command -v terminology
+ for Pullterminal in $Terminallist
+ command -v Eterm
+ for Pullterminal in $Terminallist
+ command -v konsole
+ for Pullterminal in $Terminallist
+ command -v qterminal
+ for Pullterminal in $Terminallist
+ command -v gnome-terminal
+ break
+ '[' gnome-terminal = NOLUCK ']'
+ '[' -z :1 ']'
+ case $Pullterminal in
+ Pullterminal='dbus-launch gnome-terminal -x'
+ '[' -z 'bash -c' ']'
+ Anyterminal='dbus-launch gnome-terminal -x'
+ '[' -z :1:1 ']'
+ set +x
error: process ID list syntax error

Usage:
 ps [options]

 Try 'ps --help <simple|list|output|threads|misc|all>'
  or 'ps --help <s|l|o|t|m|a>'
 for additional help text.

For more details see ps(1).
error: process ID list syntax error

Usage:
 ps [options]

 Try 'ps --help <simple|list|output|threads|misc|all>'
  or 'ps --help <s|l|o|t|m|a>'
 for additional help text.

For more details see ps(1).
[skeil@desktop1950x ~]$ /home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/dockerrc: line 172: /home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/share/container.CMD.sh: No such file or directory
/home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/dockerrc: line 218: /home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/share/container.CMD.sh: No such file or directory
/home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/dockerrc: line 220: /home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/share/x11docker.log: No such file or directory
/home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/dockerrc: line 222: /home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/container.log: No such file or directory
/home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/dockerrc: line 64: /home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/share/message.fifo: No such file or directory
tail: cannot open '/home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/container.log' for reading: No such file or directory
/home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/dockerrc: line 70: /home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/share/message.fifo: No such file or directory
touch: cannot touch '/home/skeil/.cache/x11docker/X50-sandrokeil-arch-chromium-nvidia/xtermready': No such file or directory

mviereck commented 6 years ago

The terminal list output is created by a set -x that I inserted for debugging and accidentally uploaded to master. It is already removed in latest master. The ps error is something different, not sure now. Can you please update and try again?

sandrokeil commented 6 years ago

Alright, just updated to latest master. The Terminallist is gone, but I still have the process ID error. Just a quick lookup, maybe it's something like this?

sandrokeil commented 6 years ago

It has occurred since this commit: https://github.com/mviereck/x11docker/commit/02657d8851253c29276d75a26fb51f3b75d67e28#diff-308fa5eac58a6b2ba23e0fbc6e033041. Previous revisions worked fine.

mviereck commented 6 years ago

Can you run with option --debug and show me the output, please? It shows a lot of background process handling and gives good chances to find the false ps command. I assume it happens in finish().

Currently I don't have this issue, maybe it depends on special options.

sandrokeil commented 6 years ago

It's Command at Line 5702 returned with error code 1: awk '{print $1}'

x11docker note: You are running a beta version of x11docker.
  Beta versions change often and may introduce temporary new bugs.
  If you prefer latest stable release, run 'x11docker --update'.
  If you prefer to follow development, run 'x11docker --update-master'.

  You can contribute to x11docker if you find bugs and report them at:
    https://github.com/mviereck/x11docker

DEBUGNOTE:(20:28:01) Command at Line 1878 returned with error code 1:
  tr -cd '[:alpha:][:digit:][:blank:]-_.'
  0 - ::main
DEBUGNOTE:(20:28:01) Command at Line 1878 returned with error code 1:
  Imagecommandbasename=$(basename $(echo $Imagecommand | cut -d' ' -f1) 2>/dev/null | tr -cd '[:alpha:][:digit:][:blank:]-_.')
  0 - ::main
DEBUGNOTE:(20:28:01) Dependency check for --hostdisplay: 0
DEBUGNOTE:(20:28:01) Dependency check for --hostdisplay: 0
DEBUGNOTE:(20:28:01) Using X server option --hostdisplay
x11docker WARNING: To allow clipboard sharing with option --hostdisplay,
  trusted cookies and insecure option --hostipc will be enabled.
  No protection against X security leaks is left!
  Please consider to use another X server option.

x11docker WARNING: Option --hostdisplay with trusted cookies provides
      QUITE BAD CONTAINER ISOLATION !
  Keylogging and controlling host applications is possible!

x11docker WARNING: Security risk:
  Option --hostipc causes severe reduction of container isolation!
  Drawback: IPC namespace remapping is disabled.
  Advantage: X extension MIT-SHM is possible.

DEBUGNOTE:(20:28:01) Stored background pid 8466 of watchpidlist
DEBUGNOTE:(20:28:01) Stored background pid 8472 of watchmessagefifo
DEBUGNOTE:(20:28:01) Watching   8196 pts/0    00:00:00 x11docker
DEBUGNOTE:(20:28:01) docker command:
  docker run -d --tty --rm --name=x11docker_X1_00bf0e_sandrokeil-archlinux \
  --user=1000:985 --env USER=skeil \
  --userns=host \
  --cap-drop ALL \
  --volume //usr/bin/docker-init://x11docker/tini:ro \
  --security-opt no-new-privileges \
  --security-opt label=type:container_runtime_t \
  --group-add 995 \
  --group-add 986 \
  --tmpfs //run --tmpfs //run/lock \
  --entrypoint=env \
  --env container=docker \
  -v //home/skeil/.cache/x11docker/X53-sandrokeil-archlinux/share://x11docker:rw \
  -v '//home/skeil/data/x11docker/robo3t':'//home/skeil':rw \
  -e DISPLAY=:1 -e XAUTHORITY=//x11docker/Xclientcookie \
  -v //tmp/.X11-unix/X1://X1:rw \
  --ipc=host \
  --workdir //tmp \
  -- sandrokeil/archlinux:robo3t //bin/sh - //x11docker/container.CMD.sh
DEBUGNOTE:(20:28:01) Users and terminal:
  x11docker was started by:                       skeil
  As host user serves (running X, storing cache): skeil
  Container user will be:                         skeil
  Container user password:                        x11docker
  Getting permission to run docker with:          bash -c 
  Running X and other user commands with:         bash -c
  Terminal for password frontend:                 bash -c
  Terminal to show docker pull progress:          dbus-launch gnome-terminal -x
  Running on console:                             no
  Running over SSH:                               no
  Running on MS Windows:                          no
  Running on CYGWIN or MSYS2:                     no
  Running on WSL:                                 no
DEBUGNOTE:(20:28:01) Stored background pid 8528 of containershell
DEBUGNOTE:(20:28:01) Waiting for X server --hostdisplay to be ready.
DEBUGNOTE:(20:28:01) Running xinitrc
DEBUGNOTE:(20:28:01) --hostdisplay is ready
DEBUGNOTE:(20:28:01) Command at Line 5702 returned with error code 1:
  awk '{print $1}'
  0 - ::main
DEBUGNOTE:(20:28:01) Command at Line 5702 returned with error code 1:
  Xinitpid="$(pgrep -a xinit | grep "xinit $Xinitrc" | awk '{print $1}')"
  0 - ::main
error: process ID list syntax error

Usage:
 ps [options]

 Try 'ps --help <simple|list|output|threads|misc|all>'
  or 'ps --help <s|l|o|t|m|a>'
 for additional help text.

For more details see ps(1).
DEBUGNOTE:(20:28:02) Stored background pid PID of 1
DEBUGNOTE:(20:28:02) Watching 
DEBUGNOTE:(20:28:02) watchpidlist: PID PID has terminated
DEBUGNOTE:(20:28:02) time to say goodbye (watchpidlist PID)
DEBUGNOTE:(20:28:02) time to say goodbye (watchpidlist)
DEBUGNOTE:(20:28:02) time to say goodbye (xinit)
DEBUGNOTE:(20:28:02) Terminating x11docker.
DEBUGNOTE:(20:28:02) List of stored background processes:
8466 watchpidlist
8472 watchmessagefifo
8528 containershell
PID 1
error: process ID list syntax error

Usage:
 ps [options]

 Try 'ps --help <simple|list|output|threads|misc|all>'
  or 'ps --help <s|l|o|t|m|a>'
 for additional help text.

For more details see ps(1).
DEBUGNOTE:(20:28:02) Running dockerrc
DEBUGNOTE:(20:28:02) Checking: PID (1): 
DEBUGNOTE:(20:28:02) Checking: 8528 (containershell):   8528 pts/0    00:00:00 x11docker
DEBUGNOTE:(20:28:02) Terminating 8528 (containershell) x11docker:   8528 pts/0    00:00:00 x11docker
DEBUGNOTE:(20:28:02) Checking: 8472 (watchmessagefifo): 
DEBUGNOTE:(20:28:02) Checking: 8466 (watchpidlist): 
DEBUGNOTE:(20:28:02) time to say goodbye (finish)
DEBUGNOTE:(20:28:02) Exitcode 0

It looks like $Bgpidfile has as last entry PID 1

mviereck commented 6 years ago

Thank you for investigating! The bug itself was two lines below and only appeared with --hostdisplay:

      echo $Xcommand | grep -q Xorgwrapper && Line="Xorg $Newdisplay" || Line="$Xcommand"
      Xserverpid=$(ps aux | grep "$(echo "$Line" | cut -d' ' -f1-2)" | grep -v grep | grep -v xinit | awk '{print $2}')
      [ "$Xserverpid" ] && setonwatchpidlist $Xserverpid && storepid $Xserverpid Xserver

With --hostdisplay, variable $Line is empty. ps aux | grep "$(echo "$Line" [...] gives the full output of ps aux and, when parsed, coincidentally leads to PID 1. Thank god that x11docker failed to kill PID 1 accidentally. :-) The fix is now not to parse for the X server pid with --hostdisplay.
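The failure chain described above, reproduced as an added example that is not x11docker's own code: the three-line snippet quoted in the previous comment is run against a constructed `ps aux` capture (not a real one) with an empty $Line, which shows why the stored entry became "PID 1" (the header word "PID" and init's PID, word-split from the unquoted multi-line result). A guarded variant then applies the same principle as the maintainer's fix (skip the lookup when there is no X server of our own) and additionally validates the result and the sink. The names PS_AUX, buggy_xserver_pid, buggy_watch, safe_xserver_pid, store_pid and BGPIDS are this example's own, not x11docker identifiers.

```shell
#!/bin/sh
# Added example, not x11docker code. Reproduces the empty-pattern bug from the
# quoted snippet against a constructed `ps aux` capture, then a guarded version.

# Constructed `ps aux` output (not a real capture). Field 11 is COMMAND.
PS_AUX='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?        Ss   20:00   0:01 /sbin/init
skeil     1234  2.0  1.0 500000 80000 tty2     Sl+  20:01   0:10 /usr/lib/Xorg :1 -auth /tmp/serverauth
skeil     1250  0.0  0.0  20000  4000 tty2     S+   20:01   0:00 xinit /home/skeil/.cache/x11docker/xinitrc -- /usr/lib/Xorg :1
skeil     8196  0.0  0.1  30000  6000 pts/0    S+   20:28   0:00 bash x11docker --hostdisplay
skeil     8300  0.0  0.0  10000  1000 pts/0    S+   20:28   0:00 grep Xorg :1'
BGPIDS=''

# Same pipeline shape as the quoted snippet: grep for the first two words of
# $Line. With --hostdisplay $Line is "", so `grep ""` matches every line and
# awk prints the PID column of the whole table, header word "PID" included.
buggy_xserver_pid() {
    Line=$1
    printf '%s\n' "$PS_AUX" | grep "$(printf '%s\n' "$Line" | cut -d' ' -f1-2)" \
        | grep -v grep | grep -v xinit | awk '{print $2}'
}

# What `storepid $Xserverpid Xserver` receives when $Xserverpid is unquoted:
# the multi-line result is word-split, so arg1 is "PID" and arg2 is "1" (init).
# That is the "Stored background pid PID of 1" line in the debug log.
buggy_watch() {
    Xserverpid=$(buggy_xserver_pid "$1")
    set -- $Xserverpid Xserver     # unquoted on purpose, as in the original
    printf '%s %s\n' "$1" "$2"
}

# Guarded lookup: refuse an empty pattern (nothing of ours to watch), skip the
# header row, match the pattern as a fixed string rather than a regex, and
# accept exactly one numeric PID. Several matches are as bad as none here.
safe_xserver_pid() {
    pattern=$1
    [ -n "$pattern" ] || return 1
    pid=$(printf '%s\n' "$PS_AUX" | awk -v pat="$pattern" '
        NR > 1 && index($0, pat) && $11 !~ /grep/ && $11 !~ /xinit/ { print $2 }')
    case $pid in
        '' | *[!0-9]*) return 1 ;;   # nothing, several PIDs, or garbage
    esac
    printf '%s\n' "$pid"
}

# Validate at the sink too: a PID list must never receive a non-number, or the
# later `ps -p` fails ("process ID list syntax error") and a kill could land
# on the wrong process.
store_pid() {
    case $1 in
        '' | *[!0-9]*)
            printf 'store_pid: refusing non-numeric pid "%s"\n' "$1" >&2
            return 1 ;;
    esac
    BGPIDS="${BGPIDS}$1 $2
"
}

# Demo: buggy path yields "PID 1" for --hostdisplay; guarded path stores
# nothing for --hostdisplay and 1234 for "Xorg :1".
echo "buggy, --hostdisplay: stores '$(buggy_watch '')'"
echo "buggy, Xorg :1:       stores '$(buggy_watch 'Xorg :1')'"
safe_xserver_pid '' >/dev/null || echo "guarded, --hostdisplay: no X server pid to watch"
store_pid "$(safe_xserver_pid 'Xorg :1')" Xserver && printf 'guarded, Xorg :1: stored %s' "$BGPIDS"
```

The `$11 !~ /grep/` exclusion only matters for the constructed capture, which deliberately contains the grep process that the original `grep -v grep` filtered; with awk doing the matching there is no grep process to exclude in real use. The empty-pattern guard is the general form of "do not parse for the X server pid with --hostdisplay": whenever the command line being searched for is empty, there is no process of ours to watch, and a substring search must not be run at all.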