[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Run graphical application in container

From: Christopher Lemmer Webber
Subject: Re: Run graphical application in container
Date: Wed, 01 Jul 2020 16:42:20 -0400
User-agent: mu4e 1.4.9; emacs 26.3

Leo Famulari writes:

> On Tue, Oct 16, 2018 at 04:22:43PM +0200, Pierre Neidhardt wrote:
>> I think this was mentioned before on the mailing list but I cannot find
>> it back.
> I think the first discussion was here, regarding IceCat:
> And a more recent discussion is here:
>> The following won't work:
>> --8<---------------cut here---------------start------------->8---
>> $ guix environment -C -N --ad-hoc epiphany -- epiphany
>> Unable to init server: Could not connect: Connection refused
>> Failed to parse arguments: Cannot open display: 
>> --8<---------------cut here---------------end--------------->8---
>> Is it possible to start a graphical application in a container?
> I think you'll need to share the host system's X socket, like
> '--share=/tmp/.X11-unix' or '--share=/tmp/serverauth.$RANDOM' and then
> `export DISPLAY=":0.0"` in the container. $RANDOM is a random string to
> make the filename unpredictable.
> So, it's definitely possible. In my experience, the hard part is finding
> the myriad directories used by the software and sharing or exposing them
> to the container. This is shown in the second discussion I linked above.

Yikes.  I gave this a try today.  I was trying to do the eolie container
example from the manual.  I couldn't figure it out.

  guix environment \
    --verbosity=2 --preserve='^DISPLAY$' --container --network \
    --expose=/etc/machine-id \
    --expose=/etc/ssl/certs/ \
    --share=$HOME/.local/share/eolie/=$HOME/.local/share/eolie/ \
    --share=/tmp/.X11-unix/=/tmp/.X11-unix/ \
    --share=$HOME/.Xauthority=$HOME/.Xauthority \
    --ad-hoc eolie nss-certs dbus -- eolie

Do we generally lack a reproducible way to be able to link in whatever
xauthority foo?

Docker and flatpack and etc must have already figured this out, right?
(Or maybe things are easier in wayland?  I'm skeptical though...)

(Of course, this does mean that any application that can run X can
escape the container, but I guess that was already the case.  Really
looking forward to a day when we have sane, ocap security as our
security foundation instead of this nonsense...)

reply via email to

[Prev in Thread] Current Thread [Next in Thread]