x11docker: --gpu fails with --podman
Context: I’m troubleshooting a freezing issue with an Electron app (Visual Studio Code) running as a container. I’m clueless about what the real issue might be, but two things that occurred to me are the lack of GPU access and /dev/shm. I’m on an NVIDIA system, but the same issue reproduces on an AMD system.
To move forward with this, I’m using x11docker with a simpler container on the AMD system, using rootless podman:
x11docker --podman --cap-default --gpu x11docker/xfce glxgears
It renders a black screen. Without the --gpu flag it renders correctly, using a lot of CPU. On the host it renders using the GPU.
The command above translates to:
podman run --tty --detach \
--name x11docker_X114_x11docker-xfce-glxgears_69062233839 \
--user 1000:100 \
--env USER=user \
--userns=keep-id \
--group-add 481 \
--group-add 483 \
--security-opt label=type:container_runtime_t \
--volume '/usr/bin/catatonit':'/usr/local/bin/init':ro \
--tmpfs /run --tmpfs /run/lock \
--volume '/home/user/.cache/x11docker/x11docker-xfce-glxgears-69062233839/share':'/x11docker':rw \
--device '/dev/dri':'/dev/dri':rw \
--device '/dev/vga_arbiter':'/dev/vga_arbiter':rw \
--volume '/tmp/.X11-unix/X114':'/X114':rw \
--workdir '/tmp' \
--entrypoint env \
--env 'container=docker' \
--env 'XAUTHORITY=/x11docker/Xauthority.client' \
--env 'DISPLAY=:114' \
--env 'HOME=/home/user' \
--env 'XDG_RUNTIME_DIR=/tmp/XDG_RUNTIME_DIR' \
-- x11docker/xfce /usr/local/bin/init -- /bin/sh - /x11docker/containerrc
I reduced it to:
podman run --rm \
--device '/dev/dri':'/dev/dri':rw \
--device '/dev/vga_arbiter':'/dev/vga_arbiter':rw \
--volume /tmp/.X11-unix:/tmp/.X11-unix \
--volume $XAUTHORITY:/tmp/auth \
--tmpfs /run --tmpfs /run/lock \
--env DISPLAY \
--env XAUTHORITY=/tmp/auth \
-it --group-add 483 --group-add 481 \
x11docker/xfce glxgears
It’s a slightly different command; it causes some flickering on screen, which forces me to reset the display manager.
Full logs
x11docker note: Option --podman: experimental only.
To avoid a prompt for root password, you might have to execute:
sysctl -w kernel.unprivileged_userns_clone=1
Please report issues at: https://github.com/mviereck/x11docker/issues/255
DEBUGNOTE[14:01:28,800]: traperror: Command at Line 6379 returned with error code 1:
grep 172.17.0.1
8607 - ::check_host::main::main
DEBUGNOTE[14:01:28,805]: time to say goodbye (traperror)
DEBUGNOTE[14:01:28,810]: traperror: Command at Line 6379 returned with error code 1:
Hostip="$(ip -4 -o a | grep 'docker0' | awk '{print $4}' | cut -d/ -f1 | grep 172.17.0.1)"
8607 - ::check_host::main::main
DEBUGNOTE[14:01:28,814]: time to say goodbye (traperror)
DEBUGNOTE[14:01:28,865]: check_host(): ps can watch root processes: yes
DEBUGNOTE[14:01:28,896]: host user: user 1000:100 /home/user
DEBUGNOTE[14:01:29,115]: storeinfo(): cache=/home/user/.cache/x11docker/x11docker-xfce-glxgears-18088751606
DEBUGNOTE[14:01:29,123]: storeinfo(): stdout=/home/user/.cache/x11docker/x11docker-xfce-glxgears-18088751606/share/stdout
DEBUGNOTE[14:01:29,131]: storeinfo(): stderr=/home/user/.cache/x11docker/x11docker-xfce-glxgears-18088751606/share/stderr
DEBUGNOTE[14:01:29,151]: storeinfo(): x11dockerpid=22773
DEBUGNOTE[14:01:29,193]:
x11docker version: 6.6.3-beta
docker version: podman version 2.1.1
Host system: "openSUSE Tumbleweed"
Host architecture: amd64 (x86_64)
Command: '/home/user/bin/x11docker' '--debug' '--podman' '--cap-default' '--gpu' 'x11docker/xfce' 'glxgears'
Parsed options: --debug --podman --cap-default --gpu -- 'x11docker/xfce' 'glxgears'
DEBUGNOTE[14:01:29,198]: --xpra-xwayland: xpra not found.
You can look for the package name of this command at:
https://github.com/mviereck/x11docker/wiki/dependencies#table-of-all-packages
DEBUGNOTE[14:01:29,202]: --xpra-xwayland: weston not found.
You can look for the package name of this command at:
https://github.com/mviereck/x11docker/wiki/dependencies#table-of-all-packages
DEBUGNOTE[14:01:29,206]: --xpra-xwayland: xdotool not found.
You can look for the package name of this command at:
https://github.com/mviereck/x11docker/wiki/dependencies#table-of-all-packages
DEBUGNOTE[14:01:29,211]: Dependency check for --xpra-xwayland: 1
DEBUGNOTE[14:01:29,215]: --weston-xwayland: weston not found.
You can look for the package name of this command at:
https://github.com/mviereck/x11docker/wiki/dependencies#table-of-all-packages
DEBUGNOTE[14:01:29,220]: Dependency check for --weston-xwayland: 1
DEBUGNOTE[14:01:29,224]: Dependency check for --kwin-xwayland: 0
DEBUGNOTE[14:01:29,229]: Dependencies of --kwin-xwayland already checked: 0
x11docker note: Using X server option --kwin-xwayland
DEBUGNOTE[14:01:29,233]: storeinfo(): xserver=–kwin-xwayland
x11docker WARNING: Option --gpu degrades container isolation.
Container gains access to GPU hardware.
This allows reading host window content (palinopsia leak)
and GPU rootkits (compare proof of concept: jellyfish).
x11docker WARNING: Option --cap-default disables security hardening
for containers done by x11docker. Default docker capabilities are allowed.
This is considered to be less secure.
x11docker note: Option --cap-default: Enabling option --newprivileges.
You can avoid this with --newprivileges=no
DEBUGNOTE[14:01:29,258]: container user: user 1000:100 /home/user
DEBUGNOTE[14:01:29,288]: waitforlogentry(): tailstdout: Waiting for logentry "x11docker=ready" in store.info
DEBUGNOTE[14:01:29,289]: waitforlogentry(): tailstderr: Waiting for logentry "x11docker=ready" in store.info
DEBUGNOTE[14:01:29,301]: storepid(): Stored pid '23331' of 'watchpidlist': 23331 pts/2 00:00:00 bash
DEBUGNOTE[14:01:29,316]: storepid(): Stored pid '23352' of 'watchmessagefifo': 23352 pts/2 00:00:00 bash
DEBUGNOTE[14:01:29,474]: storeinfo(): DISPLAY=:124
DEBUGNOTE[14:01:29,482]: storeinfo(): XAUTHORITY=/home/user/.cache/x11docker/x11docker-xfce-glxgears-18088751606/share/Xauthority.client
DEBUGNOTE[14:01:29,490]: storeinfo(): XSOCKET=/tmp/.X11-unix/X124
DEBUGNOTE[14:01:29,498]: storeinfo(): WAYLAND_DISPLAY=wayland-124
DEBUGNOTE[14:01:29,506]: storeinfo(): XDG_RUNTIME_DIR=/run/user/1000
DEBUGNOTE[14:01:29,514]: storeinfo(): Xenv= DISPLAY=:124 XAUTHORITY=/home/user/.cache/x11docker/x11docker-xfce-glxgears-18088751606/share/Xauthority.client XSOCKET=/tmp/.X11-unix/X124 WAYLAND_DISPLAY=wayland-124 XDG_RUNTIME_DIR=/run/user/1000
DEBUGNOTE[14:01:29,639]: X server command:
/usr/bin/Xwayland :124
-retro
+extension RANDR
+extension RENDER
+extension GLX
+extension XVideo
+extension DOUBLE-BUFFER
+extension SECURITY
+extension DAMAGE
+extension X-Resource
-extension XINERAMA -xinerama
-extension MIT-SHM
+extension Composite +extension COMPOSITE
-extension XTEST -tst
-dpms
-s off
-auth /home/user/.cache/x11docker/x11docker-xfce-glxgears-18088751606/Xauthority.server
-nolisten tcp
-dpi 96
DEBUGNOTE[14:01:29,644]: Compositor command:
env QT_XKB_CONFIG_ROOT=/usr/share/X11/xkb kwin_wayland
--xwayland
--socket=wayland-124
--width=1264 --height=672
--x11-display=:0
DEBUGNOTE[14:01:29,760]: storeinfo(): tini=/usr/bin/catatonit
DEBUGNOTE[14:01:29,770]: Users and terminal:
x11docker was started by: user
As host user serves (running X, storing cache): user
Container user will be: user
Container user password: x11docker
Getting permission to run docker with: eval
Terminal for password frontend: bash -c
Running in a terminal: yes
Running on console: no
Running over SSH: no
Running sourced: no
bash $-: huBE
x11docker WARNING: Option --newprivileges=yes: x11docker does not set
docker run option --security-opt=no-new-privileges.
That degrades container security.
However, this is still within a default docker setup.
DEBUGNOTE[14:01:29,776]: storeinfo(): containername=x11docker_X124_x11docker-xfce-glxgears_18088751606
x11docker WARNING: Sharing device file: /dev/dri
x11docker WARNING: Sharing device file: /dev/vga_arbiter
DEBUGNOTE[14:01:30,023]: Docker command:
podman run --tty --detach
--name x11docker_X124_x11docker-xfce-glxgears_18088751606
--user 1000:100
--env USER=user
--userns=keep-id
--group-add 481
--group-add 483
--security-opt label=type:container_runtime_t
--volume '/usr/bin/catatonit':'/usr/local/bin/init':ro
--tmpfs /run --tmpfs /run/lock
--volume '/home/user/.cache/x11docker/x11docker-xfce-glxgears-18088751606/share':'/x11docker':rw
--device '/dev/dri':'/dev/dri':rw
--device '/dev/vga_arbiter':'/dev/vga_arbiter':rw
--volume '/tmp/.X11-unix/X124':'/X124':rw
--workdir '/tmp'
--entrypoint env
--env 'container=docker'
--env 'XAUTHORITY=/x11docker/Xauthority.client'
--env 'DISPLAY=:124'
--env 'HOME=/home/user'
--env 'XDG_RUNTIME_DIR=/tmp/XDG_RUNTIME_DIR'
-- x11docker/xfce /usr/local/bin/init -- /bin/sh - /x11docker/containerrc
DEBUGNOTE[14:01:30,301]: storepid(): Stored pid '24132' of 'containershell': 24132 pts/2 00:00:00 bash
DEBUGNOTE[14:01:30,312]: Running xtermrc: Ask for password if needed (no)
DEBUGNOTE[14:01:30,318]: waitforlogentry(): start_xserver(): Waiting for logentry "readyforX=ready" in store.info
DEBUGNOTE[14:01:30,336]: Running dockerrc: Setup as root or as user docker on host.
DEBUGNOTE[14:01:30,414]: dockerrc: Found default Runtime:
DEBUGNOTE[14:01:30,428]: dockerrc: All
DEBUGNOTE[14:01:30,444]: dockerrc: Container Runtime:
DEBUGNOTE[14:01:30,460]: storeinfo(): runtime=
DEBUGNOTE[14:01:30,598]: dockerrc: Image architecture: amd64
DEBUGNOTE[14:01:30,610]: dockerrc: Image USER:
DEBUGNOTE[14:01:30,624]: storeinfo(): containeruser=user
DEBUGNOTE[14:01:30,637]: dockerrc: Image ENTRYPOINT:
DEBUGNOTE[14:01:30,648]: dockerrc: Image WORKDIR:
DEBUGNOTE[14:01:30,663]: storeinfo(): readyforX=ready
DEBUGNOTE[14:01:30,675]: waitforlogentry(): dockerrc: Waiting for logentry "xinitrc is ready" in xinit.log
DEBUGNOTE[14:01:30,837]: waitforlogentry(): start_xserver(): Found log entry "readyforX=ready" in store.info.
DEBUGNOTE[14:01:30,852]: storeinfo(): compositorpid=24513
DEBUGNOTE[14:01:30,874]: waitforlogentry(): start_compositor(): Waiting for logentry "X-Server" in compositor.log
^CDEBUGNOTE[14:01:34,771]: Received SIGINT
DEBUGNOTE[14:01:34,777]: storeinfo(): error=130
DEBUGNOTE[14:01:34,785]: Terminating x11docker.
DEBUGNOTE[14:01:34,790]: time to say goodbye (finish)
DEBUGNOTE[14:01:34,809]: finish(): Checking pid 24132 (containershell): 24132 pts/2 00:00:00 bash
DEBUGNOTE[14:01:34,825]: termpid(): Terminating 24132 (containershell): 24132 pts/2 00:00:00 bash
DEBUGNOTE[14:01:34,952]: finish(): Checking pid 23352 (watchmessagefifo): 23352 pts/2 00:00:00 bash
DEBUGNOTE[14:01:34,970]: finish(): Checking pid 23331 (watchpidlist): 23331 pts/2 00:00:00 bash
DEBUGNOTE[14:01:34,983]: termpid(): Terminating 23331 (watchpidlist): 23331 pts/2 00:00:00 bash
DEBUGNOTE[14:01:35,100]: Removing container x11docker_X124_x11docker-xfce-glxgears_18088751606
Error: Failed to evict container: "": Failed to find container "x11docker_X124_x11docker-xfce-glxgears_18088751606" in state: no container with name or ID x11docker_X124_x11docker-xfce-glxgears_18088751606 found: no such container
x11docker note: Failed to remove container x11docker_X124_x11docker-xfce-glxgears_18088751606
DEBUGNOTE[14:01:35,171]: termpid(): Terminating 23352 (watchmessagefifo): 23352 pts/2 00:00:00 bash
DEBUGNOTE[14:01:35,293]: x11docker exit code: 130
DEBUGNOTE[14:01:35,781]: waitforlogentry(): tailstderr: Stopped waiting for x11docker=ready in store.info due to terminating signal.
DEBUGNOTE[14:01:35,781]: waitforlogentry(): tailstdout: Stopped waiting for x11docker=ready in store.info due to terminating signal.
UPDATE
Solution: add the --privileged flag:
x11docker --podman --cap-default --gpu -- --privileged -- x11docker/xfce glxgears -info
About this issue
- State: closed
- Created 4 years ago
- Comments: 19 (11 by maintainers)
Commits related to this issue
- --podman --gpu: failure note #293 — committed to mviereck/x11docker by mviereck 4 years ago
- --xopt: experimental option to add X server options --podman -gpu --alsa: share devices with --volume #293 #255 — committed to mviereck/x11docker by mviereck 4 years ago
The article mentions masked paths; a more recent release (2.1) masks /sys/dev as well, and from a few tests I’ve run I can tell it needs to be available inside the container. There’s discussion at https://github.com/containers/podman/issues/7801. To work around the issue, no flag other than --privileged is able to make it work. Masked paths are applied after mounts, and only when unprivileged. So I am running out of ideas here. Overall I would rather wait for podman to get some fixes in the future and leave the --podman option in undocumented experimental state. I’ll leave the ticket open. If you have new ideas or make new findings, I am happy to hear about it.
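The `--privileged` workaround in the UPDATE above and the maintainer's remark that masked paths such as /sys/dev only apply to unprivileged containers both come down to the same question: what isolation does the generated `podman run` line actually keep? The following is an added example, written for this page and not part of x11docker or the issue thread. It parses the command x11docker prints under `--debug` (the same shape as the commands quoted above) and reports the security-relevant settings, so the gap between a narrow `--device /dev/dri` share and `--privileged` is visible before the container is launched. Assumptions: `VALUE_OPTS` is the set of value-taking options that occur in the commands on this page (not a complete list of podman's options), and the sample command lines are transcribed from the issue with `--privileged` inserted for the workaround variant.

```python
"""Pre-flight audit of a `podman run` / `docker run` command line.

Added example for this page; not x11docker code. The parser understands the
option shapes used in the x11docker-generated commands quoted in the issue.
"""
import shlex

# Options that consume the following token as their value.
# Assumption: this covers the value-taking options seen on this page.
VALUE_OPTS = {
    "--name", "--user", "--env", "--userns", "--group-add", "--security-opt",
    "--volume", "--tmpfs", "--device", "--workdir", "--entrypoint",
    "--cap-add", "--cap-drop", "--mount", "--ipc", "--pid", "--network",
}

# Constructed from the commands quoted in the issue (reduced repro and the
# --privileged workaround); not captured output.
REDUCED_CMD = (
    "podman run --rm --device '/dev/dri':'/dev/dri':rw "
    "--device '/dev/vga_arbiter':'/dev/vga_arbiter':rw "
    "--volume /tmp/.X11-unix:/tmp/.X11-unix --volume /home/user/.Xauthority:/tmp/auth "
    "--tmpfs /run --tmpfs /run/lock --env DISPLAY --env XAUTHORITY=/tmp/auth "
    "-it --group-add 483 --group-add 481 x11docker/xfce glxgears"
)
PRIVILEGED_CMD = REDUCED_CMD.replace("podman run --rm", "podman run --rm --privileged")


def parse_run(cmdline):
    """Split a `podman run ...` line into flags, valued options, image and command."""
    argv = shlex.split(cmdline)
    if argv[:2] not in (["podman", "run"], ["docker", "run"]):
        raise ValueError("expected a 'podman run' or 'docker run' command")
    flags, values = set(), {}
    i = 2
    while i < len(argv):
        tok = argv[i]
        if tok == "--":                         # explicit end of options
            i += 1
            break
        if tok.startswith("--") and "=" in tok:  # --opt=value form
            key, val = tok.split("=", 1)
            values.setdefault(key, []).append(val)
            i += 1
        elif tok in VALUE_OPTS:                  # --opt value form
            values.setdefault(tok, []).append(argv[i + 1])
            i += 2
        elif tok.startswith("-"):                # boolean flag, e.g. --rm, -it
            flags.add(tok)
            i += 1
        else:                                    # first positional token is the image
            break
    if i >= len(argv):
        raise ValueError("no image given")
    return {"flags": flags, "values": values, "image": argv[i], "cmd": argv[i + 1:]}


def audit(parsed):
    """Summarise what the container keeps or loses in isolation terms."""
    flags, values = parsed["flags"], parsed["values"]
    secopts = values.get("--security-opt", [])
    devices = [d.split(":")[0] for d in values.get("--device", [])]
    report = {
        "privileged": "--privileged" in flags,
        "devices": devices,
        "no_new_privileges": "no-new-privileges" in secopts,
        "selinux_label": next((s[len("label="):] for s in secopts if s.startswith("label=")), None),
        "userns": values.get("--userns", [None])[0],
        "cap_add": values.get("--cap-add", []),
        "findings": [],
    }
    if report["privileged"]:
        # podman --privileged: every host device node, all capabilities, no seccomp
        # profile and no masked /proc or /sys paths; the explicit --device list is moot.
        report["findings"].append("--privileged: all devices, all capabilities, no seccomp, "
                                  "no masked /proc or /sys paths")
    for dev in devices:
        report["findings"].append(f"host device shared: {dev}")
    if not report["no_new_privileges"]:
        report["findings"].append("no-new-privileges not set: setuid binaries in the image "
                                  "can still elevate")
    if report["userns"] == "keep-id":
        report["findings"].append("--userns=keep-id: container user maps to the host uid")
    for cap in report["cap_add"]:
        report["findings"].append(f"capability added: {cap}")
    return report


if __name__ == "__main__":
    for label, cmd in (("reduced", REDUCED_CMD), ("privileged", PRIVILEGED_CMD)):
        print(f"== {label} ==")
        for line in audit(parse_run(cmd))["findings"]:
            print(" -", line)
```

Run it as is to compare the two variants; feed it the `podman run` block from an x11docker `--debug` log (joined onto one line) to audit a real invocation. The point of keeping `findings` as data rather than only printing it is that the same function can gate a launch wrapper: refuse `--privileged` unless the user explicitly opted in, as the x11docker warnings above already do for `--gpu` and `--cap-default`.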