unofficial mirror of help-guix@gnu.org 
From: Christopher Lemmer Webber <cwebber@dustycloud.org>
To: Leo Famulari <leo@famulari.name>
Cc: help-guix@gnu.org
Subject: Re: Run graphical application in container
Date: Wed, 01 Jul 2020 16:42:20 -0400
Message-ID: <87v9j7ynkj.fsf@dustycloud.org>
In-Reply-To: <20181016161056.GA25057@jasmine.lan>

Leo Famulari writes:

> On Tue, Oct 16, 2018 at 04:22:43PM +0200, Pierre Neidhardt wrote:
>> I think this was mentioned before on the mailing list but I cannot find
>> it back.
>
> I think the first discussion was here, regarding IceCat:
>
> https://lists.gnu.org/archive/html/guix-devel/2016-07/msg00120.html
>
> And a more recent discussion is here:
>
> https://lists.gnu.org/archive/html/help-guix/2018-01/msg00056.html
>
>> The following won't work:
>> 
>> --8<---------------cut here---------------start------------->8---
>> $ guix environment -C -N --ad-hoc epiphany -- epiphany
>> Unable to init server: Could not connect: Connection refused
>> Failed to parse arguments: Cannot open display: 
>> --8<---------------cut here---------------end--------------->8---
>>
>> Is it possible to start a graphical application in a container?
>
> I think you'll need to share the host system's X socket, like
> '--share=/tmp/.X11-unix' or '--share=/tmp/serverauth.$RANDOM' and then
> `export DISPLAY=":0.0"` in the container. $RANDOM is a random string to
> make the filename unpredictable.
>
> So, it's definitely possible. In my experience, the hard part is finding
> the myriad directories used by the software and sharing or exposing them
> to the container. This is shown in the second discussion I linked above.

Yikes.  I gave this a try today.  I was trying to do the eolie container
example from the manual.  I couldn't figure it out.

  guix environment \
    --verbosity=2 --preserve='^DISPLAY$' --container --network \
    --expose=/etc/machine-id \
    --expose=/etc/ssl/certs/ \
    --share=$HOME/.local/share/eolie/=$HOME/.local/share/eolie/ \
    --share=/tmp/.X11-unix/=/tmp/.X11-unix/ \
    --share=$HOME/.Xauthority=$HOME/.Xauthority \
    --ad-hoc eolie nss-certs dbus -- eolie

Do we generally lack a reproducible way to be able to link in whatever
xauthority foo?

Docker and Flatpak etc. must have already figured this out, right?
(Or maybe things are easier in Wayland?  I'm skeptical though...)

(Of course, this does mean that any application that can run X can
escape the container, but I guess that was already the case.  Really
looking forward to a day when we have sane, ocap security as our
security foundation instead of this nonsense...)
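
Added example, not part of the original message or of Guix: a Python sketch of the approach commonly used with Docker, which builds a reduced Xauthority file holding only the cookie for one display and rewrites its family to the wildcard value so the entry no longer depends on the host name. The function names are hypothetical and the sample bytes are constructed; that this applies to `guix environment --container` is an assumption.

```python
import struct

FAMILY_LOCAL = 256      # entry is keyed by the host name in its address field
FAMILY_WILD = 0xFFFF    # entry matches any host (the "ffff" rewrite used with Docker)

def parse_xauthority(blob):
    """Return [(family, address, display_number, auth_name, auth_data), ...]."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):          # four length-prefixed byte strings per entry
            (length,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + length > len(blob):
                raise ValueError("truncated Xauthority entry")
            fields.append(blob[pos:pos + length])
            pos += length
        entries.append((family, *fields))
    return entries

def serialize(entries):
    out = bytearray()
    for family, *fields in entries:
        out += struct.pack(">H", family)
        for field in fields:
            out += struct.pack(">H", len(field)) + field
    return bytes(out)

def container_xauthority(blob, display):
    """Keep only the cookies for `display`, rewritten to match any host name."""
    number = display.rsplit(":", 1)[1].split(".")[0].encode()
    kept = [(FAMILY_WILD, addr, num, name, data)
            for _family, addr, num, name, data in parse_xauthority(blob)
            if num == number]
    return serialize(kept)

# Constructed sample: two cookies for a host named "hostbox" (not real secrets).
COOKIE_0, COOKIE_1 = bytes(range(16)), bytes(range(16, 32))
SAMPLE = serialize([
    (FAMILY_LOCAL, b"hostbox", b"0", b"MIT-MAGIC-COOKIE-1", COOKIE_0),
    (FAMILY_LOCAL, b"hostbox", b"1", b"MIT-MAGIC-COOKIE-1", COOKIE_1),
])

if __name__ == "__main__":
    for entry in parse_xauthority(container_xauthority(SAMPLE, ":0.0")):
        print(entry)
```

The reduced file still carries a valid cookie for the chosen display, so it narrows what is shared to that one display rather than changing what an X client holding the cookie can do.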

