From: Christopher Lemmer Webber
To: Leo Famulari
Cc: help-guix@gnu.org
Subject: Re: Run graphical application in container
Date: Wed, 01 Jul 2020 16:42:20 -0400
Message-ID: <87v9j7ynkj.fsf@dustycloud.org>
In-reply-to: <20181016161056.GA25057@jasmine.lan>

Leo Famulari writes:

> On Tue, Oct 16, 2018 at 04:22:43PM +0200, Pierre Neidhardt wrote:
>> I think this was mentioned before on the mailing list but I cannot find
>> it back.
>
> I think the first discussion was here, regarding IceCat:
>
> https://lists.gnu.org/archive/html/guix-devel/2016-07/msg00120.html
>
> And a more recent discussion is here:
>
> https://lists.gnu.org/archive/html/help-guix/2018-01/msg00056.html
>
>> The following won't work:
>>
>> --8<---------------cut here---------------start------------->8---
>> $ guix environment -C -N --ad-hoc epiphany -- epiphany
>> Unable to init server: Could not connect: Connection refused
>> Failed to parse arguments: Cannot open display:
>> --8<---------------cut here---------------end--------------->8---
>>
>> Is it possible to start a graphical application in a container?
>
> I think you'll need to share the host system's X socket, like
> '--share=/tmp/.X11-unix' or '--share=/tmp/serverauth.$RANDOM' and then
> `export DISPLAY=":0.0"` in the container. $RANDOM is a random string to
> make the filename unpredictable.
>
> So, it's definitely possible. In my experience, the hard part is finding
> the myriad directories used by the software and sharing or exposing them
> to the container. This is shown in the second discussion I linked above.

Yikes.  I gave this a try today.  I was trying to do the eolie container
example from the manual.  I couldn't figure it out.

  guix environment \
       --verbosity=2 --preserve='^DISPLAY$' --container --network \
       --expose=/etc/machine-id \
       --expose=/etc/ssl/certs/ \
       --share=$HOME/.local/share/eolie/=$HOME/.local/share/eolie/ \
       --share=/tmp/.X11-unix/=/tmp/.X11-unix/ \
       --share=$HOME/.Xauthority=$HOME/.Xauthority \
       --ad-hoc eolie nss-certs dbus -- eolie

Do we generally lack a reproducible way to be able to link in whatever
xauthority foo?  Docker and Flatpak and etc must have already figured
this out, right?

(Or maybe things are easier in Wayland?  I'm skeptical though...)

(Of course, this does mean that any application that can run X can
escape the container, but I guess that was already the case.  Really
looking forward to a day when we have sane, ocap security as our
security foundation instead of this nonsense...)
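
The closing remark of the message, that a container handed the X socket is not isolated from the host display, can be checked before a command is run. The script below is an added example, not part of the thread or of Guix: it lists the options on a `guix environment` command line that connect the container to the host X server. The function names and finding labels are hypothetical, and matching the `--preserve` regexp with `grep -E` is an approximation of how guix evaluates it.

```shell
# Added example: flag `guix environment` options that expose the host X server.
classify_host_path() {   # host path -> X11 resource it carries, if any
    case "${1%/}" in
        /tmp/.X11-unix|/tmp/.X11-unix/*) echo x11-socket ;;
        */.Xauthority|/tmp/serverauth.*) echo x11-cookie ;;
    esac
}

# Print one finding per line as "KIND OPTION VALUE"; stop at the "--" separator.
audit_guix_container_args() (
    for arg in "$@"; do
        case "$arg" in
            --) break ;;
            --share=*|--expose=*)
                opt=${arg%%=*}     # --share or --expose
                spec=${arg#*=}     # SOURCE[=TARGET]
                src=${spec%%=*}    # host side of the mapping
                kind=$(classify_host_path "$src")
                if [ -n "$kind" ]; then echo "$kind $opt $src"; fi ;;
            --preserve=*)
                # The value is a regexp over variable names; grep -E only
                # approximates guix's own matching (assumption).
                if echo DISPLAY | grep -Eq -- "${arg#*=}"; then
                    echo "display-var --preserve ${arg#*=}"
                fi ;;
            --network|-N)
                # A shared network namespace also exposes abstract Unix
                # sockets, which an X server on Linux may listen on.
                echo "host-netns $arg -" ;;
        esac
    done
)

# Constructed sample: the command line from the message, with a placeholder
# home directory so the output is reproducible.
sample_findings() {
    h=/home/user
    audit_guix_container_args \
        --verbosity=2 --preserve='^DISPLAY$' --container --network \
        --expose=/etc/machine-id --expose=/etc/ssl/certs/ \
        --share="$h/.local/share/eolie/=$h/.local/share/eolie/" \
        --share=/tmp/.X11-unix/=/tmp/.X11-unix/ \
        --share="$h/.Xauthority=$h/.Xauthority" \
        --ad-hoc eolie nss-certs dbus -- eolie
}

sample_findings
```

Any `x11-socket` finding together with an `x11-cookie` or `display-var` finding means the containerized program is an ordinary client of the host X server.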