diff --git a/CHANGELOG.md b/CHANGELOG.md index e42e0a36..46101d3a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. Project website: https://github.com/mviereck/x11docker -## [Unreleased] +## [4.3.2](https://github.com/mviereck/x11docker/releases/tag/v4.3.2) - 2018-06-03 ### Changed - `x11docker-gui` is interactive now. Live preview of generated command. Starting multiple x11docker instances possible. Copy-to-clipboard button. diff --git a/README.md b/README.md index 409946c6..52147797 100644 --- a/README.md +++ b/README.md @@ -450,7 +450,7 @@ docker run --rm -e DISPLAY=:1 \ This solution is more secure than the above one as it does not give access to display :0 with host applications and does not need `--ipc=host`. To use this with single applications you can run a host window manager on Xephyr display, too, for example with `env DISPLAY=:1 x-window-manager`. # Examples -Some example images can be found on docker hub: https://hub.docker.com/u/x11docker/ +Some image examples can be found on docker hub: https://hub.docker.com/u/x11docker/ - Single GUI application in container: - Terminal: `x11docker x11docker/xfce xfce4-terminal` diff --git a/x11docker b/x11docker index fde5756a..06b1aa26 100755 --- a/x11docker +++ b/x11docker 
@@ -10,26 +10,12 @@ # Type 'x11docker --help' or scroll down to read usage information. # More documentation at: https://github.com/mviereck/x11docker -Version="4.3.2-beta" +Version="4.3.2" usage() { # --help: show usage information echo " x11docker: Run GUI applications and desktop environments in docker. - Optional features: - * Hardware acceleration for OpenGL - * Pulseaudio and ALSA sound - * Clipboard sharing - * Persistent home folders - * Wayland support - * Language locale creation - * Init system support (systemd, SysVinit, OpenRC, runit, tini) - * DBus in container - Focus on security: - * Avoids X security leaks using additional X servers. - * Container user is same as host user to avoid root in container. - * Restricts container capabilities to bare minimum. - Usage: To run a docker image with new X server (auto-choosing X server): x11docker [OPTIONS] IMAGE [COMMAND] @@ -40,6 +26,20 @@ To run a host application on a new X server: To run only a new empty X server: x11docker [OPTIONS] +Optional features: + * Hardware acceleration for OpenGL + * Pulseaudio and ALSA sound + * Clipboard sharing + * Persistent home folders + * Wayland support + * Language locale creation + * Init system support (systemd, SysVinit, OpenRC, runit, tini) + * DBus in container +Focus on security: + * Avoids X security leaks using additional X servers. + * Container user is same as host user to avoid root in container. + * Restricts container capabilities to bare minimum. + Dependencies on host: Depending on chosen options, x11docker needs some packages to be installed. It will check for them on startup and show messages if some are missing. 
@@ -57,8 +57,12 @@ Dependencies on host: xserver-xorg-legacy xserver-xorg-video-dummy Dependencies in image: - Doesn't have dependencies inside of docker images, except for - options --gpu, --lang and --pulseaudio, see below at option descriptions. + Doesn't have dependencies inside of docker images, except for options: + --gpu: OpenGL packages, mostly already installed as package dependencies. + --lang: localedef to create missing language locales. + --pulseaudio: sound with pulseaudio needs pulseaudio on host and in image. + --dbus, --dbus-system: needs obviously dbus in image. + --systemd, --runit,--openrc, --sysvinit: init systems need to be installed. Options: --help display this message and exit. @@ -270,7 +274,7 @@ Installation options (need root permissions): --remove Remove x11docker from your system. x11docker version: $Version -Please report issues at https://github.com/mviereck/x11docker +Please report issues and get help at: https://github.com/mviereck/x11docker " } license() { # --license: show license (MIT) @@ -376,7 +380,7 @@ echo -e " [ -n "$Hostxenv" ] && export $Hostxenv [ -n "$Newxenv" ] && { [ "$Tty" = "yes" ] && export $Newxenv - [ "$Xserver" = "--xorg" ] && export $Newxenv + [ "$Xserver" = "--xorg" ] && [ -e "$Newxsocket" ] && export $Newxenv } [ "$Silent" = "no" ] && alertbox "x11docker ERROR" "$Message" @@ -3399,6 +3403,7 @@ done Imagecommand="" Hostexebasename="xonly" X11dockermode="exe" + Showdisplayenvironment="yes" ;; esac ;; 
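Review bot: `[ -e "$Newxsocket" ]` in the `@@ -376,7 +380,7 @@` hunk only proves that a path exists, so a stale entry left behind by an X server that has gone away would still lead to `$Newxenv` being exported before the alert box is shown. Assuming `Newxsocket` holds the new X server's unix socket path, `[ -S "$Newxsocket" ]` states the intent more precisely, although it still cannot tell whether a server is listening. The enclosing block starts and ends outside the hunk.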
@@ -3990,8 +3995,7 @@ DefaultEnvironment=DISPLAY=$Newdisplay XAUTHORITY=$Cshare/Xclientcookie $(IFS=$' echo "# refresh list of available images for x11docker-gui" echo "mkfile $Cachebasefolder/x11docker-gui/images.list" echo "while read -r Line ; do" - echo ' Line="${Line%:}"' - echo ' [ "$Line" = "" ] || echo $Line >> '$Cachebasefolder/x11docker-gui/images.list + echo ' grep -q "" <<<$Line || echo $Line >> '$Cachebasefolder/x11docker-gui/images.list echo 'done < <(docker images --format "{{.Repository}}:{{.Tag}}" 2>/dev/null | sort)' echo "" diff --git a/x11docker-gui b/x11docker-gui index ed393813..9d747e0c 100755 --- a/x11docker-gui +++ b/x11docker-gui @@ -20,8 +20,11 @@ error() { exit 1 } warning() { - echo "x11docker-gui WARNING: $*" >&2 - echo "">&2 + echo "x11docker-gui WARNING: $* +" >&2 +} +verbose() { + [ "$Verbose" = "yes" ] && echo "$(tput setaf 4)x11docker-gui:$(tput sgr0) $*" >&2 } finish() { # clean up and say goodbye @@ -39,14 +42,32 @@ mkfile() { # create file $1 owned by $Hostuser } trap finish EXIT - export PATH="$PATH:/usr/local/bin" # can miss if executed as root +# check options +Verboseoption="--silent" +case "${1:-}" in + --icon) + echo "x11docker-gui does not create an icon on demand anymore." >&2 + exit 1 + ;; + -v|--verbose) + Verbose="yes" + Verboseoption="--verbose" + ;; + "") ;; + *) echo "Options: + -v --verbose Be verbose" + exit 1 + ;; +esac + # Try to find x11docker X11docker_exe="${0%-gui}" # look at path of current x11docker-gui command -v x11docker >/dev/null && X11docker_exe=x11docker # look whether x11docker is in $PATH [ ! -x "$X11docker_exe" ] && ! command -v x11docker >/dev/null && error "No executeable x11docker found" Version="$($X11docker_exe --version)" +verbose "Found x11docker: $X11docker_exe $Version" # check logged-in user Lognameuser="$(logname 2>/dev/null)" 
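Review bot: As shown, the generated loop line `grep -q "" <<<$Line || echo $Line >> …/images.list` can never append an image, because an empty pattern matches every input line and `grep -q` therefore returns 0 each time. If the intent is to skip entries that docker prints as `<none>`, the pattern seems to be missing here (it may have been lost when the page was rendered). It should be an explicit fixed string with the expansions quoted, along the lines of `grep -qF -- "PATTERN" <<<"$Line" || echo "$Line" >> "…/images.list"`, where PATTERN is a placeholder. The removed `Line="${Line%:}"` trim has no replacement on the new side. The same line is added to x11docker-gui in the `@@ -130,19 +151,20 @@` hunk.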
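Review bot: In the `@@ -39,14 +42,32 @@` hunk the option check now runs directly after `trap finish EXIT`, so the `exit 1` paths for `--icon` and for unknown options reach `finish` before `Cachefolder` and `Kaptain_grammar_file` are assigned; the removed version of this `case` ran after the grammar file had been written. The body of `finish` is outside the hunk, so please confirm it tolerates empty variables. If it removes cache files, a guard such as `[ -n "$Kaptain_grammar_file" ] && rm -f -- "$Kaptain_grammar_file"` would make that explicit. The usage text for unknown options should also go to stderr like the `--icon` message, i.e. end the `echo "Options: …"` with `>&2`.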
@@ -59,8 +80,6 @@ Lognameuser="$(logname 2>/dev/null)" Lognameusergid="$(getent passwd $Lognameuser | cut -d: -f4)" Lognameuserhome="$(getent passwd $Lognameuser | cut -d: -f6)" -CONTAINERUSER="$Lognameuser" -CONTAINERUSERHOME="$Lognameuserhome" Cachefolder=$Lognameuserhome/.cache/x11docker/x11docker-gui mkdir -p $Lognameuserhome/.cache/x11docker chown $Lognameuser $Lognameuserhome/.cache/x11docker @@ -71,9 +90,15 @@ Mycookie=$(mcookie | cut -c1-6) Kaptain_grammar_file=$Cachefolder/x11docker.kaptn.$Mycookie mkfile $Kaptain_grammar_file + +CONTAINERUSER="$Lognameuser" +CONTAINERUSERHOME="$Lognameuserhome" +## needed for github screenshots only +#CONTAINERUSER="\\\$USER" +#CONTAINERUSERHOME="/home/\\\$USER" + ##################### # Preset some options you may want to be set as default -# IMAGELIST='"", "x11docker/xfce ", @@ -91,8 +116,8 @@ IMAGELIST='"", "x11docker/cde \ \ # (needs --hostnet)", "x11docker/deepin \ \ # (needs --systemd)", "x11docker/cinnamon \ \ # (needs --dbus-system or --systemd)", -"x11docker/xwayland \ \ # (needs --wayland and --gpu)" -' +"x11docker/xwayland \ \ # (needs --wayland and --gpu)", +""' MYWM="auto" # preferred host window manager DOCKEROPTIONS="" # additional docker options @@ -104,10 +129,6 @@ GPU="!" DESKTOP="!" ##################### -## needed for github screenshots only -#CONTAINERUSER="\\\$USER" -#CONTAINERUSERHOME="/home/\\\$USER" - # check list of available window managers mkfile $Cachefolder/windowmanager.list Wm_all="$($X11docker_exe --wmlist)" 
@@ -130,19 +151,20 @@ while read Line; do done < <(cat /proc/asound/cards | grep ':' | cut -d[ -f2 | cut -d] -f1) ALSALIST="$ALSALIST\"\"" -# if docker can run without password prompt, create list of available named images +# check available images, update list if possible sudo -n echo 2>/dev/null && Sudo="sudo -n" || Sudo="" $Sudo docker info>/dev/null 2>&1 && { mkfile "$Cachefolder/images.list" while read -r Line ; do - Line="${Line%:}" - [ "$Line" = "" ] || echo $Line >> "$Cachefolder/images.list" + grep -q "" <<<$Line || echo $Line >> "$Cachefolder/images.list" done < <($Sudo docker images --format "{{.Repository}}:{{.Tag}}" 2>/dev/null | sort) } while read -r Line ; do + Line="${Line%:latest}" IMAGELIST="$IMAGELIST,\"$Line \"" done < "$Cachefolder/images.list" +# create combo of language locales Hostlangland=$(echo $LANG | cut -d. -f1) Langcombo="\"$Hostlangland\"" for Line in $(echo "aa_DJ aa_ER aa_ET af_ZA ak_GH am_ET an_ES anp_IN @@ -162,13 +184,13 @@ ta_IN ta_LK tcy_IN te_IN tg_TJ the_NP th_TH ti_ER ti_ET tig_ER tk_TM tl_PH tn_ZA ug_CN uk_UA unm_US ur_IN ur_PK uz_UZ ve_ZA vi_VN wa_BE wae_CH wal_ET wo_SN xh_ZA yi_US yo_NG yue_HK zh_CN zh_HK zh_SG zh_TW zu_ZA") do Langcombo="$Langcombo,\"$Line\""; done +# create combo of keymaps Keymaps="$(sed '/^! layout$/,/^ *$/!d ; //d' /usr/share/X11/xkb/rules/base.lst | awk '{print $1}' | sort)" Hostkeymap="$(setxkbmap -query | grep layout | rev | cut -d' ' -f1 | rev)" Keymapscombo=\"$Hostkeymap\" Keymapscombo=${Keymapscombo:-\"\"} for Line in $Keymaps; do Keymapscombo="$Keymapscombo,\"$Line\"" ; done - # Look for icon [ -e /usr/share/icons/hicolor/64x64/apps/x11docker.png ] && X11docker_icon=/usr/share/icons/hicolor/64x64/apps/x11docker.png [ -e /usr/local/share/icons/hicolor/64x64/apps/x11docker.png ] && X11docker_icon=/usr/local/share/icons/hicolor/64x64/apps/x11docker.png 
@@ -185,9 +207,9 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt choose_image "Choose docker image" -> logo_imageorexe dockerimage; logo_imageorexe:beside -> @icon("'$X11docker_icon'") imageorexe ; imageorexe -> image | exe | xonly; - image:beside "Run docker image" -> "-- " ; - exe "--exe: Run host application instead of docker image" -> "--exe -- "; - xonly "--xonly: Only create new empty X server" -> "--xonly -- "; + image:beside "Run docker image." -> "-- " ; + exe "--exe: Run host application instead of docker image." -> "--exe -- "; + xonly "--xonly: Only create new empty X server." -> "--xonly -- "; dockerimage "Docker image [and command] to run:" -> "--IMG=" @combow('$IMAGELIST'); xserver_tabbed:tabbed -> xserver_choose xserver_appearance; 
@@ -211,25 +233,25 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt "--hostwayland: Share host Wayland display without X", "--nothing: No X and no Wayland" ); - gpu "--gpu: Hardware acceleration for OpenGL" -> "--gpu " | '$GPU' ""; - wm :beside "--wm: Host window manager to use" -> "--wm=\"" @combow('$HOSTWM')="'$MYWM'" "\" " | ! "" ; - desktop "--desktop: Image contains a desktop environment" -> "--desktop " | '$DESKTOP' "" ; - wayland "--wayland: Create Wayland environment" -> "--wayland " | ! "" ; + gpu "--gpu: Hardware acceleration for OpenGL graphics." -> "--gpu " | '$GPU' ""; + wm :beside "--wm: Host window manager to use:" -> "--wm=\"" @combow('$HOSTWM')="'$MYWM'" "\" " | ! "" ; + desktop "--desktop: Image contains a desktop environment." -> "--desktop " | '$DESKTOP' "" ; + wayland "--wayland: Create Wayland environment." -> "--wayland " | ! "" ; xserver_appearance " Appearance of new X server" -> sizefullscreenline scale rotate dpi outputcount xfishtank; sizefullscreenline:beside -> size fullscreen; - size:beside "--size: Virtual screen size" -> "--size \"" @combow("320x240","640x480","800x600","1024x768","1280x800","1280x1024","1400x1050","1680x1200","1920x1080")="800x600" "\" "| !"" ; + size:beside "--size: Virtual screen size:" -> "--size \"" @combow("320x240","640x480","800x600","1024x768","1280x800","1280x1024","1400x1050","1680x1200","1920x1080")="800x600" "\" "| !"" ; fullscreen "--fullscreen" -> "--fullscreen " | ! "" ; - xfishtank "--xfishtank: Show a fish tank" -> "--xfishtank " | ! "" ; - scale:beside "--scale: Zoom factor" -> "--scale=\"" @combow("0.25","0.5","0.75","0.9","1","1.25","1.5","2","2.5","3")="1.5" "\" " | ! "" ; - rotate:beside "--rotate: Rotation and mirroring" -> "--rotate=\"" @combo("0","90","180","270","flipped","flipped-90","flipped-180","flipped-270")="180" "\" " | ! 
"" ; - dpi:beside "--dpi: Dots per inch (influences font size)" -> "--dpi=\"" @combow("36","48","60","72","84","96","120","150","256","300")="96" "\" " | ! "" ; - outputcount:beside "--output-count: Multiple displays" -> "--output-count=\"" @combow("1","2","3","4")="2" "\" " | ! "" ; + xfishtank "--xfishtank: Show a fish tank." -> "--xfishtank " | ! "" ; + scale:beside "--scale: Zoom factor:" -> "--scale=\"" @combow("0.25","0.5","0.75","0.9","1","1.25","1.5","2","2.5","3")="1.5" "\" " | ! "" ; + rotate:beside "--rotate: Rotation and mirroring:" -> "--rotate=\"" @combo("0","90","180","270","flipped","flipped-90","flipped-180","flipped-270")="180" "\" " | ! "" ; + dpi:beside "--dpi: Dots per inch (influences font size):" -> "--dpi=\"" @combow("36","48","60","72","84","96","120","150","256","300")="96" "\" " | ! "" ; + outputcount:beside "--output-count: Multiple displays:" -> "--output-count=\"" @combow("1","2","3","4")="2" "\" " | ! "" ; options_tabbed:tabbed -> tab_regular tab_advanced tab_output; tab_regular:framed "Regular Options" -> options_normal options_hostfolders; - tab_advanced "Advanced Options" -> options_advanced_framed options_init_framed develdialogline; + tab_advanced "Advanced Options" -> options_advanced_framed options_init_framed develdialog; options_advanced_framed:framed -> options_advanced; options_init_framed:framed -> options_init; tab_output:framed "Terminal output" -> options_verbosity options_stdstream options_show ; 
@@ -254,27 +276,27 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt options_advanced "Advanced options"-> sudouser nointernet noentrypoint workdir pw setenvdialog; sudouser "--sudouser: Allow su and sudo in container. Password: x11docker\n Severe reduction of container security!" -> "--sudouser " | ! "" ; - noentrypoint "--no-entrypoint: Disable ENTRYPOINT in image" -> "--no-entrypoint " | ! "" ; - nointernet "--no-internet: Disable internet access for container" -> "--no-internet " | ! "" ; - pw:beside "--pw: password prompt frontend" -> "--pw=\"" @combo("su","sudo","gksu","gksudo","lxsu","lxsudo","kdesu","kdesudo","beesu","pkexec","none")="sudo" "\" " | ! "" ; + noentrypoint "--no-entrypoint: Disable ENTRYPOINT in image." -> "--no-entrypoint " | ! "" ; + nointernet "--no-internet: Disable internet access for container." -> "--no-internet " | ! "" ; + pw:beside "--pw: Password prompt frontend:" -> "--pw=\"" @combo("su","sudo","gksu","gksudo","lxsu","lxsudo","kdesu","kdesudo","beesu","pkexec","none")="sudo" "\" " | ! "" ; workdir:beside "--workdir: Working directory: " -> "--workdir=\"" @string="" "\" " | ! ""; options_init "Init system and dbus in container" -> dbus dbusdaemon initsystem sharecgroup; - initsystem:beside " Run init system in container (default: --tini)" -> @combo( "--tini","--systemd ","--sysvinit ","--runit ","--openrc ","--no-init")="--systemd " | ! "" ; - dbusdaemon "--dbus-system: Run dbus system daemon in container" -> "--dbus-system " | ! "" ; - dbus "--dbus: Run dbus user session in container" -> "--dbus " | ! "" ; + initsystem:beside " Run init system in container (default: --tini)." -> @combo( "--tini","--systemd ","--sysvinit ","--runit ","--openrc ","--no-init")="--systemd " | ! "" ; + dbusdaemon "--dbus-system: Run dbus system daemon in container." -> "--dbus-system " | ! "" ; + dbus "--dbus: Run dbus user session in container." -> "--dbus " | ! "" ; sharecgroup "--sharecgroup: Share /sys/fs/cgroup. 
(Default for --systemd.) \n - Enable for elogind support in container." -> "--sharecgroup " | ! "" ; + (Enable for elogind support in container.)" -> "--sharecgroup " | ! "" ; options_verbosity "Verbosity" -> verbose silent debug; - verbose "--verbose: Be verbose" -> "--verbose " | ! "" ; - silent "--silent: Be silent" -> "--silent " | ! "" ; - debug "--debug: Debugging mode" -> "--debug " | ! "" ; + verbose "--verbose: Be verbose." -> "--verbose " | ! "" ; + silent "--silent: Be silent." -> "--silent " | ! "" ; + debug "--debug: Debugging mode." -> "--debug " | ! "" ; options_stdstream "Standard streams" -> stdout stderr stdin; - stdout "--stdout: Show stdout of container on stdout" -> "--stdout " | ! "" ; - stderr "--stderr: Show stderr of container on stderr" -> "--stderr " | ! "" ; - stdin "--stdin: Forward stdin to container stdin" -> "--stdin " | ! "" ; + stdout "--stdout: Show stdout of container on stdout." -> "--stdout " | ! "" ; + stderr "--stderr: Show stderr of container on stderr." -> "--stderr " | ! "" ; + stdin "--stdin: Forward stdin to container stdin." -> "--stdin " | ! "" ; options_show "Show internals on stdout" -> show_explanation showenv showid showpid1; show_explanation -> @text="Catch output of following options with \"read var < <(x11docker ...)\"" ; @@ -283,7 +305,7 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt showpid1 "--showpid1: Output of host PID of container PID 1." -> "--showpid1" | ! "" ; develdialogline:beside -> @fill develdialog @fill; - develdialog:dialog "Developer options" -> developeroptions @execclose("echo develclose")=" close"; + develdialog:dialog "Additional special options" -> developeroptions @execclose("echo develclose")=" close"; developeroptions:beside -> develleft develright; develleft:framed -> devauth devxconfig devaddcommands ; develright:framed -> devuser devcaps devrun devmisc ; 
@@ -303,12 +325,12 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt runfromhost "--runfromhost: Run host command on new X server. Use sh syntax:" -> "--runfromhost=\"" @string="/usr/bin/launchy &" "\" " | ! "" ; runasroot "--runasroot: Run command as root in container. Use sh syntax:" -> "--runasroot=\"" @string="" "\" " | ! "" ; devauth "X authentication" -> untrusted trusted xhost noauth noxhost; - untrusted "--untrusted: Create untrusted cookies restricting X access. \n - Default for --hostdisplay." -> "--untrusted " | ! "" ; - trusted "--trusted: Trusted cookies for --hostdisplay. Default for --gpu." -> "--trusted " | ! "" ; - xhost:beside "--xhost: see \"man xhost\". Use with care" -> "--xhost=\"" @string="+SI:localuser:'$CONTAINERUSER'" "\" " | ! "" ; + untrusted "--untrusted: Create untrusted cookies restricting X access. \n + Default for --hostdisplay. (Some systems like fedora do not support that.)" -> "--untrusted " | ! "" ; + trusted "--trusted: Trusted cookies for --hostdisplay. Default for --gpu and --clipboard." -> "--trusted " | ! "" ; + xhost:beside "--xhost: see \"man xhost\". Use with care:" -> "--xhost=\"" @string="+SI:localuser:'$CONTAINERUSER'" "\" " | ! "" ; noauth "--no-auth: Disable cookie authentication on new X server." -> "--no-auth " | ! "" ; - noxhost "--no-xhost: Disable any \"xhost +...\" access to host X server" -> "--no-xhost " | ! "" ; + noxhost "--no-xhost: Disable any \"xhost +...\" access to host X server." -> "--no-xhost " | ! "" ; devenvironment "Environment" -> sharewayland waylandenv; sharewayland "--sharewayland: Share wayland socket and \$WAYLAND_DISPLAY.\n Default for --wayland, --weston, --kwin and --hostwayland." -> "--sharewayland " | ! "" ; 
@@ -324,9 +346,9 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt westonini "--westonini: Custom weston.ini (see man weston.ini)" -> "--westonini=\"" @infile="/usr/share/doc/weston/examples/weston.ini" "\" " | ! ""; devrun -> setcapsdialog dockeroptions ; dockeroptions "Custom options for \"docker run\" " -> "--OPT=\"" @string="'$DOCKEROPTIONS'" "\"" ; - devcaps "Container capabilities and namespaces" -> capdefault sysadmin ipc net; + devcaps "Container capabilities and namespaces" -> @text("These options severely degrade container isolation!") capdefault sysadmin ipc net; capdefault "--cap-default: Allow default container capabilities." -> "--cap-default " | ! "" ; - sysadmin "--sys-admin: Add capability SYS_ADMIN." -> "--sys-admin " | ! "" ; + sysadmin "--sys-admin: Add capability SYS_ADMIN. (Please do not)." -> "--sys-admin " | ! "" ; ipc "--hostipc: Disable IPC namespacing. Allows MIT-SHM extension. \n Shares host interprocess communication and shared memory. " -> "--hostipc " | ! "" ; net "--hostnet: Disable network namespacing. Shares host network stack." -> "--hostnet " | ! "" ; @@ -426,7 +448,7 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt xinfo_option_kwinxwayland xinfo_option_kwin xinfo_option_weston xinfo_option_wayland; xinfo_option_title -> @text(" X server"); - xinfo_option_auto -> @text(" --auto\n\n"); + xinfo_option_auto -> @text(" --auto \ (default)\n\n"); xinfo_option_nxagent -> @text(" --nxagent\n"); xinfo_option_xephyr -> @text(" --xephyr"); xinfo_option_xpra -> @text(" --xpra\n\n\n"); 
@@ -451,19 +473,19 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt xinfo_weston xinfo_wayland; xinfo_title -> @text(" "); xinfo_auto -> @text(" Chooses an X server depending on installed dependencies and on given or missing options --desktop, --gpu and --wayland.\n - --desktop indicates a desktop environment in image (instead of a single application)."); + Option --desktop indicates a desktop environment in image (instead of a single application)."); xinfo_nxagent -> @text(" Supports seamless mode for single applications and --desktop mode. Toggle fullscreen in desktop mode with [SHIFT][F11]."); - xinfo_xephyr -> @text(" Recommended alternative to nxagent to run desktop environments. Desktop appears in a window on host display."); + xinfo_xephyr -> @text(" Alternative to nxagent to run desktop environments. Desktop appears in a window on host display."); xinfo_xpra -> @text(" Seamless mode to run single applications. Application windows appear on host display. \n Best --clipboard support, picture clips are possible. Seamless scaling (0,5x, 1.5x, 3x ...) with option --scale is possible\n - Along with option --desktop usefull for desktop environments, too (similar to --xephyr)."); + (Supports option --desktop, too, but --nxagent and --xephyr are more performant in desktop mode.)"); xinfo_xorg -> @text(" Core X server. Switch between displays with keys [CTRL][ALT][F1]...[F12]. Runs ootb from console."); xinfo_hostdisplay -> @text(" Share host display :0 instead of running second X server. Attention: Low security, quite bad container isolation!\n - Please look at button [Security info]. Use with trusted images only. To reduce risks and to avoid bad RAM access, \n - untrusted cookies restricting X access are used. (Some applications will not work in untrusted mode). Least overhead.\n"); + To reduce risks and to avoid bad RAM access, untrusted cookies restricting X access are used. \n + Some applications will fail in untrusted mode. 
Options --clipboard or --gpu disable untrusted mode. \n"); xinfo_xpraxwayland -> @text(" Like --xpra, uses Xwayland in background. Additional to --xpra, GPU acceleration with option --gpu is possible.\n - Along with option --desktop usefull for desktop environments, too (similar to --xephyr)."); - xinfo_westonxwayland -> @text(" Like --xephyr, Weston with Xwayland. Can run on X or Wayland in a window or on its own from console. \n + (Supports option --desktop, too, but --weston-xwayland is more performant in desktop mode.)"); + xinfo_westonxwayland -> @text(" Can run on X or Wayland in a window or on its own from console. \n GPU acceleration, scaling (2x, 3x, 4x ...) and display rotation (0°, 90°, 180°, 270°, flipped, flipped-90°, ...) are possible."); xinfo_xwayland -> @text(" Core Xwayland needs a Wayland environment to run in. Fullscreen display can be moved around with [META][LMB].\n"); xinfo_xdummy:beside -> @text(" Invisible X server for custom access. Output of environment variables on stdout. \n @@ -546,7 +568,7 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt http://xpra.org/trac/wiki/Encryption/SSL ") @close=" Close"; - xdependenciesbutton:dialog "Dependencies" -> xdependencies @text(" Other dependencies, some in image, too") xdependencies2 @close=" close"; + xdependenciesbutton:dialog "Dependencies" -> xdependencies @text(" Other dependencies, some in image, too:") xdependencies2 @close=" close"; xdependencies:beside -> xdep_option xdep_host xdep_xrunning ; xdep_option -> xdep_option_title xdep_option_nxagent 
@@ -618,20 +640,18 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt xdep_options -> xdep_gpu xdep_xclip xdep_pulseaudio xdep_dbus; xdep_text -> xdep_gpu_text xdep_xclip_text xdep_pulseaudio_text xdep_dbus_text; xdep_xclip -> @text("--clipboard") ; - xdep_xclip_text -> @text("Needs package xclip on host (except for options --nxagent, --xpra, --xpra-xwayland and --hostdisplay).") ; + xdep_xclip_text -> @text("Needs xclip or xsel on host (except for options --nxagent, --xpra, --xpra-xwayland and --hostdisplay).") ; xdep_pulseaudio -> @text("--pulseaudio") ; - xdep_pulseaudio_text -> @text("Needs package pulseaudio on host AND in image.") ; + xdep_pulseaudio_text -> @text("Needs pulseaudio installed on host AND in image.") ; xdep_dbus -> @text("--dbus, --dbus-system") ; - xdep_dbus_text -> @text("Needs package dbus in image.") ; - xdep_systemd -> @text("--systemd") ; - xdep_systemd_text -> @text("Needs systemd in image") ; + xdep_dbus_text -> @text("Needs dbus installed in image.") ; xdep_gpu -> @text("--gpu\n\n") ; - xdep_gpu_text -> @text("Needs OpenGL dependencies (MESA) to be installed in image. \n - Works best with open source drivers on host. For closed source driver setups look at terminal messages."); - xdep_xorg_setupdialog:dialog "Setup" -> @text(" Option --xorg can be used out of the box on console tty1...tty6. \n + xdep_gpu_text -> @text("Needs OpenGL dependencies (MESA) installed in image. \n + Works best with open source drivers on host. For closed source driver setups read terminal messages."); + xdep_xorg_setupdialog:dialog "Setup" -> @text(" Option --xorg runs out of the box on console tty1...tty6. \n \n To run a second Xorg server from within an already running X session, \n - you have to edit file /etc/X11/Xwrapper.conf and replace line:\n + edit file /etc/X11/Xwrapper.config and replace line:\n \n \ \ allowed_users=console \n \n 
@@ -691,6 +711,7 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt X security: \n To avoid common X security leaks like keylogging and remote control of host applications, \n x11docker runs segregated additional X servers. Only option --hostdisplay is insecure here.\n + Please install at least one of: \ nxagent, \ Xephyr, \ Xnest, \ xpra \ or \ weston+Xwayland \n \n Container security:\n - Default user in container is same as host user to avoid root in container.\n 
@@ -707,10 +728,10 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt sec_deg_opt -> sec_hostdisplay_opt sec_gpu_opt sec_pulseaudio_opt sec_sudouser_opt sec_capdefault_opt ; sec_deg_text -> sec_hostdisplay_text sec_gpu_text sec_pulseaudio_text sec_sudouser_text sec_capdefault_text ; sec_gpu_opt -> @text(" --gpu \n\n\n\n"); - sec_gpu_text -> @text(" Option --gpu enables hardware acceleration for dockered OpenGL applications. Access to GPU hardware can allow rootkits. \n - Example rootkit: https://github.com/x0r1/jellyfish\n - Although there is little known of real attacks, you should be aware of this. This affects X servers and Wayland compositors as well. \n - Furthermore, container applications can grab video RAM content formerly drawn by host applications (palinopsia leak)."); + sec_gpu_text -> @text(" Option --gpu enables hardware acceleration for OpenGL applications. \n + Access to GPU hardware can allow rootkits. Example rootkit: https://github.com/x0r1/jellyfish\n + Furthermore, container applications can grab video RAM content formerly drawn by host applications (palinopsia leak). \n + Both issues affect X servers and Wayland compositors as well. "); sec_hostdisplay_opt -> @text(" --hostdisplay \n\n\n"); sec_hostdisplay_text -> @text(" Quite bad container isolation, but least overhead of all X server options. Use with trusted images only.\n Instead of creating a new segregated X server to avoid X security leaks, your host X server is shared with container. \n 
@@ -719,7 +740,7 @@ start "Run GUI applications in docker containers - x11docker '$Version'" -> opt sec_pulseaudio_text -> @text(" With sound enabled, container applications can catch your audio output and also can hear everything you say \n if your computer has microphones. With option --alsa, container applications have immediate access to sound hardware."); sec_capdefault_opt -> @text(" --cap-default "); - sec_capdefault_text -> @text(" Allows default container capabilities; disables container security hardening by x11docker."); + sec_capdefault_text -> @text(" Allows default container capabilities. Disables container security hardening of x11docker."); sec_sudouser_opt -> @text(" --sudouser "); sec_sudouser_text -> @text(" Allows su and sudo with password \"x11docker\" in container. Allows many capabilities. Outbreaking applications have no limits. "); @@ -763,32 +784,16 @@ buttons:horizontal -> run runxterm starter cleanupxterm quit; Kaptain_grammar="$(sed -e 's/ */ /g' <<< "$Kaptain_grammar")" echo "$Kaptain_grammar" >> $Kaptain_grammar_file -# check options -Verboseoption="--silent" -case "${1:-}" in - --icon) - echo "x11docker-gui does not create an icon on demand anymore." >&2 - exit 1 - ;; - -v|--verbose) - kaptain --version - Verbose="yes" - Verboseoption="--verbose" - echo "x11docker-gui: created kaptain grammar:" - printf "%s" "$Kaptain_grammar" | nl - echo "" - ;; - "") ;; - *) echo "Options: - -v --verbose Be verbose" - exit 1 - ;; -esac +# output of kaptain grammar script +verbose "created kaptain grammar: +$(printf "%s" "$Kaptain_grammar" | nl) +" # check if kaptain is available on host command -v kaptain >/dev/null && Hostkaptain="yes" || Hostkaptain="no" # check kaptain version +verbose "$(kaptain --version 2>/dev/null)" [ "$Hostkaptain" = "yes" ] && kaptain --version 2>&1 | grep -q 'kaptain 0.72' && { # regard kde3-kaptain from openSUSE KDE:KDE3 repository # up to date from decades ago is 0.73 
@@ -815,7 +820,7 @@ case $Hostkaptain in esac ;; - *) + no) warning "Did not find executeable 'kaptain'. If your distribution does not provide package kaptain (>=0.73), look at kaptain repository: https://github.com/mviereck/kaptain @@ -841,12 +846,12 @@ esac send() { # send messages to kaptain over its stdin echo "$1" >&6 - [ "$Verbose" = "yes" ] && echo "sent: $1" + verbose "sent: $1" } # watch kaptain messages while read Line; do - [ "$Verbose" = "yes" ] && echo "received: $Line" + verbose "received: $Line" # Option output starts with -- # --CAPitalized options are internal x11docker-gui signals @@ -869,18 +874,25 @@ while read Line; do # execute x1docker if "Run" button was pressed before [ "$Runit" ] && { + verbose "Running: $Previewline" case $Runit in run) - eval $Previewline & disown + bash -c "$Previewline" & Pid=$! ;; runxterm) - xterm -hold -e "$Previewline" & disown + xterm -hold -e "$Previewline" & Pid=$! ;; runstarter) - xterm -e "$X11docker_exe --starter $(echo "$Previewline" | cut -d' ' -f2-)" & disown + xterm -e "$X11docker_exe --starter $(echo "$Previewline" | cut -d' ' -f2-)" & Pid=$! ;; esac - Previewline="$X11docker_exe" + disown $Pid + { # show pstree of x11docker + sleep 5 + verbose "pstree of: $Previewline +$(pstree -p $Pid)" + } & + Previewline="$X11docker_exe" # workaround for double-receiving options that happens for unknown reason if editing image+command line and pressing "Run" Runit="" } ;; @@ -942,6 +954,7 @@ while read Line; do # on all action messages (without --) refresh preview line. Ask for all set options to be written on stdout. [ "$Line" ] && { + verbose "Refreshing preview" Previewline="$X11docker_exe" for Line in xserver_choose xserver_appearance \ options_normal options_hostfolders \
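Review bot: In the `@@ -869,18 +874,25 @@` hunk the background block `{ sleep 5 … pstree -p $Pid … } &` is started on every run, because only the inner `verbose` call checks `$Verbose`; without `-v` each launch still forks a subshell, sleeps five seconds and runs `pstree`. Guarding the whole block, `[ "$Verbose" = "yes" ] && { sleep 5; verbose "pstree of: …"; } &`, avoids that, and `disown "$Pid"` should be quoted. Replacing `eval $Previewline` with `bash -c "$Previewline"` still hands a string assembled from free-text GUI fields to a shell, so metacharacters typed into those fields are interpreted on the host; a comment such as `# Previewline is re-parsed by a shell on purpose: it is the command line shown in the preview` would record that this is intended. The same eager evaluation applies to `verbose "$(printf "%s" "$Kaptain_grammar" | nl)"` and `verbose "$(kaptain --version 2>/dev/null)"` in the `@@ -763,32 +784,16 @@` hunk, which run their command substitutions even when nothing is printed. The surrounding `while read Line` loop extends beyond the hunk.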