2020-07-10T16:25:05+12:00 http://bluishcoder.co.nz/ Bluishcoder admin@bluishcoder.co.nz 2017-01-18T12:00:00+13:00 http://bluishcoder.co.nz/2017/01/18/running-x11-apps-in-an-rkt-container <p><a href="https://coreos.com/rkt/">rkt</a> is a container runtime I've been using on a few projects recently. I was creating a container for <a href="https://mozart.github.io/">Mozart</a> which uses emacs as an IDE. This requires running an X11 application within the container and have it displayed on the host display.</p> <p>To get this working I needed to mount my hosts X11 unix domain socket inside the container and provide an <code>Xauthority</code> file that gave the container the rights to connect to the host X server.</p> <p>The following shell commands use <a href="https://github.com/containers/build/">acbuild</a> to create a container that runs <code>xclock</code> as an example of the process:</p> <pre><code>acbuild begin docker://ubuntu:16.04 acbuild set-name bluishcoder.co.nz/xclock acbuild run -- apt install --no-install-recommends --yes x11-apps acbuild run -- rm -rf /var/lib/apt/lists/* acbuild environment add DISPLAY unix$DISPLAY acbuild environment add XAUTHORITY /root/.Xauthority acbuild mount add x11socket /tmp/.X11-unix acbuild mount add x11auth /root/.Xauthority acbuild set-exec xclock acbuild write --overwrite xclock.aci acbuild end </code></pre> <p>It uses an Ubuntu Linux image from the Docker hub as a base and installs <code>x11-apps</code>. To reduce disk space it removes cached package files afterwards. A <code>DISPLAY</code> environment variable is set to point to use the same <code>DISPLAY</code> as the host. The <code>XAUTHORITY</code> enviroment variable is set to point to a file in the home directory of the <code>root</code> user in the container.</p> <p>The <code>mount</code> subcommands expose the <code>x11socket</code> and <code>x11auth</code> endpoints to point to where the X11 unix domain socket and the <code>Xauthority</code> file are expected to be. These will be provided by the <code>rkt</code> invocation to mount host resources in those locations.</p> <p>The final part of the script sets the executable to be <code>xclock</code> and writes the <code>aci</code> file.</p> <p>On the host side we need to create an <code>Xauthority</code> file that provides the container access to our X11 server. This file needs to be set so that any hostname can connect to the X11 server as the hostname for the container can change between invocations. To do this the authentication family in the file needs to be set to <code>FamilyWild</code>. I got the steps to do this from <a href="https://stackoverflow.com/questions/16296753/can-you-run-gui-apps-in-a-docker-container">this stack overflow post</a>:</p> <pre><code>xauth nlist :0 | sed -e 's/^..../ffff/' | xauth -f myauthority nmerge - </code></pre> <p>This will retrieve the <code>Xauthority</code> information for display <code>:0</code> and modify the first four bytes to be <code>ffff</code>. This sets the authority family to <code>FamilyWild</code>. A new file called <code>myauthority</code> is created with this data. This file will be mapped to the <code>x11auth</code> mount point in the container.</p> <p>The container can be executed with <code>rkt</code>:</p> <pre><code>rkt run --insecure-options=image xclock.aci \ --volume x11socket,kind=host,source=/tmp/.X11-unix \ --volume x11auth,kind=host,source=./myauthority </code></pre> <p>The <code>--volume</code> command line arguments map the mount points we defined in the <code>acbuild</code> commands to locations on the host. The running <code>xclock</code> application should now appear on the host X11 display.</p>