Running the self-build wechat docker image in x11docker's single application mode via deepin-terminal. (dockerfile-x11docker-deepin issue, closed)

mviereck commented on June 20, 2024
Running the self-build wechat docker image in x11docker's single application mode via deepin-terminal.

from dockerfile-x11docker-deepin.

Comments (9)

mviereck commented on June 20, 2024

That looks harmless. If it does not cause obvious issues, you can ignore it.

hongyi-zhao commented on June 20, 2024

That looks harmless. If it does not cause obvious issues, you can ignore it.

The login UI of wechat never appears. Furthermore, I also tried adding the --hostnet option as shown below, and the problem is still the same:

$ x11docker --sudouser --hostnet --clipboard x11docker-deepin-wechat deepin-terminal
$ x11docker --hostnet x11docker-deepin-wechat deepin-terminal

Regards,
HY

mviereck commented on June 20, 2024

I can reproduce the issue.
I considered it might depend on systemd and ran directly with:

x11docker --init=systemd --cap-default  -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- wechatimage /opt/deepinwine/apps/Deepin-WeChat/run.sh

But this fails, too.
Adding options --alsa --pulseaudio --gpu does not help either.

I have no idea how to fix this.
Did you try the bestwu/wechat image? Did it work with the setup described there?

hongyi-zhao commented on June 20, 2024

I can reproduce the issue.
I considered it might depend on systemd and ran directly with:

x11docker --init=systemd --cap-default  -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- wechatimage /opt/deepinwine/apps/Deepin-WeChat/run.sh

But this fails, too.
Adding options --alsa --pulseaudio --gpu does not help either.

Yep. But the error messages given by the above two starting methods are different:

werner@X10DAi:~/Public/repo/github.com/mviereck$ x11docker --init=systemd --cap-default  -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- x11docker-deepin-wechat /opt/deepinwine/apps/Deepin-WeChat/run.sh
x11docker WARNING: User werner is member of group docker.
  That allows unprivileged processes on host to gain root privileges.

x11docker note: Using X server option --xpra

x11docker WARNING: Option --cap-default disables security hardening
  for containers done by x11docker. Default docker capabilities are allowed.
  This is considered to be less secure.

x11docker note: Option --cap-default: Enabling option --newprivileges.
  You can avoid this with --newprivileges=no

x11docker note: Option --xpra: If you encounter issues with xpra, 
  you can try --nxagent instead.
  Rather use xpra from www.xpra.org than from distribution repositories.

x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
  x11docker will add them to 'docker run' command without
  a serious check for validity or security. Found options:
   '--security-opt' 'seccomp=unconfined' '--cap-add' 'IPC_LOCK'

x11docker WARNING: Option --init=systemd slightly degrades container isolation.
  It adds some user switching capabilities x11docker would drop otherwise.
  However, they are still within default docker capabilities.
  Not within default docker capabilities it adds capability SYS_BOOT.  
  It shares access to host cgroups in /sys/fs/cgroup.
  Some processes in container will run as root.

x11docker WARNING: Option --newprivileges=yes: x11docker does not set 
  docker run option --security-opt=no-new-privileges. 
  That degrades container security.
  However, this is still within a default docker setup.

Run Deepin-WeChat 2.6.8.65deepin0 c:/Program Files/Tencent/WeChat/WeChat.exe
run Deepin-WeChat progress pid 
Activating service name='org.gtk.vfs.Daemon'
Successfully activated service 'org.gtk.vfs.Daemon'
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
total 0
lrwxrwxrwx 1 werner werner 10 Nov  9 07:34 c: -> ../drive_c
lrwxrwxrwx 1 werner werner 10 Nov  9 07:34 com1 -> /dev/ttyS0
lrwxrwxrwx 1 werner werner 10 Nov  9 07:34 com10 -> /dev/ttyS9
lrwxrwxrwx 1 werner werner 11 Nov  9 07:34 com11 -> /dev/ttyS10
lrwxrwxrwx 1 werner werner 11 Nov  9 07:34 com12 -> /dev/ttyS11
lrwxrwxrwx 1 werner werner 11 Nov  9 07:34 com13 -> /dev/ttyS12
lrwxrwxrwx 1 werner werner 11 Nov  9 07:34 com14 -> /dev/ttyS13
lrwxrwxrwx 1 werner werner 11 Nov  9 07:34 com15 -> /dev/ttyS14
lrwxrwxrwx 1 werner werner 11 Nov  9 07:34 com16 -> /dev/ttyS15
lrwxrwxrwx 1 werner werner 10 Nov  9 07:34 com2 -> /dev/ttyS1
lrwxrwxrwx 1 werner werner 10 Nov  9 07:34 com3 -> /dev/ttyS2
lrwxrwxrwx 1 werner werner 10 Nov  9 07:34 com4 -> /dev/ttyS3
lrwxrwxrwx 1 werner werner 10 Nov  9 07:34 com5 -> /dev/ttyS4
lrwxrwxrwx 1 werner werner 10 Nov  9 07:34 com6 -> /dev/ttyS5
lrwxrwxrwx 1 werner werner 10 Nov  9 07:34 com7 -> /dev/ttyS6
lrwxrwxrwx 1 werner werner 10 Nov  9 07:34 com8 -> /dev/ttyS7
lrwxrwxrwx 1 werner werner 10 Nov  9 07:34 com9 -> /dev/ttyS8
lrwxrwxrwx 1 werner werner  8 Nov  9 07:34 d:: -> /dev/sdb
lrwxrwxrwx 1 werner werner 17 Nov  9 07:34 e: -> /media/wayne/Ntfs
lrwxrwxrwx 1 werner werner  9 Nov  9 07:34 e:: -> /dev/sdb1
lrwxrwxrwx 1 werner werner 12 Nov  9 07:34 y: -> /home/werner
lrwxrwxrwx 1 werner werner  1 Nov  9 07:34 z: -> /
CallApp Deepin-WeChat c:/Program Files/Tencent/WeChat/WeChat.exe
Disable auto update
rm: cannot remove '/home/werner/.deepinwine/Deepin-WeChat/drive_c/users/werner/Application Data/Tencent/WeChat/All Users/config/configEx.ini': No such file or directory
Mon Nov  9 07:34:12 CST 2020:kill WeChat.exe block
Mon Nov  9 07:34:12 CST 2020:No wine process found
/home/werner/.deepinwine/Deepin-WeChat/drive_c/Program Files/Tencent/WeChat
Starting process c:/Program Files/Tencent/WeChat/WeChat.exe ...
X Error of failed request:  BadWindow (invalid Window parameter)
  Major opcode of failed request:  20 (X_GetProperty)
  Resource id in failed request:  0x0
  Serial number of failed request:  10
  Current serial number in output stream:  10



werner@X10DAi:~/Public/repo/github.com/mviereck$ x11docker --init=systemd --cap-default --alsa --pulseaudio --gpu -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- x11docker-deepin-wechat /opt/deepinwine/apps/Deepin-WeChat/run.sh
x11docker WARNING: User werner is member of group docker.
  That allows unprivileged processes on host to gain root privileges.

x11docker note: Your system uses closed source NVIDIA driver.
  GPU support will work only with options --hostdisplay and --xorg.
  Consider to use free open source nouveau driver instead.

x11docker note: Using X server option --hostdisplay

x11docker WARNING: Option --gpu degrades container isolation.
  Container gains access to GPU hardware.
  This allows reading host window content (palinopsia leak)
  and GPU rootkits (compare proof of concept: jellyfish).

x11docker note: Option --gpu: To allow GPU acceleration with --hostdisplay,
  x11docker will allow trusted cookies.

x11docker WARNING: Option --cap-default disables security hardening
  for containers done by x11docker. Default docker capabilities are allowed.
  This is considered to be less secure.

x11docker note: Option --cap-default: Enabling option --newprivileges.
  You can avoid this with --newprivileges=no

x11docker note: Option --hostdisplay: To allow --hostdisplay with trusted cookies,
  x11docker must share host IPC namespace with container (option --hostipc)
  to allow shared memory for X extension MIT-SHM.

x11docker note: To allow protection against X security leaks 
  while using --gpu with NVIDIA, please use option --xorg.

x11docker WARNING: Option --hostdisplay with trusted cookies provides
      QUITE BAD CONTAINER ISOLATION !
  Keylogging and controlling host applications is possible! 
  Clipboard sharing is enabled (option --cliboard).
  It is recommended to use another X server option like --xpra or --nxagent.

x11docker WARNING: Option --hostipc severely degrades 
  container isolation. IPC namespace remapping is disabled.

x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
  x11docker will add them to 'docker run' command without
  a serious check for validity or security. Found options:
   '--security-opt' 'seccomp=unconfined' '--cap-add' 'IPC_LOCK'

x11docker note: Option --gpu: You are using the closed source NVIDIA driver.
  GPU acceleration will only work if you have installed the very same driver
  version in image. That makes images less portable.
  It is recommended to use free open source nouveau driver on host instead.
  Ask NVIDIA corporation to at least publish their closed source API,
  or even better to actively support open source driver nouveau.

x11docker note: Option --gpu: x11docker can try to automatically install NVIDIA driver
  version 440.64 in container on every container startup.
  Drawbacks: Container startup is a bit slower and its security will be reduced.

  You can look here for a driver installer:
    https://www.nvidia.com/Download/index.aspx
    https://http.download.nvidia.com/
  A direct download URL is probably:
    https://http.download.nvidia.com/XFree86/Linux-x86_64/440.64/NVIDIA-Linux-x86_64-440.64.run
  If you got a driver, store it at one of the following locations:
    /home/werner/.local/share/x11docker/
    /usr/local/share/x11docker/

  Be aware that the version number must match exactly the version on host.
  The file name must begin with 'NVIDIA', contain the version number 440.64
  and end with suffix '.run'.

x11docker WARNING: Option --pulseaudio allows container applications
  to catch your audio output and microphone input.

x11docker WARNING: ALSA sound with option --alsa degrades container isolation.
  Shares device files in /dev/snd, container gains access to sound hardware.
  Container applications can catch audio output and microphone input.

x11docker note: It seems that pulseaudio is running on your host.
  Pulseaudio can interfere with ALSA sound (option --alsa).
  Host sound may not work while container is playing sound and vice versa.
  Alternative: with pulseaudio on host and in image, use option --pulseaudio.

x11docker WARNING: Option --init=systemd slightly degrades container isolation.
  It adds some user switching capabilities x11docker would drop otherwise.
  However, they are still within default docker capabilities.
  Not within default docker capabilities it adds capability SYS_BOOT.  
  It shares access to host cgroups in /sys/fs/cgroup.
  Some processes in container will run as root.

x11docker WARNING: Option --newprivileges=yes: x11docker does not set 
  docker run option --security-opt=no-new-privileges. 
  That degrades container security.
  However, this is still within a default docker setup.

x11docker WARNING: Sharing device file: /dev/dri

x11docker WARNING: Sharing device file: /dev/nvidia0

x11docker WARNING: Sharing device file: /dev/nvidiactl

x11docker WARNING: Sharing device file: /dev/nvidia-modeset

x11docker WARNING: Sharing device file: /dev/nvidia-uvm

x11docker WARNING: Sharing device file: /dev/nvidia-uvm-tools

x11docker WARNING: Sharing device file: /dev/vga_arbiter

x11docker WARNING: Sharing device file: /dev/snd

Run Deepin-WeChat 2.6.8.65deepin0 c:/Program Files/Tencent/WeChat/WeChat.exe
run Deepin-WeChat progress pid 

** (zenity:2604): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-ZZm0m0LT9c: Connection refused
Activating service name='org.gtk.vfs.Daemon'
Successfully activated service 'org.gtk.vfs.Daemon'
Gtk-Message: Failed to load module "canberra-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
total 0
lrwxrwxrwx 1 werner werner 10 Nov  9 07:35 c: -> ../drive_c
lrwxrwxrwx 1 werner werner 10 Nov  9 07:35 com1 -> /dev/ttyS0
lrwxrwxrwx 1 werner werner 10 Nov  9 07:35 com10 -> /dev/ttyS9
lrwxrwxrwx 1 werner werner 11 Nov  9 07:35 com11 -> /dev/ttyS10
lrwxrwxrwx 1 werner werner 11 Nov  9 07:35 com12 -> /dev/ttyS11
lrwxrwxrwx 1 werner werner 11 Nov  9 07:35 com13 -> /dev/ttyS12
lrwxrwxrwx 1 werner werner 11 Nov  9 07:35 com14 -> /dev/ttyS13
lrwxrwxrwx 1 werner werner 11 Nov  9 07:35 com15 -> /dev/ttyS14
lrwxrwxrwx 1 werner werner 11 Nov  9 07:35 com16 -> /dev/ttyS15
lrwxrwxrwx 1 werner werner 10 Nov  9 07:35 com2 -> /dev/ttyS1
lrwxrwxrwx 1 werner werner 10 Nov  9 07:35 com3 -> /dev/ttyS2
lrwxrwxrwx 1 werner werner 10 Nov  9 07:35 com4 -> /dev/ttyS3
lrwxrwxrwx 1 werner werner 10 Nov  9 07:35 com5 -> /dev/ttyS4
lrwxrwxrwx 1 werner werner 10 Nov  9 07:35 com6 -> /dev/ttyS5
lrwxrwxrwx 1 werner werner 10 Nov  9 07:35 com7 -> /dev/ttyS6
lrwxrwxrwx 1 werner werner 10 Nov  9 07:35 com8 -> /dev/ttyS7
lrwxrwxrwx 1 werner werner 10 Nov  9 07:35 com9 -> /dev/ttyS8
lrwxrwxrwx 1 werner werner  8 Nov  9 07:35 d:: -> /dev/sdb
lrwxrwxrwx 1 werner werner 17 Nov  9 07:35 e: -> /media/wayne/Ntfs
lrwxrwxrwx 1 werner werner  9 Nov  9 07:35 e:: -> /dev/sdb1
lrwxrwxrwx 1 werner werner 12 Nov  9 07:35 y: -> /home/werner
lrwxrwxrwx 1 werner werner  1 Nov  9 07:35 z: -> /
CallApp Deepin-WeChat c:/Program Files/Tencent/WeChat/WeChat.exe
Disable auto update
rm: cannot remove '/home/werner/.deepinwine/Deepin-WeChat/drive_c/users/werner/Application Data/Tencent/WeChat/All Users/config/configEx.ini': No such file or directory
Mon Nov  9 07:35:40 CST 2020:kill WeChat.exe block
Mon Nov  9 07:35:40 CST 2020:tag bottle: 
Traceback (most recent call last):
  File "/opt/deepinwine/tools/get_tray_window", line 28, in <module>
    get_tray_window()
  File "/opt/deepinwine/tools/get_tray_window", line 18, in get_tray_window
    traymanager = bus.get_object("com.deepin.dde.TrayManager", "/com/deepin/dde/TrayManager")
  File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 241, in get_object
    follow_name_owner_changes=follow_name_owner_changes)
  File "/usr/lib/python2.7/dist-packages/dbus/proxies.py", line 248, in __init__
    self._named_service = conn.activate_name_owner(bus_name)
  File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 180, in activate_name_owner
    self.start_service_by_name(bus_name)
  File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 278, in start_service_by_name
    'su', (bus_name, flags)))
  File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name com.deepin.dde.TrayManager was not provided by any .service files
Mon Nov  9 07:35:40 CST 2020:active bottles: 
/home/werner/.deepinwine/Deepin-WeChat/drive_c/Program Files/Tencent/WeChat
Starting process c:/Program Files/Tencent/WeChat/WeChat.exe ...
[1109/073541:INFO:exception_record.cc(518)] [QB]Process ID: 60 Type: 1

I have no idea how to fix this.
Did you try the bestwu/wechat image? Did it work with the setup described there?

Tried both the docker-compose and docker run methods described there. For the case of docker-compose, the login UI never appears; for the case of docker run, the login UI appears quickly as a flash and then disappears.

mviereck commented on June 20, 2024

Tried both the docker-compose and docker run methods described there. For the case of docker-compose, the login UI never appears; for the case of docker run, the login UI appears quickly as a flash and then disappears.

Maybe you could open an issue there? bestwu might be more familiar with wechat and might find a fix that could be used with x11docker as well.

The new error messages indicate that wechat tries to connect to the deepin tray manager and crashes because there is no tray.

hongyi-zhao commented on June 20, 2024

Maybe you could open an issue there? bestwu might be more familiar with wechat and might find a fix that could be used with x11docker as well.

Bestwu currently isn't very active in maintaining his project. I'm afraid that even if I open a question there, he may not have time to study it.

The new error messages indicate that wechat tries to connect to the deepin tray manager and crashes because there is no tray.

Why does this happen, and how can it be fixed?

mviereck commented on June 20, 2024

Why does this happen, and how can it be fixed?

I don't know. This should rather be asked at www.deepin.org.

mviereck commented on June 20, 2024

Surprisingly I got wechat running:

x11docker  --hostdisplay --clipboard -- wechatimage sh -c '/opt/deepinwine/apps/Deepin-WeChat/run.sh ; sleep 5; while pgrep WeChat; do sleep 1; done'

It fails with other X servers, and it takes a very long time until the window with QR-code appears.

(The additional pgrep/sleep loop is needed because the WeChat process moves itself to run in background. A foreground process is needed to keep the container running.)

hongyi-zhao commented on June 20, 2024

Tricky and wonderful. I confirm that your conclusion is correct with the following command:

$ x11docker --hostdisplay --clipboard -- hongyi-zhao/deepin-wine sh -c '/opt/deepinwine/apps/Deepin-WeChat/run.sh ; sleep 5; while pgrep WeChat; do sleep 1; done'

Furthermore, I can also successfully run x11docker with the more complicated arguments shown below:

x11docker_share="$HOME/x11docker-share"
# Create the shared directory on first use
if [ ! -d "$x11docker_share" ]; then
  mkdir -p "$x11docker_share"
fi

x11docker --runasroot "cat <<-EOF > /etc/sudoers
#$ sudo grep -Ev '^[ ]*(#|$)' /etc/sudoers  
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin\"
root	ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo	ALL=(ALL:ALL) ALL

$USER ALL=(ALL) NOPASSWD:ALL
EOF" --share=$x11docker_share --sudouser -c --hostdisplay --init=systemd -- --cap-add=ALL --security-opt seccomp=unconfined -- hongyi-zhao/deepin-wine sh -c '/opt/deepinwine/apps/Deepin-WeChat/run.sh ; sleep 5; while pgrep WeChat; do sleep 1; done'

All other attempts with --xpra and --nxagent failed, just as you have verified.

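An added example, not part of the original thread and not x11docker's own code: a small Python audit that splits an x11docker command line into its x11docker options and the custom docker run options between the two `--` separators, then flags the options that the x11docker warnings quoted in this thread (plus docker's seccomp and capability switches) mark as weakening isolation. The function names, the option table and the separator rule are assumptions derived from the commands shown above.

```python
import shlex

# Added example. Reasons are condensed from the x11docker WARNING lines in this thread.
X11DOCKER_WARNINGS = {
    "--cap-default": "disables x11docker's hardening; default docker capabilities allowed",
    "--init=systemd": "adds SYS_BOOT, shares host cgroups, some processes run as root",
    "--gpu": "container gains access to GPU hardware",
    "--hostdisplay": "with trusted cookies, keylogging and controlling host apps is possible",
    "--hostipc": "IPC namespace remapping is disabled",
    "--pulseaudio": "container can catch audio output and microphone input",
    "--alsa": "shares /dev/snd; container can catch audio output and microphone input",
}

def split_command(cmdline):
    """Return (x11docker options, custom docker run options, image + command)."""
    tokens = shlex.split(cmdline)
    if tokens and tokens[0] == "x11docker":
        tokens = tokens[1:]
    if "--" not in tokens:
        # No separator: leading dash tokens are options, the rest is IMAGE [COMMAND].
        n = 0
        while n < len(tokens) and tokens[n].startswith("-"):
            n += 1
        return tokens[:n], [], tokens[n:]
    first = tokens.index("--")
    opts, rest = tokens[:first], tokens[first + 1:]
    # Assumption taken from the commands in the thread: a second "--" closes a
    # docker run section only if the text after the first "--" starts with an option.
    if rest and rest[0].startswith("-") and "--" in rest:
        second = rest.index("--")
        return opts, rest[:second], rest[second + 1:]
    return opts, [], rest

def docker_pairs(docker_opts):
    """Normalise '--key value' and '--key=value' into (key, value) pairs."""
    pairs, i = [], 0
    while i < len(docker_opts):
        key, _, value = docker_opts[i].partition("=")
        if not value and i + 1 < len(docker_opts) and not docker_opts[i + 1].startswith("-"):
            i += 1
            value = docker_opts[i]
        pairs.append((key, value))
        i += 1
    return pairs

def audit(cmdline):
    """List (option, reason) for every isolation-weakening option found."""
    opts, docker_opts, _image = split_command(cmdline)
    findings = [(o, X11DOCKER_WARNINGS[o]) for o in opts if o in X11DOCKER_WARNINGS]
    for key, value in docker_pairs(docker_opts):
        if key == "--security-opt" and value == "seccomp=unconfined":
            reason = "switches off docker's default seccomp syscall filter"
        elif key == "--cap-add":
            reason = "every capability granted" if value.upper() == "ALL" else "extra capability granted"
        else:
            reason = "custom docker run option, passed on without a serious check"
        findings.append((f"{key} {value}".strip(), reason))
    return findings

# The last command in the thread, with --runasroot and --share left out for brevity.
FINAL_COMMAND = (
    "x11docker --sudouser -c --hostdisplay --init=systemd -- --cap-add=ALL "
    "--security-opt seccomp=unconfined -- hongyi-zhao/deepin-wine sh -c "
    "'/opt/deepinwine/apps/Deepin-WeChat/run.sh ; sleep 5; while pgrep WeChat; do sleep 1; done'"
)
```

Calling `audit(FINAL_COMMAND)` returns four findings; options that have no warning in the thread's logs, such as `--sudouser`, are not in the table and are therefore not reported.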