Comments (9)
That looks harmless. If it does not cause obvious issues, you can ignore it.
from dockerfile-x11docker-deepin.
> That looks harmless. If it does not cause obvious issues, you can ignore it.
The login UI of wechat won't appear for ever. Furthermore, I also tried to add the --hostnet option as shown below and the problem is still the same:
$ x11docker --sudouser --hostnet --clipboard x11docker-deepin-wechat deepin-terminal
$ x11docker --hostnet x11docker-deepin-wechat deepin-terminal
Regards,
HY
from dockerfile-x11docker-deepin.
I can reproduce the issue.
I considered it might depend on systemd and ran directly with:
x11docker --init=systemd --cap-default -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- wechatimage /opt/deepinwine/apps/Deepin-WeChat/run.sh
But this fails, too.
Adding options --alsa --pulseaudio --gpu does not help either.
I have no idea how to fix this.
Did you try the bestwu/wechat image? Did it work with the setup described there?
from dockerfile-x11docker-deepin.
> I can reproduce the issue.
> I considered it might depend on systemd and ran directly with:
> x11docker --init=systemd --cap-default -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- wechatimage /opt/deepinwine/apps/Deepin-WeChat/run.sh
> But this fails, too.
> Adding options --alsa --pulseaudio --gpu does not help either.
Yep. But the error messages given by the above two starting methods are different:
werner@X10DAi:~/Public/repo/github.com/mviereck$ x11docker --init=systemd --cap-default -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- x11docker-deepin-wechat /opt/deepinwine/apps/Deepin-WeChat/run.sh
x11docker WARNING: User werner is member of group docker.
That allows unprivileged processes on host to gain root privileges.
x11docker note: Using X server option --xpra
x11docker WARNING: Option --cap-default disables security hardening
for containers done by x11docker. Default docker capabilities are allowed.
This is considered to be less secure.
x11docker note: Option --cap-default: Enabling option --newprivileges.
You can avoid this with --newprivileges=no
x11docker note: Option --xpra: If you encounter issues with xpra,
you can try --nxagent instead.
Rather use xpra from www.xpra.org than from distribution repositories.
x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
x11docker will add them to 'docker run' command without
a serious check for validity or security. Found options:
'--security-opt' 'seccomp=unconfined' '--cap-add' 'IPC_LOCK'
x11docker WARNING: Option --init=systemd slightly degrades container isolation.
It adds some user switching capabilities x11docker would drop otherwise.
However, they are still within default docker capabilities.
Not within default docker capabilities it adds capability SYS_BOOT.
It shares access to host cgroups in /sys/fs/cgroup.
Some processes in container will run as root.
x11docker WARNING: Option --newprivileges=yes: x11docker does not set
docker run option --security-opt=no-new-privileges.
That degrades container security.
However, this is still within a default docker setup.
Run Deepin-WeChat 2.6.8.65deepin0 c:/Program Files/Tencent/WeChat/WeChat.exe
run Deepin-WeChat progress pid
Activating service name='org.gtk.vfs.Daemon'
Successfully activated service 'org.gtk.vfs.Daemon'
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
total 0
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 c: -> ../drive_c
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com1 -> /dev/ttyS0
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com10 -> /dev/ttyS9
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com11 -> /dev/ttyS10
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com12 -> /dev/ttyS11
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com13 -> /dev/ttyS12
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com14 -> /dev/ttyS13
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com15 -> /dev/ttyS14
lrwxrwxrwx 1 werner werner 11 Nov 9 07:34 com16 -> /dev/ttyS15
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com2 -> /dev/ttyS1
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com3 -> /dev/ttyS2
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com4 -> /dev/ttyS3
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com5 -> /dev/ttyS4
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com6 -> /dev/ttyS5
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com7 -> /dev/ttyS6
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com8 -> /dev/ttyS7
lrwxrwxrwx 1 werner werner 10 Nov 9 07:34 com9 -> /dev/ttyS8
lrwxrwxrwx 1 werner werner 8 Nov 9 07:34 d:: -> /dev/sdb
lrwxrwxrwx 1 werner werner 17 Nov 9 07:34 e: -> /media/wayne/Ntfs
lrwxrwxrwx 1 werner werner 9 Nov 9 07:34 e:: -> /dev/sdb1
lrwxrwxrwx 1 werner werner 12 Nov 9 07:34 y: -> /home/werner
lrwxrwxrwx 1 werner werner 1 Nov 9 07:34 z: -> /
CallApp Deepin-WeChat c:/Program Files/Tencent/WeChat/WeChat.exe
Disable auto update
rm: cannot remove '/home/werner/.deepinwine/Deepin-WeChat/drive_c/users/werner/Application Data/Tencent/WeChat/All Users/config/configEx.ini': No such file or directory
Mon Nov 9 07:34:12 CST 2020:kill WeChat.exe block
Mon Nov 9 07:34:12 CST 2020:No wine process found
/home/werner/.deepinwine/Deepin-WeChat/drive_c/Program Files/Tencent/WeChat
Starting process c:/Program Files/Tencent/WeChat/WeChat.exe ...
X Error of failed request: BadWindow (invalid Window parameter)
Major opcode of failed request: 20 (X_GetProperty)
Resource id in failed request: 0x0
Serial number of failed request: 10
Current serial number in output stream: 10
werner@X10DAi:~/Public/repo/github.com/mviereck$ x11docker --init=systemd --cap-default --alsa --pulseaudio --gpu -- --security-opt seccomp=unconfined --cap-add IPC_LOCK -- x11docker-deepin-wechat /opt/deepinwine/apps/Deepin-WeChat/run.sh
x11docker WARNING: User werner is member of group docker.
That allows unprivileged processes on host to gain root privileges.
x11docker note: Your system uses closed source NVIDIA driver.
GPU support will work only with options --hostdisplay and --xorg.
Consider to use free open source nouveau driver instead.
x11docker note: Using X server option --hostdisplay
x11docker WARNING: Option --gpu degrades container isolation.
Container gains access to GPU hardware.
This allows reading host window content (palinopsia leak)
and GPU rootkits (compare proof of concept: jellyfish).
x11docker note: Option --gpu: To allow GPU acceleration with --hostdisplay,
x11docker will allow trusted cookies.
x11docker WARNING: Option --cap-default disables security hardening
for containers done by x11docker. Default docker capabilities are allowed.
This is considered to be less secure.
x11docker note: Option --cap-default: Enabling option --newprivileges.
You can avoid this with --newprivileges=no
x11docker note: Option --hostdisplay: To allow --hostdisplay with trusted cookies,
x11docker must share host IPC namespace with container (option --hostipc)
to allow shared memory for X extension MIT-SHM.
x11docker note: To allow protection against X security leaks
while using --gpu with NVIDIA, please use option --xorg.
x11docker WARNING: Option --hostdisplay with trusted cookies provides
QUITE BAD CONTAINER ISOLATION !
Keylogging and controlling host applications is possible!
Clipboard sharing is enabled (option --cliboard).
It is recommended to use another X server option like --xpra or --nxagent.
x11docker WARNING: Option --hostipc severely degrades
container isolation. IPC namespace remapping is disabled.
x11docker WARNING: Found custom DOCKER_RUN_OPTIONS.
x11docker will add them to 'docker run' command without
a serious check for validity or security. Found options:
'--security-opt' 'seccomp=unconfined' '--cap-add' 'IPC_LOCK'
x11docker note: Option --gpu: You are using the closed source NVIDIA driver.
GPU acceleration will only work if you have installed the very same driver
version in image. That makes images less portable.
It is recommended to use free open source nouveau driver on host instead.
Ask NVIDIA corporation to at least publish their closed source API,
or even better to actively support open source driver nouveau.
x11docker note: Option --gpu: x11docker can try to automatically install NVIDIA driver
version 440.64 in container on every container startup.
Drawbacks: Container startup is a bit slower and its security will be reduced.
You can look here for a driver installer:
https://www.nvidia.com/Download/index.aspx
https://http.download.nvidia.com/
A direct download URL is probably:
https://http.download.nvidia.com/XFree86/Linux-x86_64/440.64/NVIDIA-Linux-x86_64-440.64.run
If you got a driver, store it at one of the following locations:
/home/werner/.local/share/x11docker/
/usr/local/share/x11docker/
Be aware that the version number must match exactly the version on host.
The file name must begin with 'NVIDIA', contain the version number 440.64
and end with suffix '.run'.
x11docker WARNING: Option --pulseaudio allows container applications
to catch your audio output and microphone input.
x11docker WARNING: ALSA sound with option --alsa degrades container isolation.
Shares device files in /dev/snd, container gains access to sound hardware.
Container applications can catch audio output and microphone input.
x11docker note: It seems that pulseaudio is running on your host.
Pulseaudio can interfere with ALSA sound (option --alsa).
Host sound may not work while container is playing sound and vice versa.
Alternative: with pulseaudio on host and in image, use option --pulseaudio.
x11docker WARNING: Option --init=systemd slightly degrades container isolation.
It adds some user switching capabilities x11docker would drop otherwise.
However, they are still within default docker capabilities.
Not within default docker capabilities it adds capability SYS_BOOT.
It shares access to host cgroups in /sys/fs/cgroup.
Some processes in container will run as root.
x11docker WARNING: Option --newprivileges=yes: x11docker does not set
docker run option --security-opt=no-new-privileges.
That degrades container security.
However, this is still within a default docker setup.
x11docker WARNING: Sharing device file: /dev/dri
x11docker WARNING: Sharing device file: /dev/nvidia0
x11docker WARNING: Sharing device file: /dev/nvidiactl
x11docker WARNING: Sharing device file: /dev/nvidia-modeset
x11docker WARNING: Sharing device file: /dev/nvidia-uvm
x11docker WARNING: Sharing device file: /dev/nvidia-uvm-tools
x11docker WARNING: Sharing device file: /dev/vga_arbiter
x11docker WARNING: Sharing device file: /dev/snd
Run Deepin-WeChat 2.6.8.65deepin0 c:/Program Files/Tencent/WeChat/WeChat.exe
run Deepin-WeChat progress pid
** (zenity:2604): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-ZZm0m0LT9c: Connection refused
Activating service name='org.gtk.vfs.Daemon'
Successfully activated service 'org.gtk.vfs.Daemon'
Gtk-Message: Failed to load module "canberra-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
total 0
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 c: -> ../drive_c
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com1 -> /dev/ttyS0
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com10 -> /dev/ttyS9
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com11 -> /dev/ttyS10
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com12 -> /dev/ttyS11
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com13 -> /dev/ttyS12
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com14 -> /dev/ttyS13
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com15 -> /dev/ttyS14
lrwxrwxrwx 1 werner werner 11 Nov 9 07:35 com16 -> /dev/ttyS15
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com2 -> /dev/ttyS1
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com3 -> /dev/ttyS2
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com4 -> /dev/ttyS3
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com5 -> /dev/ttyS4
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com6 -> /dev/ttyS5
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com7 -> /dev/ttyS6
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com8 -> /dev/ttyS7
lrwxrwxrwx 1 werner werner 10 Nov 9 07:35 com9 -> /dev/ttyS8
lrwxrwxrwx 1 werner werner 8 Nov 9 07:35 d:: -> /dev/sdb
lrwxrwxrwx 1 werner werner 17 Nov 9 07:35 e: -> /media/wayne/Ntfs
lrwxrwxrwx 1 werner werner 9 Nov 9 07:35 e:: -> /dev/sdb1
lrwxrwxrwx 1 werner werner 12 Nov 9 07:35 y: -> /home/werner
lrwxrwxrwx 1 werner werner 1 Nov 9 07:35 z: -> /
CallApp Deepin-WeChat c:/Program Files/Tencent/WeChat/WeChat.exe
Disable auto update
rm: cannot remove '/home/werner/.deepinwine/Deepin-WeChat/drive_c/users/werner/Application Data/Tencent/WeChat/All Users/config/configEx.ini': No such file or directory
Mon Nov 9 07:35:40 CST 2020:kill WeChat.exe block
Mon Nov 9 07:35:40 CST 2020:tag bottle:
Traceback (most recent call last):
File "/opt/deepinwine/tools/get_tray_window", line 28, in <module>
get_tray_window()
File "/opt/deepinwine/tools/get_tray_window", line 18, in get_tray_window
traymanager = bus.get_object("com.deepin.dde.TrayManager", "/com/deepin/dde/TrayManager")
File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 241, in get_object
follow_name_owner_changes=follow_name_owner_changes)
File "/usr/lib/python2.7/dist-packages/dbus/proxies.py", line 248, in __init__
self._named_service = conn.activate_name_owner(bus_name)
File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 180, in activate_name_owner
self.start_service_by_name(bus_name)
File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 278, in start_service_by_name
'su', (bus_name, flags)))
File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 651, in call_blocking
message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name com.deepin.dde.TrayManager was not provided by any .service files
Mon Nov 9 07:35:40 CST 2020:active bottles:
/home/werner/.deepinwine/Deepin-WeChat/drive_c/Program Files/Tencent/WeChat
Starting process c:/Program Files/Tencent/WeChat/WeChat.exe ...
[1109/073541:INFO:exception_record.cc(518)] [QB]Process ID: 60 Type: 1
> I have no idea how to fix this.
> Did you try the bestwu/wechat image? Did it work with the setup described there?
Tried both docker-compose and docker run methods described there. For the case of docker-compose, the login UI won't appear for ever; for the case of docker run, the login UI appears quickly as a flash and then disappears.
from dockerfile-x11docker-deepin.
> Tried both docker-compose and docker run methods described there. For the case of docker-compose, the login UI won't appear for ever; for the case of docker run, the login UI appears quickly as a flash and then disappears.
Maybe you could open an issue there? bestwu might be more familiar with wechat and might find a fix that could be used with x11docker as well.
The new error messages indicate that wechat tries to connect to the deepin tray manager and crashes because there is no tray.
from dockerfile-x11docker-deepin.
> Maybe you could open an issue there? bestwu might be more familiar with wechat and might find a fix that could be used with x11docker as well.
Bestwu currently isn't very active in maintaining his project. I'm afraid that even if I open a question there, he may not have time to study it.
> The new error messages indicate that wechat tries to connect to the deepin tray manager and crashes because there is no tray.
Why does this happen, and how can it be fixed?
from dockerfile-x11docker-deepin.
> Why does this happen, and how can it be fixed?
I don't know. This should rather be asked at www.deepin.org.
from dockerfile-x11docker-deepin.
Surprisingly I got wechat running:
x11docker --hostdisplay --clipboard -- wechatimage sh -c '/opt/deepinwine/apps/Deepin-WeChat/run.sh ; sleep 5; while pgrep WeChat; do sleep 1; done'
It fails with other X servers, and it takes a very long time until the window with QR-code appears.
(The additional pgrep/sleep loop is needed because the WeChat process moves itself to run in background. A foreground process is needed to keep the container running.)
from dockerfile-x11docker-deepin.
Tricky and wonderful. I confirm that your conclusion is correct with the following command:
$ x11docker --hostdisplay --clipboard -- hongyi-zhao/deepin-wine sh -c '/opt/deepinwine/apps/Deepin-WeChat/run.sh ; sleep 5; while pgrep WeChat; do sleep 1; done'
Furthermore, I can also successfully run x11docker with the more complicated arguments shown below:
x11docker_share="$HOME/x11docker-share"
if [ ! -d "$x11docker_share" ]; then
    mkdir -p "$x11docker_share"
fi
x11docker --runasroot "cat <<-EOF > /etc/sudoers
#$ sudo grep -Ev '^[ ]*(#|$)' /etc/sudoers
Defaults env_reset
Defaults mail_badpass
Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin\"
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
$USER ALL=(ALL) NOPASSWD:ALL
EOF" --share=$x11docker_share --sudouser -c --hostdisplay --init=systemd -- --cap-add=ALL --security-opt seccomp=unconfined -- hongyi-zhao/deepin-wine sh -c '/opt/deepinwine/apps/Deepin-WeChat/run.sh ; sleep 5; while pgrep WeChat; do sleep 1; done'
All other tries with --xpra and --nxagent failed just as you have verified.
from dockerfile-x11docker-deepin.
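As an added example (not from the thread and not x11docker's own code), the POSIX shell function below scans an x11docker command line for the options that the warnings quoted above identify as weakening container isolation, plus the pass-through `docker run` options used in the thread. The function names, the output format and the rule for recognizing the `docker run` section are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not x11docker code): report options in an x11docker command
# line that x11docker's own warnings, quoted in this thread, flag as weakening
# container isolation. The reasons paraphrase those warnings.

report() { printf '%s\t%s\n' "$1" "$2"; }

# Usage: audit_x11docker [x11docker options] -- [docker run options --] image ...
# Assumption: the part after the first "--" is treated as docker run options
# only if it starts with "-"; otherwise it is already the image name.
audit_x11docker() (
    phase=x11docker pending=
    for arg in "$@"; do
        if [ "$phase" = sep ]; then
            case "$arg" in -*) phase=docker ;; *) break ;; esac
        fi
        if [ "$phase" = x11docker ]; then
            case "$arg" in
            --) phase=sep ;;
            --hostdisplay) report "$arg" "shares host X display; with trusted cookies, keylogging and control of host applications are possible" ;;
            --gpu) report "$arg" "container gains access to GPU hardware" ;;
            --hostipc) report "$arg" "IPC namespace remapping is disabled" ;;
            --cap-default) report "$arg" "x11docker capability hardening disabled; default docker capabilities allowed" ;;
            --init=systemd) report "$arg" "adds SYS_BOOT, shares host cgroups, some processes run as root" ;;
            --pulseaudio|--alsa) report "$arg" "container can catch audio output and microphone input" ;;
            --clipboard) report "$arg" "clipboard is shared between host and container" ;;
            esac
        else
            # docker run options: x11docker passes these through without a
            # serious validity or security check (see the warning in the log).
            case "$arg" in
            --) break ;;                                  # image name follows
            --cap-add|--security-opt) pending=$arg; continue ;;
            esac
            opt=${pending:+$pending=}$arg; pending=       # join "--opt value"
            case "$opt" in
            --cap-add=*) report "$opt" "adds a Linux capability to the container" ;;
            --security-opt=seccomp=unconfined) report "$opt" "disables docker's default seccomp syscall filter" ;;
            esac
        fi
    done
)

# Demo: options of the last command in the thread (sudoers heredoc omitted,
# container command shortened to a constructed placeholder).
audit_x11docker --sudouser --hostdisplay --init=systemd -- \
    --cap-add=ALL --security-opt seccomp=unconfined -- \
    hongyi-zhao/deepin-wine sh -c 'run.sh'
```

Each output line is `option<TAB>reason`; arguments after the image name belong to the container command and are not scanned.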