KDE Plasma Desktop container designed for Kubernetes supporting OpenGL GLX and Vulkan for NVIDIA GPUs with WebRTC and HTML5, providing an open-source remote cloud graphics or game streaming platform. Spawns its own fully isolated X Server instead of using the host X server, not requiring /tmp/.X11-unix host sockets or host configuration.
Use docker-nvidia-egl-desktop for a KDE Plasma Desktop container which directly accesses NVIDIA (and unofficially Intel and AMD) GPUs without using an X11 Server, supports sharing a GPU with many containers, and automatically falling back to software acceleration in the absence of GPUs (but with limited graphics performance).
Read the Troubleshooting section first before raising an issue. Support is also available with the Selkies Discord. Please redirect issues or discussions regarding the selkies-gstreamer WebRTC HTML5 interface to the project.
Container startup could take some time at first launch as it automatically installs NVIDIA drivers compatible with the host.
Wine, Winetricks, Lutris, and PlayOnLinux are bundled by default. Comment out the section where it is installed within Dockerfile if the user wants to remove them from the container.
There are two web interfaces that can be chosen in this container, the first being the default selkies-gstreamer WebRTC HTML5 interface (requires a TURN server or host networking), and the second being the fallback noVNC WebSocket HTML5 interface. While the noVNC interface does not support audio forwarding and remote cursors for gaming, it can be useful for troubleshooting the selkies-gstreamer WebRTC interface or using this container with low bandwidth environments.
The noVNC interface can be enabled by setting NOVNC_ENABLE to true. When using the noVNC interface, all environment variables related to the selkies-gstreamer WebRTC interface are ignored, with the exception of BASIC_AUTH_PASSWORD. As with the selkies-gstreamer WebRTC interface, the noVNC interface password will be set to BASIC_AUTH_PASSWORD, and uses PASSWD by default if not set. The noVNC interface also additionally accepts the NOVNC_VIEWPASS environment variable, where a view only password with only the ability to observe the desktop without controlling can also be set.
The container requires host NVIDIA GPU driver versions of at least 450.80.02 and preferably 470.42.01, with the NVIDIA Container Toolkit to be also configured on the host for allocating GPUs. All Maxwell or later generation GPUs in the consumer, professional, or datacenter lineups will not have significant issues running this container, although the selkies-gstreamer high-performance NVENC backend may not be available (see the next paragraph). Kepler GPUs are untested and likely does not support the NVENC backend, but can be mostly functional using fallback software acceleration.
The high-performance NVENC backend for the selkies-gstreamer WebRTC interface is only supported in GPUs listed as supporting H.264 (AVCHD) under the NVENC - Encoding section of NVIDIA's Video Encode and Decode GPU Support Matrix. If your GPU is not listed as supporting H.264 (AVCHD), add the environment variable WEBRTC_ENCODER with the value x264enc, vp8enc, or vp9enc in your container configuration for falling back to software acceleration, which also has a very good performance depending on your CPU.
The username is user in both the container user account and the web authentication prompt. The environment variable PASSWD is the password of the container user account, and BASIC_AUTH_PASSWORD is the password for the HTML5 interface authentication prompt. If ENABLE_BASIC_AUTH is set to true for selkies-gstreamer (not required for noVNC) but BASIC_AUTH_PASSWORD is unspecified, the HTML5 interface password will default to PASSWD.
NOTES: Only one web browser can be connected at a time with the selkies-gstreamer WebRTC interface. If the signaling connection works, but the WebRTC connection fails, read the Using a TURN Server section.
- Run the container with Docker (or other similar container CLIs like Podman):
docker run --gpus 1 -it --tmpfs /dev/shm:rw -e TZ=UTC -e SIZEW=1920 -e SIZEH=1080 -e REFRESH=60 -e DPI=96 -e CDEPTH=24 -e VIDEO_PORT=DFP -e PASSWD=mypasswd -e WEBRTC_ENCODER=nvh264enc -e BASIC_AUTH_PASSWORD=mypasswd -p 8080:8080 ghcr.io/selkies-project/nvidia-glx-desktop:latest
NOTES: The container tags available are
latestand22.04for Ubuntu 22.04, and20.04for Ubuntu 20.04. Persistent container tags are available in the form22.04-20210101010101. Replace all instances ofmypasswdwith your desired password.BASIC_AUTH_PASSWORDwill default toPASSWDif unspecified. The container must not be run in privileged mode.
Change WEBRTC_ENCODER to x264enc, vp8enc, or vp9enc when using the selkies-gstreamer interface if your GPU does not support H.264 (AVCHD) under the NVENC - Encoding section in NVIDIA's Video Encode and Decode GPU Support Matrix.
- Connect to the web server with a browser on port 8080. You may also separately configure a reverse proxy to this port for external connectivity.
NOTES: Additional configurations and environment variables for the selkies-gstreamer WebRTC HTML5 interface are listed in lines that start with
parser.add_argumentwithin the selkies-gstreamer main script.
- (Not Applicable for noVNC) Read carefully if the selkies-gstreamer WebRTC HTML5 interface does not connect. Choose whether to use host networking or a TURN server. The selkies-gstreamer WebRTC HTML5 interface will likely just start working if you add
--network hostto the abovedocker runcommand. However, this may be restricted or be undesired because of security reasons. If so, check if the container starts working after omitting--network host. If it does not work, you need a TURN server. Read the Using a TURN Server section and add the environment variables-e TURN_HOST=,-e TURN_PORT=, and pick one of-e TURN_SHARED_SECRET=or both-e TURN_USERNAME=and-e TURN_PASSWORD=environment variables to thedocker runcommand based on your authentication method.
- Create the Kubernetes Secret with your authentication password:
kubectl create secret generic my-pass --from-literal=my-pass=YOUR_PASSWORDNOTES: Replace
YOUR_PASSWORDwith your desired password, and change the namemy-passto your preferred name of the Kubernetes secret with thexgl.ymlfile changed accordingly as well. It is possible to skip the first step and directly provide the password withvalue:inxgl.yml, but this exposes the password in plain text.
- Create the pod after editing the
xgl.ymlfile to your needs, explanations are available in the file:
kubectl create -f xgl.ymlNOTES: The container tags available are
latestand22.04for Ubuntu 22.04, and20.04for Ubuntu 20.04. Persistent container tags are available in the form22.04-20210101010101.BASIC_AUTH_PASSWORDwill default toPASSWDif unspecified.
Change WEBRTC_ENCODER to x264enc, vp8enc, or vp9enc when using the selkies-gstreamer WebRTC interface if your GPU does not support H.264 (AVCHD) under the NVENC - Encoding section in NVIDIA's Video Encode and Decode GPU Support Matrix.
- Connect to the web server spawned at port 8080. You may configure the ingress endpoint or reverse proxy that your Kubernetes cluster provides to this port for external connectivity.
NOTES: Additional configurations and environment variables for the selkies-gstreamer WebRTC HTML5 interface are listed in lines that start with
parser.add_argumentwithin the selkies-gstreamer main script.
- (Not Applicable for noVNC) Read carefully if the selkies-gstreamer WebRTC HTML5 interface does not connect. Choose whether to use host networking or a TURN server. The selkies-gstreamer WebRTC HTML5 interface will likely just start working if you uncomment
hostNetwork: trueinxgl.yml. However, this may be restricted or be undesired because of security reasons. If so, check if the container starts working after commenting outhostNetwork: true. If it does not work, you need a TURN server. Read the Using a TURN Server section and fill in the environment variablesTURN_HOSTandTURN_PORT, then pick one ofTURN_SHARED_SECRETor bothTURN_USERNAMEandTURN_PASSWORDenvironment variables based on your authentication method.
Note that this section is only required for the selkies-gstreamer WebRTC HTML5 interface. For an easy fix to when the signaling connection works, but the WebRTC connection fails, add the option --network host to your Docker command, or uncomment hostNetwork: true in your xgl.yml file when using Kubernetes (note that your cluster may have not allowed this, resulting in an error). This exposes your container to the host network, which disables network isolation. If this does not fix the connection issue (normally when the host is behind another firewall) or you cannot use this fix for security or technical reasons, read the below text.
In most cases when either of your server or client has a permissive firewall, the default Google STUN server configuration will work without additional configuration. However, when connecting from networks that cannot be traversed with STUN, a TURN server is required.
Read the instructions from selkies-gstreamer if want to deploy a TURN server or use a public TURN server instance.
With Docker (or Podman), use the -e option to add the TURN_HOST, TURN_PORT environment variables. This is the hostname or IP and the port of the TURN server (3478 in most cases).
You may set TURN_PROTOCOL to tcp if you are only able to open TCP ports for the coTURN container to the internet, or if the UDP protocol is blocked or throttled in your client network. You may also set TURN_TLS to true with the -e option if TURN over TLS/DTLS was properly configured.
You also require to provide either just TURN_SHARED_SECRET for time-limited shared secret TURN authentication, or both TURN_USERNAME and TURN_PASSWORD for legacy long-term TURN authentication, depending on your TURN server configuration. Provide just one of these authentication methods, not both.
Your TURN server will use only one out of two ways to authenticate the client, so only provide one type of authentication method. The time-limited shared secret TURN authentication requires to only provide the Base64 encoded TURN_SHARED_SECRET. The legacy long-term TURN authentication requires to provide both TURN_USERNAME and TURN_PASSWORD credentials.
- Create a secret containing the TURN shared secret:
kubectl create secret generic turn-shared-secret --from-literal=turn-shared-secret=MY_TURN_SHARED_SECRETNOTES: Replace
MY_TURN_SHARED_SECRETwith the shared secret of the TURN server, then changing the nameturn-shared-secretto your preferred name of the Kubernetes secret, with thexgl.ymlfile also being changed accordingly.
- Uncomment the lines in the
xgl.ymlfile related to TURN server usage, updating theTURN_HOSTandTURN_PORTenvironment variable as needed:
- name: TURN_HOST
value: "turn.example.com"
- name: TURN_PORT
value: "3478"
- name: TURN_SHARED_SECRET
valueFrom:
secretKeyRef:
name: turn-shared-secret
key: turn-shared-secret
- name: TURN_PROTOCOL
value: "udp"
- name: TURN_TLS
value: "false"NOTES: It is possible to skip the first step and directly provide the shared secret with
value:, but this exposes the shared secret in plain text. SetTURN_PROTOCOLtotcpif you were able to only open TCP ports while creating your own coTURN Deployment/DaemonSet, or if your client network throttles or blocks the UDP protocol.
- Create a secret containing the TURN password:
kubectl create secret generic turn-password --from-literal=turn-password=MY_TURN_PASSWORDNOTES: Replace
MY_TURN_PASSWORDwith the password of the TURN server, then changing the nameturn-passwordto your preferred name of the Kubernetes secret, with thexgl.ymlfile also being changed accordingly.
- Uncomment the lines in the
xgl.ymlfile related to TURN server usage, updating theTURN_HOST,TURN_PORT, andTURN_USERNAMEenvironment variable as needed:
- name: TURN_HOST
value: "turn.example.com"
- name: TURN_PORT
value: "3478"
- name: TURN_USERNAME
value: "username"
- name: TURN_PASSWORD
valueFrom:
secretKeyRef:
name: turn-password
key: turn-password
- name: TURN_PROTOCOL
value: "udp"
- name: TURN_TLS
value: "false"NOTES: It is possible to skip the first step and directly provide the TURN password with
value:, but this exposes the TURN password in plain text. SetTURN_PROTOCOLtotcpif you were able to only open TCP ports while creating your own coTURN Deployment/DaemonSet, or if your client network throttles or blocks the UDP protocol.
Link
Run Input Method: Configure Input Method from the start menu, uncheck Only Show Current Language, search and add from available input methods (Hangul, Mozc, Pinyin, and others) by moving to the right, then use Ctrl + Space to switch between the input methods. Raise an issue if you need more layouts.
Check that the NVIDIA Container Toolkit is properly configured in the host. Next, check whether your host NVIDIA GPU driver is the nvidia-headless variant, which lacks the required display and graphics capabilities for this container.
After that, check the environment variable NVIDIA_DRIVER_CAPABILITIES after starting a shell interface inside the container. NVIDIA_DRIVER_CAPABILITIES should be set to all, or include a comma-separated list of compute (requirement for CUDA and OpenCL, or for the selkies-gstreamer WebRTC remote desktop interface), utility (requirement for nvidia-smi and NVML), graphics (requirement for OpenGL and part of the requirement for Vulkan), video (required for encoding or decoding videos using NVIDIA GPUs, or for the selkies-gstreamer WebRTC remote desktop interface), display (the other requirement for Vulkan), and optionally compat32 if you use Wine or 32-bit graphics applications.
Moreover, if you are using custom configurations, check if your shared memory path /dev/shm has sufficient capacity, where expanding the capacity is done by adding --tmpfs /dev/shm:rw to your Docker command or adding the below lines to your Kubernetes configuration file.
spec:
template:
spec:
containers:
volumeMounts:
- mountPath: /dev/shm
name: dshm
volumes:
- name: dshm
emptyDir:
medium: MemoryIf you checked everything here, scroll down.
I want to use systemd, polkit, FUSE mounts, or sandboxed (containerized) application distribution systems like Flatpak, Snapcraft (snap), AppImage, and etc.
Use the option --appimage-extract-and-run or --appimage-extract with your AppImage to run them in a container. Alternatively, set export APPIMAGE_EXTRACT_AND_RUN=1 to your current shell. For controlling PulseAudio, use pactl instead of pacmd as the latter corrupts the audio system within the container. Use sudoedit to edit protected files in the desktop instead of using sudo followed by the name of the editor.
Open Long Answer
For systemd, polkit, FUSE mounts, or sandboxed application distribution systems, do not use them with containers. You can use them if you add unsafe capabilities to your containers, but it will break the isolation of the containers. This is especially bad if you are using Kubernetes. For controlling PulseAudio, use pactl instead of pacmd as the latter corrupts the audio system within the container. Because polkit does not work, use sudoedit to edit protected files with the GUI instead of using sudo followed by the name of the editor. There will likely be an alternative way to install the applications, including Personal Package Archives. For some applications, there will be options to disable sandboxing when running or options to extract files before running.
Note that because of restrictions from Xorg, it is not possible to share one GPU to multiple Xorg servers running in different containers. Use docker-nvidia-egl-desktop if you intend to do this.
The container does not work if an existing GUI, desktop environment, or X server is running in the host outside the container. / I want to use this container in --privileged mode or with --cap-add and do not want other containers to interfere.
Open Answer
In order to use an X server on the host for your monitor with one GPU, and provision the other GPUs to the containers, you must change your /etc/X11/xorg.conf configuration of the host.
First, use sudo nvidia-xconfig --no-probe-all-gpus --busid=$BUS_ID --only-one-x-screen to generate /etc/X11/xorg.conf where BUS_ID is generated with the below script. Set GPU_SELECT to the ID (from nvidia-smi) of the specific GPU you want to provision.
HEX_ID=$(nvidia-smi --query-gpu=pci.bus_id --id="$GPU_SELECT" --format=csv | sed -n 2p)
IFS=":." ARR_ID=($HEX_ID)
unset IFS
BUS_ID=PCI:$((16#${ARR_ID[1]})):$((16#${ARR_ID[2]})):$((16#${ARR_ID[3]}))
Then, edit the /etc/X11/xorg.conf file of your host outside the container and add the below snippet to the end of the file. If you want to use containers in --privileged mode or with --cap-add, add the snippet to the /etc/X11/xorg.conf files of all other containers running an Xorg server as well (has been already added for this container). The exact file location may vary if not using the NVIDIA graphics driver.
Section "ServerFlags"
Option "AutoAddGPU" "false"
EndSection
The below command adds the above snippet automatically. The exact file location may vary if not using the NVIDIA graphics driver.
echo -e "Section \"ServerFlags\"\n Option \"AutoAddGPU\" \"false\"\nEndSection" | sudo tee -a /etc/X11/xorg.conf > /dev/nullIf you restart your OS or the Xorg server, you will now be able to use one GPU for your host X server and your real monitor, and use the rest of the GPUs for the containers.
Then, you must avoid the GPU of which you are using for your host X server. Use docker --gpus '"device=1,2"' to provision GPUs with device IDs 1 and 2 to the container, avoiding the GPU with the ID of 0 that is used by the host X server, if you set GPU_SELECT to the ID of 0. Note that --gpus 1 means any single GPU, not the GPU device ID of 1.
Make sure that the NVIDIA_DRIVER_CAPABILITIES environment variable is set to all, or includes both graphics and display. The display capability is especially crucial to Vulkan, but the container does start without noticeable issues other than Vulkan without display, despite its name.
If your GPU is a consumer or professional GPU, change the VIDEO_PORT environment variable from DFP to DP-0 if DP-0 is empty, or any empty DP-* port. Set VIDEO_PORT to where your monitor is connected if you want to show the remote desktop in a real monitor. If your GPU is a Datacenter (Tesla) GPU, keep the VIDEO_PORT environment variable to DFP, and your maximum resolution is at 2560 x 1600. To go above this restriction, you may set VIDEO_PORT to none, but you must use borderless window instead of fullscreen, and this may lead to quite a lot of applications not starting, showing errors related to XRANDR or RANDR.
Open Long Answer
The container simulates the GPU to become plugged into a physical DVI-D/HDMI/DisplayPort digital video interface in consumer and professional GPUs with the ConnectedMonitor NVIDIA driver option. The container uses virtualized DVI-D ports for this purpose in Datacenter (Tesla) GPUs.
The ports to be used should only be connected with an actual monitor if the user wants the remote desktop screen to be shown on that monitor. If you want to show the remote desktop screen spawned by the container in a physical monitor, connect the monitor and set VIDEO_PORT to the the video interface identifier that is connected to the monitor. If not, avoid the video interface identifier that is connected to the monitor.
VIDEO_PORT identifiers and their connection states can be obtained by typing xrandr -q when the DISPLAY environment variable is set to the number of the spawned X server display (for example :0). As an alternative, you may set VIDEO_PORT to none (which effectively sets --use-display-device=None), but you must use borderless window instead of fullscreen, and this may lead to quite a lot of applications not starting because the RANDR extension is not available in the X server.
NOTES: Do not start two or more X servers for a single GPU. Use a separate GPU (or use Xvfb/Xdummy/Xvnc without hardware acceleration to use no GPUs at all) if you need a host X server unaffiliated with containers, and do not make the GPU available to the container runtime.
Since this container simulates the GPU being virtually plugged into a physical monitor while it actually does not, make sure the resolutions specified with the environment variables SIZEW and SIZEH are within the maximum size supported by the GPU. The environment variable VIDEO_PORT can override which video port is used (defaults to DFP, the first interface detected in the driver). Therefore, specifying VIDEO_PORT to an unplugged DisplayPort (for example numbered like DP-0, DP-1, and so on) is recommended for resolutions above 1920 x 1200 at 60 hz, because some driver restrictions are applied when the default is set to an unplugged physical DVI-D or HDMI port. The maximum size that should work in all cases is 1920 x 1200 at 60 hz, mainly for when the default VIDEO_PORT identifier DFP is not set to DisplayPort. The screen sizes over 1920 x 1200 at 60 hz but under the maximum supported display size specified for each port (supported by GPU specifications) will be possible if the port is set to DisplayPort (both physically connected or disconnected), or when a physical monitor or dummy plug to any other type of display ports (including DVI-D and HDMI) has been physically connected. If all GPUs in the cluster have at least one DisplayPort and they are not physically connected to any monitors, simply setting VIDEO_PORT to DP-0 is recommended (but this is not set as default because of legacy GPU compatibility reasons).
Datacenter (Tesla) GPUs seem to only support resolutions of up to around 2560 x 1600 at 60 hz (VIDEO_PORT must be kept to DFP instead of changing to DP-0 or other DisplayPort identifiers). The K40 (Kepler) GPU did not support RandR (required for some graphical applications using SDL and other graphical frameworks). Other Kepler generation Datacenter GPUs (maybe except the GRID K1 and K2 GPUs with vGPU capabilities) are also unlikely to support RandR, thus Datacenter GPU RandR support probably starts from Maxwell. Other tested Datacenter GPUs (V100, T4, A40, A100) support all graphical applications that consumer GPUs support. However, the performances were not better than consumer GPUs that usually cost a fraction of Datacenter GPUs, and the maximum supported resolutions were even lower.
This work was supported in part by National Science Foundation (NSF) awards CNS-1730158, ACI-1540112, ACI-1541349, OAC-1826967, OAC-2112167, CNS-2100237, CNS-2120019, the University of California Office of the President, and the University of California San Diego's California Institute for Telecommunications and Information Technology/Qualcomm Institute. Thanks to CENIC for the 100Gbps networks.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent