LinuxQuestions.org
Linux - Containers This forum is for the discussion of all topics relating to Linux containers. Docker, LXC, LXD, runC, containerd, CoreOS, Kubernetes, Mesos, rkt, and all other Linux container platforms are welcome.

#16, pan64, 04-09-2020, 02:27 AM
You still don't understand and did not answer some questions.
(like how did you want to connect several keyboards and mice to this host)

Quote (originally posted by Skaperen):
    X MUST handle the switching if the switch needs to change video mode. the kernel knows nothing about advanced video modes. the kernel does intercept the change and handles the text mode change. but if X is running in a console that the switch leaves or goes to, the kernel signals X to do its part. that may have changed some recently as i have seen some very fast changes from X to a different X with never a pause in between.
Again, switching between consoles works with and/or without X. Works also if you started more than one X server (on different consoles). X is responsible to set video for itself, but is not responsible for anything outside the running session. X must not and cannot handle the switching to another console/X or whatever.

Quote (originally posted by Skaperen):
    the big issue i anticipate with X in a container is how X access the hardware without that becoming a security exposure. a root user in a container needs to be fully confined to that container, including access to video hardware. that would mean the kernel needs to enable that access only for the currently switched-to container.
The root inside the container is not really equivalent to the root of the host itself. Running X inside a container means you create a lot of security holes in the container to allow it to do things which are not meant to be done in a container.

Quote (originally posted by Skaperen):
    i don't know if there is any means to pass a text-mode whole console to a container, but i don't need that now that things are overall fast enough to just use X with a terminal window (20 years ago it was not fast enough).
That means you need to modify the login process to start the login shell in a docker (or another) container. It is not really impossible, but I still have no idea how you imagine it. How will the mouse/keyboard be connected?

Quote (originally posted by Skaperen):
    following that link, i find too many things that don't work (such as audio) that i want to consider something else. maybe multiple X servers in the host with all the user specific processes running in a container (different for each) can be sufficiently secure to be worth doing. what i would be looking at is how the container accesses that X process, and only that X process. X can use Unix sockets so that might be the way to go (via a small finite shared file space for each).
The container does not try to access anything. Containerization means the encapsulation of the environment, so when you are inside you cannot see (cannot have any idea about what is) outside. When you want to allow the app inside to use the real hardware you will just go against this encapsulation; you will need to create security holes (usually open ports) to access devices. As you see, accessing the same hardware (video/audio) can be a problem, and connecting a mouse/keyboard to the containerized X can be an issue as well.
 
#17, Skaperen, 04-13-2020, 05:53 PM
Quote (originally posted by pan64):
    You still don't understand and did not answer some questions.
    (like how did you want to connect several keyboards and mice to this host)
there won't be several keyboards and mice. just one keyboard and one mouse. it is the built-in keyboard on the laptop. the mouse is a wireless with a receiver plugged into a USB 2.0 port.

Quote (originally posted by pan64):
    Again, switching between consoles works with and/or without X. Works also if you started more than one X server (on different consoles). X is responsible to set video for itself, but is not responsible for anything outside the running session. X must not and cannot handle the switching to another console/X or whatever.
since X (probably) has the video hardware in a mode the text console cannot handle, the kernel signals X to set the mode back before the kernel completes the switch.

Quote (originally posted by pan64):
    The root inside the container is not really equivalent to the root of the host itself. Running X inside a container means you create a lot of security holes in the container to allow it to do things which are not meant to be done in a container.
that's why running X in a container is an issue. inside the container is supposed to look like an isolated system. root in the container is supposed to be able to do privileged things but not affect the host or other containers. this is more difficult with X since X does need to deal with "other" consoles (see above).

Quote (originally posted by pan64):
    That means you need to modify the login process to start the login shell in a docker (or another) container. It is not really impossible, but I still have no idea how you imagine it. How will the mouse/keyboard be connected?
this is to be decided as part of the design. i can say i won't be using docker. i may use lxc. i may just have a process that does the syscalls to build and move itself into a container.

Quote (originally posted by pan64):
    The container does not try to access anything. Containerization means the encapsulation of the environment, so when you are inside you cannot see (cannot have any idea about what is) outside. When you want to allow the app inside to use the real hardware you will just go against this encapsulation; you will need to create security holes (usually open ports) to access devices. As you see, accessing the same hardware (video/audio) can be a problem, and connecting a mouse/keyboard to the containerized X can be an issue as well.
yes, these (and more) are the issues. so i am thinking that needs to stay outside the container. X is supposed to be safe from its user exploiting its root privileges. but if X can let the user even do user things in some way, it's not safe for X to be outside a container intended to (better) isolate a user in a container.

Last edited by Skaperen; 04-13-2020 at 05:54 PM.
 
#18, pan64, 04-14-2020, 01:07 AM
Quote (originally posted by Skaperen):
    there won't be several keyboards and mice. just one keyboard and one mouse. it is the built-in keyboard on the laptop. the mouse is a wireless with a receiver plugged into a USB 2.0 port.
In that case how do you want to use more than one X at the same time?

Quote (originally posted by Skaperen):
    since X (probably) has the video hardware in a mode the text console cannot handle, the kernel signals X to set the mode back before the kernel completes the switch.
No, I would rather say that when you switch the console, the new one sets the required config for itself (there can be a running X on the other console as well).
I don't really know if the old console should do something like "reset to default", or whether there is any way to "set the mode back" (back to what?).

Quote (originally posted by Skaperen):
    that's why running X in a container is an issue. inside the container is supposed to look like an isolated system. root in the container is supposed to be able to do privileged things but not affect the host or other containers. this is more difficult with X since X does need to deal with "other" consoles (see above).
No, forget it! X must not deal with other consoles. X must have no idea whether there are any other consoles available [how many, where they are] or how they are actually set. X is just an app like any other.

Quote (originally posted by Skaperen):
    i may just have a process that does the syscalls to build and move itself into a container.
Is this feasible?
 
#19, Skaperen, 04-21-2020, 03:38 AM
Quote (originally posted by pan64):
    In that case how do you want to use more than one X at the same time?
i already use multiple X servers with one keyboard and one mouse. i just use one at a time. i have keyboard shortcuts that do "dm-tool switch-to-user <username>" for about 20 user names. these users are in the "nopasswdlogin" group so LightDM switches without prompting me for a password. that lets me switch around quite frequently.

Quote (originally posted by pan64):
    No, I would rather say that when you switch the console, the new one sets the required config for itself (there can be a running X on the other console as well).
    I don't really know if the old console should do something like "reset to default", or whether there is any way to "set the mode back" (back to what?).
when i switch away, that X server understands that it is disconnected from all user interface and operates accordingly. all of them are in the same mode (1920x1080). i did some experiments with 3840x2160 which worked even though i was limited to seeing only 1920x1080 of it at one time. i had only one X server in that mode and switching to/from it worked fine.


Quote (originally posted by pan64):
    No, forget it! X must not deal with other consoles. X must have no idea whether there are any other consoles available [how many, where they are] or how they are actually set. X is just an app like any other.
X (not in containers) appears to be doing things differently depending on how the console switching takes place, like whether the other virtual console is run by another X server or not, or is just not active. in a container, that view will be different.


Quote (originally posted by pan64):
    Is this feasible?
i don't see why not. something will need to create the container when a user logs in initially. whether X will be in the container or not, all the user processes will be (the goal of all this). LightDM doesn't do this (yet). so i need to create something that gets run first (perhaps by LightDM) and starts things up the way that is needed.

right now i have a user i switched away from playing a live radio stream on YouTube (https://www.youtube.com/watch?v=60UGcXAW0qM) while i am editing this. i have to run pulseaudio in system mode to hear it.
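The "process that does the syscalls to build and move itself into a container" from posts #17 and #19, combined with the per-session X Unix socket idea quoted in post #16, as an added example (not the poster's code and not anything LightDM does): unshare() moves the process into new user, mount, pid and ipc namespaces; writing uid_map makes uid 0 inside equal the login uid outside, so whatever "root" inside can do is scoped to the namespace and means nothing to the host; a private tmpfs over /tmp hides every other X server's socket, and only the socket of this session's display is bound back in through a file descriptor saved before /tmp was replaced. The display-number argument, the /tmp/.X11-unix/X<n> layout and the choice to hide only /tmp are this example's assumptions.

```c
/* session_box.c: start a user's session in its own user/mount/pid/ipc
 * namespaces with exactly one X Unix socket visible.
 * Added example, not from the thread; paths and the "one socket per session"
 * layout are the author's assumptions.
 * Build: cc -Wall -o session_box session_box.c
 * Usage: ./session_box <display-number> <program> [args...]   (no root needed)
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Filesystem socket that X server :N listens on. Returns -1 if it does not fit. */
int x_socket_path(char *buf, size_t len, int display)
{
    int n = snprintf(buf, len, "/tmp/.X11-unix/X%d", display);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* One uid_map/gid_map line: "<inside> <outside> <count>". An unprivileged
 * process may only map its own id, so uid 0 inside is the plain login uid outside. */
int format_idmap(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s <display> <cmd> [args]\n", argv[0]); return 2; }
    int display = atoi(argv[1]);
    unsigned uid = getuid(), gid = getgid();
    char map[64], xsock[64], via_fd[64];

    /* Hold a handle on the one X socket before /tmp is replaced. */
    if (x_socket_path(xsock, sizeof xsock, display) < 0) return 2;
    int sockfd = open(xsock, O_PATH);
    if (sockfd < 0) { perror(xsock); return 1; }

    /* 1. New namespaces. Capabilities gained in the new user namespace are
     *    scoped to it; writing uid_map/gid_map pins uid 0 inside to us outside. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWIPC) < 0) { perror("unshare"); return 1; }
    write_file("/proc/self/setgroups", "deny");          /* prerequisite for gid_map */
    format_idmap(map, sizeof map, 0, uid, 1);
    if (write_file("/proc/self/uid_map", map) < 0) { perror("uid_map"); return 1; }
    format_idmap(map, sizeof map, 0, gid, 1);
    if (write_file("/proc/self/gid_map", map) < 0) { perror("gid_map"); return 1; }

    /* 2. Private /tmp: a fresh tmpfs hides every other /tmp/.X11-unix/X* socket
     *    (and other users' files); only the saved socket is bound back in. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) { perror("MS_PRIVATE /"); return 1; }
    if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV, "mode=1777") < 0) { perror("tmpfs /tmp"); return 1; }
    mkdir("/tmp/.X11-unix", 01777);
    close(open(xsock, O_WRONLY | O_CREAT, 0600));        /* bind target must exist */
    snprintf(via_fd, sizeof via_fd, "/proc/self/fd/%d", sockfd);
    if (mount(via_fd, xsock, NULL, MS_BIND, NULL) < 0) { perror("bind X socket"); return 1; }
    close(sockfd);

    /* 3. The first child is pid 1 of the new pid namespace and runs the session. */
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        char disp[16];
        snprintf(disp, sizeof disp, ":%d", display);
        setenv("DISPLAY", disp, 1);
        execvp(argv[2], argv + 2);
        perror(argv[2]);
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Start it as the user once their X server is up, for example ./session_box 1 xterm. X authorization still applies: XAUTHORITY has to point at a cookie file the boxed process can read. Two limits are worth knowing. Xorg on Linux also listens on the abstract socket @/tmp/.X11-unix/X<n>, which a mount namespace does not hide; only a network namespace (CLONE_NEWNET) would, at the cost of the session's networking. And any process that reaches the socket is a full client of that X server, with everything X allows between clients, so the isolation boundary is the per-user X server, not the socket itself.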
 
  

