[Users] X apps in OpenVZ containers

Solar Designer solar at openwall.com
Fri May 15 08:22:38 PDT 2015


Hi,

There are these web pages:

https://openvz.org/X_inside_VE
http://pve.proxmox.com/wiki/X11_LXDE_in_OpenVZ
http://openvz.livejournal.com/31953.html
http://www.opennet.ru/tips/2396_firefox_openvz_chroot_limit_virtual.shtml

and I just tweeted:

<solardiz> Firefox 38 official binary build (still) works in OpenVZ container with CentOS 6 running on Owl 3.1-stable (RHEL5'ish OpenVZ kernel). Handy.

However, all of this involves TCP sockets - for SSH (over which X11 is
forwarded), for X11 protocol itself (if no SSH layer), or for VNC.

It'd be nice to be able to use Unix domain sockets for this.  I've tried
bind-mounting a directory with X's Unix domain socket from host into a
container, but connecting to that socket from inside the container fails
with ECONNREFUSED.  I didn't investigate this further, but I guess the
host's socket is simply not found in net/unix/af_unix.c:
unix_find_socket_byname(), which in fact checks ve_accessible_strict().

Maybe we should allow for relaxing this check on a per-container basis,
to achieve full native speed in setups like the above, and be able to
watch videos, etc. in web browsers set up like that?  The TCP overhead
isn't adding any security against attacks on the X server anyway - it's
the same complicated and fully exposed X protocol anyway. :-(  (VNC is
probably safer, depending on implementation and settings, but that's a
separate matter.)

Alexander
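As an added example (not part of the post above, and not OpenVZ code), here is a small probe a practitioner can run inside the container to classify the connect() failure the post describes. It is self-contained: the same function that tries the bind-mounted X socket is exercised against a stale socket file and a live listener that the code itself creates, so the reader can see that "file present, nothing reachable behind it" is reported as ECONNREFUSED, which is exactly what a host-side socket hidden by the container's namespace check (the post's ve_accessible_strict guess) would look like from inside. The default path /tmp/.X11-unix/X0 and the temporary socket names are assumptions for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Assumed default: the first X display's Unix socket; override with argv[1]. */
#define DEFAULT_X_SOCKET "/tmp/.X11-unix/X0"

/* Fill a sockaddr_un for `path`; returns 0 or -ENAMETOOLONG. */
static int fill_addr(struct sockaddr_un *sa, const char *path)
{
    if (strlen(path) >= sizeof(sa->sun_path))
        return -ENAMETOOLONG;
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    strcpy(sa->sun_path, path);
    return 0;
}

/* Try a stream connect() to the Unix domain socket at `path`.
 * Returns 0 on success or -errno on failure, so the caller can tell
 * ENOENT (no file at all) from ECONNREFUSED (file present, no visible listener). */
int probe_unix_socket(const char *path)
{
    struct sockaddr_un sa;
    int fd, rc, err;

    if ((rc = fill_addr(&sa, path)) < 0)
        return rc;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    rc = connect(fd, (struct sockaddr *)&sa, sizeof(sa));
    err = errno;            /* save before close() can clobber it */
    close(fd);
    return rc == 0 ? 0 : -err;
}

/* Human-readable reading of probe_unix_socket()'s result. */
const char *explain_probe(int rc)
{
    switch (rc) {
    case 0:
        return "connected: a listener is bound and visible from here";
    case -ENOENT:
        return "no such socket file: bind mount missing or wrong path";
    case -ECONNREFUSED:
        return "socket file present but no listener reachable from here "
               "(stale socket file, or the host's socket is not visible "
               "in this container's namespace)";
    default:
        return "connect() failed for another reason";
    }
}

/* Unlink any old file at `path`, then create and bind a stream socket there.
 * Returns the fd or -errno. Used to build the two reference cases below. */
static int bind_unix_socket(const char *path)
{
    struct sockaddr_un sa;
    int fd, rc;

    if ((rc = fill_addr(&sa, path)) < 0)
        return rc;
    unlink(path);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        rc = -errno;
        close(fd);
        return rc;
    }
    return fd;
}

/* Leave a bound-but-closed socket file behind, as a dead X server would. */
int make_stale_socket(const char *path)
{
    int fd = bind_unix_socket(path);
    if (fd < 0)
        return fd;
    close(fd);              /* the file stays, but nothing answers on it */
    return 0;
}

/* Create a listening socket at `path`; returns its fd or -errno. */
int make_listening_socket(const char *path)
{
    int fd = bind_unix_socket(path);
    if (fd < 0)
        return fd;
    if (listen(fd, 1) < 0) {
        int err = -errno;
        close(fd);
        return err;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : DEFAULT_X_SOCKET;
    int rc = probe_unix_socket(path);

    printf("%s: %s (%s)\n", path, explain_probe(rc),
           rc == 0 ? "ok" : strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Run it inside the container against the bind-mounted socket directory (e.g. `./probe /tmp/.X11-unix/X0`). Because a stale socket file on the host gives the same ECONNREFUSED as a namespace-hidden one, check from the host first that the probe connects there; only if the host succeeds and the container fails is the failure attributable to the container boundary rather than to the X server.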
