Discussion:
Graphically isolating Guix containers with Xpra.
Rutger Helling
2018-02-16 10:47:53 UTC
Hey Guix,

Here's a small tip for how you can create graphically isolated containers with Guix and Xpra.

First we create a Xpra server, with no clipboard access.
$ xpra start --clipboard=no :200

Next we switch to an empty tmp directory, and start a Guix container that has access to the X200 socket only.
$ cd tmp
$ guix environment -C --ad-hoc coreutils gedit --expose=/home/$USER/.Xauthority --expose=/tmp/.X11-unix/X200 -- env DISPLAY=:200 XAUTHORITY=/home/$USER/.Xauthority gedit

On a different terminal (or over SSH) you can now access the Xpra server.
$ xpra attach :200

Note that in order to be fully isolated the container should not be able to access even abstract sockets.
You can either run the container without the -N switch, or create a new network namespace with a veth or something like that.

With the following command you can check the sockets. No X11 sockets other than the Xpra one should be shown.
$ ss | grep X11

Once Wayland becomes widely used this will probably be redundant, since the isolation in Wayland is far better than X11. But this might still be useful.
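The three steps above folded into one script, with the socket check made strict, as an added example that is not code from the post or from Guix or Xpra; it assumes display :200 and the post's package names, and the `ss` sample it checks offline is constructed.

```shell
#!/bin/sh
# Added example, not code from the post or from Guix/Xpra. Wraps the post's
# steps in functions and adds an offline check of `ss` output. Assumes
# display :200 and the package names used in the post.
XPRA_DISPLAY=200                 # display number used in the post
XAUTH="$HOME/.Xauthority"

# Step 1: Xpra server with the clipboard disabled, as in the post.
start_xpra_server() {
    xpra start --clipboard=no ":$XPRA_DISPLAY"
}

# Step 2: run PROG in a Guix container that sees only the Xpra socket and the
# Xauthority file. -N is deliberately absent, so the container gets its own
# network namespace and cannot reach the host's abstract X11 sockets.
run_isolated() {
    prog="$1"
    guix environment -C --ad-hoc coreutils "$prog" \
        --expose="$XAUTH" --expose="/tmp/.X11-unix/X$XPRA_DISPLAY" \
        -- env "DISPLAY=:$XPRA_DISPLAY" "XAUTHORITY=$XAUTH" "$prog"
}

# Step 3 made strict: read `ss` output on stdin and print every X11 socket
# that is not the filesystem socket of the Xpra display. Abstract sockets
# (leading '@') are flagged too, since they bypass the filesystem. Exit 1
# when anything was flagged.
unexpected_x11_sockets() {
    awk -v ok="/tmp/.X11-unix/X$XPRA_DISPLAY" '
        /X11-unix/ {
            for (i = 1; i <= NF; i++)
                if (index($i, "X11-unix") && $i != ok) { print; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample of `ss` output: the Xpra socket, a leaked abstract
# socket of the host's :0 display, and an unrelated D-Bus socket.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB  0      0      /tmp/.X11-unix/X200 41532 * 41531
u_str ESTAB  0      0      @/tmp/.X11-unix/X0 41600 * 41601
u_str ESTAB  0      0      /run/user/1000/bus 4100 * 4101'

case "${1:-}" in
    run)   start_xpra_server && run_isolated "${2:-gedit}" ;;   # real use
    check) ss | unexpected_x11_sockets ;;                        # inside the container
    *)     printf '%s\n' "$SAMPLE_SS" | unexpected_x11_sockets \
               && echo "only the Xpra socket is visible" \
               || echo "the sockets above must not be reachable" ;;
esac
```

Run it with `check` from inside the container to test a real namespace; with no argument it only evaluates the constructed sample, which flags the leaked `@/tmp/.X11-unix/X0` socket.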
Ludovic Courtès
2018-02-16 16:55:46 UTC
Hello Rutger,
Post by Rutger Helling
Here's a small tip for how you can create graphically isolated containers with Guix and Xpra.
First we create a Xpra server, with no clipboard access.
$ xpra start --clipboard=no :200
Next we switch to an empty tmp directory, and start a Guix container that has access to the X200 socket only.
$ cd tmp
$ guix environment -C --ad-hoc coreutils gedit --expose=/home/$USER/.Xauthority --expose=/tmp/.X11-unix/X200 -- env DISPLAY=:200 XAUTHORITY=/home/$USER/.Xauthority gedit
On a different terminal (or over SSH) you can now access the Xpra server.
$ xpra attach :200
Nice trick!

Did you see the discussion at
<https://lists.gnu.org/archive/html/help-guix/2018-01/msg00056.html>?

This is something we could directly add to ‘guix run’ or similar.

Ludo’.
Rutger Helling
2018-02-19 12:02:44 UTC
Hi Ludo,

I've tried 'guix run' for a little bit and I think it has a lot of
potential! One of the problems with guix environment containers is that
it can take quite a while to build. 'guix run' could solve that.

Adding Xpra to 'guix run' and/or 'guix environment' in some way could
definitely be handy for isolation purposes. For the most part it would
just consist of starting up a Xpra socket and exposing that to the
container, then maybe automatically attaching to it.

I've pushed a change to Xpra to start Xvfb with '-nolisten local'. This
disables abstract sockets for the Xorg server that gets started with
Xpra. As a result, using the commands below, you should be isolated even
on the same network namespace.

I can also write something for the Guix documentation, though I'm not
sure if that's considered out-of-scope.

On Fri, 16 Feb 2018 17:55:46 +0100
Post by Ludovic Courtès
Hello Rutger,
Post by Rutger Helling
Here's a small tip for how you can create graphically isolated containers with Guix and Xpra.
First we create a Xpra server, with no clipboard access.
$ xpra start --clipboard=no :200
Next we switch to an empty tmp directory, and start a Guix container that has access to the X200 socket only.
$ cd tmp
$ guix environment -C --ad-hoc coreutils gedit --expose=/home/$USER/.Xauthority --expose=/tmp/.X11-unix/X200 -- env DISPLAY=:200 XAUTHORITY=/home/$USER/.Xauthority gedit
On a different terminal (or over SSH) you can now access the Xpra server.
$ xpra attach :200
Nice trick!
Did you see the discussion at
<https://lists.gnu.org/archive/html/help-guix/2018-01/msg00056.html>?
This is something we could directly add to ‘guix run’ or similar.
Ludo’.