Can someone please explain this weird behaviour to me:
I have an unprivileged LXC container with firefox inside.
If firefox is running on the host, /usr/bin/firefox inside the container launches a new firefox window on the host with the UID of the host user. (wtf)
If firefox is NOT running outside of the container, /usr/bin/firefox inside the container launches firefox with the UID of the container user, like it should be.
The reverse is also true:
If firefox is running inside the container (but not on the host), and firefox is started on the host, the firefox which is started has the UID of the container user.
?!?! How is that ?!?!
EDIT: Confirmed that this is happening with a standard unprivileged ubuntu container as well.
$ uname -r
4.6.0-rc4-customGIT+
# not that it matters --- the same thing happens on a modified arch 4.5 stock kernel too (user namespaces enabled, checkpoint restore enabled)
$ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
config file:
lxc.devttydir = lxc
lxc.pts = 1024
lxc.tty = 4
lxc.cap.drop = mac_admin mac_override sys_time sys_module
lxc.pivotdir = lxc_putold
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 10:229 rwm
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.hook.mount = /usr/share/lxcfs/lxc.mount.hook
lxc.hook.post-stop = /usr/share/lxcfs/lxc.reboot.hook
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
lxc.cgroup.devices.allow = c 254:0 rm
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.cgroup.devices.allow = c 10:228 rwm
lxc.cgroup.devices.allow = c 10:232 rwm
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
lxc.devttydir =
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
lxc.arch = x86_64
lxc.cgroup.devices.allow = c 226:* rwm
lxc.mount.entry = tmpfs tmp tmpfs defaults
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
lxc-start -n c1 -F -f /path/to/above/conf -s 'lxc.id_map = u 0 100000 65536' -s 'lxc.id_map = g 0 100000 65536' -s 'lxc.rootfs = /path/to/rootfs' -s 'lxc.init_cmd = /usr/bin/bash'
stackexchange: https://unix.stackexchange.com/question … -container
Last edited by Auch999 (2016-04-22 13:26:24)
It's a special firefox "feature" to do that. I think it uses some property of the root X window to do it, not sure. In any case, you can disable it by doing "firefox --no-remote" in your container.
Does this mean that the cause of this behaviour is bind mounting the X11 socket into the container (see above config file)?
...
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
....
Last edited by Auch999 (2016-04-22 13:33:46)
How are you launching the containerized firefox?
How are you launching the containerized firefox?
lxc-start -n c1 -F -f /path/to/above/conf -s 'lxc.id_map = u 0 100000 65536' -s 'lxc.id_map = g 0 100000 65536' -s 'lxc.rootfs = /path/to/rootfs' -s 'lxc.init_cmd = /usr/bin/bash'
then in the container bash prompt, I type
# /usr/bin/firefox
The -no-remote option is working ... but I think it is undesirable that any containerized program can possibly send some (X) notification to another program on the host.
Is it possible to forbid this? (best would be to somehow forbid this in container configuration, if this is impossible second best would be to forbid this in host configuration)
Last edited by Auch999 (2016-04-23 19:43:31)
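The two questions above (is the X11 bind mount the cause, and can it be forbidden in the container configuration) come down to what the config actually shares with the host. The following is an added example, not code from the thread or from LXC: it parses `lxc.mount.entry` lines in the format of the posted config and flags entries that bind-mount the host's X11 socket directory, reporting `ro` without treating it as a fix, since the thread shows the read-only mount did not stop the container's firefox from reaching the host's. The sample config is a constructed excerpt of the one posted above.

```python
"""Audit an LXC config for host IPC sockets bind-mounted into the container."""
# Added example, not the thread's code; parses LXC 1.x lxc.mount.entry lines
# in the form: src dst fstype options [dump pass].

# Host paths whose exposure gives guest processes a channel to host programs.
# Only the X11 socket from the thread is listed; extend as needed.
SENSITIVE_HOST_PATHS = {
    "/tmp/.X11-unix": "X11 socket: guest X clients can reach the host display "
                      "and its other clients (e.g. firefox's remote control)",
}

# Constructed excerpt of the container config posted in the thread.
SAMPLE_CONFIG = """\
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = tmpfs tmp tmpfs defaults
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
"""

def parse_mount_entries(config_text):
    """Return one dict per lxc.mount.entry line: line, src, dst, fstype, opts."""
    entries = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.mount.entry":
            continue
        fields = value.split()
        if len(fields) < 3:  # need at least src, dst and fstype
            continue
        opts = fields[3].split(",") if len(fields) > 3 else []
        entries.append({"line": lineno, "src": fields[0], "dst": fields[1],
                        "fstype": fields[2], "opts": opts})
    return entries

def find_shared_sockets(config_text):
    """Flag bind mounts whose source is, or lies inside, a sensitive host path.
    'ro' is reported but not treated as safe: the thread shows the read-only
    mount did not stop the container's firefox from reaching the host's."""
    findings = []
    for e in parse_mount_entries(config_text):
        if "bind" not in e["opts"] and "rbind" not in e["opts"]:
            continue
        for path, why in SENSITIVE_HOST_PATHS.items():
            if e["src"] == path or e["src"].startswith(path + "/"):
                findings.append({"line": e["line"], "src": e["src"], "dst": e["dst"],
                                 "readonly": "ro" in e["opts"], "why": why})
    return findings
```

Running `find_shared_sockets` over a real config file's contents lists every line that hands the guest a path to the host's X server; removing that entry (or starting firefox with `--no-remote`, as suggested above) is what the thread supports as a remedy.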
Try something for me:
1) Start the lxc container and install sshd in the container if you haven't done this already.
2) From the host: xhost +SI:localuser:yourusernamehere && ssh lxccontainer
3) (From the container): DISPLAY=:0 firefox