X11 forwarding of a GUI app running in docker

Problem description

First off: I have read the answers to similar questions on SO, but none of them worked.

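Situation:

  • An app with a GUI is running in a docker container (CentOS 7.1) under Arch Linux. (machine A)
  • Machine A has a monitor connected to it.
  • I want to access this GUI via X11 forwarding on my Arch Linux client machine. (machine B)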

What works:

  • GUI works locally on machine A (with /tmp/.X11-unix being mounted in the Docker container).
  • X11 forwarding of any app running outside of docker (X11 forwarding is set up and running properly for non-docker usage).
  • I can even switch the user while remotely logged in, copy the .Xauthority file to the other user and X11 forwarding works as well.

Some setup info:

  • Docker networking is 'bridged'.
  • Container can reach host (firewall is open).
  • DISPLAY variable is set in container (to host-ip-addr:10.0 because of TCP port 6010 where sshd is listening).
  • Packets to X forward port (6010) are reaching the host from the container (tcpdump checked).

What doesn't work:

  • X11 forwarding of the Docker app
  • Errors:

X11 connection rejected because of wrong authentication.

xterm: Xt error: Can't open display: host-ip-addr:10.0

Things I tried:

  • starting client ssh with ssh -Y option on machine B
  • putting "X11ForwardTrusted yes" in ssh_config on machine B
  • xhost + (so allow any clients to connect) on machine B
  • putting Host * in ssh_config on machine B
  • putting X11UseLocalhost no in sshd_config on machine A (to allow non-localhost clients)
  • Adding the X auth token in the container with xauth add from the login user on machine A
  • Just copying over the .Xauthority file from a working user into the container
  • Making sure .Xauthority file has correct permissions and owner

How can I just disable all the X security stuff and get this working?

Or even better: How can I get it working with security?

Is there at least a way to enable extensive debugging to see where exactly the problem is?

Recommended answer

Ok, here is the thing:

1) Log in to remote machine

2) Check using echo $DISPLAY

3) Run xauth list

4) Copy the line that matches your DISPLAY

5) Enter your docker container

6) xauth add <the line you copied> *

7) Use export DISPLAY=<ip-to-host>:<no-of-display>

*so far so good right?

This was nothing new... however here is the twist: The line printed by xauth list for the login user looks something like this (in my case):

<hostname-of-machine>/unix:<no-of-display> MIT-MAGIC-COOKIE-1 <some number here>

Because I use the bridged docker setup, the X forwarding port is not listening locally, because the sshd is not running in the container. Change the line above to:

<ip-of-host>:<no-of-display> MIT-MAGIC-COOKIE-1 <some number here>

In essence: remove the /unix part.

<ip-of-host> is the IP address where the sshd is running.

Set the DISPLAY variable as above.

So the error was that the DISPLAY name in the environment variable was not the "same" as the entry in the xauth list / .Xauthority file and the client could therefore not authenticate properly.

I switched back to an untrusted X11 forwarding setting.

The X11UseLocalhost no setting in the sshd_config file however is important, because the incoming connection will come from a "different" machine (the docker container).
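The entry rewrite from steps 2 to 7 of the answer above, as an added example that is not part of the original answer: it picks the `xauth list` line for the forwarded display and renames it from `<hostname>/unix:<n>` to `<ip-of-host>:<n>`, so the cookie is kept and `xhost +` is not needed. The function names, the hostname `machineA`, the address `172.17.0.1` and the cookie values are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example; function names and all sample values below are constructed.

# display_number <DISPLAY value>: "host:10.0" -> "10"
display_number() {
    local d
    d=${1##*:}                 # text after the last colon
    printf '%s\n' "${d%%.*}"   # drop the optional ".screen" suffix
}

# rewrite_xauth_entry <host-ip> <display-number>
# Reads `xauth list` output on stdin and prints the matching local-socket
# entry renamed to "<host-ip>:<n>". Returns 1 when no entry matches.
rewrite_xauth_entry() {
    local host_ip want name proto cookie num
    host_ip=$1
    want=$2
    while read -r name proto cookie; do
        case $name in
            */unix:*) ;;       # "<hostname>/unix:<n>" entries only
            *) continue ;;
        esac
        num=$(display_number "$name")
        [ "$num" = "$want" ] || continue
        case $cookie in        # skip malformed lines: the cookie must be hex
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        printf '%s:%s %s %s\n' "$host_ip" "$num" "$proto" "$cookie"
        return 0
    done
    return 1
}

# Constructed stand-in for `xauth list` on machine A (cookies are fake).
SAMPLE_XAUTH_LIST='machineA/unix:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
machineA/unix:10  MIT-MAGIC-COOKIE-1  0f1e2d3c4b5a69788796a5b4c3d2e1f0'
HOST_IP=172.17.0.1             # constructed address of the host running sshd
N=$(display_number "localhost:10.0")

if entry=$(printf '%s\n' "$SAMPLE_XAUTH_LIST" | rewrite_xauth_entry "$HOST_IP" "$N"); then
    # The two commands to run inside the container:
    echo "xauth add $entry"
    echo "export DISPLAY=$HOST_IP:$N"
else
    echo "no xauth entry for display $N" >&2
fi
```

On machine A, pipe the real `xauth list` output into `rewrite_xauth_entry` in place of the sample, with the number taken from `$DISPLAY` in the SSH session.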
