Graphically isolating Guix containers with Xpra.
From: Rutger Helling
Subject: Graphically isolating Guix containers with Xpra.
Date: Fri, 16 Feb 2018 11:47:53 +0100
Hey Guix,
Here's a small tip for how you can create graphically isolated containers with
Guix and Xpra.
First we create an Xpra server, with no clipboard access.
$ xpra start --clipboard=no :200
Next we switch to an empty tmp directory, and start a Guix container that has
access to the X200 socket only.
$ cd tmp
$ guix environment -C --ad-hoc coreutils gedit \
    --expose=/home/$USER/.Xauthority \
    --expose=/tmp/.X11-unix/X200 \
    -- env DISPLAY=:200 XAUTHORITY=/home/$USER/.Xauthority gedit
On a different terminal (or over SSH) you can now access the Xpra server.
$ xpra attach :200
Note that in order to be fully isolated the container should not be able to
access even abstract sockets.
You can either run the container without the -N switch, or create a new network
namespace with a veth or something like that.
With the following command you can check the sockets. No X11 sockets other than
the Xpra one should be shown.
$ ss | grep X11
Once Wayland becomes widely used this will probably be redundant, since the
isolation in Wayland is far better than X11. But this might still be useful.
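As an added example (not part of the original post), here is a small POSIX sh helper for the socket check at the end: it reads `ss -x` output and flags any X11 socket, filesystem or abstract (the `@`-prefixed kind), that does not belong to the Xpra display. It assumes `ss` from iproute2 is available inside the container (e.g. add `iproute2` to `--ad-hoc`); the sample `ss` lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Lists X11 sockets other than the
# Xpra display's so that a host X server leaking into the container through its
# abstract socket is caught as well as the filesystem one.

# Usage: ss -x | x11_sockets_other_than 200
# Prints each offending socket path; returns 0 if none, 1 if any were found.
x11_sockets_other_than() {
    display="$1"
    found=0
    while read -r line; do
        set -f                      # no globbing: ss lines contain '*'
        for field in $line; do
            case "$field" in
                /tmp/.X11-unix/X"$display"|@/tmp/.X11-unix/X"$display")
                    ;;              # the Xpra socket exposed on purpose
                /tmp/.X11-unix/X*|@/tmp/.X11-unix/X*)
                    printf '%s\n' "$field"
                    found=1 ;;
            esac
        done
        set +f
    done
    return "$found"
}

# Live check against the real socket table, for use inside the container.
# Assumes iproute2's `ss` is installed there.
check_x11_isolation() {
    ss -x | x11_sockets_other_than "${1:-200}"
}

# Constructed sample of `ss -x` output: the Xpra socket plus the host's :0
# leaking through both its abstract and its filesystem socket.
SAMPLE_SS_OUTPUT='u_str LISTEN 0 128 /tmp/.X11-unix/X200 12345 * 0
u_str LISTEN 0 128 @/tmp/.X11-unix/X0 12346 * 0
u_str LISTEN 0 128 /tmp/.X11-unix/X0 12347 * 0
u_str ESTAB  0 0   /run/user/1000/bus 12348 * 12349'

if printf '%s\n' "$SAMPLE_SS_OUTPUT" | x11_sockets_other_than 200; then
    echo "sample: only the Xpra socket is visible"
else
    echo "sample: other X11 sockets are reachable (listed above)"
fi
```

Run `check_x11_isolation 200` inside the container; any path printed means another X server is still reachable and the namespace setup needs revisiting.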