Discussion:
CirrOS on OpenStack using LXD as a hypervisor
Muneeb Ahmad
2016-07-19 07:16:16 UTC
Hi guys,

First of all I greatly appreciate the work you guys have been doing.
My question is about CirrOS. I have deployed OpenStack with nova-lxd
through devstack. Is there any way I can run CirrOS on it? As far as I read,
it's not available for LXD yet. Any help?

Muneeb
Serge E. Hallyn
2016-07-19 12:38:52 UTC
Post by Muneeb Ahmad
Hi guys,
First of all I greatly appreciate the work you guys have been doing.
My question is about CirrOS. I have deployed OpenStack with nova-lxd
through devstack. Is there any way I can run CirrOS on it? As far as I read,
it's not available for LXD yet. Any help?
Odd, that surprises me, I thought images.linuxcontainers.org had that. But,
you create a lxc cirros container, create a dummy lxd container, copy the
lxc rootfs over into it, then (once verified everything is working) publish
that lxd container as a new image that you can launch containers from. It's
a hassle, but only the first time.
rob e
2016-07-21 02:27:10 UTC
I'm trying to use an LXD based container to run desktop applications on
my standard desktop, in much the same way as this
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

So far I can run an application in a Xephyr screen but not on the host
desktop (ultimate aim)

For a Xephyr screen
1) Install Xephyr
2) run Xephyr with "Xephyr -a -br -noreset -name xephyr_screen_101
-title Browse_Danger -screen 1800x1080 :101"
3) log into the container and run the program, directing output to
display 101, i.e.
a) lxc exec <container-name> bash
b) DISPLAY=:101 firefox
4) Firefox will duly appear on the Xephyr screen

To run this from outside the container
1) Create a shell program inside the container, containing just the
command in 3b, i.e.
#!/bin/bash
DISPLAY=:101 firefox
2) Make the program executable, i.e. chmod ug+x <shell-program-above>, and
possibly change ownership
3) Execute with
lxc exec <container-name> su <user name> -- <shell-program-above>

The minimum config required to make this work seems to be

name: <container-name>
profiles:
- default
config:
  raw.lxc: lxc.aa_profile=lxc-container-default-with-mounting
devices:
  root:
    path: /
    type: disk
  x11-unix:
    path: /tmp/.X11-unix
    source: /tmp/.X11-unix
    type: disk
ephemeral: false


By adding a few more mounts we can get a full desktop for user = <user>
to run in Xephyr, e.g.

devices:
  dri:
    path: /dev/dri
    source: /dev/dri
    type: disk
  iceauthority-<user>:
    path: /home/<user>/.ICEauthority
    source: /home/<user>/.ICEauthority
    type: disk
  root:
    path: /
    type: disk
  x11-unix:
    path: /tmp/.X11-unix
    source: /tmp/.X11-unix
    type: disk
  xauthority-<user>:
    path: /home/<user>/.Xauthority
    source: /home/<user>/.Xauthority
    type: disk
ephemeral: false

Obviously we needed to have added <user> first and ensure the home
directory was created (should be when using "adduser") and then run the
desktop whilst logged in as <user>

No matter what I do I cannot get a program to display on the host screen,
e.g. DISPLAY=:0 firefox. This returns an error message

$ DISPLAY=:0 firefox
No protocol specified
Failed to connect to Mir: Failed to connect to server socket: No
such file or directory
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :0

These messages turn up in the host dmesg

* [508499.335953] audit: type=1400 audit(1469067007.731:3225):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="lxd-xenial-browse-danger-test_</var/lib/lxd>" pid=29368
comm="apparmor_parser"
* [508499.342613] device vethO9YPDN entered promiscuous mode
* [508499.342650] IPv6: ADDRCONF(NETDEV_UP): vethO9YPDN: link is not ready
* [508499.385405] eth0: renamed from vethE393S7
* [508499.408826] IPv6: ADDRCONF(NETDEV_CHANGE): vethO9YPDN: link
becomes ready
* [508499.408877] lxcbr0: port 4(vethO9YPDN) entered forwarding state
* [508499.408886] lxcbr0: port 4(vethO9YPDN) entered forwarding state
* [508499.438414] audit: type=1400 audit(1469067007.835:3226):
apparmor="DENIED" operation="mount" info="failed type match"
error=-13 profile="lxc-container-default-with-mounting"
name="/sys/fs/cgroup/systemd/" pid=29377 comm="systemd"
fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
* [508499.438529] audit: type=1400 audit(1469067007.835:3227):
apparmor="DENIED" operation="mount" info="failed type match"
error=-13 profile="lxc-container-default-with-mounting"
name="/sys/fs/cgroup/systemd/" pid=29377 comm="systemd"
fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
* [508514.445340] lxcbr0: port 4(vethO9YPDN) entered forwarding state

and from the host Syslog

* Jul 21 12:10:07 virt-host kernel: [508499.438414] audit: type=1400
audit(1469067007.835:3226): apparmor="DENIED" operation="mount"
info="failed type match" error=-13
profile="lxc-container-default-with-mounting"
name="/sys/fs/cgroup/systemd/" pid=29377 comm="systemd"
fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
* Jul 21 12:10:07 virt-host kernel: [508499.438529] audit: type=1400
audit(1469067007.835:3227): apparmor="DENIED" operation="mount"
info="failed type match" error=-13
profile="lxc-container-default-with-mounting"
name="/sys/fs/cgroup/systemd/" pid=29377 comm="systemd"
fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"

If I then change the apparmor profile to unconfined and re-run, I see
the following in the host dmesg

* [508796.382044] audit: type=1400 audit(1469067304.766:3230):
apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
name="/etc/ld.so.preload" pid=5259 comm="cupsd" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
* [508796.395527] audit: type=1400 audit(1469067304.782:3231):
apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
name="/etc/ld.so.preload" pid=5266 comm="cups-exec"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
* [508796.395578] audit: type=1400 audit(1469067304.782:3232):
apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
name="/etc/ld.so.preload" pid=5265 comm="cups-exec"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
* [508796.395778] audit: type=1400 audit(1469067304.782:3233):
apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
name="/etc/ld.so.preload" pid=5265 comm="dbus" requested_mask="r"
denied_mask="r" fsuid=7 ouid=0
* [508796.398616] audit: type=1400 audit(1469067304.782:3234):
apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
name="/etc/ld.so.preload" pid=5266 comm="dbus" requested_mask="r"
denied_mask="r" fsuid=7 ouid=0

It's worth noting that the legacy LXC approach outlined in the first
link above still works on this host (so I have a legacy style lxc
container which works). The legacy style config is notably different in
its id maps

* lxc.id_map = u 0 100000 1000
* lxc.id_map = g 0 100000 1000
* lxc.id_map = u 1000 1000 1
* lxc.id_map = g 1000 1000 1
* lxc.id_map = u 1001 101001 64535
* lxc.id_map = g 1001 101001 64535

vs the default.
If I try to use the above map, the container won't start. I can use the
following map (created a new profile and then created the test container
using that profile + default) and it will start, but doesn't address
the access problem

* lxc.id_map = u 400000 1000 1
* lxc.id_map = g 400000 1000 1

I also tried adding

* lxc.id_map = u 1001 401001 64535
* lxc.id_map = g 1001 401001 64535

But that didn't help and the 1000 1000 mapping prevented the container
from starting.


DOES ANYONE HAVE ANY INSIGHTS OR SUGGESTIONS?
Muneeb Ahmad
2016-07-26 11:35:30 UTC
Thank you for your reply. I tried the way you suggested. Ran an lxc cirros
container and replaced lxd container's rootfs with lxc container's.
Restarted it and when I try to enter it with 'lxc exec <name> /bin/bash',
nothing happens.
In lxc.log, I get an error. Any ideas?
"ERROR lxc_attach - attach.c:lxc_attach_run_command:1226 - No such file
or directory - failed to exec '/bin/bash'"
Post by Serge E. Hallyn
Post by Muneeb Ahmad
Hi guys,
First of all I greatly appreciate the work you guys have been doing.
My question is about CirrOS. I have deployed OpenStack with nova-lxd
through devstack. Is there any way I can run CirrOS on it? As far as I read,
it's not available for LXD yet. Any help?
Odd, that surprises me, I thought images.linuxcontainers.org had that. But,
you create a lxc cirros container, create a dummy lxd container, copy the
lxc rootfs over into it, then (once verified everything is working) publish
that lxd container as a new image that you can launch containers from. It's
a hassle, but only the first time.
_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users
Serge E. Hallyn
2016-07-26 13:36:21 UTC
Well, cirros does not in fact have /bin/bash :) Try /bin/sh.
Post by Muneeb Ahmad
Thank you for your reply. I tried the way you suggested. Ran an lxc cirros
container and replaced lxd container's rootfs with lxc container's.
Restarted it and when I try to enter it with 'lxc exec <name> /bin/bash',
nothing happens.
In lxc.log, I get an error. Any ideas?
"ERROR lxc_attach - attach.c:lxc_attach_run_command:1226 - No such file
or directory - failed to exec '/bin/bash'"
Post by Serge E. Hallyn
Post by Muneeb Ahmad
Hi guys,
First of all I greatly appreciate the work you guys have been doing.
My question is about CirrOS. I have deployed OpenStack with nova-lxd
through devstack. Is there any way I can run CirrOS on it? As far as I read,
it's not available for LXD yet. Any help?
Odd, that surprises me, I thought images.linuxcontainers.org had that. But,
you create a lxc cirros container, create a dummy lxd container, copy the
lxc rootfs over into it, then (once verified everything is working) publish
that lxd container as a new image that you can launch containers from. It's
a hassle, but only the first time.
Muneeb Ahmad
2016-07-26 16:15:20 UTC
I didn't know that. Thank you very much. It worked!
Post by Serge E. Hallyn
Well, cirros does not in fact have /bin/bash :) Try /bin/sh.
Post by Muneeb Ahmad
Thank you for your reply. I tried the way you suggested. Ran an lxc cirros
container and replaced lxd container's rootfs with lxc container's.
Restarted it and when I try to enter it with 'lxc exec <name> /bin/bash',
nothing happens.
In lxc.log, I get an error. Any ideas?
"ERROR lxc_attach - attach.c:lxc_attach_run_command:1226 - No such file
or directory - failed to exec '/bin/bash'"
Post by Serge E. Hallyn
Post by Muneeb Ahmad
Hi guys,
First of all I greatly appreciate the work you guys have been doing.
My question is about CirrOS. I have deployed OpenStack with nova-lxd
through devstack. Is there any way I can run CirrOS on it? As far as I read,
it's not available for LXD yet. Any help?
Odd, that surprises me, I thought images.linuxcontainers.org had that. But,
you create a lxc cirros container, create a dummy lxd container, copy the
lxc rootfs over into it, then (once verified everything is working) publish
that lxd container as a new image that you can launch containers from. It's
a hassle, but only the first time.
rob e
2016-07-21 08:18:29 UTC
I'm trying to use an LXD based container to run desktop applications on
my standard desktop, in much the same way as this
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

So far I can run an application in a Xephyr screen (essentially an X
"subscreen") but not on the host desktop (ultimate aim)

For a Xephyr screen
1) Install Xephyr
2) run Xephyr with "Xephyr -a -br -noreset -name xephyr_screen_101
-title Browse_Danger -screen 1800x1080 :101"
3) log into the container and run the program, directing output to
display 101, i.e.
a) lxc exec <container-name> bash
b) DISPLAY=:101 firefox
4) Firefox will duly appear on the Xephyr screen

To run this from outside the container
1) Create a shell program inside the container, containing just the
command in 3b, i.e.
#!/bin/bash
DISPLAY=:101 firefox
2) Make the program executable, i.e. chmod ug+x <shell-program-above>, and
possibly change ownership
3) Execute with
lxc exec <container-name> su <user name> -- <shell-program-above>

The minimum config required to make this work seems to be

name: <container-name>
profiles:
- default
config:
  raw.lxc: lxc.aa_profile=lxc-container-default-with-mounting
devices:
  root:
    path: /
    type: disk
  x11-unix:
    path: /tmp/.X11-unix
    source: /tmp/.X11-unix
    type: disk
ephemeral: false


By adding a few more mounts we can get a full desktop for user = <user>
to run in Xephyr, e.g.

devices:
  dri:
    path: /dev/dri
    source: /dev/dri
    type: disk
  iceauthority-<user>:
    path: /home/<user>/.ICEauthority
    source: /home/<user>/.ICEauthority
    type: disk
  root:
    path: /
    type: disk
  x11-unix:
    path: /tmp/.X11-unix
    source: /tmp/.X11-unix
    type: disk
  xauthority-<user>:
    path: /home/<user>/.Xauthority
    source: /home/<user>/.Xauthority
    type: disk
ephemeral: false

Obviously we needed to have added <user> first and ensure the home
directory was created (should be created when using "adduser") and then
run the desktop whilst logged in as <user>

No matter what I do I cannot get a program to display on the host screen,
e.g. DISPLAY=:0 firefox. This returns an error message

$ DISPLAY=:0 firefox
No protocol specified
Failed to connect to Mir: Failed to connect to server socket: No
such file or directory
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :0

These messages turn up in the host dmesg ... but I'm a bit suspicious of
the apparmor messages, they may be red herrings (should I be?)

* [508499.335953] audit: type=1400 audit(1469067007.731:3225):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="lxd-xenial-browse-danger-test_</var/lib/lxd>" pid=29368
comm="apparmor_parser"
* [508499.342613] device vethO9YPDN entered promiscuous mode
* [508499.342650] IPv6: ADDRCONF(NETDEV_UP): vethO9YPDN: link is not ready
* [508499.385405] eth0: renamed from vethE393S7
* [508499.408826] IPv6: ADDRCONF(NETDEV_CHANGE): vethO9YPDN: link
becomes ready
* [508499.408877] lxcbr0: port 4(vethO9YPDN) entered forwarding state
* [508499.408886] lxcbr0: port 4(vethO9YPDN) entered forwarding state
* [508499.438414] audit: type=1400 audit(1469067007.835:3226):
apparmor="DENIED" operation="mount" info="failed type match"
error=-13 profile="lxc-container-default-with-mounting"
name="/sys/fs/cgroup/systemd/" pid=29377 comm="systemd"
fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
* [508499.438529] audit: type=1400 audit(1469067007.835:3227):
apparmor="DENIED" operation="mount" info="failed type match"
error=-13 profile="lxc-container-default-with-mounting"
name="/sys/fs/cgroup/systemd/" pid=29377 comm="systemd"
fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
* [508514.445340] lxcbr0: port 4(vethO9YPDN) entered forwarding state

and from the host Syslog

* Jul 21 12:10:07 virt-host kernel: [508499.438414] audit: type=1400
audit(1469067007.835:3226): apparmor="DENIED" operation="mount"
info="failed type match" error=-13
profile="lxc-container-default-with-mounting"
name="/sys/fs/cgroup/systemd/" pid=29377 comm="systemd"
fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
* Jul 21 12:10:07 virt-host kernel: [508499.438529] audit: type=1400
audit(1469067007.835:3227): apparmor="DENIED" operation="mount"
info="failed type match" error=-13
profile="lxc-container-default-with-mounting"
name="/sys/fs/cgroup/systemd/" pid=29377 comm="systemd"
fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"

If I then change the apparmor profile to unconfined and re-run, I see
the following in the host dmesg

* [508796.382044] audit: type=1400 audit(1469067304.766:3230):
apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
name="/etc/ld.so.preload" pid=5259 comm="cupsd" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
* [508796.395527] audit: type=1400 audit(1469067304.782:3231):
apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
name="/etc/ld.so.preload" pid=5266 comm="cups-exec"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
* [508796.395578] audit: type=1400 audit(1469067304.782:3232):
apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
name="/etc/ld.so.preload" pid=5265 comm="cups-exec"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
* [508796.395778] audit: type=1400 audit(1469067304.782:3233):
apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
name="/etc/ld.so.preload" pid=5265 comm="dbus" requested_mask="r"
denied_mask="r" fsuid=7 ouid=0
* [508796.398616] audit: type=1400 audit(1469067304.782:3234):
apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
name="/etc/ld.so.preload" pid=5266 comm="dbus" requested_mask="r"
denied_mask="r" fsuid=7 ouid=0

It's worth noting that the legacy LXC approach outlined in the first
link above still works on this host (so I have a legacy style lxc
container which works). The legacy style config is notably different in
its id maps

* lxc.id_map = u 0 100000 1000
* lxc.id_map = g 0 100000 1000
* lxc.id_map = u 1000 1000 1
* lxc.id_map = g 1000 1000 1
* lxc.id_map = u 1001 101001 64535
* lxc.id_map = g 1001 101001 64535

vs the default.
If I try to use the above map, the container won't start. I can use the
following map (created a new profile and then created the test container
using that profile + default) and it will start, but doesn't address
the access problem

* lxc.id_map = u 400000 1000 1
* lxc.id_map = g 400000 1000 1

I also tried adding

* lxc.id_map = u 1001 401001 64535
* lxc.id_map = g 1001 401001 64535

But that didn't help and the 1000 1000 mapping prevented the container
from starting.
It seems odd that Xephyr screens are painted OK but the host screen :0
isn't. And if it's an apparmor problem, how come "unconfined" is
confining it?

DOES ANYONE HAVE ANY INSIGHTS OR SUGGESTIONS?
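The dmesg and syslog lines quoted above are easier to reason about once each audit record is split into its fields. The following Python is an added example, not code from rob e's post or from LXD: it parses AppArmor audit lines of the shape shown above into key/value dicts and counts the DENIED records per profile. Run over a constructed sample made from the lines in the post (joined back onto one line each), it separates the two mount denials issued under the container's lxc-container-default-with-mounting profile from the open denials issued under the /usr/sbin/cupsd profile (cups' own profile, not the container profile), which is the first thing to check before treating any denial as related to the display problem being debugged.

```python
import re
from collections import Counter

# Constructed sample: a few of the dmesg lines quoted in the post above,
# one record per line (the originals wrap across several lines when mailed).
SAMPLE_DMESG = """\
[508499.335953] audit: type=1400 audit(1469067007.731:3225): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-xenial-browse-danger-test_</var/lib/lxd>" pid=29368 comm="apparmor_parser"
[508499.342613] device vethO9YPDN entered promiscuous mode
[508499.438414] audit: type=1400 audit(1469067007.835:3226): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/sys/fs/cgroup/systemd/" pid=29377 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[508499.438529] audit: type=1400 audit(1469067007.835:3227): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/sys/fs/cgroup/systemd/" pid=29377 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[508796.382044] audit: type=1400 audit(1469067304.766:3230): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=5259 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[508796.395778] audit: type=1400 audit(1469067304.782:3233): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=5265 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
"""

# key="quoted value" or key=bare_value; quoted values may contain spaces and commas
# (the flags="rw, nosuid, nodev, noexec" field is the case that breaks naive splitting).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one AppArmor audit record into a dict of its key/value fields.
    Returns None for kernel lines that are not apparmor records (veth, bridge, ...)."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def denials(text):
    """Return only the records whose apparmor field is DENIED, in log order."""
    out = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is not None and rec.get("apparmor") == "DENIED":
            out.append(rec)
    return out


def denials_by_profile(text):
    """Count denials per (profile, operation, name): this view shows which
    confinement profile is actually doing the denying."""
    return Counter((r["profile"], r["operation"], r["name"]) for r in denials(text))


def profiles_involved(text):
    """Sorted list of the distinct profiles that produced a denial."""
    return sorted({r["profile"] for r in denials(text)})


if __name__ == "__main__":
    for (profile, op, name), n in denials_by_profile(SAMPLE_DMESG).items():
        print(f"{n}x {op:6} {name:28} denied by profile {profile}")
```

The same functions work on `journalctl -k` or syslog output, since the `key=value` part of each record is identical; only the prefix before `audit:` differs, and the parser ignores it.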
brian mullan
2016-07-21 19:53:53 UTC
Rob

If you want to run single apps from the container like with Microsoft's
RemoteApp then a really simple way to accomplish it is with x2go & the x2go
published applications
<http://wiki.x2go.org/doku.php/wiki:advanced:published-applications>
capability.

I just configured a new LXD container. It's simple to setup/configure and
sound, printing, shared folders all work

*Step #1*

Create a privileged container & configure it to autostart:

# Launch an Ubuntu xenial 16.04 64 bit container and name it cn1. We are
launching CN1 as a
# PRIVILEGED container:

lxc launch images:ubuntu/xenial/amd64 cn1 -c security.privileged=true

# set LXC container CN1 to autostart when the Host is rebooted

lxc config set cn1 boot.autostart 1

*Step #2*

$ lxc exec cn1 bash

# you will be logged into the CN1 container as root so just execute the
following to install
# Ubuntu-Mate Desktop

Note: you can put all of the following in a bash script..

# Install a desktop in it (I use Ubuntu-Mate:

echo "deb http://archive.canonical.com/ubuntu xenial partner" | tee -a
/etc/apt/sources.list
echo "deb-src http://archive.canonical.com/ubuntu xenial partner" | tee -a
/etc/apt/sources.list
echo "deb http://us.archive.ubuntu.com/ubuntu/ xenial-backports main
restricted universe multiverse" | tee -a /etc/apt/sources.list
echo "deb-src http://us.archive.ubuntu.com/ubuntu/ xenial-backports main
restricted universe multiverse" | tee -a /etc/apt/sources.list

# update & upgrade container
apt-get update
apt-get upgrade -y

# install apt
apt-get install apt -y

# From here on we can use apt to update Everything
apt dist-upgrade -y

#Install miscellaneous

apt install pulseaudio pulseaudio-utils alsa-base alsa-utils
linux-sound-base gstreamer1.0-pulseaudio gstreamer1.0-alsa libpulse-dev -y

# Install UBUNTU-MATE desktop environment as default for all users
including ones added in the # future

add-apt-repository ppa:ubuntu-mate-dev/xenial-mate -y
add-apt-repository ppa:x2go/stable

apt update

apt install lightdm ubuntu-mate-core ubuntu-mate-desktop ufw
ubuntu-restricted-extras ubuntu-restricted-addons -y

echo "Desktop Install Done"

# Configure the Xsession file default desktop environment change ALL future
User additions to default xsession to be UBUNTU-MATE

update-alternatives --set x-session-manager /usr/bin/mate-session

# and some gui based useful tools that aren't included in the
minimal-xubuntu-desktop

apt install gdebi synaptic gedit wget git terminator network-manager -y

apt install x2goserver x2goserver-xsession

adduser yourID and password in the container and any others you want to add
as users.

# reboot

*Step #3*

On the host all you have to do is install the x2go client

add-apt-repository ppa:x2go/stable

apt update

apt install x2goclient

*Step #4*

launch the x2goclient & follow the directions on the x2go published
applications page (use the IP of your container)

In the x2goclient when you create the Published Application "profile" click
on the connection tab and slide it all the way to the right so x2go doesn't
waste cpu doing any compression.

Save that new Published Application Profile and it will move to the right
side of the x2goclient menu.

Click on it & answer yes to the ssh question on adding the new server.

Look on your top menu bar and you will notice 2 new icons shown. Click on
the one that has the little seal icon on it (that's HOCA, the mascot for
x2go) and you will see
a pull down menu item called Published Applications.

Click on any one of those and they will startup in the container but be
displayed on your Host Desktop,

x2go has clients for Linux, Mac and Windows as well as a python client.
All are open source.

Brian
rob e
2016-07-21 21:33:15 UTC
Thanks Brian,
yes, I have about 4 of those running - unprivileged :) And I've had a go
with TigerVNC (which supports 3d capabilities currently lacking in X2Go).
I can run current versions of KDE and Unity on Xephyr, which I currently
cannot with X2Go

But for this use case, I want desktop integration from an unprivileged
container. I have achieved it with LXC on Ubuntu 16.04... but was hoping
to be able to use LXD. It feels like I'm so close ... just missing
something, probably quite trivial once you know how ... I wish I knew how

Currently I have the following containers
- Mythtv Backend (unprivileged, but with special user mappings which
mean it can write to host devices when they're mounted in)
- Proxy with Openvpn and Dante
- Development - X2Go with Mate
- Browsing, semi secure, X2Go with Mate
- Desktop integrated browsing - Unsecure with Mate, on either Xephyr or
Host desktop BUT running as lxc-start, i.e. legacy format
- Various other experimental containers, including one with KDE, X2Go,
Xephyr and TigerVNC

Somewhat surprisingly current KDE is quite useful with X2Go as long as
you autostart some applications, particularly dolphin and konsole ...
then others can be started. You just won't have the panels etc. I
haven't spent too much time with it because it's not close enough to
what I want to achieve.

thanks again
Rob
Post by brian mullan
Rob
If you want to run single apps from the container like with Microsoft's
RemoteApp then a really simple way to accomplish it is with x2go & the
x2go published applications
<http://wiki.x2go.org/doku.php/wiki:advanced:published-applications>
capability.
I just configured a new LXD container. It's simple to setup/configure
and sound, printing, shared folders all work
*Step #1*
# Launch an Ubuntu xenial 16.04 64 bit container and name it cn1. We
are launching CN1 as a
lxc launch images:ubuntu/xenial/amd64 cn1 -c security.privileged=true
# set LXC container CN1 to autostart when the Host is rebooted
lxc config set cn1 boot.autostart 1
*Step #2*
$ lxc exec cn1 bash
# you will be logged into the CN1 container as root so just execute
the following to install
# Ubuntu-Mate Desktop
Note: you can put all of the following in a bash script..
echo "deb http://archive.canonical.com/ubuntu xenial partner" | tee -a
/etc/apt/sources.list
echo "deb-src http://archive.canonical.com/ubuntu xenial partner" |
tee -a /etc/apt/sources.list
echo "deb http://us.archive.ubuntu.com/ubuntu/ xenial-backports main
restricted universe multiverse" | tee -a /etc/apt/sources.list
echo "deb-src http://us.archive.ubuntu.com/ubuntu/ xenial-backports
main restricted universe multiverse" | tee -a /etc/apt/sources.list
# update & upgrade container
apt-get update
apt-get upgrade -y
# install apt
apt-get install apt -y
# From here on we can use apt to update Everything
apt dist-upgrade -y
#Install miscellaneous
apt install pulseaudio pulseaudio-utils alsa-base alsa-utils
linux-sound-base gstreamer1.0-pulseaudio gstreamer1.0-alsa libpulse-dev -y
# Install UBUNTU-MATE desktop environment as default for all users
including ones added in the # future
add-apt-repository ppa:ubuntu-mate-dev/xenial-mate -y
add-apt-repository ppa:x2go/stable
apt update
apt install lightdm ubuntu-mate-core ubuntu-mate-desktop ufw
ubuntu-restricted-extras ubuntu-restricted-addons -y
echo "Desktop Install Done"
# Configure the Xsession file default desktop environment change ALL
future User additions to default xsession to be UBUNTU-MATE
update-alternatives --set x-session-manager /usr/bin/mate-session
# and some gui based useful tools that aren't included in the
minimal-xubuntu-desktop
apt install gdebi synaptic gedit wget git terminator network-manager -y
apt install x2goserver x2goserver-xsession
adduser yourID and password in the container and any others you want
to add as users.
# reboot
*Step #3*
On the host all you have to do is install the x2go client
add-apt-repository ppa:x2go/stable
apt update
apt install x2goclient
*Step #4*
launch the x2goclient & follow the directions on the x2go published
applications page (use the IP of your container)
In the x2goclient when you create the Published Application "profile"
click on the connection tab and slide it all the way to the right so
x2go doesn't waste cpu doing any compression.
Save that new Published Application Profile and it will move to the
right side of the x2goclient menu.
Click on it & answer yes to the ssh question on adding the new server.
Look on your top menu bar and you will notice 2 new icons shown.
Click on the one that has the little seal icon on it (that's HOCA, the
mascot for x2go) and you will see
a pull down menu item called Published Applications.
Click on any one of those and they will startup in the container but
be displayed on your Host Desktop,
x2go has clients for Linux, Mac and Windows as well as a python
client. All are open source.
Brian
Fajar A. Nugraha
2016-07-22 08:31:18 UTC
Post by rob e
thanks Brian,
yes, I have about 4 of those running - unprivileged :) And I've had a go
with TigerVNC (which supports 3d capabilities currently lacking in X2Go).
I can run current versions of KDE and Unity on Xephyr, which I currently
cannot with X2Go
3d support is kinda weird with virtual displays. At least so in xrdp:
- xrdp is supposed to support remotefx which 'allows the end user to
work remotely in a Windows Aero desktop environment, watch videos and
run 3-D applications with performance that is close to a native
desktop experience' when enabled and configured correctly (i.e. you
have certain libraries, and enable certain configure switches). IIRC
there was a compile error last time I tried enabling it (long time
ago, memory kinda hazy)
- the default vnc display supports 3d (at least glxgears run), but
does not support text copy-paste
- x11rdp support text copy-paste, but does not support 3d
- xrdp's xorg module supports 3d and text copy-paste, but somehow
breaks autologin (when user/password saved by windows)

I wonder if your tigervnc solution properly supports text copy-paste
between local and remote desktop.
Post by rob e
But for this use case, I want desktop integration from an unprivileged
container. I have achieved it with LXC on Ubuntu 16.04... but was hoping to
be able to use LXD. It feels like I'm so close ... just missing something,
probably quite trivial once you know how ... I wish i knew how
IIRC you can NOT have custom uid mappings in lxd. It's either
privileged, or use-the-same-unprivileged-mapping-for-all-containers.

The workaround would PROBABLY be (untested) to have an unpriv user in
the CONTAINER (e.g. uid 100 in the container, which translates to uid
100100 in the host), then manually create a user with uid 100100 in
the HOST (e.g "unpriv_user"), grant the necessary privilege to it
(i.e. make it so that the user can login to the host, start GUI
including pulseaudio, and so on), and redo your setup. So you can skip
the specific-user-mapping step.
--
Fajar
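Fajar's arithmetic (container uid 100 landing on host uid 100100 under the default map) and the legacy lxc.id_map lines in rob e's post follow the same rule: each id_map entry maps `count` ids starting at `container_start` onto host ids starting at `host_start`. The Python below is an added example, not code from either post or from LXC/LXD. It parses id_map lines, translates ids in both directions, and flags entries whose host range lies outside the subordinate id ranges granted to the container's owner, which is the usual reason a mapping is refused at start. The ALLOWED_HOST_RANGES value and the DEFAULT_MAP entry are constructed assumptions for the example; on a real host the granted ranges come from /etc/subuid and /etc/subgid, and the default map is whatever the LXD daemon was given.

```python
from dataclasses import dataclass

# Legacy LXC map quoted in rob e's post (id_map = type container_start host_start count).
LEGACY_MAP = """\
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
"""

# Assumed single-range unprivileged map, consistent with Fajar's "uid 100 -> 100100".
DEFAULT_MAP = """\
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""

# Constructed stand-in for the ranges granted in /etc/subuid and /etc/subgid:
# (first_host_id, count) pairs the container owner is allowed to map.
ALLOWED_HOST_RANGES = [(100000, 65536)]


@dataclass(frozen=True)
class IdMap:
    kind: str            # "u" for uids, "g" for gids
    container_start: int
    host_start: int
    count: int

    def covers_container(self, cid):
        return self.container_start <= cid < self.container_start + self.count

    def covers_host(self, hid):
        return self.host_start <= hid < self.host_start + self.count


def parse_id_maps(text):
    """Parse 'lxc.id_map = <u|g> <container_start> <host_start> <count>' lines;
    other lines (blank, comments, mailing-list '*' bullets) are ignored."""
    maps = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("*").strip()
        if not line.startswith("lxc.id_map"):
            continue
        _, _, value = line.partition("=")
        kind, cstart, hstart, count = value.split()
        maps.append(IdMap(kind, int(cstart), int(hstart), int(count)))
    return maps


def to_host_id(maps, kind, cid):
    """Host id backing container id `cid` of kind `kind`, or None if no entry
    covers it (such an id cannot be used by a process inside the container)."""
    for m in maps:
        if m.kind == kind and m.covers_container(cid):
            return m.host_start + (cid - m.container_start)
    return None


def to_container_id(maps, kind, hid):
    """Container id a host id appears as inside the container, or None when it
    is unmapped (unmapped files show up as nobody/nogroup in the container)."""
    for m in maps:
        if m.kind == kind and m.covers_host(hid):
            return m.container_start + (hid - m.host_start)
    return None


def entries_outside_allowed(maps, allowed):
    """Entries whose host range is not fully inside one granted (start, count)
    range. In the legacy map that is exactly the '1000 1000 1' pair."""
    def inside(m):
        return any(start <= m.host_start and m.host_start + m.count <= start + count
                   for start, count in allowed)
    return [m for m in maps if not inside(m)]


if __name__ == "__main__":
    legacy = parse_id_maps(LEGACY_MAP)
    print("legacy: container uid 1000 ->", to_host_id(legacy, "u", 1000))
    print("default: container uid 100 ->", to_host_id(parse_id_maps(DEFAULT_MAP), "u", 100))
    for m in entries_outside_allowed(legacy, ALLOWED_HOST_RANGES):
        print("not within granted ranges:", m)
```

With the constructed grant, the legacy map's two `1000 1000 1` entries are the ones reported, and the default map reports nothing: that is the check to run against the real /etc/subuid and /etc/subgid before expecting a custom map to start.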
rob e
2016-07-22 09:45:10 UTC
Post by Fajar A. Nugraha
Post by rob e
thanks Brian,
yes, I have about 4 of those running - unprivileged :) And I've had a go
with TigerVNC (which supports 3d capabilities currently lacking in X2Go).
I can run current versions of KDE and Unity on Xephyr, which I currently
cannot with X2Go
- xrdp is supposed to support remotefx which 'allows the end user to
work remotely in a Windows Aero desktop environment, watch videos and
run 3-D applications with performance that is close to a native
desktop experience' when enabled and configured correctly (i.e. you
have certain libraries, and enable certain configure switches). IIRC
there was a compile error last time I tried enabling it (long time
ago, memory kinda hazy)
- the default vnc display supports 3d (at least glxgears run), but
does not support text copy-paste
- x11rdp support text copy-paste, but does not support 3d
- xrdp's xorg module supports 3d and text copy-paste, but somehow
breaks autologin (when user/password saved by windows)
I wonder if your tigervnc solution properly supports text copy-paste
between local and remote desktop.
Post by rob e
But for this use case, I want desktop integration from an unprivileged
container. I have achieved it with LXC on Ubuntu 16.04... but was hoping to
be able to use LXD. It feels like I'm so close ... just missing something,
probably quite trivial once you know how ... I wish i knew how
IIRC you can NOT have custom uid mappings in lxd. It's either
privileged, or use-the-same-unprivileged-mapping-for-all-containers.
The workaround would PROBABLY be (untested) to have an unpriv user in
the CONTAINER (e.g. uid 100 in the container, which translates to uid
100100 in the host), then manually create a user with uid 100100 in
the HOST (e.g "unpriv_user"), grant the necessary privilege to it
(i.e. make it so that the user can login to the host, start GUI
including pulseaudio, and so on), and redo your setup. So you can skip
the specific-user-mapping step.
thanks Fajar,
TigerVNC works with Xenial's standard version of KDE (Plasma 5) whereas
X2Go will not. I use KRDC on the host to access TigerVNC running on the
container and it works nicely. And Tigervnc supports copy and paste (I
just checked it).

I do have user mappings on LXD, that's how I run myth backend in a
container, accessing a mount from the host. See this post

https://gist.github.com/bloodearnest/ebf044476e70c4baee59c5000a10f4c8

Use the code on that page to create a new profile. Then create a
container with the profile eg. "lxc init <container-name> -p <your-id>
-p default". I had a little trouble where profiles could become
"disconnected" from the container so I now edit the container config to
reflect the profile entries (which is why I use "init" rather than
"launch"). And I don't map my home directory into the container, map
other mounts instead.

This is working very well for me.