Running X11 Software in Incus Container?

NetSpasibo79 · October 27, 2023, 12:05am

Previously, when I ran LXD via snap on Debian, running X11 applications in containers wasn’t easy but ti was doable.

I’ve since switched to Incus and am having a heck of a time following the old LXD instructions Blog Simos

Has anyone had success getting X11 within Incus up and runnig?

Specs:
Host: Debian 12
Guest: Ubuntu 22.04 (though I would prefer using Debian 12 in the container but Simos’ instructions seem pretty specific to Ubuntu guests)
Obviously, SNAP is not in play.

Errors within the container:
If profile is config’d as follows:

connect: unix:@/tmp/.X11-unix/X0
listen: unix:@/tmp/.X11-unix/X0

when I execute “xclock” in the container, I get:

Authorization required, but no authorization protocol specified

Error: Can't open display: :0

If profile is config’d as follows:

    connect: unix:@/tmp/.X11-unix/X1
    listen: unix:@/tmp/.X11-unix/X0

when I execute “xclock” in the container, I get:

Error: Can't open display: :0

Now, one thing I don’t have is any special subguid or subuid mappings in part because I never had to mess with those when using LXD (due to SNAP handling that)

Any ideas?

Thank you as always!

stgraber · October 27, 2023, 4:07am

You usually want security.uid and security.gid to be set to your user’s uid/gid on the host.

That’s because most X servers these days control access based on the user credential of whatever connects to the socket. With your current configuration, that connection would happen as root (uid/gid 0) when the X server is most likely configured to only allow your current user to talk to it.

NetSpasibo79 · October 27, 2023, 5:52pm

Stephane:
Thank you for the response!
What would be the best approach to accomplish this?

Thank you!

stgraber · October 27, 2023, 7:07pm

Use incus config device set to set security.uid and security.gid on your proxy device.

NetSpasibo79 · October 27, 2023, 7:39pm

Will I have to modify the profile that I use from Simos Blog?

EDIT: Yes, that is where I needed to make the edit. This worked. Now to test audio

NetSpasibo79 · October 28, 2023, 7:59pm

Good afternoon, @stgraber.

So I have X11 running thanks to your help, but can’t figure pulseaudio.

This is my X11 profile:

config:
  environment.DISPLAY: :0
  environment.PULSE_SERVER: unix:/home/incus/pulse-native
  user.user-data: |
    #cloud-config
    runcmd:
      - 'sed -i "s/; enable-shm = yes/enable-shm = no/g" /etc/pulse/client.conf'
    packages:
      - x11-apps
      - mesa-utils
      - pulseaudio
description: GUI LXD profile
devices:
  PASocket1:
    bind: container
    connect: unix:/run/user/1922401103/pulse/native
    gid: "1000"
    listen: unix:/home/incus/pulse-native
    mode: "0777"
    security.gid: "1933400513"
    security.uid: "1933401103"
    type: proxy
    uid: "1000"
  X0:
    bind: container
    connect: unix:@/tmp/.X11-unix/X0
    listen: unix:@/tmp/.X11-unix/X0
    security.gid: "1933400513"
    security.uid: "1933401103"
    type: proxy
  mygpu:
    type: gpu
name: gui_internet
used_by:
- /1.0/instances/internet

I decide on using a Debian 12 guest because I do not like how Ubuntu forces snap on you. The security gid and uid are correct for my daily driver user on the host as I used Active Directory on my host to manage access and identity. I created the “incus” user within the guest much like “ubuntu” exists in ubuntu containers.

I install Chromium and navigated to youtube to test audio but unfortunately its not working. Here is the output:

incus@internet:~$ ALSA lib pulse.c:242:(pulse_connect) PulseAudio: Unable to connect: Timeout

[2893:2893:1028/195551.429358:ERROR:alsa_util.cc(204)] PcmOpen: default,Connection refused
E: [pulseaudio] main.c: Daemon startup failed.
ALSA lib pulse.c:242:(pulse_connect) PulseAudio: Unable to connect: Timeout

[2893:2893:1028/195621.457349:ERROR:alsa_util.cc(204)] PcmOpen: plug:default,Connection refused
ALSA lib pulse.c:242:(pulse_connect) PulseAudio: Unable to connect: Connection refused

[2893:2893:1028/195621.459747:ERROR:alsa_util.cc(204)] PcmOpen: default,Connection refused
ALSA lib pulse.c:242:(pulse_connect) PulseAudio: Unable to connect: Connection refused

[2893:2893:1028/195621.460126:ERROR:alsa_util.cc(204)] PcmOpen: plug:default,Connection refused

Unfortunately, systemctl isn’t much help:

Oct 28 19:55:53 internet systemd[151]: pulseaudio.service: start operation timed out. Terminating.
Oct 28 19:55:53 internet systemd[151]: pulseaudio.service: Failed with result 'timeout'.
Oct 28 19:55:53 internet systemd[151]: Failed to start pulseaudio.service - Sound Service.
Oct 28 19:55:53 internet systemd[151]: pulseaudio.service: Scheduled restart job, restart counter is at 7.
Oct 28 19:55:53 internet systemd[151]: Stopped pulseaudio.service - Sound Service.
Oct 28 19:55:53 internet systemd[151]: Starting pulseaudio.service - Sound Service...
Oct 28 19:56:10 internet pulseaudio[203]: Daemon already running.
Oct 28 19:56:10 internet pulseaudio[203]: pa_pid_file_create() failed.
Oct 28 19:57:23 internet systemd[151]: pulseaudio.service: start operation timed out. Terminating.
Oct 28 19:57:23 internet systemd[151]: pulseaudio.service: Failed with result 'timeout'.
Oct 28 19:57:23 internet systemd[151]: Failed to start pulseaudio.service - Sound Service.
Oct 28 19:57:24 internet systemd[151]: pulseaudio.service: Scheduled restart job, restart counter is at 8.
Oct 28 19:57:24 internet systemd[151]: Stopped pulseaudio.service - Sound Service.
Oct 28 19:57:24 internet systemd[151]: Starting pulseaudio.service - Sound Service...

Any ideas?
Thank you!

EDIT: I made some edits to the profile as follows:

config:
  environment.DISPLAY: :0
  environment.PULSE_SERVER: unix:/home/incus/pulse-native
  user.user-data: "#cloud-config\nruncmd:\n  - 'sed -i \"s/; enable-shm = yes/enable-shm
    = no/g\" /etc/pulse/client.conf'\npackages:\n  - x11-apps\n  - mesa-utils\n  -
    pulseaudio\nwrite_files:\n  - owner: root:root\n    permissions: '0644'\n    append:
    true\n    content: |\n      PULSE_SERVER=unix:/var/pulse-native\n    path: /etc/environment
    \n"
description: GUI LXD profile
devices:
  PASocket1:
    bind: container
    connect: unix:/run/user/1922401103/pulse/native
    gid: "1000"
    listen: unix:/var/pulse-native
    mode: "0777"
    security.gid: "1933400513"
    security.uid: "1933401103"
    type: proxy
    uid: "1000"
  X0:
    bind: container
    connect: unix:@/tmp/.X11-unix/X0
    listen: unix:@/tmp/.X11-unix/X0
    security.gid: "1933400513"
    security.uid: "1933401103"
    type: proxy
  mygpu:
    type: gpu
name: gui_internet
used_by:
- /1.0/instances/internet

Same result with same errors

nanjj · November 3, 2023, 1:15pm

Here I am trying to give another solution to run X11 software in incus container:

launch and install xrdp

$ incus launch images:ubuntu/22.04 x11
$ incus shell x11
# apt-get install gnome xrdp
# systemctl start xrdp.service
# shutdown -r now
$ incus list #=> get ip address

access xrdp

# on windows
C:\> mstsc
# on linux
$ rdesktop

If you can not access the container network directly
```
incus network forward create lxdbr0 ...
```

Everything should work correctly.

qkiel · November 16, 2023, 11:15pm

With pulseaudio have you tried to copy a pulseuadio cookie from host ~/.config/pulse/cookie to container?

lxc file push -p --mode=600 --gid=1000 --uid=1000 ~/.config/pulse/cookie <container_name>/home/ubuntu/.config/pulse/

I made a profile where it’s not necessary: