Running Xephyr inside a docker container

Question

I am trying to run the nested X-server Xephyr inside a docker container with direct access to the X11 socket, but I am getting weird graphical errors which I currently do not understand.

The contents of the Dockerfile are just

FROM ubuntu:14.04

RUN apt-get update
RUN apt-get install -qqy xserver-xephyr

# Clean up APT when done.
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

Building it with

sudo docker build -t xephyrtest .

and running it with

sudo docker run -e DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix xephyrtest Xephyr :1

outputs the following:

Xephyr unable to use SHM XImages
Initializing built-in extension Generic Event Extension
Initializing built-in extension SHAPE
Initializing built-in extension MIT-SHM
Initializing built-in extension XInputExtension
Initializing built-in extension XTEST
Initializing built-in extension BIG-REQUESTS
Initializing built-in extension SYNC
Initializing built-in extension XKEYBOARD
Initializing built-in extension XC-MISC
Initializing built-in extension SECURITY
Initializing built-in extension XINERAMA
Initializing built-in extension XFIXES
Initializing built-in extension RENDER
Initializing built-in extension RANDR
Initializing built-in extension COMPOSITE
Initializing built-in extension DAMAGE
Initializing built-in extension MIT-SCREEN-SAVER
Initializing built-in extension DOUBLE-BUFFER
Initializing built-in extension RECORD
Initializing built-in extension DPMS
Initializing built-in extension Present
Initializing built-in extension DRI3
Initializing built-in extension X-Resource
Initializing built-in extension XVideo
Initializing built-in extension XVideo-MotionCompensation
Initializing built-in extension SELinux
Initializing built-in extension GLX
[dix] Could not init font path element /usr/share/fonts/X11/cyrillic, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/100dpi/:unscaled, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/75dpi/:unscaled, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/Type1, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/100dpi, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/75dpi, removing from list!

Here, the first line Xephyr unable to use SHM XImages seems to be the most important, since it doesn't show up on my host where Xephyr is working properly.

Although a Xephyr window pops up, apps using the :1 display show weird glitches. E.g. DISPLAY=:1 gedit looks like this (and the output changes rapidly when the mouse is moving within the window):

What does SHM XImages mean and how can I fix it's unavailability within a container?

Answer 1

It turned out that it is actually pretty easy to run Xephyr within a docker container since Docker 1.5 using the command

sudo docker run -e DISPLAY -v /tmp:/tmp --ipc=host --pid=host xephyrtest Xephyr :1

The two additional parameters are

• --ipc=host allows the container to use the same IPC namespace as the host and hence also has access to the same shared memory segments
• --pid=host lets the container see (and modify) the processes of the host. This is necessary, since X server port locking is done via /tmp/.Xi-lock lock files (replace i with your display port), which contains the pid of the X server running on port i.

You also have to change -v /tmp/.X11-unix:/tmp/.X11-unix to -v /tmp:/tmp in order to access the lock files in addition to the X11 unix socket within the container.

Although this works pretty well, you have to be aware that the two additional parameters and the access to the host's /tmp folder grant the container significant privileges which might pose a security risk in certain situations.