SSH to Docker container and run X11 on Mac Pro Host Machine

 So, I have an CoMA3 X11 app.  It is a genetic analysis pipeline.  I can run its Docker container on MAC OS like so:

docker run -it -e DISPLAY=$IP:0 -e XAUTHORITY=/.Xauthority --net=host --ipc=host -v /tmp/.X11-unix:/tmp/.X11-unix -v ~/.Xauthority:/.Xauthority -v $(pwd):/home sebh87/coma3 bash


 Actually, I have to change it to this:

docker run -it -e DISPLAY=host.docker.internal:0 -e XAUTHORITY=/.Xauthority --net=host --ipc=host -v /tmp/.X11-unix:/tmp/.X11-unix -v ~/.Xauthority:/.Xauthority -v $(pwd):/home sebh87/coma3 bash

but before running it I have to do this xhost + localhost.

It is not too bad since I am using .Xauthority's magic cookie for authentication.  The communication between my X11 client and server is over plan text so not so good.  I would like to run this over ssh instead.  So, I edited the original Dockerfile to this:

FROM sebh87/coma3:latest


RUN apt update && apt install  openssh-server sudo -y


RUN useradd -rm -d /home/ubuntu -s /bin/bash -g root -G sudo -u 1000 test 


RUN  echo 'test:test' | chpasswd


RUN service ssh start


EXPOSE 22


RUN apt install net-tools iputils-ping sudo -y


WORKDIR /usr/local/Pipeline/lotus2/usearch


RUN wget https://drive5.com/downloads/usearch11.0.667_i86linux32.gz


RUN gunzip *


RUN mv * usearch


RUN chmod 111 *


WORKDIR /usr/local/Pipeline


RUN mkdir projects


WORKDIR /usr/local/Pipeline/projects


RUN mkdir sample_data && cd sample_data && wget https://www2.uibk.ac.at/downloads/CoMA/CoMA_Tutorial.tar.gz && tar -xzf CoMA_Tutorial.tar.gz


WORKDIR /home


# adjust OpenSSH config

RUN echo "PermitUserEnvironment yes" >> /etc/ssh/sshd_config && \

  echo "X11Forwarding yes" >> /etc/ssh/sshd_config && \

  echo "X11UseLocalhost no" >> /etc/ssh/sshd_config


CMD ["/usr/sbin/sshd","-D"]


After that, I can do xhost - to block X11 connections all together.


So, now I can run docker like this:

docker run -p 2022:22 -d --rm -v $(pwd):/home private/coma3v7:latest

Note that I am mapping port 2022 because MAC host already has use for this port.

ssh -p 2022 test@0.0.0.0 

test@0.0.0.0's password: 

Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.10.124-linuxkit x86_64)


 * Documentation:  https://help.ubuntu.com

 * Management:     https://landscape.canonical.com

 * Support:        https://ubuntu.com/advantage


This system has been minimized by removing packages and content that are

not required on a system that users do not log into.


To restore this content, you can run the 'unminimize' command.

Last login: Fri Oct  7 03:09:25 2022 from 172.17.0.1

To run a command as administrator (user "root"), use "sudo <command>".

See "man sudo_root" for details.


test@bd3c4d0ffcb3:~$ env

_=/usr/bin/env

SSH_TTY=/dev/pts/0

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

SSH_CLIENT=172.17.0.1 64062 22

SHLVL=1

USER=test

TERM=xterm-256color

SSH_CONNECTION=172.17.0.1 64062 172.17.0.2 22

LANG=C.UTF-8

HOME=/home/ubuntu

MOTD_SHOWN=pam

TZ=Europe/Vienna

LOGNAME=test

PWD=/home/ubuntu

SHELL=/bin/bash

test@bd3c4d0ffcb3:~$ xeyes

Error: Can't open display: 

test@bd3c4d0ffcb3:~$ export DISPLAY=host.docker.internal:0

test@bd3c4d0ffcb3:~$ xeyes


That seems to work fine with a few security problems one being the password is in the Dockerfile.  Also the DISPLAY env var is set manually.  I guess this can be part of the Dockerfile as well and the SSH key can be saved in Docker secret and mount to the container at runtime.

If this is ran on a Linux instead of a Mac, things might be a little bit better because Docker behavior is a little different on Mac than it is on Linux host system.  I think Mac has a VM on it to make Docker work.  There is an extra layer of indirection I believe.  Could be wrong but I don't have enough interest to look deeper.

The advantage of no rely on "docker run" start the X11 session with ssh, I could reach the container app from anywhere routable.  The annoyance with the DISPLAY env var might be solvable with a little bit digging. 

Correction: xhost + <X server host name> still required.

Comments

Post a Comment

Popular posts from this blog

LB + amp agar plate protocol

Image
 LB + amp agar plate is used in bio labs often.  Preparing agar plates is a good skill to have.  Below are the steps or protocol to do it but I also an online protocol as reference.   The LB in powder form should have proportion information there.  The one I have say dissolve 40g of mix in 1 liter of water.  The 40g is a mixture of NaCL 10g, Trypton 10g, Yeast Extract 5g, and Agar 15g.  The plate I use is 100mm x 15mm.  Below is the scale for reference: I have 10 of these 100mm x 15mm plates and each will take 10mL to 15mL of agar.  If I select to do 10mL per plate so we need 10mL x 10 = 100mL of Agar.  If I select to do 15mL per plate then I would need 15mL x 10 = 150mL.  I feel 15mL is better to give me extra margin or error. I can take a 500mL bottle and will it up to 200mL of water + agar powder.  So, 40g/1.0 liter where 1.0 liter equals to 1000mL.  I can do the following algebra: 40g/1000mL = Xg/200mL then X = 8...
Read more

DevOps Madness

The problem with DevOps is there are too many technology to know.  The only way to manage DevOps work is follow some principles.  Here are some principles: Build self service infrastructure Build evolvable infrastructure Be anti-expertise Build disposable infrastructure Over communicate Do no harm Pay down technical debts AWS is a totally self service infrastructure.  They have great documentation, their GUI is intuitive, and they have great support to show you how things are done.  I can pretty much compose infrastructure on my own in AWS without needing to ask AWS engineers to build stuff for me.  Granted from time to time, I need to ask them to increase quotas.  DevOps should aim to provide same level of service to internal customers.  DevOps tools are constantly evolving, GitOps has gain acceptance in the field and it is a great thing.  GitOps is a great help in moving DevOps services toward a self service model.  Just do it until a b...
Read more