Citrix client within jail

[Alexander Leidinger]

Quoting André Olsson <Andre.olsson at c2solutions.se> (from Thu, 17 Jan  
2008 11:30:00 +0100):

> Hi
>
> we are trying to set up a client with FreeBSD 6.2-RELEASE as the   
> host OS and with two jails configured on it.
> Each jail is going to run a Citrix-client against two different   
> separated Citrix-systems.
>
> Since the user is going to work locally on the client we need it to   
> be possible to run both the X-server and the
> X-application (citrix client) from within the same jail.

You need kernel patches to be able to run an X-server in a jail. The  
trick is to allow access to /dev/mem (or some similar sensible device,  
can't remember from the top of my head) even from a jail. Then you  
need to add /dev/mem and some other devices to the jail (I use a  
custom ruleset for devfs). I only have patches for 7.x or -current  
(not online).

> Our goal is to connect one jail1 to one Display and the jail2 to   
> another Display and for the User to
> to jump inbetween the citrix-sessions ( Ctrl-Alt- F3...Ctrl-Alt-F4).

Because of the access to the /dev/mem, root of one jail can take over  
the entire machine. Below I will propose something different.

I don't know if it is possible to switch via Fx to different servers  
(I never tried this). You can have two graphic cards (or one with two  
outputs) in the machine and connect two screens (and optionally two  
keyboards/mice) to it, and have them displayed at the same time.

> * syntax to start xterm within jail
>
> ssh -f -X -T 192.168.0.155 xterm &
>
> " output from above syntax
> xterm Xt error: Cant open display: %s
> xterm: DISPLAY is not set

If you want to have the xterm displayed on the system where you ssh  
from, you need to check some things. Maybe the path to xauth is not  
set correctly in sshd (the path changed with a recent ports tree).

> We've never runned any X-applications within a jail before, only   
> bind,apache,mysql and such, but I hope
> I've made my question understandable anyway:)
> Maybe we are barkin up the wrong tree and there is an easier way to   
> connect 2 jails to 2 different
> local displays?

There are several. The following ones don't open up a side-channel  
between jails which have /dev/mem accessible.

You start the X-server(s) on the host (not in a jail), and in the  
startup you connect to the jails via a passwordless ssh-key and let  
the applications from the two jails display their stuff on the  
X-server of the host.

You start a vnc server in each jail and let the user connect to the  
vnc server either from the host with one X server running on it  
(alternatively you can connect to the vnc server from other machines).

Bye,
Alexander.

-- 
The value of a program is proportional to the weight of its output.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137