Running GUI applications in jails
Alexander Leidinger
Alexander at leidinger.net
Tue Jun 9 06:49:07 UTC 2020
Quoting squiggly foo <foo.squiggly at yandex.com> (from Mon, 08 Jun 2020
21:35:23 -0500):
> Hi Alexander,
>
> You seem to have a lot of experience with X11 so I'm happy to hear your advice.
> To answer your first question about where the graphical output needs to happen:
>
> I am not sure I am understanding your question, but I am using one computer for
> all of this. The Xserver component of X11 is running on this computer on the host
> (not jailed) and the xclients are the jailed gui applications. My basic problem is to
> make sure that jailed gui applications cannot access the keystrokes of other jailed gui
> applications. I guess I am confused by your question (maybe cause I'm thinking inside
> the box) but what other options are there for running the Xserver and Xclients on a single
> computer. Or maybe you are suggesting multiple computers running Xservers? Please
> let me know whatever you are thinking as a solution because I am open to ideas and
> thinking outside the box.
With X11 it doesn't matter if you talk about 1 or multiple computers.
Within the same network and with a fast enough speed of the network,
it should work (edge-cases may differ).
> Maybe I was also incorrect about running multiple Xservers on the same machine on
> different ttys but I thought that was an option. I should check with X11 mailing
> list.
>
> It's funny that you mention running an Xvnc server inside of a jail with each gui
> application. I have actually done that before but I never considered it as a possible
> option for solving my problem until now that you mentioned it. So I will look into that
> more. My only issue with this: the application that I want jailed the most is my
> "general browsing" firefox instance used for media websites like youtube but I am not
> sure how well a 1080p video will look over a vnc connection. But I haven't tested this
> idea in a while.
For your particular use cases you will only know if you test it. As
you are doing this locally, the "network" speed is a combination of
the internal bus / CPU / memory speed, and some vnc settings like
compression may play a role here too, but my gut feeling is that this
could work.
> I suppose using Xephyr would be a similar yet heavier solution than just using your
> Xvnc server idea inside each jail. Would you agree?
>
> I might also look into statically compiling Xpra (if possible) so that it at least feels
> cleaner that all the dependencies are inside one binary instead of all over my system.
I do not know Xephyr or Xpra. I had a very quick look at the
homepages, and it looks like they are "just" a normal X server (with
some special features) and use the X11 protocol. As such I do not
expect that their use will solve your problem (read: I expect that you
will be able to see keystrokes across all jails).
Bye,
Alexander.
--
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild at FreeBSD.org : PGP 0x8F31830F9F2772BF