[Solved] X11 applications in iocage jails

I'm trying to install a web browser in a jail (something like this guy did with Linux containers: https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/ ). I've successfully created the jail and installed Xorg and Firefox with iocage. Now I can't start Firefox, either with iocage exec ..... or with ssh -X -Y .....
What am I missing?
PS. My configuration:
Code:
iocage get all firefoxjail
interfaces:vnet0:bridge0,vnet1:bridge1
vnet:off
host_hostname:…
hostname:…
ip4_addr:wlan0|192.168.0.117
ip4_autostart:none
ip4_autoend:none
ip4_autosubnet:none
ip4_saddrsel:1
ip4:new
ip6_addr:none
ip6_saddrsel:1
ip6:new
defaultrouter:none
defaultrouter6:none
resolver:none
exec_fib:0
vnet0_mac:none
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
devfs_ruleset:4
mount_devfs:1
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_poststop:/usr/bin/true
exec_poststart:/usr/bin/true
exec_clean:1
exec_timeout:60
stop_timeout:30
exec_jail_user:root
exec_system_jail_user:0
exec_system_user:root
mount_fdescfs:1
mount_procfs:0
enforce_statfs:2
children_max:0
login_flags:-f root
securelevel:2
allow_set_hostname:0
allow_sysvipc:0
allow_raw_sockets:0
allow_chflags:0
allow_mount:0
allow_mount_devfs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_socket_af:0
host_hostuuid:9ef939ee-5ba9-11e5-be94-485b396e4f99
memoryuse:8G:log
memorylocked:off
vmemoryuse:off
maxproc:off
cputime:off
pcpu:off
datasize:off
stacksize:off
coredumpsize:off
openfiles:off
pseudoterminals:off
swapuse:off
nthr:off
msgqqueued:off
msgqsize:off
nmsgq:off
nsemop:off
nshm:off
shmsize:off
wallclock:off
tag:firefoxjail
template:no
rlimits:off
boot:off
notes:none
owner:root
priority:99
last_started:2015-09-15_16:27:15
type:jail
hostid:84523fa4-2ade-11e5-b638-485b396e4f99
cpuset:off
jail_zfs:off
jail_zfs_dataset:iocage/jails/9ef939ee-5ba9-11e5-be94-485b396e4f99/root/data
release:10.2-RELEASE
hack88:0
sync_stat:-
sync_target:none
sync_tgt_zpool:none
ftphost:-
ftpdir:-
gitlocation:https://github.com
branch:-
 
I have seen this problem reported on the PC-BSD forum. Please use iocage to print all jail parameters for the just-created jail and somebody might be able to help you. I use iocage extensively but I have not run X on FreeBSD since 2007.
 
hukadan (Guest)

Hi spaceille,

Here is what I did to get firefox working in a jail. Create a jail with an IP address of 10.0.0.2 and the hostname injailgui (adapt this to your configuration):
# iocage create hostname=injailgui tag=injailgui ip4_addr="lo1|10.0.0.2"

Then edit the jail configuration by issuing iocage chroot injailgui /bin/sh and editing /etc/hosts, adding the following line:
Code:
10.0.0.2                  injailgui
Now the jail is able to resolve its hostname. Next step, still in the jail, edit the /etc/ssh/sshd_config file and add the following lines:
Code:
X11Forwarding yes
X11UseLocalhost no
localhost and jails do not play well together ;) . Then, still in the jail, make sure the ssh server is started at (jail) boot by editing /etc/rc.conf.
Code:
sshd_enable="YES"

Now, go back to the host and then, make sure the hostname is correctly set
# iocage set hostname=injailgui injailgui
# iocage start injailgui
# iocage console injailgui


Then, once in the jail, install x11/xauth, you need it for X11 forwarding.
# pkg install -y xauth

Create a user and set a password.
# pw user add myuser -s /bin/tcsh -m
# passwd myuser


That's all you need (plus GUI software to run). If you plan to use www/firefox in the jail, first install it.
# pkg install -y firefox

Then make sure dbus is started at (jail) boot by editing /etc/rc.conf.
Code:
dbus_enable="YES"
And start the service.
# service dbus start

Now you can go back to the host and start www/firefox.
% ssh -Y myuser@10.0.0.2 firefox --no-remote

Do not forget --no-remote, it will prevent strange behaviours if you already have firefox running on the host. However, if like me you do not like passwords, it is convenient to use public key authentication:
% ssh-keygen -t rsa -b 4096 -C "myuser@example.com" -f ~/.ssh/injailgui

Then, still on the host, edit/create the file ~/.ssh/config and add:
Code:
Host injailgui
    Hostname 10.0.0.2
    Port 22
    User myuser
    IdentityFile ~/.ssh/injailgui
    ForwardX11 yes
    ForwardX11Trusted yes

Then send the public key to the jail:
% ssh myuser@10.0.0.2 mkdir .ssh
% cat ~/.ssh/injailgui.pub | ssh myuser@10.0.0.2 'cat >> .ssh/authorized_keys'


Then, just go to your terminal and start Firefox over SSH.
% ssh injailgui firefox --no-remote

You can add other software and use it the same way, or add aliases to make the syntax even shorter. Of course, this is not as complete as the post you linked. First, there is no sound, but some hints are given in the Thread sound-ssh.2691. Plus, there is nothing about starting and stopping the jail. But I think the small overhead induced by the running jail is not worth the effort. If you want your jail to start at boot, have a look at this part of the documentation.

If you manage to get sound working, please come back here to share.

--- Edit ---
Typo corrected: Identity replaced by IdentityFile in ~/.ssh/config
 
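The steps above are easy to get subtly wrong by hand (a second run doubles lines in rc.conf, a commented-out X11Forwarding stays commented, and sshd honours only the first occurrence of a keyword). Below is an added example, not hukadan's script or anything shipped with iocage, that applies the jail-side edits idempotently to a jail root and checks the sshd settings the post relies on. It assumes ROOT is the jail's root filesystem (the tree reached via iocage chroot) and stock sshd_config and rc.conf syntax; the host-side stanza for ~/.ssh/config is reproduced from the post. Note what X11UseLocalhost no does: it binds the forwarded display socket to the jail's address instead of loopback, so the usual host firewall rules for the jail's IP should be expected to cover that port too.

```shell
#!/bin/sh
# Added example (not hukadan's script): apply the jail-side steps from the
# post to a jail root directory ROOT and verify the result. Assumptions:
# ROOT is the jail's root filesystem (the tree you reach with
# `iocage chroot`), and the files use stock sshd_config/rc.conf syntax.
set -eu

# Append LINE to FILE unless an identical line is already present.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Set KEY to VALUE in an sshd_config-style file: rewrite any existing
# directive for KEY (commented out or not), or append one if none exists.
# Goes through a temp file so it works with both BSD and GNU sed.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Print the effective value of KEY. sshd(8) honours the first uncommented
# occurrence of a keyword, so stop at the first match rather than the last.
sshd_effective() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Succeed only when FILE has the two settings the post relies on:
# X11Forwarding yes and X11UseLocalhost no (the forwarded display is
# bound to the jail's address, since the jail has no usable localhost).
check_x11() {
    [ "$(sshd_effective "$1" X11Forwarding)" = yes ] &&
    [ "$(sshd_effective "$1" X11UseLocalhost)" = no ]
}

# Jail side: hosts entry, sshd X11 settings, sshd and dbus at jail boot.
prepare_jail() {
    root=$1; ip=$2; name=$3
    mkdir -p "$root/etc/ssh"
    ensure_line "$root/etc/hosts" "$ip $name"
    [ -f "$root/etc/ssh/sshd_config" ] || : > "$root/etc/ssh/sshd_config"
    set_sshd_option "$root/etc/ssh/sshd_config" X11Forwarding yes
    set_sshd_option "$root/etc/ssh/sshd_config" X11UseLocalhost no
    ensure_line "$root/etc/rc.conf" 'sshd_enable="YES"'
    ensure_line "$root/etc/rc.conf" 'dbus_enable="YES"'
    check_x11 "$root/etc/ssh/sshd_config"
}

# Host side: add the ~/.ssh/config stanza from the post to FILE, once.
add_ssh_host_stanza() {
    file=$1; name=$2; ip=$3; user=$4; keyfile=$5
    [ -f "$file" ] || : > "$file"
    if ! grep -Eq "^Host[[:space:]]+$name([[:space:]]|$)" "$file"; then
        printf 'Host %s\n    Hostname %s\n    Port 22\n    User %s\n    IdentityFile %s\n    ForwardX11 yes\n    ForwardX11Trusted yes\n' \
            "$name" "$ip" "$user" "$keyfile" >> "$file"
    fi
}

# Usage: sh prepare_jail.sh /path/to/jail/root 10.0.0.2 injailgui
if [ $# -eq 3 ]; then
    prepare_jail "$1" "$2" "$3"
fi
```

Run it against a scratch copy of the jail root first; every function can be run twice without duplicating lines, and prepare_jail exits non-zero if the resulting sshd_config would not actually forward X11 to the jail address.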
hukadan (Guest)

I was so focused on sound over network that I did not see the obvious... until I found this Thread enable-sound-inside-jail.23361 almost by accident. Now, the solution is easy to implement. First edit/create /etc/devfs.rules and add the following lines (I took the default one from my /etc/default/devfs.rules and added the last two lines).
Code:
# Devices usually found in a desktop jail for sound support
#
[devfsrules_desktop_jail=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
add path 'mixer*' unhide
add path 'dsp*' unhide
Then, you just have to set the property of the jail(8).
# iocage set devfs_ruleset=5 injailgui

Now you can have sound for the applications you run in the jail.
 
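The devfs ruleset is the jail's device boundary, so it is worth knowing exactly which nodes a ruleset exposes before setting devfs_ruleset on the jail, and whether the number you pass to iocage is actually defined. Below is an added example, not hukadan's code or part of iocage, that reads a devfs.rules(5)-style file, resolves add include chains and lists every path a given ruleset unhides. The sample file embedded in it is constructed: it contains the ruleset from the post plus abridged versions of the stock rulesets it includes, not a copy of any system file.

```shell
#!/bin/sh
# Added example (not hukadan's): inspect a devfs.rules file before pointing a
# jail at it with `iocage set devfs_ruleset=N`. Assumes devfs.rules(5) syntax
# as used in /etc/defaults/devfs.rules; the sample below is constructed and
# abridged, not a copy of any system file.
set -eu

# Constructed sample: the post's desktop ruleset plus abridged versions of
# the stock rulesets it includes.
sample_rules() {
cat <<'EOF'
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path log unhide
add path null unhide
add path zero unhide
add path crypto unhide
add path random unhide
add path urandom unhide

[devfsrules_unhide_login=3]
add path 'tty*' unhide
add path 'pts*' unhide

# Devices usually found in a desktop jail for sound support
[devfsrules_desktop_jail=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
add path 'mixer*' unhide
add path 'dsp*' unhide
EOF
}

# Print the number assigned to ruleset NAME in FILE (empty if absent).
ruleset_number() {  # FILE NAME
    awk -v n="$2" '
        /^\[/ { s = $0; sub(/^\[/, "", s); sub(/\].*$/, "", s)
                split(s, a, "="); if (a[1] == n) print a[2] }' "$1"
}

# Succeed when FILE defines a ruleset numbered NUM, which is what the
# jail's devfs_ruleset property must refer to.
ruleset_defined() {  # FILE NUM
    awk -v want="$2" '
        /^\[/ { s = $0; sub(/^\[/, "", s); sub(/\].*$/, "", s)
                split(s, a, "="); if (a[2] == want) found = 1 }
        END { exit !found }' "$1"
}

# List every device path ruleset NUM unhides, following `add include`
# lines recursively, one path per line in file order. This is the set of
# device nodes the jail will see on top of hide_all.
unhidden_paths() {  # FILE NUM
    awk -v want="$2" -v q="'" '
        function walk(n,    k, parts, i) {
            if (n in seen) return; seen[n] = 1
            k = split(inc[n], parts, " ")
            for (i = 1; i <= k; i++) walk(num[parts[i]])
            k = split(paths[n], parts, " ")
            for (i = 1; i <= k; i++) print parts[i]
        }
        /^\[/ { s = $0; sub(/^\[/, "", s); sub(/\].*$/, "", s)
                split(s, a, "="); cur = a[2]; num[a[1]] = a[2]; next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "add" && $2 == "include" { sub(/^\$/, "", $3); inc[cur] = inc[cur] " " $3 }
        $1 == "add" && $2 == "path" && $4 == "unhide" {
            gsub(q, "", $3); paths[cur] = paths[cur] " " $3 }
        END { walk(want) }' "$1"
}

# Usage: sh devfs_audit.sh /etc/devfs.rules 5
if [ $# -eq 2 ]; then
    ruleset_defined "$1" "$2" || { echo "ruleset $2 not defined in $1" >&2; exit 1; }
    unhidden_paths "$1" "$2"
fi
```

For the post's ruleset 5 this prints the basic and login devices followed by zfs, mixer* and dsp*, which is the full list of what the jail gains; anything else appearing there means the file differs from what was intended.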