Xrdp in a jail

cellini · Sep 21, 2020

I am planing to have multiple jails running with xrdp for our users at my company to work at over rdp. The reason to use rdp is that I want to keep the sessions going, and vlc seems a little laggy.

The amount of users at our company is 12 and it will probably not be more then 8 using the system at the same time so because of easy backup and fail over I thought one server serving multiple jails with Xrdp should do the trick.

But to my question, I have been fiddling around with jails today and installed xrdp but I get to the same problem every time where when I login xrdp stops working straight away. I have been googling but have not really found anything so I thought it would be smart to start with a clean slate.

Code:

FreeBSD bsdserver 12.1-RELEASE FreeBSD 12.1-RELEASE r354233 GENERIC  amd64

 

tail -f /var/log/xrdp*

Gives the following.

Code:

==> /var/log/xrdp.log <==
[20200922-00:06:40] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:192.168.1.60 port 35812
[20200922-00:06:40] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.1.60 port 3389)
[20200922-00:06:40] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20200922-00:06:40] [INFO ] Using default X.509 certificate: /usr/local/etc/xrdp/cert.pem
[20200922-00:06:40] [INFO ] Using default X.509 key file: /usr/local/etc/xrdp/key.pem
[20200922-00:06:40] [DEBUG] TLSv1.3 enabled
[20200922-00:06:40] [DEBUG] TLSv1.2 enabled
[20200922-00:06:40] [DEBUG] Security layer: requested 11, selected 1
[20200922-00:06:40] [INFO ] connected client computer name: HD1913-10
[20200922-00:06:40] [INFO ] adding channel item name rdpdr chan_id 1004 flags 0x80800000
[20200922-00:06:40] [INFO ] adding channel item name rdpsnd chan_id 1005 flags 0xc0000000
[20200922-00:06:40] [INFO ] adding channel item name cliprdr chan_id 1006 flags 0xc0a00000
[20200922-00:06:40] [INFO ] adding channel item name drdynvc chan_id 1007 flags 0xc0800000
[20200922-00:06:40] [INFO ] TLS connection established from ::ffff:192.168.1.60 port 35812: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
[20200922-00:06:40] [DEBUG] xrdp_0000028a_wm_login_mode_event_00000001
[20200922-00:06:40] [INFO ] Loading keymap file /usr/local/etc/xrdp/km-00000409.ini
[20200922-00:06:40] [WARN ] local keymap file for 0x00000409 found and doesn't match built in keymap, using local keymap file
[20200922-00:06:43] [DEBUG] xrdp_wm_log_msg: connecting to sesman ip 127.0.0.1 port 3350

==> /var/log/xrdp-sesman.log <==
[20200922-00:06:43] [INFO ] A connection received from 2001:ffff:ffff::60 port 11501
==> /var/log/xrdp.log <==
[20200922-00:06:43] [INFO ] xrdp_wm_log_msg: sesman connect ok
[20200922-00:06:43] [DEBUG] xrdp_wm_log_msg: sending login info to session manager, please wait...
[20200922-00:06:43] [DEBUG] return value from xrdp_mm_connect 0

==> /var/log/xrdp-sesman.log <==
[20200922-00:06:43] [INFO ] ++ created session (access granted): username anders, ip ::ffff:192.168.1.60:35812 - socket: 12
[20200922-00:06:43] [INFO ] starting Xorg session...
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5910)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6010)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6210)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5911)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6011)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6211)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5912)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6012)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6212)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5913)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6013)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6213)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5914)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6014)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6214)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5915)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6015)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6215)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5916)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6016)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6216)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5917)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6017)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6217)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5918)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6018)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6218)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5919)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6019)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6219)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5920)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6020)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6220)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5921)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6021)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6221)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5922)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6022)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6222)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5923)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6023)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6223)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5924)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6024)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6224)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5925)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6025)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6225)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5926)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6026)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6226)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5927)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6027)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6227)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5928)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6028)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6228)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5929)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6029)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6229)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5930)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6030)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6230)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5931)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6031)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6231)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5932)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6032)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6232)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5933)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6033)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6233)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5934)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6034)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6234)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5935)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6035)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6235)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5936)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6036)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6236)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5937)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6037)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6237)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5938)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6038)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6238)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5939)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6039)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6239)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5940)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6040)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6240)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5941)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6041)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6241)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5942)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6042)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6242)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5943)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6043)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6243)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5944)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6044)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6244)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5945)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6045)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6245)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5946)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6046)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6246)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5947)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6047)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6247)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5948)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6048)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6248)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5949)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6049)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6249)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5950)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6050)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6250)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5951)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6051)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6251)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5952)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6052)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6252)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5953)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6053)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6253)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5954)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6054)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6254)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 5955)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6055)
[20200922-00:06:43] [DEBUG] Closed socket 9 (AF_INET6 :: port 6255)
[20200922-00:06:43] [DEBUG] Closed socket 8 (AF_INET6 2001:ffff:ffff::60 port 3350)

==> /var/log/xrdp.log <==
[20200922-00:06:43] [INFO ] xrdp_wm_log_msg: login successful for display 55

==> /var/log/xrdp-sesman.log <==
[20200922-00:06:43] [INFO ] calling auth_start_session from pid 981

==> /var/log/xrdp.log <==
[20200922-00:06:43] [DEBUG] xrdp_wm_log_msg: started connecting

==> /var/log/xrdp-sesman.log <==
[20200922-00:06:43] [DEBUG] Closed socket 7 (AF_INET6 2001:ffff:ffff::60 port 3350)
[20200922-00:06:43] [DEBUG] Closed socket 8 (AF_INET6 2001:ffff:ffff::60 port 3350)
[20200922-00:06:43] [INFO ] Xorg :55 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp

==> /var/log/xrdp.log <==
[20200922-00:06:43] [INFO ] lib_mod_log_peer: xrdp_pid=650 connected to X11rdp_pid=0 X11rdp_uid=8 X11rdp_gid=8 client_ip=::ffff:192.168.1.60 client_port=35812
[20200922-00:06:43] [DEBUG] xrdp_wm_log_msg: connected ok

==> /var/log/xrdp-sesman.log <==
[20200922-00:06:43] [CORE ] waiting for window manager (pid 1130) to exit

==> /var/log/xrdp.log <==
[20200922-00:06:43] [DEBUG] xrdp_mm_connect_chansrv: chansrv connect successful
[20200922-00:06:43] [DEBUG] Closed socket 18 (AF_INET6 2001:ffff:ffff::60 port 11501)
[20200922-00:06:43] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.1.60 port 3389)
[20200922-00:06:43] [DEBUG] xrdp_mm_module_cleanup
[20200922-00:06:43] [DEBUG] Closed socket 19 (AF_UNIX)

==> /var/log/xrdp-sesman.log <==
[20200922-00:06:43] [CORE ] window manager (pid 1130) did exit, cleaning up session
[20200922-00:06:43] [INFO ] calling auth_stop_session and auth_end from pid 1009

==> /var/log/xrdp.log <==
[20200922-00:06:43] [DEBUG] Closed socket 20 (AF_UNIX)

==> /var/log/xrdp-sesman.log <==
[20200922-00:06:43] [DEBUG] cleanup_sockets:
[20200922-00:06:43] [DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_out_socket_55
[20200922-00:06:43] [DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_in_socket_55
[20200922-00:06:43] [DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdpapi_55
[20200922-00:06:43] [INFO ] ++ terminated session:  username anders, display :55.0, session_pid 981, ip ::ffff:192.168.1.60:35812 - socket: 12

The server the jail is running on is not currently having any Xorg, and I am not sure if this is a problem I have hade a hard time figuring it out, all the help and pointers I can get is appreciated

cellini · Sep 22, 2020

anonymous9 said:
xrdp in jail

I actually had the same problem at first, but after setting a IPv6 address, running service xrdp onestart works fine and I can connect to the jail from another machine but when I enter my username, password and press ok the rdp stops immediately.
This can be viewed in the first log where it is waiting for the window manager to close.

Code:

[20200922-00:06:43] [CORE ] waiting for window manager (pid 1130) to exit

cellini · Sep 22, 2020

Or should i ask in Thread xrdp-in-jail.70282 and delete this one?

olli@ · Sep 22, 2020

Are you sure that the window manager starts up correctly? Which one are you using? From your log output it seems that the window manager terminates immediately upon start. Maybe you should try to find out if that’s really the case, and why.

genneko · Sep 22, 2020

I tried the similar setup a year ago but ended up running xrdp on the host not in the jail.
After reading this post, I gave it one more try but got the same result.
It seems like Xorg started but immediately died when the RDP user logged in.
I have no idea how to handle this...

Excerpts from the jail's ~/.local/share/xorg/Xorg.xx.log

Code:

[ 66050.918] (EE) Backtrace:
[ 66050.920] (EE) 0: /usr/local/bin/Xorg (?+0x0) [0x41bf80]
[ 66050.921] (EE) 1: /lib/libthr.so.3 (pthread_sigmask+0x53e) [0x80091782e]
[ 66050.923] (EE) 2: /lib/libthr.so.3 (pthread_getspecific+0xdef) [0x80091763f]
[ 66050.924] (EE) 3: ? (?+0x0) [0x7ffffffff193]
[ 66050.926] (EE) 4: /lib/libc.so.7 (memcpy+0x140) [0x800aed710]
[ 66050.927] (EE) 5: /usr/local/lib/xorg/modules/libxorgxrdp.so (?+0x0) [0x8019f8b60]
[ 66050.928] (EE) 6: /usr/local/lib/xorg/modules/libxorgxrdp.so (?+0x0) [0x8019f7e70]
[ 66050.930] (EE) 7: /usr/local/bin/Xorg (?+0x0) [0x414bb0]
[ 66050.931] (EE) 8: /usr/local/bin/Xorg (?+0x0) [0x4146b0]
[ 66050.932] (EE) 9: /usr/local/bin/Xorg (?+0x0) [0x295fd0]
[ 66050.934] (EE) 10: /usr/local/bin/Xorg (?+0x0) [0x2a04e0]
[ 66050.935] (EE) 11: /usr/local/bin/Xorg (?+0x0) [0x289000]
[ 66050.937] (EE) 12: ? (?+0x0) [0x800457000]
[ 66050.937] (EE) 
[ 66050.937] (EE) Segmentation fault at address 0x0
[ 66050.937] (EE) 
Fatal server error:
[ 66050.937] (EE) Caught signal 11 (Segmentation fault). Server aborting

olli@ · Sep 22, 2020

Oh by the way, certain Xorg applications require SysV IPC / shared memory to be available. This is not enabled by default within jails. It might be worth a try to enable it.
These are the defaults:

Code:

$ sysctl security.jail | grep sysv
security.jail.param.sysvshm.: 0
security.jail.param.sysvsem.: 0
security.jail.param.sysvmsg.: 0
security.jail.param.allow.sysvipc: 0
security.jail.sysvipc_allowed: 0

I also seem to remember that Xorg requires access to /dev/io and /dev/kmem, which is not enabled by default within jails for security reasons. But I’m not sure if that holds true for Xrdp because it doesn’t have a physical display attached, so it doesn’t have to accress GPU hardware and display RAM. Apart from that, I don’t know how to enable access to /dev/io and /dev/kmem for a jail.

genneko · Sep 22, 2020

Wow! Thanks. It works like a charm.

olli@ said:
Oh by the way, certain Xorg applications require SysV IPC / shared memory to be available. This is not enabled by default within jails. It might be worth a try to enable it.

I've added sysvshm = new; to the jail's config in /etc/jail.conf and restarted the jail, then xrdp runs fine in the jail.

Code:

xrdp {
        ...
        sysvshm = new;
        ...
}

While I was logged in to the jail via xrdp, I could see the following shared memory segments were used.
The PIDs shown here were Xorg, xrdp and xfwm4.

Code:

Host$ sudo jexec xrdp ipcs -p
Message Queues:
T           ID          KEY MODE        OWNER    GROUP           LSPID        LRPID

Shared Memory:
T           ID          KEY MODE        OWNER    GROUP            CPID         LPID
m      1310757            0 --rwarwarwa genneko  genneko         70398        70394
m       786471            0 --rwarwarwa genneko  genneko         70427        70427

Semaphores:
T           ID          KEY MODE        OWNER    GROUP

Thank you so much for your insight!

cellini · Sep 22, 2020

olli@ said:
Are you sure that the window manager starts up correctly? Which one are you using? From your log output it seems that the window manager terminates immediately upon start. Maybe you should try to find out if that’s really the case, and why.

I actually had xterm as start up program, as i thought that would demand the least upond start up.

genneko said:
Wow! Thanks. It works like a charm.

I've added sysvshm = new; to the jail's config in /etc/jail.conf and restarted the jail, then xrdp runs fine in the jail.

Code:

xrdp { ... sysvshm = new; ... }

While I was logged in to the jail via xrdp, I could see the following shared memory segments were used.
The PIDs shown here were Xorg, xrdp and xfwm4.

Code:

Host$ sudo jexec xrdp ipcs -p Message Queues: T ID KEY MODE OWNER GROUP LSPID LRPID Shared Memory: T ID KEY MODE OWNER GROUP CPID LPID m 1310757 0 --rwarwarwa genneko genneko 70398 70394 m 786471 0 --rwarwarwa genneko genneko 70427 70427 Semaphores: T ID KEY MODE OWNER GROUP

Thank you so much for your insight!

This was what i was missing, added in sysvshm = new; and xrdp was showing me my xterm, after that i switched over to startxfce4. so this is perfect, one step closer to the ultimate terminal server.

But a side note, do you guys know it is possible to use a graphics card to generate the image? i guess it is now being generated with the CPU? i got a NVIDIA970 in the machine now and it is running fine, but it could be a little better when i do some work in FreeCAD. do you know if is is possible, and if should i have one graphics card for each jail or can i have them sharing?

olli@ · Sep 22, 2020

cellini said:
But a side note, do you guys know it is possible to use a graphics card to generate the image? i guess it is now being generated with the CPU? i got a NVIDIA970 in the machine now and it is running fine, but it could be a little better when i do some work in FreeCAD. do you know if is is possible, and if should i have one graphics card for each jail or can i have them sharing?

I’m afraid that doesn’t work.

shkhln · Sep 22, 2020

There might be some kind of solution involving VirtualGL, although allowing jails direct access to video hardware seems kind of self-defeating. And I have no idea whether it works with xrdp.

cellini · Sep 24, 2020

In my case i want to protect the users on the system against each other, its not that the users are evil or ill-intent it is just that they do stupid things so my plan is to have them in each there jails then they can install software from a package repository and i can give them a certain amount of memory and cores. Most of them will never use much of it, but the ones that do, myself included will have the chance.

I had a look at VirtualGL and it looks good, but could not find any example of someone doing something similar with jails. But thanks for the pointers and if i get it working i will probably write about it, for myself and if someone else might have the use something similar.