
Opened 6 months ago

Closed 3 months ago

Last modified 3 months ago

#2647 closed task (needinfo)

Detecting or setting up MIT-SHM

Reported by: mviereck Owned by: mviereck
Priority: critical Milestone: 4.1
Component: server Version: 3.0.x
Keywords: Cc:

Description (last modified by Antoine Martin)

Coming from #2610

I found no way to allow memory sharing for MIT-SHM only. Docker only allows sharing the entire IPC namespace/shared memory for all applications (Docker option --ipc=host).

That's a real shame!
As per Understanding the Linux Virtual Memory Manager: The filesystem comes in two variations called shm and tmpfs. They both share core functionality and mainly differ in what they are used for. shm is for use by the kernel for creating file backings for anonymous pages and for backing regions created by shmget().
We need shmget for xshm, so mounting a tmpfs may not be enough. I have not tried it.

So far I did not even find a hint where to look for MIT-SHM in the system. I would assume that lsipc -m should show it, but it does not.
If you can give me some hints where to look for the memory area or maybe even providing one to Xvfb and/or Xdummy, I might find a solution how to share it with a Docker container.

Ideally it would have a representation in the file system like e.g. /dev/shm/MIT-SHM.X20. It is easy to share files with a Docker container.

Change History (4)

comment:1 Changed 6 months ago by Antoine Martin

Description: modified (diff)
Milestone: 4.0 → 4.1
Status: new → assigned

comment:2 Changed 5 months ago by Antoine Martin

Owner: changed from Antoine Martin to mviereck
Priority: major → critical
Status: assigned → new

Xpra's xshm bindings can be found here: browser/xpra/trunk/src/xpra/x11/bindings/ximage.pyx, we use:

  • from sys/shm.h:
        int shmget(key_t __key, size_t __size, int __shmflg)
        void *shmat(int __shmid, const void *__shmaddr, int __shmflg)
        int shmdt (const void *__shmaddr)
        int shmctl(int shmid, int cmd, shmid_ds *buf)
    
  • from X11/extensions/XShm.h:
        Bool XShmQueryExtension(Display *display)
        Bool XShmQueryVersion(Display *display, int *major, int *minor, Bool *pixmaps)
    
        Bool XShmAttach(Display *display, XShmSegmentInfo *shminfo)
        Bool XShmDetach(Display *display, XShmSegmentInfo *shminfo)
    
        XImage *XShmCreateImage(Display *display, Visual *visual,
                                unsigned int depth, int format, char *data,
                                XShmSegmentInfo *shminfo,
                                unsigned int width, unsigned int height)
    
        Bool XShmGetImage(Display *display, Drawable d, XImage *image,
                          int x, int y,
                          unsigned long plane_mask)
    
        int XShmGetEventBase(Display *display)
    

So I don't see any way of telling X11 or xpra about different IPC locations / namespaces.


docker.com : ipc-settings:

  • “” Use daemon’s default.
  • “none” Own private IPC namespace, with /dev/shm not mounted.
  • “private” Own private IPC namespace.
  • “shareable” Own private IPC namespace, with a possibility to share it with other containers.
  • “container: <name-or-ID>” Join another (“shareable”) container’s IPC namespace.
  • “host” Use the host system’s IPC namespace.

Maybe create a new namespace on the host, start Xvfb there, then use host to share this IPC namespace with the container? Will this work? (or maybe it will share the host's main IPC namespace?)
Or maybe container can be overloaded to point to the newly created namespace?
If not, can you somehow inject nsexec in the docker command to join the IPC namespace created earlier?

Docs:

  • ipc_namespaces
  • unshare: CLONE_NEWIPC: This flag has the same effect as the clone(2) CLONE_NEWIPC flag. Unshare the IPC namespace, so that the calling process has a private copy of the IPC namespace which is not shared with any other process.
  • clone
  • nsexec: Join a namespace and execute a command in the namespace

@mviereck: any of this make sense to you?

comment:3 Changed 3 months ago by Antoine Martin

Resolution: needinfo
Status: new → closed

Not heard back, closing.

comment:4 Changed 3 months ago by mviereck

Not heard back, closing.

Ups, sorry!!

Much thanks for your ideas and suggestions!
I had a look at this some time ago and it gives me some good attempts.

nsexec: Join a namespace and execute a command in the namespace

This one looks quite promising. With command nsenter I get the functionality of nsexec. It might work to open an IPC namespace with Docker and to share it with Xvfb as well as with the container.

It will take some time until I try this out because I have some other projects first.
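
Added example, not part of the ticket or of xpra's code: MIT-SHM segments are System V segments created with shmget(), so they have no path under /dev/shm; the place to look is the IPC namespace itself. This Python script compares /proc/<pid>/ns/ipc for two processes (for example the X server and the client) and lists the segments one of them created, as reported by /proc/sysvipc/shm. The PIDs and the sample table are constructed.

```python
import os
import sys

SHM_DEST = 0o1000  # perms bit from <linux/shm.h>: destroy on last detach

# Constructed sample in the layout of /proc/sysvipc/shm (not real output).
SAMPLE_SHM = """\
 key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap
 0 32768 1600 8294400 4321 1234 2 1000 1000 1000 1000 1700000000 0 1700000000 8294400 0
 0 32769 600 524288 5555 5555 1 1000 1000 1000 1000 1700000000 0 1700000000 524288 0
"""

def ipc_namespace(pid, proc_root="/proc"):
    """Return the IPC namespace link target, e.g. 'ipc:[4026531839]'."""
    return os.readlink(os.path.join(proc_root, str(pid), "ns", "ipc"))

def same_ipc_namespace(pid_a, pid_b, proc_root="/proc"):
    """System V segments are only reachable inside one IPC namespace."""
    return ipc_namespace(pid_a, proc_root) == ipc_namespace(pid_b, proc_root)

def parse_sysvipc_shm(text):
    """Parse /proc/sysvipc/shm text into dicts keyed by the header names."""
    lines = text.strip().splitlines()
    header = lines[0].split() if lines else []
    segments = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip truncated or malformed rows
        row = dict(zip(header, fields))
        perms = int(row.pop("perms"), 8)  # the kernel prints perms in octal
        row = {name: int(value) for name, value in row.items()}
        row["perms"] = perms & 0o777
        row["marked_for_removal"] = bool(perms & SHM_DEST)
        segments.append(row)
    return segments

def segments_created_by(pid, shm_text):
    """Segments whose creator (cpid) is the given process."""
    return [s for s in parse_sysvipc_shm(shm_text) if s["cpid"] == pid]

if __name__ == "__main__" and len(sys.argv) == 3:
    server_pid, client_pid = int(sys.argv[1]), int(sys.argv[2])
    print("same IPC namespace:", same_ipc_namespace(server_pid, client_pid))
    with open("/proc/sysvipc/shm") as f:
        for seg in segments_created_by(client_pid, f.read()):
            print(seg["shmid"], seg["size"], "nattch=%d" % seg["nattch"])
```

Run it with the X server PID and the client PID as arguments; /proc/sysvipc/shm only lists segments in the IPC namespace of the process that reads it.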
