Coming from #2610
I found no way to allow memory sharing for MIT-SHM only. Docker only allows to share the entire IPC namespace/shared memory for all applications (Docker option --ipc=host).
That's a real shame! As per Understanding the Linux Virtual Memory Manager: The filesystem comes in two variations called shm and tmpfs. They both share core functionality and mainly differ in what they are used for. shm is for use by the kernel for creating file backings for anonymous pages and for backing regions created by shmget(). We need shmget for xshm, so mounting a tmpfs may not be enough. I have not tried it.
So far I did not even found a hint where to look for MIT-SHM in the system.I would assume that lsipc -m
should show it, but it does not.
If you can give me some hints where to look for the memory area or maybe even providing one to Xvfb and/or Xdummy, I might find a solution how to share it with a Docker container.
Ideally it would have a representation in the file system like e.g. /dev/shm/MIT-SHM.X20
. It is easy to share files with a Docker container.
Xpra's xshm bindings can be found here: browser/xpra/trunk/src/xpra/x11/bindings/ximage.pyx, we use:
sys/shm.h
:
int shmget(key_t __key, size_t __size, int __shmflg) void *shmat(int __shmid, const void *__shmaddr, int __shmflg) int shmdt (const void *__shmaddr) int shmctl(int shmid, int cmd, shmid_ds *buf)
X11/extensions/XShm.h
:
Bool XShmQueryExtension(Display *display) Bool XShmQueryVersion(Display *display, int *major, int *minor, Bool *pixmaps) Bool XShmAttach(Display *display, XShmSegmentInfo *shminfo) Bool XShmDetach(Display *display, XShmSegmentInfo *shminfo) XImage *XShmCreateImage(Display *display, Visual *visual, unsigned int depth, int format, char *data, XShmSegmentInfo *shminfo, unsigned int width, unsigned int height) Bool XShmGetImage(Display *display, Drawable d, XImage *image, int x, int y, unsigned long plane_mask) int XShmGetEventBase(Display *display)
So I don't see any way of telling X11 or xpra about different IPC locations / namespaces.
Maybe create a new namespace on the host, start Xvfb there, then use host
to share this IPC namespace with the container? Will this work? (or maybe it will share the host's main IPC namespace?)
Or maybe container
can be overloaded to point to the newly created namespace?
If not, can you somehow inject nsexec
in the docker command to join the IPC namespace created earlier?
Docs:
CLONE_NEWIPC
: This flag has the same effect as the clone(2)
CLONE_NEWIPC
flag. Unshare the IPC namespace, so that the calling process has a private copy of the IPC namespace which is not shared with any other process.
@mviereck: any of this make sense to you?
Not heard back, closing.
Not heard back, closing.
Ups, sorry!!
Much thanks for your ideas and suggestions! I had a look at this some time ago and it gives me some good attempts.
nsexec: Join a namespace and execute a command in the namespace
This one looks quite promising. With command nsenter
I get he functionality of nsexec
. It might work to open an IPC namespace with Docker and to share it with Xvfb as well as with the container.
It will take some time until I try this out because I have some other projects first.
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2647