
Opened 3 months ago

Closed 3 months ago

#2848 closed task (fixed)

Xpra server sessions disappear when a client establishes an SSH connection

Reported by: heist
Owned by: heist
Priority: major
Milestone: 4.1
Component: server
Version: 3.0.x
Keywords:
Cc:

Description

I am spawning an Xpra server by creating a job and sending it to a job scheduler. The job that spawns Xpra is placed on a worker machine. The worker machine is joined to the worker pool by running a Systemd service. All jobs placed on a worker, in this case an Xpra server, are descendants of the Systemd service. The Xpra server spawns successfully and places its files in the $XDG_RUNTIME_DIR.

Xpra server spawned via job scheduler

$ ls -laZ /run/user/$(id -u)
drwx------. heist primarygroup system_u:object_r:user_tmp_t:s0  .
drwxr-xr-x. root  root         system_u:object_r:user_tmp_t:s0  ..
drwx------. heist primarygroup system_u:object_r:user_tmp_t:s0 xpra

$ ls -laZ /run/user/$(id -u)/xpra/
drwx------. heist primarygroup system_u:object_r:user_tmp_t:s0 .
drwx------. heist primarygroup system_u:object_r:user_tmp_t:s0  ..
-rw-r--r--. heist primarygroup system_u:object_r:user_tmp_t:s0 :2.log
-rwx------. heist primarygroup system_u:object_r:user_tmp_t:s0 run-xpra
srw-------. heist primarygroup system_u:object_r:user_tmp_t:s0 $(hostname)-2
-rw-r--r--. heist primarygroup system_u:object_r:user_tmp_t:s0 Xorg.S20868.log

Xpra server spawned directly on host

$ ls -laZ /run/user/445228/
drwx------. heist primarygroup system_u:object_r:user_tmp_t:s0  .
drwxr-xr-x. root  root         system_u:object_r:user_tmp_t:s0  ..
drwx------. heist primarygroup unconfined_u:object_r:user_tmp_t:s0 xpra

$ ls -laZ /run/user/445228/xpra/
drwx------. heist primarygroup unconfined_u:object_r:user_tmp_t:s0 .
drwx------. heist primarygroup system_u:object_r:user_tmp_t:s0  ..
-rw-r--r--. heist primarygroup unconfined_u:object_r:user_tmp_t:s0 :1.log
-rwx------. heist primarygroup unconfined_u:object_r:user_tmp_t:s0 run-xpra
srw-------. heist primarygroup unconfined_u:object_r:user_tmp_t:s0 $(hostname)
-rw-r--r--. heist primarygroup unconfined_u:object_r:user_tmp_t:s0 Xorg.S8408.log

The XDG_RUNTIME_DIR is cleared by PAM when running xpra attach ssh://, as the permissions are incorrect. The SELinux user for Systemd services is system_u and unconfined_u is for users.
https://www.freedesktop.org/software/systemd/man/pam_systemd.html

This causes xpra attach to fail as the files are missing.

xpra attach --ssh="ssh -o LogLevel=ERROR -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ssh://$fqdn/$display

I attempted to change $XDG_RUNTIME_DIR to /tmp/user/$(id -u) to circumvent this issue, but I haven't had success.

Xpra server spawned in job

$ export XDG_RUNTIME_DIR=/tmp/user/$(id -u)
$ xpra start
$ ls -la /tmp/user/$(id -u)/xpra
total 492
drwx------. 2 heist primarygroup     59 Jul 20 18:40 .
drwx------. 3 heist primarygroup     18 Jul 20 18:40 ..
-rw-r--r--. 1 heist primarygroup  28876 Jul 20 18:41 :3.log
-rwx------. 1 heist primarygroup   9867 Jul 20 18:40 run-xpra
-rw-r--r--. 1 heist primarygroup 354626 Jul 20 18:40 Xorg.S31823.log

Attempted to connect a client

xpra attach --ssh="ssh -o LogLevel=ERROR -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" --remote-xpra="export XDG_RUNTIME_DIR=/tmp/user/$(id -u)" ssh://$fqdn/$display
...
2020-07-20 11:49:32,726 no run-xpra command found

How do you recommend I proceed? The --remote-xpra argument doesn't seem to respect overwriting $XDG_RUNTIME_DIR.

Xpra server arguments:

xpra start -d all \
--opengl=no \
--no-pulseaudio \
--no-microphone \
--no-speaker \
--printing=no \
--terminate-children=yes \
--html=on \
--notifications=no \
--sharing=yes \
--dpi=90 \
--bind-tcp=0.0.0.0:22200 \
--start-child=xfce4-terminal \
--exit-with-children=yes

Xpra server info:

Operating System: Red Hat Enterprise Linux Server release 7.8 (Maipo)
Kernel: Linux 3.10.0-1127.13.1.el7.x86_64
Xpra Version: xpra v3.0.10-r26630

Xpra client info:

Operating System: Debian GNU/Linux rodete
Kernel: Linux 5.5.17-1rodete4-amd64
Xpra Version: xpra v3.0.7-r25629
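
Added example, not part of the ticket: the two listings in the description differ in the SELinux user field (system_u for the scheduler-spawned server, unconfined_u for the one started directly). This shell function parses `ls -laZ` output in the format shown and prints the entries whose SELinux user is not the expected one; the function names and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report entries in `ls -laZ` output whose SELinux user
# differs from the expected one. Reads the listing on stdin.
# Usage: ls -laZ "$XDG_RUNTIME_DIR/xpra" | selinux_user_mismatches unconfined_u
selinux_user_mismatches() {
    awk -v expected="$1" '
        {
            ctx = ""
            # The context is the first field shaped user:role:type:level.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:/) {
                    ctx = $i
                    break
                }
            }
            if (ctx == "") next      # shell prompts, "total N", blank lines
            name = $NF               # assumes no whitespace in file names
            if (name == "..") next   # parent directory is labelled by its own creator
            split(ctx, parts, ":")
            if (parts[1] != expected) print parts[1] "\t" name
        }'
}

# Constructed sample in the shape of the scheduler-spawned listing above,
# with one entry relabelled so both outcomes are exercised.
sample_listing() {
    cat <<'EOF'
$ ls -laZ /run/user/1000/xpra/
drwx------. heist primarygroup system_u:object_r:user_tmp_t:s0 .
drwx------. heist primarygroup system_u:object_r:user_tmp_t:s0  ..
-rw-r--r--. heist primarygroup system_u:object_r:user_tmp_t:s0 :2.log
-rwx------. heist primarygroup unconfined_u:object_r:user_tmp_t:s0 run-xpra
EOF
}
```

Run against the live directory before and after an `xpra attach ssh://` attempt, an empty result means every entry carries the expected SELinux user.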

Change History (3)

comment:1 Changed 3 months ago by heist

Type: changed from enhancement to defect

comment:2 Changed 3 months ago by Antoine Martin

Owner: changed from Antoine Martin to heist
Type: changed from defect to task

> Xpra server spawned via job scheduler

You should probably fix how your scheduler impersonates users so that it sets up XDG_RUNTIME_DIR properly.
Or use xpra's --start-via-proxy=yes, which will do this correctly.

> --remote-xpra="export XDG_RUNTIME_DIR=/tmp/user/$(id -u)"

This part looks completely wrong.
As per the man page, the remote-xpra option points to a command, so it should be something like --remote-xpra=/path/to/run-xpra.
But really, you should not be needing it as xpra is installed in /usr/bin/ and will be found.

> The --remote-xpra argument doesn't seem to respect overwriting $XDG_RUNTIME_DIR.

This statement doesn't make sense.
If you're trying to move the sockets, use the socket-dirs option.
(and I would make this change in the global config file - so your clients' command lines don't need to change)

comment:3 Changed 3 months ago by heist

Resolution: fixed
Status: changed from new to closed

Thank you Antoine. --start-via-proxy=yes solved the issue.