I run the server with --encryption=AES (see (1)) and this is respected in principle as can be seen when XPRA_ENCRYPTION_KEY is not specified (see also #1179):
xpra initialization error: encryption AES cannot be used without a keyfile (see --encryption-keyfile option)
However, I can connect with a 0.15.10 client even without specifying the key (I can see the window of the application running on the server and interact with it).
I would instead expect the connection to fail, showing that it was indeed encrypted using a PSK.
Server logs:
2016-04-20 16:15:41,682 created unix domain socket: /home/xpra/.xpra/xpra-test-100
2016-04-20 16:15:46,634 PyOpenCL loaded, header version: 1.2, GL support: True
2016-04-20 16:15:46,675 OpenCL Error: failed to find a working platform and device combination... trying with pyopencl's 'create_some_context'
2016-04-20 16:15:46,675 chosen context has 1 device:
2016-04-20 16:15:46,676 using 3 device: pthread-Intel(R) Xeon(R) CPU E5530 @ 2.40GHz (OpenCL 2.0 pocl / OpenCL C 2.0)
2016-04-20 16:15:46,676 OpenCL YUV to RGB is disabled
13 errors generated.
2016-04-20 16:15:47,136 cannot build the OpenCL program: clbuildprogram failed: BUILD_PROGRAM_FAILURE - Build on <pyopencl.Device 'pthread-Intel(R) Xeon(R) CPU E5530 @ 2.40GHz' on 'Portable Computing Language' at 0x562a7b076eb0>:
error: /usr/share/pocl/include/pocl_types.h:46:9 <Spelling=<built-in>:76:37>: cannot combine with previous 'type-name' declaration specifier
error: /usr/share/pocl/include/pocl_types.h:46:9 <Spelling=<built-in>:76:28>: 'type-name' cannot be signed or unsigned
error: /usr/share/pocl/include/pocl_types.h:47:9 <Spelling=<built-in>:68:31>: cannot combine with previous 'type-name' declaration specifier
error: /usr/share/pocl/include/_kernel.h:196:1 <Spelling=/usr/share/pocl/include/_kernel.h:196:27>: invalid application of 'sizeof' to an incomplete type 'size_t' (aka 'struct error_undefined_type_long')
error: /usr/share/pocl/include/_kernel.h:197:1 <Spelling=/usr/share/pocl/include/_kernel.h:197:30>: invalid application of 'sizeof' to an incomplete type 'ptrdiff_t' (aka 'struct error_undefined_type_long')
error: /usr/share/pocl/include/_kernel.h:198:1 <Spelling=/usr/share/pocl/include/_kernel.h:198:29>: invalid application of 'sizeof' to an incomplete type 'intptr_t' (aka 'struct error_undefined_type_long')
error: /usr/share/pocl/include/_kernel.h:199:1 <Spelling=/usr/share/pocl/include/_kernel.h:199:30>: invalid application of 'sizeof' to an incomplete type 'uintptr_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:8:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:9:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:47:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:48:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:66:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:67:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
(options: -I /usr/lib64/python2.7/site-packages/pyopencl/cl) (source saved as /tmp/tmptTPoZz.cl)
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/xpra/codecs/csc_opencl/colorspace_converter.py", line 441, in build_kernels
    program.build()
  File "/usr/lib64/python2.7/site-packages/pyopencl/__init__.py", line 379, in build
    options=options, source=self._source)
  File "/usr/lib64/python2.7/site-packages/pyopencl/__init__.py", line 414, in _build_and_catch_errors
    raise err
RuntimeError: clbuildprogram failed: BUILD_PROGRAM_FAILURE - Build on <pyopencl.Device 'pthread-Intel(R) Xeon(R) CPU E5530 @ 2.40GHz' on 'Portable Computing Language' at 0x562a7b076eb0>:
error: /usr/share/pocl/include/pocl_types.h:46:9 <Spelling=<built-in>:76:37>: cannot combine with previous 'type-name' declaration specifier
error: /usr/share/pocl/include/pocl_types.h:46:9 <Spelling=<built-in>:76:28>: 'type-name' cannot be signed or unsigned
error: /usr/share/pocl/include/pocl_types.h:47:9 <Spelling=<built-in>:68:31>: cannot combine with previous 'type-name' declaration specifier
error: /usr/share/pocl/include/_kernel.h:196:1 <Spelling=/usr/share/pocl/include/_kernel.h:196:27>: invalid application of 'sizeof' to an incomplete type 'size_t' (aka 'struct error_undefined_type_long')
error: /usr/share/pocl/include/_kernel.h:197:1 <Spelling=/usr/share/pocl/include/_kernel.h:197:30>: invalid application of 'sizeof' to an incomplete type 'ptrdiff_t' (aka 'struct error_undefined_type_long')
error: /usr/share/pocl/include/_kernel.h:198:1 <Spelling=/usr/share/pocl/include/_kernel.h:198:29>: invalid application of 'sizeof' to an incomplete type 'intptr_t' (aka 'struct error_undefined_type_long')
error: /usr/share/pocl/include/_kernel.h:199:1 <Spelling=/usr/share/pocl/include/_kernel.h:199:30>: invalid application of 'sizeof' to an incomplete type 'uintptr_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:8:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:9:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:47:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:48:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:66:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:67:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
(options: -I /usr/lib64/python2.7/site-packages/pyopencl/cl) (source saved as /tmp/tmptTPoZz.cl)
2016-04-20 16:15:47,138 all warnings:
2016-04-20 16:15:47,138 Error importing OpenCL colorspace conversion (csc_opencl)
2016-04-20 16:15:47,138 cannot build the OpenCL program: clbuildprogram failed: BUILD_PROGRAM_FAILURE - Build on <pyopencl.Device 'pthread-Intel(R) Xeon(R) CPU E5530 @ 2.40GHz' on 'Portable Computing Language' at 0x562a7b076eb0>:
error: /usr/share/pocl/include/pocl_types.h:46:9 <Spelling=<built-in>:76:37>: cannot combine with previous 'type-name' declaration specifier
error: /usr/share/pocl/include/pocl_types.h:46:9 <Spelling=<built-in>:76:28>: 'type-name' cannot be signed or unsigned
error: /usr/share/pocl/include/pocl_types.h:47:9 <Spelling=<built-in>:68:31>: cannot combine with previous 'type-name' declaration specifier
error: /usr/share/pocl/include/_kernel.h:196:1 <Spelling=/usr/share/pocl/include/_kernel.h:196:27>: invalid application of 'sizeof' to an incomplete type 'size_t' (aka 'struct error_undefined_type_long')
error: /usr/share/pocl/include/_kernel.h:197:1 <Spelling=/usr/share/pocl/include/_kernel.h:197:30>: invalid application of 'sizeof' to an incomplete type 'ptrdiff_t' (aka 'struct error_undefined_type_long')
error: /usr/share/pocl/include/_kernel.h:198:1 <Spelling=/usr/share/pocl/include/_kernel.h:198:29>: invalid application of 'sizeof' to an incomplete type 'intptr_t' (aka 'struct error_undefined_type_long')
error: /usr/share/pocl/include/_kernel.h:199:1 <Spelling=/usr/share/pocl/include/_kernel.h:199:30>: invalid application of 'sizeof' to an incomplete type 'uintptr_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:8:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:9:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:47:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:48:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:66:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
error: /home/xpra/.cache/pocl/kcache/temp_JY7FIw.cl:67:21: calling 'get_global_id' with incomplete return type 'size_t' (aka 'struct error_undefined_type_long')
(options: -I /usr/lib64/python2.7/site-packages/pyopencl/cl) (source saved as /tmp/tmptTPoZz.cl)
2016-04-20 16:15:51,968 Warning: webcam forwarding is disabled
2016-04-20 16:15:51,968 the virtual video directory '/sys/devices/virtual/video4linux' was not found
2016-04-20 16:15:51,968 make sure that the 'v4l2loopback' kernel module is installed and loaded
2016-04-20 16:15:51,968 found 0 virtual video devices
Warning: failed to import GStreamer:
GStreamer 1.0: No module named gi
GStreamer 0.10: No module named pygst
2016-04-20 16:15:52,463 Error: failed to query sound subsystem:
2016-04-20 16:15:52,463 query did not return any data
2016-04-20 16:15:52,466 D-Bus notification forwarding is available
2016-04-20 16:15:52,950 started command 'xterm' with pid 49
2016-04-20 16:15:52,951 xpra X11 version 0.17.0-r12447
2016-04-20 16:15:52,951 running with pid 1 on Linux Fedora 24 Rawhide
2016-04-20 16:15:52,951 on display :100
2016-04-20 16:15:53,349 xpra is ready.
2016-04-20 16:15:53,349 Error: lpinfo command failed to run
2016-04-20 16:15:53,350 [Errno 2] No such file or directory
2016-04-20 16:15:53,350 command used: '/usr/sbin/lpinfo --make-and-model Generic PDF Printer -m'
2016-04-20 16:15:53,770 Error: lpinfo command failed to run
2016-04-20 16:15:53,770 [Errno 2] No such file or directory
2016-04-20 16:15:53,770 command used: '/usr/sbin/lpinfo --make-and-model Generic PostScript Printer -m'
2016-04-20 16:15:53,771 Warning: no printer definitions found, cannot enable printing
2016-04-20 16:16:06,215 New tcp connection received from 10.2.8.0:46048
2016-04-20 16:16:06,236 challenge: ('2c672bb8bade41948a91b8c034b42713720d43d3d49c480a82ecb7d9663d6ffb', 'hmac')
2016-04-20 16:16:06,236 Authentication required by env authenticator module
2016-04-20 16:16:06,236 sending challenge for 'tf128' using hmac digest
2016-04-20 16:16:06,366 Handshake complete; enabling connection
2016-04-20 16:16:06,464 Python/Gtk2 Linux Ubuntu 14.04 trusty client version 0.15.10-r11439
2016-04-20 16:16:06,464 connected from 'c07060' as 'tf128' - 'Schridde Dennis'
2016-04-20 16:16:06,465 using vp9 as primary encoding also available:
2016-04-20 16:16:06,465 vp8, png, png/P, png/L, webp, rgb24, jpeg, rgb32
2016-04-20 16:16:06,468 client root window size is 1920x1080 with 1 display:
2016-04-20 16:16:06,468 :0.0 (508x285 mm - DPI: 96x96)
2016-04-20 16:16:06,468 DP2 (509x286 mm - DPI: 95x95)
2016-04-20 16:16:06,655 server virtual display now set to 1920x1080
2016-04-20 16:16:06,657 setting key repeat rate from client: 660ms delay / 40ms interval
2016-04-20 16:16:06,659 setting keymap: rules=evdev, model=pc104, layout=us,de
2016-04-20 16:16:06,741 keymapping removed invalid keycode entry 108 pointing to more than one modifier (set(['mod1', 'mod5'])): set([('Alt_R', 0), ('Meta_R', 1), ('ISO_Level3_Shift', 2)])
2016-04-20 16:16:06,775 DPI set to 23 x 25 (wanted 96 x 96)
2016-04-20 16:16:06,775 you may experience scaling problems, such as huge or small fonts, etc
2016-04-20 16:16:06,775 to fix this issue, try the dpi switch, or use a patched Xorg dummy driver
Client logs:
2016-04-20 18:16:05,863 xpra gtk2 client version 0.15.10 (r11439)
2016-04-20 18:16:06,117 OpenGL_accelerate module loaded
2016-04-20 18:16:06,117 PyOpenGL warning: missing array format handlers: numeric, vbo, vbooffset
2016-04-20 18:16:06,118 OpenGL Version: 3.0 Mesa 11.0.2
2016-04-20 18:16:06,118 Using accelerated ArrayDatatype
2016-04-20 18:16:06,158 keyboard layouts: us,de
2016-04-20 18:16:06,239 detected keyboard: rules=evdev, model=pc104, layout=us,de
2016-04-20 18:16:06,240 desktop size is 1920x1080 with 1 screen(s):
2016-04-20 18:16:06,240 ':0.0' (508x285 mm - DPI: 96x96)
2016-04-20 18:16:06,240 DP2 (509x286 mm - DPI: 95x95)
2016-04-20 18:16:06,756 server: Linux Fedora 24 Rawhide, Xpra version 0.17.0 (r12447)
2016-04-20 18:16:06,758 Attached to tcp:129.206.10.209:30000 (press Control-C to detach)
(1): https://github.com/urzds/xpra-docker/commit/b0ccff7833a9dab30b4f3f43176fa7fa53a36c7a
Can you please include the exact command lines used at both ends? It doesn't matter which client version I use, if the server has encryption enabled, the client is rejected unless it also specified encryption.
I was using this command line on the server:
exec xpra start :100 --exit-with-children --daemon=no --mdns=no --pulseaudio=no --log-dir=/tmp --socket-dir=/tmp --auth=env --encryption=AES --bind-tcp=0.0.0.0:$PORT --start-child="xterm"
This is the script that executes xpra: https://github.com/urzds/xpra-docker/blob/master/entrypoint.sh
The environment of the server contains XPRA_PASSWORD and XPRA_ENCRYPTION_KEY.
The client is started with:
env DISPLAY=:0 XPRA_PASSWORD=the-real-password XPRA_ENCRYPTION_KEY=any-value-works xpra attach tcp:$IP:$PORT
If this is for docker, I'm not convinced that you need any encryption at all if you're connecting over a loopback device: the encryption + decryption can be expensive and any attacker that can read your loopback traffic is already in control.
btw, if you're using xpra with docker, you may need to do a bit of work to get mmap working - but the performance improvements are huge.
replace --encryption=AES with --tcp-encryption=AES
Thanks for the info! I assumed from the description that --encryption enables encryption generally for all transports, while --tcp-encryption only enables it for TCP.
Would it maybe be more convenient to also enable encryption automatically if XPRA_ENCRYPTION_KEY (or XPRA_PASSWORD) is set?
If this is for docker, I'm not convinced that you need any encryption at all if you're connecting over a loopback device: the encryption + decryption can be expensive and any attacker that can read your loopback traffic is already in control.
The container runs as a Pod on a Kubernetes cluster and is exposed to the outside world using a Service.
btw, if you're using xpra with docker, you may need to do a bit of work to get mmap working - but the performance improvements are huge.
Thanks!
--mmap=yes|no
Enable or disable memory mapped pixel data transfer. By default it is normally enabled automatically if the server and the client reside on the same filesystem namespace. This method of data transfer offers much lower overheads and reduces both CPU consumption and local network traffic.
From this description I gather that it will not bring any improvements in my case, will it?
I am not familiar with Kubernetes, but if it resides on the same host, you can and should use mmap.
I am closing this ticket as invalid since no code changes are needed. I may try to clarify the documentation a bit.
I can confirm that after changing --encryption to --tcp-encryption, I am unable to connect with Xpra 0.15.
Since I am also unable to compile Xpra 0.17 on my Ubuntu 14.04 machine, I will now upgrade to Debian 9/Stretch and then try again...
FYI: compiling on Ubuntu 14.04 is possible, but leaves out so much functionality that it is not recommended (no h264, no opengl, ..).
I ran straight into some GTK header bug. Some typedef void (*GtkFooStuff)(); "is not a function declaration", or similar.
I ran straight into some GTK header bug
That's a known issue with the Debian headers, which you are likely to hit on other Ubuntu / Debian releases, for which you need to apply a patch before building: browser/xpra/tags/v0.17.x/debian/patches/no-strict-prototypes-gtkitemfactory.patch
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1180
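A pre-flight check for the mistake resolved in this ticket, as an added example that is not part of xpra or of the xpra-docker entrypoint: it flags an xpra start command line that binds TCP on a non-loopback address without --tcp-encryption. The function name audit_xpra_args and the choice to skip loopback binds are assumptions made for the example; the sample arguments are constructed from the command line quoted above.

```shell
#!/bin/sh
# audit_xpra_args (hypothetical helper): inspect the arguments of an
# "xpra start" command and report TCP listeners reachable from other hosts
# that do not set --tcp-encryption, the situation described in this ticket.
# Returns 0 when nothing is flagged, 1 otherwise (reason goes to stderr).
audit_xpra_args() {
    exposed=""    # non-loopback --bind-tcp values seen
    tcp_enc=""    # value of --tcp-encryption, if any
    enc=""        # value of --encryption, if any
    for arg in "$@"; do
        case "$arg" in
            # Assumption: loopback-only listeners are not flagged.
            --bind-tcp=127.*|--bind-tcp=localhost:*) ;;
            --bind-tcp=*)       exposed="$exposed ${arg#--bind-tcp=}" ;;
            --tcp-encryption=*) tcp_enc="${arg#--tcp-encryption=}" ;;
            --encryption=*)     enc="${arg#--encryption=}" ;;
        esac
    done
    # No exposed TCP listener, or TCP encryption requested: nothing to report.
    if [ -z "$exposed" ] || [ -n "$tcp_enc" ]; then
        return 0
    fi
    if [ -n "$enc" ]; then
        # The exact case from the ticket: --encryption was set, yet a client
        # that did not request encryption could still attach over TCP.
        echo "TCP listener$exposed: --encryption=$enc alone let an unencrypted client attach in this ticket; use --tcp-encryption=$enc" >&2
    else
        echo "TCP listener$exposed: no --tcp-encryption set" >&2
    fi
    return 1
}

# Constructed sample: the server arguments from the ticket, port filled in.
audit_xpra_args start :100 --auth=env --encryption=AES \
    --bind-tcp=0.0.0.0:30000 --start-child=xterm \
    || echo "refusing to start: fix the xpra command line"
```

Calling the function at the top of an entrypoint script, before the exec line, turns the silent fallback seen in this ticket into a startup failure.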