LXD Based Container For Desktop Applications - Some Success - Help (need more)

[DuckHook]

Thanks for the links. Will definitely look into them.

I understand LXD's potential. But at the moment, it is still the province of the gurus and not ready for general desktop use. I suppose that it will only get there if enough people like me take up the challenge of bringing it to the masses, but that is one big challenge.

I appreciate your input. Will try to work up the courage, energy and enthusiasm to tackle eating this elephant.

[DuckHook]

@bmullan2

You clever, wonderful rascal…

Your own post in that reddit thread made audio work for me: https://www.reddit.com/r/LXD/comment...lxc_container/

Combined with the process in #4 above: https://ubuntuforums.org/showthread....1#post13600531

…and the result is both audio and video from my containerized FF.

Thanks for the breakthrough. You've just made my week!

**EDIT**

Unfortunately, procedure described above does not actually work and I jumped the gun in thinking it solved. The mistake arose because I already had FF running in my host and then forget to invoke the contained FF with the -no-remote flag. Without the -no-remote flag, FF will just launch another host-based FF session. Once I used -no-remote, the containerized FF was still missing sound.

Will continue to tinker.

[redger]

woohoo .. breakthrough. From LXD V2.7 it's possible ... see the following link (available via email from Simos on LXC mailing list, updated email 04/05/17 09:04)
https://blog.simos.info/how-to-run-g...buntu-desktop/

I am currently unable to test as I am running "stock" Xenial / 16.04 so LXD still at V 2.0.9 .... but Backports is up to 2.12 (higher than 2.7) ... does anyone have the higher version - able to test ?

[KillerKelvUK]

Hey redger, yup this worked for me albeit I had no .Xauthority file so had to symlink one from /run/user/1000/gdm/Xauthority.

Code:

:~$ lxc list
+---------+---------+----------------------+------+------------+-----------+
|  NAME   |  STATE  |         IPV4         | IPV6 |    TYPE    | SNAPSHOTS |
+---------+---------+----------------------+------+------------+-----------+
| guiapps | RUNNING | 192.168.1.203 (eth0) |      | PERSISTENT | 0         |
+---------+---------+----------------------+------+------------+-----------+

:~$ lxc exec guiapps -- sudo --login --user ubuntu

ubuntu@guiapps:~$ export DISPLAY=:0

ubuntu@guiapps:~$ glxinfo -B
name of display: :0
display: :0  screen: 0
direct rendering: Yes
Extended renderer info (GLX_MESA_query_renderer):
    Vendor: Intel Open Source Technology Center (0x8086)
    Device: Mesa DRI Intel(R) Haswell Desktop  (0x412)
    Version: 12.0.6
    Accelerated: yes
    Video memory: 1536MB
    Unified memory: yes
    Preferred profile: core (0x1)
    Max core profile version: 3.3
    Max compat profile version: 3.0
    Max GLES1 profile version: 1.1
    Max GLES[23] profile version: 3.0
OpenGL vendor string: Intel Open Source Technology Center
OpenGL renderer string: Mesa DRI Intel(R) Haswell Desktop 
OpenGL core profile version string: 3.3 (Core Profile) Mesa 12.0.6
OpenGL core profile shading language version string: 3.30
OpenGL core profile context flags: (none)
OpenGL core profile profile mask: core profile
OpenGL version string: 3.0 Mesa 12.0.6
OpenGL shading language version string: 1.30
OpenGL context flags: (none)
OpenGL ES prpfile version string: OpenGL ES 3.0 Mesa 12.0.6
OpenGL ES profile shading language version string: OpenGL ES GLSL ES 3.00

ubuntu@guiapps:~$ glxgears 
Running synchronized to the vertical refresh.  The framerate should be
approximately the same as the monitor refresh rate.
310 frames in 5.0 seconds = 61.929 FPS
301 frames in 5.0 seconds = 60.001 FPS

ubuntu@guiapps:~$ uname -a
Linux guiapps 4.10.0-20-generic #22-Ubuntu SMP Thu Apr 20 09:22:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

ubuntu@guiapps:~$ lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:    16.04
Codename:    xenial

My host is...

Code:

:~$ uname -a
Linux blackserver 4.10.0-20-generic #22-Ubuntu SMP Thu Apr 20 09:22:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

:~$ lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 17.04
Release:    17.04
Codename:    zesty

[redger]

Fantastic, thx Kelv
PS long time no see ..... glad to see you're also on the LXC / LXD bandwagon as well as KVM ... they complement one another nicely

Did you install the newer version of LXD from a PPA or from Backports ? Has it been stable for you (don't want to mess my main server up)
thanks again

[KillerKelvUK]

You know I think the last time we chatted you were getting the rest of us to test out new solutions for you

Yeah started taking a look and dabbling a few months back, always looking for ways to improve and optimise, its bloody quick I know that...beats KVM guest setup times easily!!

No all stock 17.04, I keep my host as clean as possible even tho its not production I'm still a little OCD with it :-/ . But I haven't spent much time testing yet so I can't really comment on stability and I haven't tested the audio routing yet either. However I've plenty of time on my hands at the moment so will dig into this more tomorrow.

[redger]

Mate, I don't know what I'd do without you

I remain on 16.04 for stability and it's generally working well.

LXC/LXD is really useful where you want additional "control" and a bit more security. I run the following containers permanently and have done for the last 3 years -
- Mythtv server - records TV and cuts advertisements etc. Useful to be able to restart, upgrade etc.and confine processing
- Every day browsing. Includes desktop integration and VPN
- Other browsing. Via X2Go with VPN
- Downloads. With VPN
- Programming. Nicely confined (in case I write a hard loop or heavy duty machine learning etc) via X2GO
plus various other special purpose containers which i start when needed.

It's convenient to be able to easily constrain resource allocation and maintain host stability with heavier processing tasks. Also convenient to be able to run multiple different VPNs simultaneously

I confine all containers to processors 1-3, leaving processor 0 available for the host.

For "real" security and separation I use KVM (and currently for GPU passthough) .... but there are no permanently running KVM machines, they're all started and stopped as required - unlike containers ... because containers are so light-weight / low processing overhead (in relative terms).
Anyway ... give them a go - you might like them

[KillerKelvUK]

I only have the one kvm guest running 24x7 the rest are spun up as needed but that one 24x7 machine could transition into a container although my reading says one application per container as best practice which just doesn't make practical sense for my needs. Regardless I need to spend more time learning so its a good pass time. Have you looked into qubes (https://www.qubes-os.org/) before?

[TheFu]

I've looked at Qubes. Last week, they reported a huge security issue with their Xen implementation that allowed one PV to have access to all the memory on the system, including the host. They are frustrated with the Xen project. Let me see if I can find that CVE post somewhere.
BTW, I ran Xen for 3 yrs in production with PVs. A few times a year, there were major issues - like refusing to boot any PV. Happened after kernel updates and never when it was convenient. Always had to roll-back to an older kernel for 1-2 weeks which entailed modifying the VM XML files running on the machine.

https://www.theregister.co.uk/2017/05/03/xen_bugs/ is the original story I caught.
https://www.qubes-os.org/security/bulletins/ have the related bugs #29/#30.

I'm still using KVM/QEMU here. It isn't perfect, but nothing is. It has issues too:
https://www.cvedetails.com/vulnerabi...7506/Qemu.html

[KillerKelvUK]

Actually I think it was your post Fu on another thread that introduced me to qubes. I've only used Xen minimally as an application vendors preferred virt choice in their appliances so my background is pretty much just KVM/QEMU, but like you say nothing is completely secure, defence in depth needed for sure!