Per-container compositor sandbox

dobu-run.sh

@@ -6,7 +6,8 @@ assert_prerequisites
 
 [ -z "$1" ] && die "Expecting 1 argument"
 
-image_name="$(relative_path_to_image_name "apps/$1")"
+app_name="$1"
+image_name="$(relative_path_to_image_name "apps/$app_name")"
 # image_name is of the form dobu/xxxx, while for containers we want dobu-xxx
 container_name="${image_name/\//-}"
 home_path="$HOMEDIR_STORAGE/$1"
@@ -55,9 +56,9 @@ if is_in_array "$1" "${DISPLAY_SERVER_APP_ALLOWLIST[@]}"; then
   fi
 else
   # Make sure we have compositor-sandbox running first
-  ensure_compositor_sandbox
-  WAYLAND_SRC="$DOBU_TMP/xdg_runtime/wayland-10"
-  XORG_SRC="$DOBU_TMP/X11-unix/X1"
+  ensure_compositor_sandbox "$app_name"
+  WAYLAND_SRC="$DOBU_TMP/$app_name/xdg_runtime/wayland-10"
+  XORG_SRC="$DOBU_TMP/$app_name/X11-unix/X1"
 fi
 
 # Prepare $HOME for the container

functions.sh

@@ -91,37 +91,40 @@ container_entrypoint() {
 }
 
 ensure_compositor_sandbox() {
+  local app_name="$1"
+  local sandbox_name=dobu-deps-compositor-sandbox-$app_name
+  local sandbox_tmp="$DOBU_TMP/$app_name"
   assert_image_exists dobu/deps-compositor-sandbox
-  remove_stale_container dobu-deps-compositor-sandbox
-  if container_exists dobu-deps-compositor-sandbox; then
-    existing_config_sha="$(sha1sum "$DOBU_TMP/wl-mitm-config.toml" | awk '{ print $1; }')"
+  remove_stale_container $sandbox_name
+  if container_exists $sandbox_name; then
+    existing_config_sha="$(sha1sum "$sandbox_tmp/wl-mitm-config.toml" | awk '{ print $1; }')"
     new_config_sha="$(sha1sum "$script_path/assets/wl-mitm-config.toml" | awk '{ print $1; }')"
-    [ -S "$DOBU_TMP/X11-unix/X1" ] && [ -S "$DOBU_TMP/xdg_runtime/wayland-10" ] && [ "$existing_config_sha" == "$new_config_sha" ] && return
+    [ -S "$sandbox_tmp/X11-unix/X1" ] && [ -S "$sandbox_tmp/xdg_runtime/wayland-10" ] && [ "$existing_config_sha" == "$new_config_sha" ] && return
     log "Killing non-functional compositor-sandbox container"
-    podman kill dobu-deps-compositor-sandbox
-    podman rm -f dobu-deps-compositor-sandbox
+    podman kill $sandbox_name
+    podman rm -f $sandbox_name
   fi
 
-  rm -rf "$DOBU_TMP/xdg_runtime" || true
-  rm -rf "$DOBU_TMP/X11-unix" || true
-  mkdir -p "$DOBU_TMP/xdg_runtime"
-  mkdir -p "$DOBU_TMP/X11-unix"
-  cp "$script_path/assets/wl-mitm-config.toml" "$DOBU_TMP/wl-mitm-config.toml"
+  rm -rf "$sandbox_tmp/xdg_runtime" || true
+  rm -rf "$sandbox_tmp/X11-unix" || true
+  mkdir -p "$sandbox_tmp/xdg_runtime"
+  mkdir -p "$sandbox_tmp/X11-unix"
+  cp "$script_path/assets/wl-mitm-config.toml" "$sandbox_tmp/wl-mitm-config.toml"
 
   log "Starting compositor-sandbox (wl-mitm for Wayland and X Sommelier for X11)..."
 
-  podman run --rm -d "${podman_security_args[@]}" --name dobu-deps-compositor-sandbox \
-    -v "$DOBU_TMP/xdg_runtime":/xdg_runtime \
+  podman run --rm -d "${podman_security_args[@]}" --name $sandbox_name \
+    -v "$sandbox_tmp/xdg_runtime":/xdg_runtime \
     `# wl-mitm config` \
-    -v "$DOBU_TMP/wl-mitm-config.toml":/tmp/wl-mitm-config.toml \
+    -v "$sandbox_tmp/wl-mitm-config.toml":/tmp/wl-mitm-config.toml \
     `# Pass through host wayland display for Sommelier always as wayland-0` \
     -v "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY":/xdg_runtime/wayland-0 \
     `# X11-unix uses hard-coded path` \
-    -v "$DOBU_TMP/X11-unix":/tmp/.X11-unix \
+    -v "$sandbox_tmp/X11-unix":/tmp/.X11-unix \
     `# DRM render nodes` \
     -v /dev/dri:/dev/dri \
     dobu/deps-compositor-sandbox
-  while [ ! -S "$DOBU_TMP/xdg_runtime/wayland-10" ] || [ ! -S "$DOBU_TMP/X11-unix/X1" ]; do
+  while [ ! -S "$sandbox_tmp/xdg_runtime/wayland-10" ] || [ ! -S "$sandbox_tmp/X11-unix/X1" ]; do
     sleep 0.5
   done
 }