From 043f014e9cfd2b68ffc10e844b853b095e917bbc Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Sun, 9 Mar 2025 18:03:39 -0400 Subject: [PATCH 1/2] Nuke sommelier entirely --- deps/compositor-sandbox/Containerfile | 45 ++++++++++----------------- deps/compositor-sandbox/entrypoint.sh | 14 ++++----- deps/sommelier/Containerfile | 39 ----------------------- deps/sommelier/entrypoint.sh | 36 --------------------- dobu-run.sh | 5 ++- 5 files changed, 24 insertions(+), 115 deletions(-) delete mode 100644 deps/sommelier/Containerfile delete mode 100755 deps/sommelier/entrypoint.sh diff --git a/deps/compositor-sandbox/Containerfile b/deps/compositor-sandbox/Containerfile index 2442bbb..6255ee1 100644 --- a/deps/compositor-sandbox/Containerfile +++ b/deps/compositor-sandbox/Containerfile 
@@ -1,58 +1,45 @@ ARG WL_MITM_COMMIT=cf723891cbb72078ee19c40908104b2837e88f9d -ARG SOMMELIER_COMMIT=984b27ad47ee08178a3128d5c7e96eb109fe09da +ARG XWAYLAND_SATELLITE_COMMIT=10cb041a80bb815cc1789cfa305923f1f9e3713d -FROM docker.io/archlinux:base-devel-20250302.0.316047 AS builder-wl-mitm -ARG WL_MITM_COMMIT +FROM docker.io/archlinux:base-devel-20250302.0.316047 AS builder-rust RUN pacman-key --init && pacman -Sy --noconfirm archlinux-keyring RUN pacman -Syu --noconfirm \ - && pacman -S --noconfirm git rustup \ + && pacman -S --noconfirm git rustup xorg-xwayland wayland libdrm pixman mesa \ + libxcb libxkbcommon-x11 xcb-util-cursor clang \ && rustup default nightly \ && rustup update +ARG WL_MITM_COMMIT RUN mkdir /build && cd /build \ && git clone https://gitea.angry.im/PeterCxy/wl-mitm \ && cd wl-mitm \ - && git checkout $SOMMELIER_COMMIT + && git checkout $WL_MITM_COMMIT RUN cd /build/wl-mitm && ./generate.sh && cargo build --release -FROM docker.io/archlinux:base-devel-20250302.0.316047 AS builder-sommelier -ARG SOMMELIER_COMMIT +ARG XWAYLAND_SATELLITE_COMMIT +RUN cd /build \ + && git clone https://github.com/Supreeeme/xwayland-satellite \ + && cd xwayland-satellite \ + && git checkout $XWAYLAND_SATELLITE_COMMIT -RUN pacman-key --init && pacman -Sy --noconfirm archlinux-keyring - -RUN pacman -Syu --noconfirm \ - && pacman -S --noconfirm git meson ninja python python-jinja \ - xorg-xwayland wayland libdrm pixman mesa \ - libxcb libxkbcommon-x11 - -RUN mkdir /build && cd /build \ - && git clone https://chromium.googlesource.com/chromiumos/platform2 \ - && cd platform2 \ - && git checkout $SOMMELIER_COMMIT - -RUN cd /build/platform2/vm_tools/sommelier \ - && sed -i 's/args\[i++\] = "-rootless";/args[i++] = "-rootless"; args[i++] = "-extension"; args[i++] = "MIT-SHM";/' sommelier.cc \ - && sed -i 's/bool noop_driver = false;/bool noop_driver = true;/' sommelier.cc \ - && meson build -Dwith_tests=false && ninja -C build +RUN cd /build/xwayland-satellite && cargo build 
--release # Build from ../base-archlinux FROM dobu/deps-base-archlinux:latest RUN pacman -Syu --noconfirm \ - && pacman -S --noconfirm xorg-xwayland pixman libnotify + && pacman -S --noconfirm xorg-xwayland pixman libnotify libxcb libxkbcommon-x11 xcb-util-cursor -COPY --from=builder-wl-mitm /build/wl-mitm/target/release/wl-mitm /usr/bin/ -COPY --from=builder-wl-mitm /build/wl-mitm/contrib/notify-libnotify.sh /usr/bin/ -COPY --from=builder-sommelier /build/platform2/vm_tools/sommelier/build/sommelier /usr/bin/ +COPY --from=builder-rust /build/wl-mitm/target/release/wl-mitm /usr/bin/ +COPY --from=builder-rust /build/wl-mitm/contrib/notify-libnotify.sh /usr/bin/ +COPY --from=builder-rust /build/xwayland-satellite/target/release/xwayland-satellite /usr/bin/ COPY ./entrypoint.sh / USER user -ENV WM_RENDER_NODE=/dev/dri/renderD128 - # These paths MUST be bind-mounted from host VOLUME /xdg_runtime VOLUME /tmp/.X11-unix diff --git a/deps/compositor-sandbox/entrypoint.sh b/deps/compositor-sandbox/entrypoint.sh index 2fca816..7658fc1 100755 --- a/deps/compositor-sandbox/entrypoint.sh +++ b/deps/compositor-sandbox/entrypoint.sh @@ -15,12 +15,10 @@ if [ ! -S /xdg_runtime/wayland-10 ]; then exit 1 fi -# X Sommelier (will listen on :1) -echo "Starting X11 Sommelier" -sommelier --display=wayland-10 --xwayland-path=/usr/bin/Xwayland \ - -X --glamor --x-display=1 --xwayland-gl-driver-path=/usr/lib/dri \ - --force-drm-device=$WM_RENDER_NODE --direct-scale --noop-driver sleep infinity & -SOMMELIER_X=$! +# XWayland Satellite (will listen on :1) +echo "Starting XWayland Satellite" +XDG_RUNTIME_DIR=/xdg_runtime WAYLAND_DISPLAY=wayland-10 xwayland-satellite :1 & +XWAYLAND_SATELLITE=$! for i in $(seq 1 5); do [ -S /tmp/.X11-unix/X1 ] && break @@ -28,9 +26,9 @@ for i in $(seq 1 5); do done if [ ! -S /tmp/.X11-unix/X1 ]; then - echo "X Sommelier did not start" + echo "XWayland Satellite did not start" exit 1 fi -wait $SOMMELIER_X +wait $XWAYLAND_SATELLITE wait $WL_MITM 
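Review bot: The new `RUN cd /build/xwayland-satellite && cargo build --release` in the builder-rust stage (and the existing wl-mitm one above it) resolves crate dependencies at build time without `--locked`, so pinning `XWAYLAND_SATELLITE_COMMIT` only fixes the top-level source tree, not the dependency graph that ends up in the binary copied to /usr/bin. Assuming upstream ships a Cargo.lock, `cargo build --release --locked` makes the build fail loudly if the lockfile is missing or stale instead of silently drifting between two builds of the same commit. The toolchain is still `rustup default nightly && rustup update`, so reproducibility stays best-effort until that is pinned as well; worth a comment on the `ARG` line saying which of the two inputs is actually fixed.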
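Review bot: The readiness loop following the new `XDG_RUNTIME_DIR=/xdg_runtime WAYLAND_DISPLAY=wayland-10 xwayland-satellite :1 &` line only polls for `/tmp/.X11-unix/X1`, so if the process exits immediately (for example because it cannot reach wayland-10) the script still sleeps through all five iterations before printing "XWayland Satellite did not start", and the real exit status is never reported. Adding `kill -0 "$XWAYLAND_SATELLITE" 2>/dev/null || break` next to the socket check makes a crash abort the wait at once, and the `wait $XWAYLAND_SATELLITE` in the following hunk is the place to log its status before continuing. The `for` loop's `sleep` and `done` lie between this hunk and the next.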
diff --git a/deps/sommelier/Containerfile b/deps/sommelier/Containerfile deleted file mode 100644 index 67d1dcd..0000000 --- a/deps/sommelier/Containerfile +++ /dev/null @@ -1,39 +0,0 @@ -FROM docker.io/archlinux:base-devel-20250209.0.306557 AS builder - -ARG SOMMELIER_COMMIT=984b27ad47ee08178a3128d5c7e96eb109fe09da - -RUN pacman-key --init && pacman -Sy --noconfirm archlinux-keyring - -RUN pacman -Syu --noconfirm \ - && pacman -S --noconfirm git meson ninja python python-jinja \ - xorg-xwayland wayland libdrm pixman mesa \ - libxcb libxkbcommon-x11 - -RUN mkdir /build && cd /build \ - && git clone https://chromium.googlesource.com/chromiumos/platform2 \ - && cd platform2 \ - && git checkout $SOMMELIER_COMMIT - -RUN cd /build/platform2/vm_tools/sommelier \ - && sed -i 's/args\[i++\] = "-rootless";/args[i++] = "-rootless"; args[i++] = "-extension"; args[i++] = "MIT-SHM";/' sommelier.cc \ - && sed -i 's/bool noop_driver = false;/bool noop_driver = true;/' sommelier.cc \ - && meson build -Dwith_tests=false && ninja -C build - -# Build from ../base-archlinux -FROM dobu/deps-base-archlinux:latest - -RUN pacman -Syu --noconfirm \ - && pacman -S --noconfirm xorg-xwayland pixman - -COPY --from=builder /build/platform2/vm_tools/sommelier/build/sommelier /usr/bin/ -COPY ./entrypoint.sh / - -USER user - -ENV WM_RENDER_NODE=/dev/dri/renderD128 - -# These paths MUST be bind-mounted from host -VOLUME /xdg_runtime -VOLUME /tmp/.X11-unix - -ENTRYPOINT [ "/entrypoint.sh" ] diff --git a/deps/sommelier/entrypoint.sh b/deps/sommelier/entrypoint.sh deleted file mode 100755 index 3ef7e33..0000000 --- a/deps/sommelier/entrypoint.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/usr/bin/env bash - -# X Sommelier (will listen on :1) -echo "Starting X11 Sommelier" -sommelier --display=wayland-0 --xwayland-path=/usr/bin/Xwayland \ - -X --glamor --x-display=1 --xwayland-gl-driver-path=/usr/lib/dri \ - --force-drm-device=$WM_RENDER_NODE --direct-scale --noop-driver sleep infinity & -SOMMELIER_X=$! - -for i in $(seq 1 5); do - [ -S /tmp/.X11-unix/X1 ] && break - sleep 1 -done - -if [ ! -S /tmp/.X11-unix/X1 ]; then - echo "X Sommelier did not start" - exit 1 -fi - -# Wayland Sommelier (will listen on wayland-1) -echo "Starting Wayland Parent Sommelier" -sommelier --display=wayland-0 --socket=wayland-1 --force-drm-device=$WM_RENDER_NODE --noop-driver --parent & -SOMMELIER_WL=$! - -for i in $(seq 1 5); do - [ -S /xdg_runtime/wayland-1 ] && break - sleep 1 -done - -if [ ! -S /xdg_runtime/wayland-1 ]; then - echo "Wayland Sommelier did not start" - exit 1 -fi - -wait $SOMMELIER_X -wait $SOMMELIER_WL diff --git a/dobu-run.sh b/dobu-run.sh index 90ea61e..29cee05 100755 --- a/dobu-run.sh +++ b/dobu-run.sh @@ -110,16 +110,15 @@ if [[ "$(declare -p ${bind_mount_var_name} 2>&1)" =~ "declare -a" ]]; then fi # The fun part: start the container! -# Don't detach like we did with Sommelier, though podman run --rm "${podman_security_args[@]}" --name "$container_name" \ `# Create tmpfs mountpoints for runtime directories` \ --mount type=tmpfs,destination=/xdg_runtime,chown,tmpfs-mode=0700 \ --mount type=tmpfs,destination=/tmp/.X11-unix,chown,tmpfs-mode=0700 \ - `# Pass through Sommelier Wayland socket` \ + `# Pass through wl-mitm socket` \ `# Note that XDG_RUNTIME_DIR is already set in the image` \ -v "${WAYLAND_SRC}":/xdg_runtime/wayland-0 \ -e WAYLAND_DISPLAY=wayland-0 \ - `# Pass through Sommelier X11 socket` \ + `# Pass through XWayland Satellite socket` \ -v "${XORG_SRC}":/tmp/.X11-unix/X0 \ -e DISPLAY=:0 \ `# DRM render nodes` \ From 82a0dc47e358edd88c8f5b92442b6cc37196e0c2 Mon Sep 17 00:00:00 2001 
From: Peter Cai Date: Sun, 9 Mar 2025 18:10:28 -0400 Subject: [PATCH 2/2] Only expose xwayland-satellite when absolutely needed --- apps/steam/Containerfile | 3 +++ dobu-run.sh | 14 +++++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/apps/steam/Containerfile b/apps/steam/Containerfile index 1763985..614bf19 100644 --- a/apps/steam/Containerfile +++ b/apps/steam/Containerfile @@ -15,4 +15,7 @@ LABEL net.typeblog.dobu.desktop_file_path="/usr/share/applications/steam.desktop # Don't use it if you don't trust their sandboxing (pressure-vessel). LABEL net.typeblog.dobu.unsafe_i_know_what_i_am_doing_allow_namespaces="true" +# We also need X11 +LABEL net.typeblog.dobu.x11_required="true" + ENTRYPOINT [ "/usr/games/steam" ] diff --git a/dobu-run.sh b/dobu-run.sh index 29cee05..5aca253 100755 --- a/dobu-run.sh +++ b/dobu-run.sh @@ -34,6 +34,12 @@ if [ "$(get_image_label "$image_name" net.typeblog.dobu.unsafe_i_know_what_i_am_ update_podman_security_args "seccomp_unsafe.json" fi +x11_required=false + +if [ "$(get_image_label "$image_name" net.typeblog.dobu.x11_required)" == "true" ]; then + x11_required=true +fi + if [[ -n $PULSE_SERVER ]]; then # remove prefix host_pulse=${PULSE_SERVER#unix:} else # default guess @@ -79,6 +85,11 @@ mkdir -p "$home_path/.local/share" extra_args="" +# If X11 is required, expose XWayland via xwayland-satellite +if $x11_required; then + extra_args="$extra_args -v ${XORG_SRC}:/tmp/.X11-unix/X0 -e DISPLAY=:0" +fi + # Expose Pipewire socket if it exists if [ -S "$XDG_RUNTIME_DIR/pipewire-0" ]; then extra_args="$extra_args -v $XDG_RUNTIME_DIR/pipewire-0:/xdg_runtime/pipewire-0" 
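Review bot: The new `extra_args="$extra_args -v ${XORG_SRC}:/tmp/.X11-unix/X0 -e DISPLAY=:0"` flattens the socket path into a whitespace-split string, whereas the podman line it replaces (`-v "${XORG_SRC}":/tmp/.X11-unix/X0`) was quoted, so an `XORG_SRC` containing spaces or glob characters is split or expanded when `$extra_args` is later handed to podman. Collecting the options in an array, `extra_args+=(-v "${XORG_SRC}:/tmp/.X11-unix/X0" -e DISPLAY=:0)`, and expanding `"${extra_args[@]}"` at the consumer (outside this hunk) keeps the original quoting; the pipewire line below has the same shape. The comment above the `if` should also state that every image carrying `net.typeblog.dobu.x11_required` is attached to the same Xwayland socket, and since X11 presumably gives its clients no isolation from one another, containers that opt in can observe each other's windows and input even though the Wayland path keeps them apart. `if $x11_required; then` executes the variable's value as a command; `if [[ "$x11_required" == true ]]; then` states the intent and matches the `[[` already used in this file.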
@@ -118,9 +129,6 @@ podman run --rm "${podman_security_args[@]}" --name "$container_name" \ `# Note that XDG_RUNTIME_DIR is already set in the image` \ -v "${WAYLAND_SRC}":/xdg_runtime/wayland-0 \ -e WAYLAND_DISPLAY=wayland-0 \ - `# Pass through XWayland Satellite socket` \ - -v "${XORG_SRC}":/tmp/.X11-unix/X0 \ - -e DISPLAY=:0 \ `# DRM render nodes` \ -v /dev/dri:/dev/dri \ `# Pass through PulseAudio` \