View Issue Details

ID: 0002599
Project: OpenFOAM
Category: Feature
View Status: public
Last Update: 2017-07-31 12:26
Reporter: jml
Assigned To: chris
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform: Dell R620 / R630
OS: CentOS
OS Version: 7.x
Summary: 0002599: Docker instance accessed via 'ssh -X' from another machine does not allow X forwarding
Description:
I'm logged on to a Linux PC, then I ssh -X (or -Y) to a remote host. The $DISPLAY is localhost:10.0; if I start any X11 application, the windows are displayed on my PC's X server with no problem.
But when I start the docker with openfoam4-linux and try to launch paraFoam we get: paraview: cannot connect to X server localhost:10.0
For us it seems to be an X authentication problem, maybe xauth is missing, I don't know. It's a big problem, as we can't run paraFoam when we are remotely connected. We have extensively searched on the web, but haven't found any working solution.
Thanks in advance
Best Regards,
JM
Steps To Reproduce:
ssh -X (or -Y) user@remotehost
openfoam4-linux
OpenFOAM-4.1(28) cd run/pitzDaily
paraFoam
==> paraview: cannot connect to X server localhost:10.0
Tags: No tags attached.

Relationships

related to 0002553 (closed, chris): Cannot run paraFoam using Docker

Activities

wyldckat

2017-07-04 00:41

updater   ~0008326

I've gotten too curious about this issue and I didn't want to let this stay unsolved as it was on #2553, especially when in this current report, both local and remote machines are running a Linux Distribution.

After some Googling, I eventually ended up on this answer: https://stackoverflow.com/a/24497915

After several tries and trying to figure it out, I've finally found a solution, although I'm not entirely certain if this is safe or not from a security point of view, because the option "--net=host" is being used and the Docker manual states that this option is:

   use the Docker host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.

Attached is a modified script named "openfoam4-linux-mod_v1".
@jml: If possible, please try using this script, by following these steps:

 1. Place the downloaded file at the folder that "openfoam4-linux" usually suggests, namely the path indicated by this command:

      echo ${HOME}/OpenFOAM/${USER}-4.1

 2. Assign executable permissions by running from within that folder:

      chmod +x openfoam4-linux-mod_v1

 3. Then run the script to start the contained OpenFOAM installation:

      ./openfoam4-linux-mod_v1


 4. If all goes well, try running:

      paraview


Please let us know if this works or not for you. I tested this in an unconventional way, namely I used "ssh -X" from within a virtual machine to log into the real machine and then start the container with the aforementioned scripts... so I know this works for me, but I haven't tested in other environments.


For documentation purposes, the script "openfoam4-linux-mod_v1" will:

  1. Create a modified 'xauthority' file that allows any host-name for the X11 forwarding, so that it's easier to have it tunnelled over SSH.

  2. Start the container with the additional options for this x-authority hack to be used, namely by passing the created/temporary x-authority file and using "--net=host".
openfoam4-linux-mod_v1 (3,807 bytes)   
#!/bin/sh
#------------------------------------------------------------------------------
# =========                 |
# \\      /  F ield         | OpenFOAM: The Open Source CFD Toolbox
#  \\    /   O peration     |
#   \\  /    A nd           | Copyright (C) 2017 OpenFOAM Foundation
#    \\/     M anipulation  |
#-------------------------------------------------------------------------------
# License
#     This program is free software: you can redistribute it and/or modify it
#     under the terms of the GNU General Public License as published by
#     the Free Software Foundation, either version 3 of the License, or
#     (at your option) any later version.
#
#     This program is distributed in the hope that it will be useful, but
#     WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
#     or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
#     for more details.
#
#     You should have received a copy of the GNU General Public License
#     along with OpenFOAM.  If not, see <http://www.gnu.org/licenses/>.
#
# Script
#     openfoam4-linux
#
# Description
#     Run script for an OpenFOAM 4 Docker image at:
#     https://hub.docker.com/r/openfoam
#
#------------------------------------------------------------------------------
Script=${0##*/}
VER=4.1

usage () {
    exec 1>&2
    while [ "$#" -ge 1 ]; do echo "$1"; shift; done
    cat <<USAGE

Usage: ${0##*/} [OPTIONS]
options:
  -d | -dir            host directory mounted (defaults to current directory)
  -h | -help           help

Launches the OpenFOAM ${VER} Docker image.
- Requires installation of docker-engine.
- Runs a "containerized" bash shell environment where the user can run OpenFOAM
  and, optionally, ParaView (see below).
- The container mounts the user's file system so that case files are stored
  permanently.  The container mounts the current directory by default, but the
  user can also specify a particular directory using the "-d" option.
- Mounting the user's HOME directory is disallowed.

Example:
To store data in ${HOME}/OpenFOAM/${USER}-${VER}, the user can launch
${Script} either by:
    cd ${HOME}/OpenFOAM/${USER}-${VER} && ${Script}
or
    ${Script} -d ${HOME}/OpenFOAM/${USER}-${VER}

Further Information:
http://openfoam.org/download/4-1-linux

Note:
The container user name appears as "openfoam" but it is just an alias.

USAGE
    exit 1
}

DOCKER_IMAGE='openfoam/openfoam4-paraview50'
MOUNT_DIR=$(pwd)

while [ "$#" -gt 0 ]
do
   case "$1" in
   -d | -dir)
      [ "$#" -ge 2 ] || usage "'$1' option requires an argument"
      MOUNT_DIR=$2
      shift 2
      ;;
   -h | -help)
      usage
      ;;
   -*)
      usage "Invalid option '$1'"
      ;;
   *)
      break
      ;;
    esac
done

[ -d "$MOUNT_DIR" ] && \
    MOUNT_DIR=$(cd "$MOUNT_DIR" && pwd -P) || \
    usage "No directory exists: $MOUNT_DIR"

[ "$MOUNT_DIR" = "$(cd "$HOME" && pwd -P)" ] && \
    usage "Mount directory cannot be the user's home directory" \
          "Make a subdirectory and run from there, e.g." \
          "    mkdir -p ${HOME}/OpenFOAM/$(whoami)-${VER}" \
          "    ${Script} -d ${HOME}/OpenFOAM/$(whoami)-${VER}"

USER_ID=$(id -u 2> /dev/null)
[ -n "$USER_ID" ] && GROUP_ID=$(id -g) || usage "Cannot determine current user ID"

HOME_DIR='/home/openfoam'

echo "Launching $0"
echo "User: \"$(id -un)\" (ID $USER_ID, group ID $GROUP_ID)"

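# Temporary X-authority file, created inside the mounted directory
XAUTH_PATH="$MOUNT_DIR/.docker.xauth.$$"

# Copy the cookie for the current display, replacing the family field with
# ffff so that the entry matches any host name
xauth nlist "$DISPLAY" | sed -e 's/^..../ffff/' | xauth -f "$XAUTH_PATH" nmerge -

docker run -it \
    --rm \
    -e DISPLAY="$DISPLAY" \
    -u "$USER_ID:$GROUP_ID" \
    -e XAUTHORITY="$XAUTH_PATH" \
    -v "$XAUTH_PATH:$XAUTH_PATH" \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    -v "$MOUNT_DIR:$HOME_DIR" \
    --net=host \
    "$DOCKER_IMAGE"

# Remove the temporary X-authority file once the container exits
[ -e "$XAUTH_PATH" ] && rm "$XAUTH_PATH"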
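
What the `sed -e 's/^..../ffff/'` step does to an X-authority record, and how to spot such wildcard entries in a leftover `.docker.xauth.*` file; this is an added example, not part of the attached scripts. The records are constructed samples, the function names are hypothetical, and the field layout (family, then length-prefixed address, display number, protocol name and cookie, with a non-empty address) is an assumption about `xauth nlist` output.

```shell
#!/bin/sh
# Added example. SAMPLE holds constructed records in the layout assumed for
# `xauth nlist` output (not real cookies): family, then length-prefixed
# address, display number, protocol name and cookie data, all in hex.
SAMPLE='0100 0006 6d79686f7374 0002 3130 0012 4d49542d4d414749432d434f4f4b49452d31 0010 00112233445566778899aabbccddeeff
0000 0004 c0a80105 0001 30 0012 4d49542d4d414749432d434f4f4b49452d31 0010 ffeeddccbbaa99887766554433221100'

# The rewrite used by the script: overwrite the 4-digit family with ffff.
widen_family() {
    sed -e 's/^..../ffff/'
}

# Decode hex-encoded ASCII (the display number field), e.g. 3130 -> 10.
hex_to_ascii() {
    h=$1
    out=
    while [ "${#h}" -ge 2 ]; do
        byte=${h%"${h#??}"}              # first two hex digits
        h=${h#??}
        out=$out$(printf "\\$(printf '%03o' "0x$byte")")
    done
    printf '%s' "$out"
}

# Read records on stdin; print ":display family verdict" for each one.
# Assumes a non-empty address field, so the display number is field 5.
audit_nlist() {
    while read -r family _alen _addr _nlen num _rest; do
        [ -n "$family" ] || continue
        case $family in
            ffff|FFFF) verdict=WILDCARD ;;    # entry is not tied to a host
            *)         verdict=host-bound ;;
        esac
        printf ':%s %s %s\n' "$(hex_to_ascii "$num")" "$family" "$verdict"
    done
}

# Number of wildcard records on stdin.
count_wildcard() {
    audit_nlist | awk '$3 == "WILDCARD" { n++ } END { print n + 0 }'
}

echo "before rewrite:"; printf '%s\n' "$SAMPLE" | audit_nlist
echo "after rewrite:";  printf '%s\n' "$SAMPLE" | widen_family | audit_nlist
```

To audit a real file, pipe its records in with `xauth -f <file> nlist | audit_nlist`.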

chris

2017-07-08 13:42

manager   ~0008367

@wyldckat, how confident are you that this addition is 100% reliable?
It might be generally beneficial so we could adopt it anyway.

wyldckat

2017-07-08 15:43

updater   ~0008368

@chris: I've tested today using Xming 6.9.0.31 (the last public domain build from 2007) on Windows 10 x64, along with a more recent Putty version (didn't check the version, sorry) and it worked well... had a bit of lagging, but I was using Wi-Fi, so that would explain the low frame rate.
It does seem fairly reliable, although it may depend on the Docker installation settings and SELinux settings that some Linux Distributions have.

Side note: I got the information on how to create the custom X-authority file from here: https://stackoverflow.com/questions/16296753/can-you-run-gui-apps-in-a-docker-container/25280523#25280523


Therefore, I'm attaching the following files:

 - comparison_v2.patch - the differences between the original "openfoam4-linux" script and the attached "openfoam4-linux-mod_v2".

 - openfoam4-linux-mod_v2 - the updated script that now has "-x" or "-xhost" as an additional option, so that this feature is not used by default.

I've added a somewhat long note about this option, therefore perhaps it should be written on the instructions page instead, to keep the usage information shorter?


Regarding safety/security: I've done a bit more investigating into it and I found the following reports:
 - https://github.com/jedisct1/dnscrypt-server-docker/issues/13
 - which then refers to this one: https://github.com/moby/moby/issues/6401

One of the concerns raised there is that in certain conditions, it was possible to use 'halt' or 'shutdown' to control the host from within the container, because D-bus would get accessed through the network connection that was established by the '--net=host' option in Docker. I've tested this with this container and it complained that it couldn't find said D-bus connection, therefore this specific security issue seems to be fixed.
However, I am using Ubuntu 16.04 (x86_64), which probably already has this issue fixed. I don't know how this might affect a host running CentOS/RHEL 6.x or 5.x, but hopefully Docker has this issue already fixed, as indicated here: https://github.com/moby/moby/issues/14767 - starting from the comments on the 28 Dec 2016.
comparison_v2.patch (2,359 bytes)   
--- /usr/bin/openfoam4-linux	2017-01-26 10:58:19.000000000 +0000
+++ ./openfoam4-linux-mod_v2	2017-07-08 15:18:50.503950368 +0100
@@ -39,6 +39,7 @@
 Usage: ${0##*/} [OPTIONS]
 options:
   -d | -dir            host directory mounted (defaults to current directory)
+  -x | -xhost          use custom X authority and give container host network
   -h | -help           help
 
 Launches the OpenFOAM ${VER} Docker image.
@@ -49,6 +50,12 @@
   permanently.  The container mounts the current directory by default, but the
   user can also specify a particular directory using the "-d" option.
 - Mounting the user's HOME directory is disallowed.
+- The '-xhost' option is useful when accessing the host via 'ssh -X'.
+  This option should only be used when strictly necessary, as it relies on the
+  option '--net=host' when launching the container in Docker, which will
+  give to the container full access to the Docker host network stack and
+  potentially the host's system services that rely on network communication,
+  making it potentially insecure.
 
 Example:
 To store data in ${HOME}/OpenFOAM/${USER}-${VER}, the user can launch
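
Review bot: The new '-xhost' paragraph in the usage text warns only about '--net=host'; it says nothing about the X-authority side of the option. It should also state that a copy of the user's X cookie, rewritten to match any hostname, is written to a '.docker.xauth.<pid>' file in the mounted directory and handed to the container through XAUTHORITY, since that is a second reason to use the option only when needed.
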
@@ -69,6 +76,8 @@
 
 DOCKER_IMAGE='openfoam/openfoam4-paraview50'
 MOUNT_DIR=$(pwd)
+CUSTOM_XAUTH=""
+DOCKER_OPTIONS=""
 
 while [ "$#" -gt 0 ]
 do
@@ -78,6 +87,10 @@
       MOUNT_DIR=$2
       shift 2
       ;;
+   -x | -xhost)
+      CUSTOM_XAUTH=yes
+      shift
+      ;;
    -h | -help)
       usage
       ;;
@@ -100,6 +113,21 @@
           "    mkdir -p ${HOME}/OpenFOAM/$(whoami)-${VER}" \
           "    ${Script} -d ${HOME}/OpenFOAM/$(whoami)-${VER}"
 
+if [ -n "$CUSTOM_XAUTH" ]
+then
+    XAUTH_PATH="${MOUNT_DIR}/.docker.xauth.$$"
+    touch "${XAUTH_PATH}"
+
+    # Generate a custom X-authority file that allows any hostname
+    xauth nlist $DISPLAY |  sed -e 's/^..../ffff/' | \
+        xauth -f $XAUTH_PATH nmerge -
+
+    DOCKER_OPTIONS="-e XAUTHORITY=$XAUTH_PATH
+                    -v $XAUTH_PATH:$XAUTH_PATH
+                    --net=host"
+fi
+
+
 USER_ID=$(id -u 2> /dev/null)
 [ -n "$USER_ID" ] && GROUP_ID=$(id -g) || usage "Cannot determine current user ID"
 
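
Review bot: In the added `if [ -n "$CUSTOM_XAUTH" ]` block, `$DISPLAY` and `$XAUTH_PATH` are expanded unquoted in the xauth pipeline, and nothing checks that DISPLAY is set or that xauth is installed before '--net=host' is appended to DOCKER_OPTIONS. Quote both expansions and call usage with an error when DISPLAY is empty or `command -v xauth` fails, so the container is never started with host networking and an empty authority file. The file is also created by touch under the caller's umask with a name derived from the PID; creating it under `umask 077` would make the intended permissions explicit.
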
@@ -114,4 +142,7 @@
     -u $USER_ID:$GROUP_ID \
     -v /tmp/.X11-unix:/tmp/.X11-unix \
     -v $MOUNT_DIR:$HOME_DIR \
+    $DOCKER_OPTIONS \
     $DOCKER_IMAGE
+
+[ -n "$CUSTOM_XAUTH" -a -e "${XAUTH_PATH}" ] && rm "${XAUTH_PATH}"
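
Review bot: The last added line, `[ -n "$CUSTOM_XAUTH" -a -e "${XAUTH_PATH}" ] && rm "${XAUTH_PATH}"`, becomes the final command of the script, so the script now exits non-zero whenever '-x' is not given and the exit status of docker run is no longer returned to the caller. Put the removal in an if block, or install a trap for EXIT, INT and TERM right after the file is created so that the cookie file is also removed when the script is interrupted. Note as well that `$DOCKER_OPTIONS` has to be expanded unquoted, so with '-x' a mount directory containing whitespace breaks the '-e' and '-v' arguments; the usage text should say so or the options should be passed another way.
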

wyldckat

2017-07-08 15:44

updater  

openfoam4-linux-mod_v2 (4,631 bytes)   
#!/bin/sh
#------------------------------------------------------------------------------
# =========                 |
# \\      /  F ield         | OpenFOAM: The Open Source CFD Toolbox
#  \\    /   O peration     |
#   \\  /    A nd           | Copyright (C) 2017 OpenFOAM Foundation
#    \\/     M anipulation  |
#-------------------------------------------------------------------------------
# License
#     This program is free software: you can redistribute it and/or modify it
#     under the terms of the GNU General Public License as published by
#     the Free Software Foundation, either version 3 of the License, or
#     (at your option) any later version.
#
#     This program is distributed in the hope that it will be useful, but
#     WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
#     or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
#     for more details.
#
#     You should have received a copy of the GNU General Public License
#     along with OpenFOAM.  If not, see <http://www.gnu.org/licenses/>.
#
# Script
#     openfoam4-linux
#
# Description
#     Run script for an OpenFOAM 4 Docker image at:
#     https://hub.docker.com/r/openfoam
#
#------------------------------------------------------------------------------
Script=${0##*/}
VER=4.1

usage () {
    exec 1>&2
    while [ "$#" -ge 1 ]; do echo "$1"; shift; done
    cat <<USAGE

Usage: ${0##*/} [OPTIONS]
options:
  -d | -dir            host directory mounted (defaults to current directory)
  -x | -xhost          use custom X authority and give container host network
  -h | -help           help

Launches the OpenFOAM ${VER} Docker image.
- Requires installation of docker-engine.
- Runs a "containerized" bash shell environment where the user can run OpenFOAM
  and, optionally, ParaView (see below).
- The container mounts the user's file system so that case files are stored
  permanently.  The container mounts the current directory by default, but the
  user can also specify a particular directory using the "-d" option.
- Mounting the user's HOME directory is disallowed.
- The '-xhost' option is useful when accessing the host via 'ssh -X'.
  This option should only be used when strictly necessary, as it relies on the
  option '--net=host' when launching the container in Docker, which will
  give to the container full access to the Docker host network stack and
  potentially the host's system services that rely on network communication,
  making it potentially insecure.

Example:
To store data in ${HOME}/OpenFOAM/${USER}-${VER}, the user can launch
${Script} either by:
    cd ${HOME}/OpenFOAM/${USER}-${VER} && ${Script}
or
    ${Script} -d ${HOME}/OpenFOAM/${USER}-${VER}

Further Information:
http://openfoam.org/download/4-1-linux

Note:
The container user name appears as "openfoam" but it is just an alias.

USAGE
    exit 1
}

DOCKER_IMAGE='openfoam/openfoam4-paraview50'
MOUNT_DIR=$(pwd)
CUSTOM_XAUTH=""
DOCKER_OPTIONS=""

while [ "$#" -gt 0 ]
do
   case "$1" in
   -d | -dir)
      [ "$#" -ge 2 ] || usage "'$1' option requires an argument"
      MOUNT_DIR=$2
      shift 2
      ;;
   -x | -xhost)
      CUSTOM_XAUTH=yes
      shift
      ;;
   -h | -help)
      usage
      ;;
   -*)
      usage "Invalid option '$1'"
      ;;
   *)
      break
      ;;
    esac
done

[ -d "$MOUNT_DIR" ] && \
    MOUNT_DIR=$(cd "$MOUNT_DIR" && pwd -P) || \
    usage "No directory exists: $MOUNT_DIR"

[ "$MOUNT_DIR" = "$(cd "$HOME" && pwd -P)" ] && \
    usage "Mount directory cannot be the user's home directory" \
          "Make a subdirectory and run from there, e.g." \
          "    mkdir -p ${HOME}/OpenFOAM/$(whoami)-${VER}" \
          "    ${Script} -d ${HOME}/OpenFOAM/$(whoami)-${VER}"

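if [ -n "$CUSTOM_XAUTH" ]
then
    XAUTH_PATH="${MOUNT_DIR}/.docker.xauth.$$"
    touch "${XAUTH_PATH}"

    # Generate a custom X-authority file that allows any hostname: the family
    # field of each entry for the current display is overwritten with ffff
    xauth nlist "$DISPLAY" |  sed -e 's/^..../ffff/' | \
        xauth -f "$XAUTH_PATH" nmerge -

    # Expanded unquoted in the docker command below, so the mount directory
    # must not contain whitespace
    DOCKER_OPTIONS="-e XAUTHORITY=$XAUTH_PATH
                    -v $XAUTH_PATH:$XAUTH_PATH
                    --net=host"
fi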


USER_ID=$(id -u 2> /dev/null)
[ -n "$USER_ID" ] && GROUP_ID=$(id -g) || usage "Cannot determine current user ID"

HOME_DIR='/home/openfoam'

echo "Launching $0"
echo "User: \"$(id -un)\" (ID $USER_ID, group ID $GROUP_ID)"

docker run -it \
    --rm \
    -e DISPLAY=$DISPLAY \
    -u $USER_ID:$GROUP_ID \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    -v $MOUNT_DIR:$HOME_DIR \
    $DOCKER_OPTIONS \
    $DOCKER_IMAGE

# Remove the temporary X-authority file, if one was created
if [ -n "$CUSTOM_XAUTH" ] && [ -e "${XAUTH_PATH}" ]
then
    rm "${XAUTH_PATH}"
fi

wyldckat

2017-07-24 00:25

updater   ~0008446

I should have done this sooner: @LHO, if you get this notification, please check this report that is related to yours. I believe the instructions I wrote above should work for you as well.

chris

2017-07-26 11:42

manager   ~0008455

Thanks @wyldckat.

I have added the modifications to openfoam4-linux, openfoam4-macos, openfoam5-linux and openfoam5-macos. As a command line option it is available for testing and if it turns out to get generally "better", we can make it standard later.

Issue History

Date Modified Username Field Change
2017-07-03 13:47 jml New Issue
2017-07-04 00:26 wyldckat Priority urgent => normal
2017-07-04 00:26 wyldckat Relationship added related to 0002553
2017-07-04 00:41 wyldckat File Added: openfoam4-linux-mod_v1
2017-07-04 00:41 wyldckat Note Added: 0008326
2017-07-04 00:42 wyldckat Summary paraFoam => Docker instance accessed via 'ssh -X' from another machine does not allow X forwarding
2017-07-08 13:42 chris Note Added: 0008367
2017-07-08 15:43 wyldckat File Added: comparison_v2.patch
2017-07-08 15:43 wyldckat Note Added: 0008368
2017-07-08 15:44 wyldckat File Added: openfoam4-linux-mod_v2
2017-07-08 15:48 wyldckat Assigned To => chris
2017-07-08 15:48 wyldckat Status new => assigned
2017-07-24 00:25 wyldckat Note Added: 0008446
2017-07-26 11:42 chris Note Added: 0008455
2017-07-31 12:26 chris Status assigned => closed
2017-07-31 12:26 chris Resolution open => fixed