issues with keybase image

[jcalfee]

$ x11docker --clipboard --home --sharedir /home/james/Downloads keybase

This creates a permission denied error:

x11docker: Created container.rootsetup.sh:
  61	echo "james:sac19FwGGTx/A:17293:0:99999:7:::" >> /etc/shadow

x11docker ERROR: Container startup seems to have failed! 

  Last lines of container.log:
mkdir: created directory '/tmp/.font-unix'
lrwxrwxrwx 1 root root 5 Jun 30 01:05 /tmp/.X11-unix/X500 -> /X500
sed: can't read /etc/shadow: Permission denied
/x11docker/container.rootsetup.sh: line 57: /etc/shadow: Permission denied
sed: can't read /etc/shadow: Permission denied
/x11docker/container.rootsetup.sh: line 61: /etc/shadow: Permission denied
rm: cannot remove '/etc/sudoers.d': No such file or directory
rm: cannot remove '/etc/sudoers': No such file or directory
rm: cannot remove '/etc/pam.d/sudo': No such file or directory
mkdir: created directory '/tmp/XDG_RUNTIME_DIR'

  Last lines of command stderr:
[FATAL tini (71)] exec -v failed: No such file or directory
  
  Type 'x11docker --help' for usage information
  For debugging, run x11docker in terminal and/or enable option '--verbose'
  or look afterwards at logfile /home/james/.cache/x11docker/x11docker.log
  Please report issues at https://github.com/mviereck/x11docker

Environment

FROM fedora
RUN yum install -y gtk2 libX11-devel libXtst GConf2 alsa-lib https://prerelease.keybase.io/keybase_amd64.rpm
COPY keybase /
CMD run_keybase

$ docker build -t keybase .
$ x11docker --clipboard --home --sharedir /home/james/Downloads keybase

[mviereck]

The important message here is [FATAL tini (71)] exec -v failed: No such file or directory.
The finally executed command inCMD run_keybase is somehow wrong.
Can you show me the content of run_keybase and the output of

x11docker --debug --clipboard --home --sharedir /home/james/Downloads keybase

[jcalfee]

Yes but I did that on purpose.. I had to use a wrapper script to get run_keybase to work. I tought I could simplify it for you because of the error that happened earlier. Here is the full script, it includes itself in the docker build:

./keybase

set -o errexit

function build() {
  dir=$(dirname "$0")
  base=$(basename "$0")
  docker build -t keybase -f - "$dir" << Dockerfile
FROM fedora
RUN yum install -y gtk2 libX11-devel libXtst GConf2 alsa-lib https://prerelease.keybase.io/keybase_amd64.rpm
COPY keybase /
CMD sh /keybase start
Dockerfile
}

function x11() {
  build
  # SYS_ADMIN added for fuse file mounting (todo --security-opt apparmor:unconfined)
  # todo: --pulseaudio or --alsa
  #-- "--device /dev/fuse --cap-add=SYS_ADMIN"\
  set -o xtrace
  x11docker\
    --hostdisplay --clipboard --home --sharedir $HOME/Downloads --pulseaudio\
    keybase "$@"
}

function start() {
  echo Starting Keybase..
  run_keybase "$@"
  #sleep 5
  #tail -f ~/.cache/keybase/*.log &
  while pgrep Keybase > /dev/null; do sleep 1; done
}

"${@-x11}"

When I run this on another computer it works .. Maybe it is coincidence but the /etc/shadow error only appears on the broken setup. The working computer is docker v17 and the non-working is docker v18.

broken: https://pastebin.com/r7KhzbTy
working: https://pastebin.com/rj974qAm

[mviereck]

There may be different behaviour due to different versions of x11docker, the first one shows 4.3.0, the second one 4.3.5. The second log is somehow incomplete, no output of container.log at all, not sure why.

The error message from your first post does not appear in the first (complete) log: [FATAL tini (71)] exec -v failed: No such file or directory.

It shows: x11docker: Running image command: /x11docker/tini -- sh /keybase start
It seems to me that function start() is executed, some keybase output appears in the log, but the loop does not continue. Maybe pgrep Keybase failes.

Adding set +x to start() and running x11docker with --verbose --debug may help to find the issue.

---

I had to use a wrapper script to get run_keybase to work.

Maybe run_keybase forkes itself into the background like a daemon, and the container stops as it has no foreground process anymore.

---

Don't worry about this part, everything works as intended:

 Last lines of container.log:
mkdir: created directory '/tmp/.font-unix'
lrwxrwxrwx 1 root root 5 Jun 30 01:05 /tmp/.X11-unix/X500 -> /X500
sed: can't read /etc/shadow: Permission denied
/x11docker/container.rootsetup.sh: line 57: /etc/shadow: Permission denied
sed: can't read /etc/shadow: Permission denied
/x11docker/container.rootsetup.sh: line 61: /etc/shadow: Permission denied
rm: cannot remove '/etc/sudoers.d': No such file or directory
rm: cannot remove '/etc/sudoers': No such file or directory
rm: cannot remove '/etc/pam.d/sudo': No such file or directory
mkdir: created directory '/tmp/XDG_RUNTIME_DIR'

[jcalfee]

There may be different behavior due to different versions of x11docker, the first one shows 4.3.0, the second one 4.3.5.

I tested keybase on the working computer under x11docker 4.3.6-beta. It starts up correctly (is functional, aka works).

The second log is somehow incomplete, no output of container.log at all, not sure why.

The container does not shut down properly (known bug in my script) .. needs ctrl+c

Keybase is a bit involved, it has some unique features .. I did transfer over the working keybase docker image and the UI still does not appear, also I changed the while loop to while true > /dev/null; do sleep 1; done .. pastebin.

I tried a reboot too, not sure what is going on.. Very strange that the working version does not show the ascii squirrel but the broken version does. The ascii logo is not related to the while loop change.

[mviereck]

The latest logfile does not show an error. But you expect to get a graphical GUI that does not appear on this system, but it does on the other?

I found a possible issue with xhost authorisation in the logfile that I fixed in an update yet. But I doubt this has been the reason for the GUI not showing up.

Also I see a warning about missing cookies on your host X. Maybe here is a difference between your systems that causes a failure on one but not on the other system.

Can you try with e.g. --xpra or --xephyr instead of --hostdisplay? Especially --xephyr works for nearly everything and is the most reliable X server option.

Does the image contain any other X application like e.g. xterm or xkbwatch you could try to run?

[jcalfee]

Does the image contain any other X application like e.g. xterm or xkbwatch you could try to run?

xterm runs fine

I'm using docker exec -ti 7387b26352b5 bash to go into the running x11docker container and looking at that keybase startup script. It is very involved, I'll come back when I know more and update this ticket. Ok to close.. Thank you for all your help..

[jcalfee]

It was a missing library (gtk3), the install URL for keybase does not have a version .. thanks again

[mviereck]

An afternote:
/etc/shadow: Permission denied is indeed an issue, I did not realize it before, sorry.
Although it was not the root of the keybase issue, it should not have happened.
A look at the file permissions shows a strange result:

$ ls -l /etc/shadow
---------- 1 root root 512 Sep 12  2017 /etc/shadow

Not even root is allowed to read or write /etc/shadow on fedora.
The container would need capability DAC_OVERRIDE that is dropped by x11docker to improve container security.
The solution now is to delete /etc/shadow and to create a new one. Although root is not allowed to read or write it, root is allowed to delete it.