Invalid IP given to Pulseaudio #11
Comments
# 29.05.2017 V3.5.3 --pulseaudio: get and use IP of container instead of docker0 IP range (#11), disabling TCP module on exit # 27.05.2017 changed --volume to --sharedir to avoid confusion # 24.05.2017 update usage() # mount $Sharefolder and its content read-only # remove X11-unix from $Sharefolder # set read-only for /dev/dri on --gpu # --security-opt=no-new-privileges added to docker run
|
Thanks for your feedback! I'm a bit surprised, as using docker IP range works fine here (debian 9 with pulseaudio 10.0). Can you tell me your version of pulseaudio? ( I've just uploaded x11docker v3.5.3. Instead of using docker iP range for pulseaudio TCP module, the IP of the container is used now. This is more specific and thus more secure. (Before, simultaneous containers could have tried to access host pulseaudio, too, although not intended). Another change: Before I had trouble after disabling the TCP module, that stopped pulseaudio on host at all for unknown reasons, so I decided not unload the TCP module. Now it seems to work, and the TCP module is disabled on container exit without having troubles on host. Could you check if pulseaudio now works in container, and if it still works on host after terminating the container?
i could try to share pulseaudio unix socket instead of connecting over tcp. That would avoid firewall problems and may be more secure than a TCP connection to possible vulnerable pulseaudio.
Thank you! :-) |
|
Hmm, I'm also using pulseaudio 10.0 (1:10.0-1ubuntu2). I wonder if the issue wasn't rather with differences in the ip command output? I've got iproute2 4.9.0-1ubuntu1, which appears to be the same as Debian, though. The new change works great for me. Audio is working fine both in the container and after closing the container on the host. The unix socket approach sounds intriguing. I believe that could slightly eliminate some latency as well (although this wasn't a problem). For now I just opened up everything on the docker0 interface, that seems fairly harmless. |
Strange; same versions here, and also having IP 172.17.0.1/16 for docker interface. However, it works now. If someone still has problems with a deactivated pulseaudio on host, he will hopefully tell me.
I gave it a try, and it was quite easy. But it has a drawback. I can get some pulseaudio environment variables with I can parse this and have to share the socket and to set PULSE_SERVER and PULSE_COOKIE The drawback: Although this setup works fine ootb with images based on debian with pulseaudio installed, it does not work with kdeneon (based on Ubuntu). I did no further tests, but I assume that all Ubuntu or all KDE based systems will fail due to some different default configuration of pulseaudio.
I think, only sharing the unix socket won't be a great different to a local tcp connection. Sharing I also found this does not work if I choose a container user different from host user. That may be solvable, though.
I wonder if I could somehow check whether the port is blocked or not in a general way. At least I could show a warning if x11docker finds the tcp connection blocked. |
I found an issue with pulseaudio support. When it pulls the docker IP range to use from grepping the ip command, it gets "172.17.0.1/16", which it then uses to authorize pulseaudio. This results in the following error:
May 29 02:47:40 hermes pulseaudio[7973]: [pulseaudio] ipacl.c: Host part of ACL entry '172.17.0.1/16' is not zero!The last number in the allowed IP mask needs to be 0. e.g.
pacmd load-module module-native-protocol-tcp port=35744 auth-ip-acl=172.17.0.0/16This works correctly, however I did have to disable my firewall (ufw).
I'm running Ubuntu 17.04.
PS—I love this script! I was trying to do the same thing using LXD and not having much luck. This really makes it super easy.
The text was updated successfully, but these errors were encountered: