
Same Docker image forwards X11 on one host but not on another

I have created a simple Docker image which contains SSH + xeyes. I run that container, connect to the container via SSH using X11 Forwarding and want to be able to display xeyes.

I have built and run the Docker container on host A. When I connect to the container, it does not work: Error: Can't open display:

I have built and run the Docker container on another host, B, and it works like a charm.

I don’t understand the difference…

My Dockerfile:

FROM ubuntu:16.04
ENV SSH_PASSWORD "rootpass"
RUN apt-get update
RUN apt-get install -qqy x11-apps openssh-server ssh

# Install SSH access
RUN mkdir /var/run/sshd
RUN echo "root:$SSH_PASSWORD" | chpasswd
RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd

CMD [ "/usr/sbin/sshd", "-D" ]
EXPOSE 22

On host A and B, I do:

  • Build the image with docker build -t myeyes .
  • Run the container with: docker run -d -p 7222:22 --name myeyes myeyes

Then, from another host C, I do xhost + and I try those containers:

It fails for the container on A:

$ ssh -X -p 7222 root@IP-of-A
...
# env | grep DISPLAY
# xeyes 
Error: Can't open display: 
# grep X11Forward /etc/ssh/sshd_config 
X11Forwarding yes
# ls -al 
-rw-------  1 root root  180 Sep 29 09:32 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwx------  2 root root 4096 Sep 29 09:04 .cache
-rw-r--r--  1 root root  148 Aug 17  2015 .profile

It works for the container on B:

$ ssh -X -p 7222 root@IP-of-B
...
# env | grep DISPLAY
DISPLAY=localhost:10.0
# grep X11Forward /etc/ssh/sshd_config 
X11Forwarding yes
# ls -al
-rw-------  1 root root   58 Sep 29 09:34 .Xauthority
-rw-------  1 root root   59 Sep 29 09:33 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwx------  2 root root 4096 Sep 29 09:21 .cache
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
# cat .Xauthority
...
MAGIC COOKIE
...
# xeyes 

Note that on B, I have a valid .Xauthority and DISPLAY. However, I didn’t do anything particular to set them up, so why aren’t they being set on the container for A?

Finally host A is a Linux Mint 18.1 laptop. Host B is a Debian Jessie.


Answer

Enabling verbose info in ssh, I noticed the following messages:

debug2: x11_get_proto: /usr/bin/xauth list :0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
...
X11 forwarding request failed on channel 0

I then searched the web for “X11 forwarding request failed on channel 0” and found the solution: in /etc/ssh/sshd_config, add:

X11UseLocalhost no

And then ssh -X works correctly everywhere.

So, this command must be added to the Dockerfile for my containers:

RUN echo "X11UseLocalhost no" >> /etc/ssh/sshd_config
User contributions licensed under: CC BY-SA
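What the appended X11UseLocalhost no line changes, shown as an added example that is not part of the original answer: per sshd_config(5), sshd by default binds the X11 forwarding listener to the loopback address, and with "no" it binds to the wildcard address, so the listener is open on all of the container's interfaces. The helper names and sample configs below are constructed for illustration; the check reads only global settings and does not follow Include directives.

```shell
#!/bin/sh
# Added example: classify where sshd binds the X11 forwarding listener.
# Helper names and sample configs are constructed for illustration.

# sshd keeps the first value it reads for a keyword (keywords are
# case-insensitive). Print that value for keyword $1 in file $2, else default $3.
# Only global settings are read: parsing stops at the first Match block.
sshd_first_value() {
    awk -v key="$1" -v def="$3" '
        /^[ \t]*#/                  { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# Print "disabled", "loopback" or "wildcard" for the config file in $1.
# OpenSSH defaults: X11Forwarding no, X11UseLocalhost yes.
x11_listener_scope() {
    fwd=$(sshd_first_value X11Forwarding "$1" no)
    local_only=$(sshd_first_value X11UseLocalhost "$1" yes)
    if [ "$fwd" != "yes" ]; then
        echo disabled
    elif [ "$local_only" = "no" ]; then
        echo wildcard
    else
        echo loopback
    fi
}

# Constructed samples: the X11 lines of a config before and after the
# Dockerfile's `echo "X11UseLocalhost no" >> /etc/ssh/sshd_config`.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'X11Forwarding yes\nX11DisplayOffset 10\n' > "$SAMPLE_DIR/before"
cp "$SAMPLE_DIR/before" "$SAMPLE_DIR/after"
echo "X11UseLocalhost no" >> "$SAMPLE_DIR/after"
# An earlier explicit setting wins, so an appended line is ignored here.
printf 'X11Forwarding yes\nX11UseLocalhost yes\nX11UseLocalhost no\n' > "$SAMPLE_DIR/shadowed"

for f in before after shadowed; do
    echo "$f: $(x11_listener_scope "$SAMPLE_DIR/$f")"
done
```

Run inside the container, x11_listener_scope /etc/ssh/sshd_config confirms whether the appended line actually took effect or was shadowed by an earlier setting.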