I have created a simple Docker image which contains SSH + xeyes. I run that container, connect to the container via SSH using X11 Forwarding and want to be able to display xeyes.
I have built and run the Docker container on host A. When I connect to the container, it does not work Error: Can't open display:
I have build and run the Docker container on another host, B. And it works like a charm.
I don’t understand the difference…
My Dockerfile:
FROM ubuntu:16.04 ENV SSH_PASSWORD "rootpass" RUN apt-get update RUN apt-get install -qqy x11-apps openssh-server ssh # Install SSH access RUN mkdir /var/run/sshd RUN echo "root:$SSH_PASSWORD" | chpasswd RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config RUN sed 's@sessions*requireds*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd CMD [ "/usr/sbin/sshd", "-D" ] EXPOSE 22
On host A and B, I do:
- Build the image with
docker build -t myeyes .
- Run the container with :
docker run -d -p 7222:22 --name myeyes myeyes
.
Then, from another host C, I do xhost +
and I try those containers:
It fails for the container on A:
$ ssh -X -p 7222 root@IP-of-A ... # env | grep DISPLAY # xeyes Error: Can't open display: # grep X11Forward /etc/ssh/sshd_config X11Forwarding yes # ls -al -rw------- 1 root root 180 Sep 29 09:32 .bash_history -rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc drwx------ 2 root root 4096 Sep 29 09:04 .cache -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
It works for the container on B:
$ ssh -X -p 7222 root@IP-of-B ... # env | grep DISPLAY DISPLAY=localhost:10.0 # grep X11Forward /etc/ssh/sshd_config X11Forwarding yes # ls -al -rw------- 1 root root 58 Sep 29 09:34 .Xauthority -rw------- 1 root root 59 Sep 29 09:33 .bash_history -rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc drwx------ 2 root root 4096 Sep 29 09:21 .cache -rw-r--r-- 1 root root 148 Aug 17 2015 .profile # cat .Xauthority ... MAGIC COOKIE ... # xeyes
Note that on B, I have a valid .Xauthority and DISPLAY. However, I didn’t do anything particular to set them up, so why aren’t they being set on the container for A?
Finally host A is a Linux Mint 18.1 laptop. Host B is a Debian Jessie.
Advertisement
Answer
Enabling verbose info in ssh, I noticed the following messages:
debug2: x11_get_proto: /usr/bin/xauth list :0 2>/dev/null debug1: Requesting X11 forwarding with authentication spoofing. ... X11 forwarding request failed on channel 0
I then searched the web for “X11 forwarding request failed on channel 0” and found the solution: in /etc/ssh/sshd_config, add:
X11UseLocalhost no
And then ssh -X works correctly everywhere.
So, this command must be added to the Dockerfile for my containers:
RUN echo "X11UseLocalhost no" >> /etc/ssh/sshd_config