user1381 user1381 - 1 year ago 145
Linux Question

Same Docker image forwards X11 one host but not on another

I have created a simple Docker image which contains SSH + xeyes. I run that container, connect to the container via SSH using X11 Forwarding and want to be able to display xeyes.

I have built and run the Docker container on host A. When I connect to the container, it does not work

Error: Can't open display:


I have build and run the Docker container on another host, B. And it works like a charm.

I don't understand the difference...

My Dockerfile:

FROM ubuntu:16.04
ENV SSH_PASSWORD "rootpass"
RUN apt-get update
RUN apt-get install -qqy x11-apps openssh-server ssh

# Install SSH access
RUN mkdir /var/run/sshd
RUN echo "root:$SSH_PASSWORD" | chpasswd
RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd

CMD [ "/usr/sbin/sshd", "-D" ]
EXPOSE 22


On host A and B, I do:


  • Build the image with
    docker build -t myeyes .

  • Run the container with :
    docker run -d -p 7222:22 --name myeyes myeyes
    .



Then, from another host C, I do
xhost +
and I try those containers:

It fails for the container on A:

$ ssh -X -p 7222 root@IP-of-A
...
# env | grep DISPLAY
# xeyes
Error: Can't open display:
# grep X11Forward /etc/ssh/sshd_config
X11Forwarding yes
# ls -al
-rw------- 1 root root 180 Sep 29 09:32 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwx------ 2 root root 4096 Sep 29 09:04 .cache
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile


It works for the container on B:

$ ssh -X -p 7222 root@IP-of-B
...
# env | grep DISPLAY
DISPLAY=localhost:10.0
# grep X11Forward /etc/ssh/sshd_config
X11Forwarding yes
# ls -al
-rw------- 1 root root 58 Sep 29 09:34 .Xauthority
-rw------- 1 root root 59 Sep 29 09:33 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwx------ 2 root root 4096 Sep 29 09:21 .cache
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
# cat .Xauthority
...
MAGIC COOKIE
...
# xeyes


Note that on B, I have a valid .Xauthority and DISPLAY. However, I didn't do anything particular to set them up, so why aren't they being set on the container for A?

Finally host A is a Linux Mint 18.1 laptop. Host B is a Debian Jessie.

Answer Source

Enabling verbose info in ssh, I noticed the following messages:

debug2: x11_get_proto: /usr/bin/xauth list :0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
...
X11 forwarding request failed on channel 0

I then searched the web for "X11 forwarding request failed on channel 0" and found the solution: in /etc/ssh/sshd_config, add:

X11UseLocalhost no

And then ssh -X works correctly everywhere.

So, this command must be added to the Dockerfile for my containers:

RUN echo "X11UseLocalhost no" >> /etc/ssh/sshd_config
Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download