Home > Back-end >  Cannot bind X UNIX socket within Docker container
Cannot bind X UNIX socket within Docker container

Time:12-09

I am trying to run Xvfb within a Docker container, but it is failing with the error:

$ Xvfb :0 -nolisten tcp -screen 0 1024x768x24
_XSERVTransSocketUNIXCreateListener: ...SocketCreateListener() failed
_XSERVTransMakeAllCOTSServerListeners: server already running
(EE) 
Fatal server error:
(EE) Cannot establish any listening sockets - Make sure an X server isn't already running(EE)

According to strace, it's trying to bind a UNIX socket at /tmp/.X11-unix/X0:

bind(4, {sa_family=AF_UNIX, sun_path=@"/tmp/.X11-unix/X0"}, 20) = -1 EADDRINUSE (Address already in use)

However, the file does not already exist in the container (verified by ls -l /tmp/.X11-unix).

If I use a different screen number, like :1, the program succeeds.

This container is running in --network host mode, and /tmp/.X11-unix/X0 does exist on the host. Does this create some kind of issue where the container and the host cannot have a UNIX socket at the same path, even if that socket is not visible in the container?

CodePudding user response:

This is an exciting error! You're running into a naming collision in the UNIX domain socket abstract namespace. UNIX domain sockets in Linux can be created in two kinds of places: One, in the normal VFS, which can be inspected with ls; the other is the "abstract namespace", where socket names start with '\0' (yea, a literal null byte) and get cleaned up when the program creating the socket exits.

Now, your strace call shows that it attempts to listen on a socket name in the abstract namespace by showing the sun_path field's value starting with an @. This is not exactly clear, but that's how it goes...

Here's how it shows a "normal", VFS-backed socket:

:;    strace -e bind socat UNIX-LISTEN:/tmp/asf-testing-hi STDOUT
bind(5, {sa_family=AF_UNIX, sun_path="/tmp/asf-testing-hi"}, 21) = 0

And here's a socket in the abstract namespace:

:;    strace -e bind socat ABSTRACT-LISTEN:/tmp/asf-testing-hi STDOUT
bind(5, {sa_family=AF_UNIX, sun_path=@"/tmp/asf-testing-hi"}, 22) = 0

Welp, there's that @ sign.

Back to the original problem, it looks like abstract unix domain socket namespaces are scoped to a network namespace, which means that using "host" mode is guaranteed to result in collisions. What you probably have to do is set up a separate network namespace for that container, and create a bridge for every network interface on the host that you want the container to have available. I believe https://stackunderflow.dev/p/network-namespaces-and-docker/ might have a decent tutorial for doing this manually. Hope this helps!

Page link:https//www.codepudding.com/Backend/636857.html

Prev:get the digest of a docker tar archive
Next:Steps kept being rebuilt again and again, they are never cached
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding