Hi,

There are these web pages:

https://openvz.org/X_inside_VE
http://pve.proxmox.com/wiki/X11_LXDE_in_OpenVZ
http://openvz.livejournal.com/31953.html
http://www.opennet.ru/tips/2396_firefox_openvz_chroot_limit_virtual.shtml

and I just tweeted:

<solardiz> Firefox 38 official binary build (still) works in OpenVZ container with CentOS 6 running on Owl 3.1-stable (RHEL5'ish OpenVZ kernel). Handy.

However, all of this involves TCP sockets - for SSH (over which X11 is forwarded), for X11 protocol itself (if no SSH layer), or for VNC. It'd be nice to be able to use Unix domain sockets for this.

I've tried bind-mounting a directory with X's Unix domain socket from host into a container, but connecting to that socket from inside the container fails with ECONNREFUSED. I didn't investigate this further, but I guess the host's socket is simply not found in net/unix/af_unix.c: unix_find_socket_byname(), which in fact checks ve_accessible_strict().

Maybe we should allow for relaxing this check on a per-container basis, to achieve full native speed in setups like the above, and be able to watch videos, etc. in web browsers set up like that?

The TCP overhead isn't adding any security against attacks on the X server anyway - it's the same complicated and fully exposed X protocol anyway. :-( (VNC is probably safer, depending on implementation and settings, but that's a separate matter.)

Alexander
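
A small probe for the failure described in the message above, added here as an example and not part of the original post: it connects to an AF_UNIX stream socket and returns the errno, which separates a path that is not visible in the container (ENOENT) from a name that is visible but has no listener reachable from the caller's context (ECONNREFUSED). The function names and the default path `/tmp/.X11-unix/X0` (the conventional socket for display :0) are assumptions; a leading `@` selects the Linux abstract namespace.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper: returns 0 if connect() succeeds, otherwise the errno.
 * A name starting with '@' is looked up in the abstract namespace. */
int probe_unix_socket(const char *name)
{
    struct sockaddr_un sa;
    size_t n = strlen(name);
    socklen_t len = sizeof(sa);
    int fd, err = 0;
    if (n == 0 || n >= sizeof(sa.sun_path)) return EINVAL;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    memcpy(sa.sun_path, name, n);
    if (name[0] == '@') {            /* abstract: leading NUL, exact length */
        sa.sun_path[0] = '\0';
        len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n);
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    if (connect(fd, (struct sockaddr *)&sa, len) < 0) err = errno;
    close(fd);
    return err;
}

const char *explain(int err)
{
    switch (err) {
    case 0:            return "connected";
    case ENOENT:       return "path not visible here (check the bind mount)";
    case EACCES:       return "permission denied on the path";
    case ECONNREFUSED: return "no listening socket found for this name from this context";
    default:           return strerror(err);
    }
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "/tmp/.X11-unix/X0";
    int err = probe_unix_socket(name);
    printf("%s: %s (errno %d)\n", name, explain(err), err);
    return err != 0;
}
```

Running it once on the host and once inside the container against the same bind-mounted path shows whether the difference lies in the mount or in the kernel's socket lookup.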