VNC server does not work in selenium/standalone-chrome-debug containers on hardened PaX kernels #205

Closed
sza-1 opened this issue Apr 15, 2016 · 6 comments

sza-1 commented Apr 15, 2016

Steps:

  • Run $ docker run -P -it -p 5900:5900 selenium/standalone-chrome-debug

Output of x11vnc:

15/04/2016 10:44:02 passing arg to libvncserver: -rfbport
15/04/2016 10:44:02 passing arg to libvncserver: 5900
15/04/2016 10:44:02 -usepw: found /root/.vnc/passwd
15/04/2016 10:44:02 x11vnc version: 0.9.13 lastmod: 2011-08-10  pid: 70
15/04/2016 10:44:02 Using X display :99.0
15/04/2016 10:44:02 rootwin: 0x25c reswin: 0x200001 dpy: 0x9f4450
15/04/2016 10:44:02 
15/04/2016 10:44:02 ------------------ USEFUL INFORMATION ------------------

...

X11 MIT Shared Memory Attach failed:
  Is your DISPLAY=:99.0 on a remote machine?
  Suggestion, use: x11vnc -display :0 ... for local display :0

caught X11 error:
15/04/2016 10:44:02 deleted 43 tile_row polling images.
X Error of failed request:  BadAccess (attempt to access private resource denied)
  Major opcode of failed request:  130 (MIT-SHM)
  Minor opcode of failed request:  1 (X_ShmAttach)
  Serial number of failed request:  49
  Current serial number in output stream:  94
Failed to read: session.ignoreBorder
Setting default value

...

If I run (by hand) x11vnc with sudo -u seluser then all works OK and I can connect to it.

@sza-1 sza-1 changed the title vnc VNC server failed to start in selenium/standalone-chrome container Apr 15, 2016
@sza-1 sza-1 changed the title VNC server failed to start in selenium/standalone-chrome container VNC server does not work in selenium/standalone-chrome container Apr 15, 2016
Author

sza-1 commented Apr 19, 2016

Well, I found that this issue is caused by Grsecurity/PaX on the host machine (dmesg output is below):

grsec: denied write of overly-permissive IPC object with creator uid 0 by /usr/bin/Xvfb[Xvfb:32377] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xvfb-run[xvfb-run:32362] uid/euid:1000/1000 gid/egid:1000/1000

And currently it is not clear how to run selenium-*-debug containers properly to solve this.

Member

elgalu commented Apr 19, 2016

@CrazyH

  1. do you have your host machine kernel patched?
  2. what linux distro and kernel version is running?
  3. what's your docker --version?
  4. what's the full docker run command and the output?
  5. do you have the same issue if using https://github.com/elgalu/docker-selenium#run ?
docker pull elgalu/selenium:2.53.0h

docker run --rm -ti --name=grid -p 4444:24444 -p 5900:25900 \
    -v /dev/shm:/dev/shm -e VNC_PASSWORD=hola elgalu/selenium:2.53.0h

Member

elgalu commented Apr 19, 2016

Sorry I just saw you already put some info on the previous comment, please only answer what's missing

Author

sza-1 commented Apr 20, 2016

@elgalu

  1. Yes, I used the official community hardened kernel with Grsecurity (RBAC is disabled, default PaX settings are not touched)
  2. Fresh Arch Linux distro with 4.4.7.201604152208-1-grsec kernel
  3. Docker version 1.10.3, build 20f81dd
  4. docker run -P -it -p 5900:5900 --rm -v /dev/shm:/dev/shm selenium/standalone-chrome-debug
  5. This container works and VNC server starts.

Perhaps I will just add sudo x11vnc for now in the selenium/standalone-chrome-debug entry point, or will just use your container, although it looks overbloated. =) Thank you!

Author

sza-1 commented Apr 20, 2016

BTW, I found a workaround: just disable the kernel.grsecurity.harden_ipc kernel parameter.

sudo sysctl kernel.grsecurity.harden_ipc=0

Also it can be added to /etc/sysctl.d.

I do not like this solution, but it works with the current version of the selenium/standalone-*-debug containers and helps if you just want to debug a single issue in a Selenium test.
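
Added example, not part of the original thread or the project's code: a shell helper that parses the grsec denial line quoted earlier in this issue and compares the IPC object's creator uid with the euid of the denied process, which is the mismatch the log shows (creator uid 0, Xvfb as uid 1000). It also reads the harden_ipc setting without changing it. The function names and the /proc path derived from the sysctl name are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage grsecurity harden_ipc denials in kernel log lines.

# Reads dmesg-style lines on stdin; prints one summary line per denial.
grsec_ipc_denials() {
    sed -nE 's#^.*grsec: denied ([a-z]+) of overly-permissive IPC object with creator uid ([0-9]+) by ([^[]+)\[[^]]*\] uid/euid:([0-9]+)/([0-9]+) .*$#\1 \2 \4 \5 \3#p' |
    while read -r op creator uid euid exe; do
        # The executable path is read last so that spaces in it survive.
        if [ "$creator" = "$euid" ]; then
            verdict="same-uid"
        else
            verdict="uid-mismatch"
        fi
        printf '%s op=%s creator_uid=%s accessor_uid=%s accessor_euid=%s exe=%s\n' \
            "$verdict" "$op" "$creator" "$uid" "$euid" "$exe"
    done
}

# Prints the current harden_ipc value, or "absent" when the kernel does not
# expose it. The optional argument overrides the path (assumed from the
# sysctl name kernel.grsecurity.harden_ipc). Nothing is written.
harden_ipc_state() {
    f=${1:-/proc/sys/kernel/grsecurity/harden_ipc}
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "absent"
    fi
}

# Sample input: the first line is the dmesg line quoted in this issue,
# the second is a constructed, unrelated kernel message.
sample_log() {
cat <<'EOF'
grsec: denied write of overly-permissive IPC object with creator uid 0 by /usr/bin/Xvfb[Xvfb:32377] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xvfb-run[xvfb-run:32362] uid/euid:1000/1000 gid/egid:1000/1000
[   12.345678] usb 1-1: new high-speed USB device number 2 using xhci_hcd
EOF
}

sample_log | grsec_ipc_denials
```

On a live host the same function can be fed from `dmesg`; a `uid-mismatch` line naming Xvfb points at the processes that would need to run under one user for the container to work with harden_ipc left enabled.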

Author

sza-1 commented Apr 20, 2016

what's the full docker run command and the output?

@elgalu I forgot to attach the full output you asked for. It is below.

Looking for lock file: /tmp/.X??-lock
Waiting xvfb...
08:27:56.777 INFO - Launching a standalone Selenium Server
08:27:56.802 INFO - Java: Oracle Corporation 25.02-b03
08:27:56.802 INFO - OS: Linux 4.4.7.201604152208-1-grsec amd64
08:27:56.816 INFO - v2.53.0, with Core v2.53.0. Built from revision 35ae25b
08:27:56.868 INFO - Driver provider org.openqa.selenium.ie.InternetExplorerDriver registration is skipped:
registration capabilities Capabilities [{ensureCleanSession=true, browserName=internet explorer, version=, platform=WINDOWS}] does not match the current platform LINUX
08:27:56.868 INFO - Driver provider org.openqa.selenium.edge.EdgeDriver registration is skipped:
registration capabilities Capabilities [{browserName=MicrosoftEdge, version=, platform=WINDOWS}] does not match the current platform LINUX
08:27:56.869 INFO - Driver class not found: com.opera.core.systems.OperaDriver
08:27:56.869 INFO - Driver provider com.opera.core.systems.OperaDriver is not registered
08:27:56.869 INFO - Driver provider org.openqa.selenium.safari.SafariDriver registration is skipped:
registration capabilities Capabilities [{browserName=safari, version=, platform=MAC}] does not match the current platform LINUX
08:27:56.870 INFO - Driver class not found: org.openqa.selenium.htmlunit.HtmlUnitDriver
08:27:56.870 INFO - Driver provider org.openqa.selenium.htmlunit.HtmlUnitDriver is not registered
08:27:56.915 INFO - RemoteWebDriver instances should connect to: http://127.0.0.1:4444/wd/hub
08:27:56.915 INFO - Selenium Server is up and running
20/04/2016 08:27:57 passing arg to libvncserver: -rfbport
20/04/2016 08:27:57 passing arg to libvncserver: 5900
20/04/2016 08:27:57 -usepw: found /root/.vnc/passwd
20/04/2016 08:27:57 x11vnc version: 0.9.13 lastmod: 2011-08-10  pid: 71
20/04/2016 08:27:57 Using X display :99.0
20/04/2016 08:27:57 rootwin: 0x25c reswin: 0x200001 dpy: 0x9f4450
20/04/2016 08:27:57 
20/04/2016 08:27:57 ------------------ USEFUL INFORMATION ------------------
20/04/2016 08:27:57 X DAMAGE available on display, using it for polling hints.
20/04/2016 08:27:57   To disable this behavior use: '-noxdamage'
20/04/2016 08:27:57 
20/04/2016 08:27:57   Most compositing window managers like 'compiz' or 'beryl'
20/04/2016 08:27:57   cause X DAMAGE to fail, and so you may not see any screen
20/04/2016 08:27:57   updates via VNC.  Either disable 'compiz' (recommended) or
20/04/2016 08:27:57   supply the x11vnc '-noxdamage' command line option.
20/04/2016 08:27:57 
20/04/2016 08:27:57 Wireframing: -wireframe mode is in effect for window moves.
20/04/2016 08:27:57   If this yields undesired behavior (poor response, painting
20/04/2016 08:27:57   errors, etc) it may be disabled:
20/04/2016 08:27:57    - use '-nowf' to disable wireframing completely.
20/04/2016 08:27:57    - use '-nowcr' to disable the Copy Rectangle after the
20/04/2016 08:27:57      moved window is released in the new position.
20/04/2016 08:27:57   Also see the -help entry for tuning parameters.
20/04/2016 08:27:57   You can press 3 Alt_L's (Left "Alt" key) in a row to 
20/04/2016 08:27:57   repaint the screen, also see the -fixscreen option for
20/04/2016 08:27:57   periodic repaints.
20/04/2016 08:27:58 
20/04/2016 08:27:58 XFIXES available on display, resetting cursor mode
20/04/2016 08:27:58   to: '-cursor most'.
20/04/2016 08:27:58   to disable this behavior use: '-cursor arrow'
20/04/2016 08:27:58   or '-noxfixes'.
20/04/2016 08:27:58 using XFIXES for cursor drawing.
20/04/2016 08:27:58 GrabServer control via XTEST.
20/04/2016 08:27:58 
20/04/2016 08:27:58 Scroll Detection: -scrollcopyrect mode is in effect to
20/04/2016 08:27:58   use RECORD extension to try to detect scrolling windows
20/04/2016 08:27:58   (induced by either user keystroke or mouse input).
20/04/2016 08:27:58   If this yields undesired behavior (poor response, painting
20/04/2016 08:27:58   errors, etc) it may be disabled via: '-noscr'
20/04/2016 08:27:58   Also see the -help entry for tuning parameters.
20/04/2016 08:27:58   You can press 3 Alt_L's (Left "Alt" key) in a row to 
20/04/2016 08:27:58   repaint the screen, also see the -fixscreen option for
20/04/2016 08:27:58   periodic repaints.
20/04/2016 08:27:58 
20/04/2016 08:27:58 XKEYBOARD: number of keysyms per keycode 7 is greater
20/04/2016 08:27:58   than 4 and 51 keysyms are mapped above 4.
20/04/2016 08:27:58   Automatically switching to -xkb mode.
20/04/2016 08:27:58   If this makes the key mapping worse you can
20/04/2016 08:27:58   disable it with the "-noxkb" option.
20/04/2016 08:27:58   Also, remember "-remap DEAD" for accenting characters.
20/04/2016 08:27:58 
20/04/2016 08:27:58 X FBPM extension not supported.
20/04/2016 08:27:58 X display is not capable of DPMS.
20/04/2016 08:27:58 --------------------------------------------------------
20/04/2016 08:27:58 
20/04/2016 08:27:58 Default visual ID: 0x21
20/04/2016 08:27:58 Read initial data from X display into framebuffer.
20/04/2016 08:27:58 initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/5440
20/04/2016 08:27:58 
20/04/2016 08:27:58 X display :99.0 is 32bpp depth=24 true color
20/04/2016 08:27:58 
20/04/2016 08:27:58 Listening for VNC connections on TCP port 5900
20/04/2016 08:27:58 Listening for VNC connections on TCP6 port 5900
20/04/2016 08:27:58 listen6: bind: Address already in use
20/04/2016 08:27:58 Not listening on IPv6 interface.
20/04/2016 08:27:58 
20/04/2016 08:27:58 Xinerama is present and active (e.g. multi-head).
20/04/2016 08:27:58 Xinerama: number of sub-screens: 1
20/04/2016 08:27:58 Xinerama: no blackouts needed (only one sub-screen)
20/04/2016 08:27:58 

X11 MIT Shared Memory Attach failed:
  Is your DISPLAY=:99.0 on a remote machine?
  Suggestion, use: x11vnc -display :0 ... for local display :0

caught X11 error:
20/04/2016 08:27:58 deleted 43 tile_row polling images.
X Error of failed request:  BadAccess (attempt to access private resource denied)
  Major opcode of failed request:  130 (MIT-SHM)
  Minor opcode of failed request:  1 (X_ShmAttach)
  Serial number of failed request:  49
  Current serial number in output stream:  94

@sza-1 sza-1 changed the title VNC server does not work in selenium/standalone-chrome container VNC server does not work in selenium/standalone-chrome container on hardened PaX kernels Apr 21, 2016
@sza-1 sza-1 changed the title VNC server does not work in selenium/standalone-chrome container on hardened PaX kernels VNC server does not work in selenium/standalone-chrome-debug containers on hardened PaX kernels Apr 21, 2016
@lock lock bot locked and limited conversation to collaborators Aug 14, 2019