Chromium doesn't start under docker without `xhost +local:`

$ xhost
access control enabled, only authorized clients can connect

xterm works:

$ docker run --rm -it --network host \
  --volume ~/.Xauthority:/root/.Xauthority:ro \
  --env DISPLAY \
  alpine:3.19 sh -euxc 'apk add xterm; exec xterm'

chromium opens a window and seems to receive keystrokes, but the window is empty (output):

$ docker run --rm -it --network host \
  --volume ~/.Xauthority:/root/.Xauthority:ro \
  --env DISPLAY \
  alpine:3.19 sh -euxc 'apk add chromium; exec chromium --no-sandbox'

If I allow local connections with xhost it works:

$ xhost +local:

$ xhost
access control enabled, only authorized clients can connect
LOCAL:

$ docker run --rm -it --network host \
  --volume ~/.Xauthority:/root/.Xauthority:ro \
  --env DISPLAY \
  alpine:3.19 sh -euxc 'apk add chromium; exec chromium --no-sandbox'

$ xhost -local:

One could speculate here that it starts non-root processes which don’t have access to /root/.Xauthority, and that’s why it fails. Then under which user? So that I could provide .Xauthority to all interested parties. How do I debug this? How do I make it work?

Asked By: x-yuri


Not exactly an answer, but it probably makes more sense to run chromium under non-root:

$ docker run --rm -it --network host \
  --volume ~/.Xauthority:/.Xauthority:ro \
  --env DISPLAY \
  alpine:3.19 \
  sh -euxc 'apk add chromium shadow
            useradd -m a
            cp .Xauthority /home/a
            chown a: /home/a/.Xauthority
            exec su - a -c "DISPLAY=$DISPLAY exec chromium --no-sandbox --no-first-run"'

Or better yet (I’m assuming you’re running under PID 1000):

Dockerfile:

FROM alpine:3.19
RUN apk add chromium shadow && useradd -m a

$ docker build -t i .
$ docker run --rm -it --network host \
  --volume ~/.Xauthority:/home/a/.Xauthority:ro \
  --env DISPLAY \
  -u 1000 \
  i chromium --no-sandbox --no-first-run

Or using a chromium seccomp profile (created in 2016), which lets us avoid --no-sandbox:

$ curl -O https://raw.githubusercontent.com/jessfraz/dotfiles/master/etc/docker/seccomp/chrome.json
$ docker run --rm -it --network host \
  --volume ~/.Xauthority:/home/a/.Xauthority:ro \
  --env DISPLAY \
  -u 1000 \
  --security-opt seccomp=chrome.json \
  i chromium --no-first-run

The seccomp profile was taken from these answers, and here’s the description of how it was created.

Answered By: x-yuri
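The answer above bind-mounts the whole host ~/.Xauthority into the container. As an added example (not the asker's code), the script below hands the container user only the one cookie for the current $DISPLAY, so neither `xhost +local:` (which lets every local process talk to the X server) nor the other cookies in the file are exposed. It assumes `xauth` on the host and, like the question, `--network host`, so the host name stored in the entry still matches; the optional `wild` argument generalises to containers with their own hostname by rewriting the entry family to FamilyWild (ffff). The sample `xauth nlist` lines are constructed.

```shell
#!/bin/sh
# Build a minimal Xauthority file containing only the cookie for one display,
# for mounting into a container as the non-root user's ~/.Xauthority.
set -eu

# Constructed sample of `xauth nlist` output: two cookies for host "myhost",
# displays :0 and :1. Field layout (all hex, strings hex-encoded):
#   family addrlen addr numlen num namelen name datalen data
SAMPLE_NLIST='0100 0006 6d79686f7374 0001 30 0012 4d49542d4d414749432d434f4f4b49452d31 0010 00112233445566778899aabbccddeeff
0100 0006 6d79686f7374 0001 31 0012 4d49542d4d414749432d434f4f4b49452d31 0010 ffeeddccbbaa99887766554433221100'

# ":1.0" -> "1", "localhost:10.0" -> "10": drop host part and screen part.
display_number() {
    n=${1##*:}
    printf '%s\n' "${n%%.*}"
}

# Hex-encode a string the way nlist encodes the display field ("10" -> "3130").
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# select_cookie_entries NLIST DISPLAY [wild]
# Keep only entries whose display-number field (5th) matches DISPLAY. With a
# third argument, rewrite the family (1st field) to ffff = FamilyWild so the
# cookie matches whatever hostname the container has.
select_cookie_entries() {
    want=$(hex_encode "$(display_number "$2")")
    printf '%s\n' "$1" | awk -v want="$want" -v wild="${3:-}" \
        '$5 == want { if (wild != "") $1 = "ffff"; print }'
}

# write_minimal_xauth DEST DISPLAY [wild]: write the selected entries to DEST
# (mode 0600, owned by the caller) using `xauth nmerge`.
write_minimal_xauth() {
    entries=$(select_cookie_entries "$(xauth nlist)" "$2" "${3:-}")
    [ -n "$entries" ] || { echo "no cookie for display $2 in the current authority file" >&2; return 1; }
    umask 077
    rm -f "$1"
    printf '%s\n' "$entries" | xauth -f "$1" nmerge -
}

# Usage: ./minimal-xauth.sh /tmp/chromium.xauth [wild]
# then: docker run ... -u 1000 --volume /tmp/chromium.xauth:/home/a/.Xauthority:ro ...
case "${0##*/}" in
    minimal-xauth.sh) write_minimal_xauth "${1:?dest path}" "${DISPLAY:?DISPLAY not set}" "${2:-}" ;;
esac
```

The resulting file is mounted where the answer mounts ~/.Xauthority (/home/a/.Xauthority for the UID-1000 user); chown it to that UID if the host user differs.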