This explains how to run OpenGL applications within containers using Nvidia’s OpenGL.
I prepared a docker image based on Nvidia’s OpenGL container:
FROM nvidia/opengl:1.0-glvnd-runtime
#Adding a generic user in the video group
RUN useradd -u 1000 -m -g video user
Based on your configuration you might want to change the user id to something different than 1000. In addition, you might want to change the username to be your host’s system username instead of user. See below how to deal with permissions to connect to Xorg.
You need to run this container with nvidia-docker. Remember to modify the /etc/modprobe.d/nvidia.conf file to include the option NVreg_DeviceFileMode=0666, otherwise your device won’t be seen.
nvidia-docker run [-it] [--rm] \
--name nextcloud-client \
--net=host \
--device=/dev/dri \
-e DISPLAY=$DISPLAY \
--user=1000 \
-v /tmp/.X11-unix:/tmp/.X11-unix \
<containerId> [command]
In some forums I have found you should replace $DISPLAY by unix$DISPLAY.
From http://wiki.ros.org/docker/Tutorials/GUI
We can then adjust the permissions of the X server host. This is not the safest way however, as you then compromise the access control to X server on your host. So with a little effort, someone could display something on your screen, capture user input, in addition to making it easier to exploit other vulnerabilities that might exist in X.
xhost +local:root
You can run xhost -local:root after using the container to be safer.
A better option is opening up xhost only to the specific system that you want, for instance if you are running a container on the local host’s docker daemon with container’s ID stored to the shell variable containerId:
xhost +local:`docker inspect --format='{{ .Config.Hostname }}' $containerId`
docker start $containerId
Another way is to use your own user’s credentials to access the display server. This involves mounting additional directories and requires that the username defined in the container corresponds to your username in the host:
nvidia-docker run [-it] [--rm] \
--user=$USER \
--env="DISPLAY" \
--volume="/etc/group:/etc/group:ro" \
--volume="/etc/passwd:/etc/passwd:ro" \
--volume="/etc/shadow:/etc/shadow:ro" \
--volume="/etc/sudoers.d:/etc/sudoers.d:ro" \
--volume="/tmp/.X11-unix:/tmp/.X11-unix:rw" \
<containerId> [command]
In the link above there are additional ways to do this.
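The grant, start and revoke steps described above (xhost +local: for the container's hostname, docker start, then xhost -local: afterwards) can be tied together so the grant never outlives the container. This is an added example, not code from the original post or the ROS wiki; the function names are hypothetical and it assumes the container already exists and that `docker start -a` is used to keep it in the foreground.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the docker and xhost
# invocations are the ones shown on the page, plus "docker start -a".

# Hostname Docker assigned to the container (used as the xhost entry).
container_hostname() {
    docker inspect --format='{{ .Config.Hostname }}' "$1"
}

# Usage: run_with_x_access <containerId>
# Grants X access for that container's hostname, runs the container in
# the foreground, then revokes the grant whatever the exit status was.
run_with_x_access() {
    cid=${1:-}
    if [ -z "$cid" ]; then
        echo "usage: run_with_x_access <containerId>" >&2
        return 2
    fi

    # Stop if the lookup fails or is empty: an empty name would add a
    # bare "+local:" entry instead of one naming this container.
    host=$(container_hostname "$cid") || return 1
    if [ -z "$host" ]; then
        echo "no hostname found for $cid" >&2
        return 1
    fi

    xhost "+local:$host" >/dev/null || return 1

    # Catch Ctrl-C/TERM so the shell survives and reaches the revoke.
    trap : INT TERM

    # -a attaches, so this returns only once the container has exited.
    status=0
    docker start -a "$cid" || status=$?

    xhost "-local:$host" >/dev/null
    trap - INT TERM
    return "$status"
}
```

Source the file and call `run_with_x_access "$containerId"`; the function returns the container's exit status after the xhost entry has been removed.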