@RafaelPalomar
Last active November 28, 2023 16:54
How to run an OpenGL dockerized application with Nvidia #nvidia #docker #opengl

Running OpenGL applications within Nvidia Containers

Preparing the container

This explains how to run OpenGL applications within containers using Nvidia’s OpenGL.

I prepared a Docker image based on Nvidia’s OpenGL container:

FROM nvidia/opengl:1.0-glvnd-runtime

#Adding a generic user in the video group
RUN useradd -u 1000 -m -g video user

Based on your configuration you might want to change the user id to something different than 1000. In addition, you might want to change the username to be your host’s system username instead of user. See below how to deal with permissions to connect to Xorg.

Running the containerized application

You need to run this container with nvidia-docker. Remember to modify the /etc/modprobe.d/nvidia.conf file to include the option NVreg_DeviceFileMode=0666, otherwise your device won’t be seen.

nvidia-docker run [-it] [--rm] \
--name nextcloud-client \
--net=host \
--device=/dev/dri \
-e DISPLAY=$DISPLAY \
--user=1000 \
-v /tmp/.X11-unix:/tmp/.X11-unix \
<containerId> [command]

In some forums I have found you should replace $DISPLAY by unix$DISPLAY.

Dealing with the X server permissions

From http://wiki.ros.org/docker/Tutorials/GUI

Solution 1: the quick and dirty way.

We can adjust the permissions on the X server host. This is not the safest way, however, as you then compromise the access control to the X server on your host. With a little effort, someone could display something on your screen or capture user input, and it becomes easier to exploit other vulnerabilities that might exist in X.

xhost +local:root

You can run xhost -local:root after using the container to be safer.

A better option is to open up xhost only to the specific system that you want. For instance, if you are running a container on the local host’s Docker daemon with the container’s ID stored in the shell variable containerId:

xhost +local:`docker inspect --format='{{ .Config.Hostname }}' $containerId`
docker start $containerId
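
The two steps above (granting access for the container's hostname, then revoking it afterwards) can be tied together so the grant never outlives the container. This is an added example, not part of the original gist; `run_gui_container` and the `NVIDIA_DOCKER` override variable are hypothetical names, and the `create` flags are the ones from the run command earlier on this page.

```shell
#!/bin/sh
# Added example (not from the gist): keep the xhost grant in place only
# while one container runs, using the xhost/docker commands shown above.
# run_gui_container and NVIDIA_DOCKER are hypothetical names.

run_gui_container() (
    # Subshell body: variables and traps stay local to this call.
    [ "$#" -ge 1 ] || { echo "usage: run_gui_container IMAGE [COMMAND...]" >&2; exit 2; }
    : "${DISPLAY:?DISPLAY is not set}"
    image=$1
    shift

    # Create (do not start) the container so its hostname is known first.
    cid=$("${NVIDIA_DOCKER:-nvidia-docker}" create \
        --net=host \
        --device=/dev/dri \
        -e DISPLAY="$DISPLAY" \
        --user=1000 \
        -v /tmp/.X11-unix:/tmp/.X11-unix \
        "$image" "$@") || exit 1
    host=$(docker inspect --format='{{ .Config.Hostname }}' "$cid") \
        || { docker rm --force "$cid" >/dev/null; exit 1; }

    # Install cleanup before granting access, so the grant is revoked and
    # the container removed on normal exit, on failure and on Ctrl-C.
    trap 'xhost "-local:$host" >/dev/null; docker rm --force "$cid" >/dev/null' EXIT
    trap 'exit 130' INT TERM
    xhost "+local:$host" >/dev/null

    # Runs in the foreground; the exit status is the application's.
    docker start --attach "$cid"
)

# Stand-alone use: sh run-gui.sh IMAGE [COMMAND...]
if [ "$#" -gt 0 ]; then
    run_gui_container "$@"
fi
```
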

Solution 2: the safer way.

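Another way is to use your own user’s credentials to access the display server. This involves mounting additional directories and requires that the username defined in the container corresponds to your username on the host. The mounts below are read-only, but they do place the host’s /etc/passwd, /etc/group, /etc/shadow and /etc/sudoers.d inside the container: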

nvidia-docker run [-it] [--rm] \
--user=$USER \
--env="DISPLAY" \
--volume="/etc/group:/etc/group:ro" \
--volume="/etc/passwd:/etc/passwd:ro" \
--volume="/etc/shadow:/etc/shadow:ro" \
--volume="/etc/sudoers.d:/etc/sudoers.d:ro" \
--volume="/tmp/.X11-unix:/tmp/.X11-unix:rw" \
<containerId> [command]

In the link above there are additional ways to do this.
