tm5tsq
(John Doe)
February 13, 2024, 11:01pm
1
I’m trying to write a podman command with strict isolation (no home dir, runtime dir, etc.) to replicate what toolbox does (in it, I can run GUI apps just fine).
This is my command:
user_uid=$UID
user_gid=$(id -rg)
user_name=$USER
podman run \
--rm \
--security-opt label=disable \
-e XDG_RUNTIME_DIR=/tmp \
-e "WAYLAND_DISPLAY=$WAYLAND_DISPLAY" \
-v "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro" \
-it \
fedora \
bash -euo pipefail -c "
dnf install -y \
coreutils bash bash-completion less nano sudo tree util-linux
groupadd -g $user_gid $user_name
useradd -u $user_uid -g $user_gid -ms /usr/bin/bash $user_name
usermod -aG wheel $user_name
echo '$user_name ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/nopasswd
cd /home/$user_name
exec sudo -iu $user_name --preserve-env=XDG_RUNTIME_DIR,WAYLAND_DISPLAY
"
Then I can install gedit with sudo dnf install. However, when run, this error occurs:
(gedit:9552): Gtk-WARNING **: 21:10:37.323: cannot open display:
I don’t want X, I want Wayland. Why does this not work? What is missing?
Oh boy... I've been down this road before. See my other threads on sandbox & SELinux.
You have some issues in the script, try this:
user_uid=$UID
user_gid=$(id -rg)
user_name=$USER
# Bind mounts added below: the Wayland socket, the Wayland libraries and the Wayland protocols
# (comments cannot sit after or between backslash-continued lines, so they are kept up here)
podman run \
--rm \
--security-opt label=disable \
-e XDG_RUNTIME_DIR=/tmp \
-e "WAYLAND_DISPLAY=$WAYLAND_DISPLAY" \
-v "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro" \
-v /run/user/$user_uid/wayland-0:/tmp/wayland-0:ro \
-v /usr/lib/wayland-egl:/usr/lib/wayland-egl:ro \
-v /usr/share/wayland:/usr/share/wayland:ro \
-it \
fedora \
bash -euo pipefail -c "
dnf install -y \
coreutils bash bash-completion less nano sudo tree util-linux gedit
groupadd -g $user_gid $user_name
useradd -u $user_uid -g $user_gid -ms /usr/bin/bash $user_name
usermod -aG wheel $user_name
echo '$user_name ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/nopasswd
cd /home/$user_name
exec sudo -iu $user_name --preserve-env=XDG_RUNTIME_DIR,WAYLAND_DISPLAY
"
If you have SELinux and policy-coreutils you can run a sandbox for a browser/app very easily as well:
sandbox -X -w 1920x1080 -H temphome -T tmp -t sandbox_web_t firefox &
The temphome & tmp can preserve the session if you need to reuse the container. There are other use cases with a systemd-nspawn container as well, relabeling the container with sandbox_t and passing Wayland as the display.
tm5tsq
(John Doe)
February 13, 2024, 11:13pm
3
I don't have any of those dirs:
/usr/lib/wayland-egl
/usr/share/wayland
I use SwayWM so it is quite minimal (no full DE installed).
I do not have sway, so you can try removing:
-v /usr/lib/wayland-egl:/usr/lib/wayland-egl:ro \
-v /usr/share/wayland:/usr/share/wayland:ro \
tm5tsq
(John Doe)
February 13, 2024, 11:19pm
5
Then I end up with what I started with. The first line you added is actually a duplicate of what I had already, but differently worded (bind mount the Wayland socket):
-v "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro" \
-v /run/user/$user_uid/wayland-0:/tmp/wayland-0:ro \
tm5tsq
(John Doe)
February 13, 2024, 11:25pm
7
In my case I have wayland-1, not wayland-0, and this is what the WAYLAND_DISPLAY env var also correctly has.
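The two problems the thread runs into, a socket name hard-coded to wayland-0 while the compositor actually listens on wayland-1, and comments placed after the trailing backslashes of the podman command, can both be avoided by resolving the socket the way libwayland does (XDG_RUNTIME_DIR joined with WAYLAND_DISPLAY, defaulting to wayland-0) and refusing to start the container when that path is not a connectable unix socket. The script below is an added example written for this thread, not code from either poster; it assumes podman, a Fedora image and a running Wayland compositor on the host, and the function and variable names are its own.

```shell
#!/bin/sh
# Added example: resolve the host compositor socket, verify it, and hand it to
# an ephemeral podman container as /tmp/<name>, matching XDG_RUNTIME_DIR=/tmp
# inside the container. Nothing is hard-coded to wayland-0.

# wayland_socket_path RUNTIME_DIR DISPLAY
# Prints the path libwayland would open: an absolute WAYLAND_DISPLAY is used
# as-is, otherwise it is joined to RUNTIME_DIR; an empty DISPLAY means wayland-0.
wayland_socket_path() {
    runtime_dir=$1
    display=${2:-wayland-0}
    case $display in
        /*) printf '%s\n' "$display" ;;
        *)  printf '%s/%s\n' "$runtime_dir" "$display" ;;
    esac
}

# check_wayland_socket PATH
# Succeeds only if PATH is a unix socket the caller may write to, i.e. connect to.
# A missing socket or a plain file (the wayland-0 vs wayland-1 mismatch) fails
# here, before any container is started and before GTK can print
# "cannot open display".
check_wayland_socket() {
    [ -S "$1" ] && [ -w "$1" ]
}

# container_setup_script UID GID NAME
# Prints the bash script run as root inside the container: install the app,
# create a user with the host's uid/gid so the bind-mounted socket is
# accessible to it, grant it passwordless sudo inside the throwaway container,
# then drop to that user keeping only the two Wayland variables.
container_setup_script() {
    printf 'set -euo pipefail\n'
    printf 'dnf install -y coreutils bash sudo util-linux gedit\n'
    printf 'groupadd -g %s %s\n' "$2" "$3"
    printf 'useradd -u %s -g %s -ms /usr/bin/bash %s\n' "$1" "$2" "$3"
    printf 'usermod -aG wheel %s\n' "$3"
    printf "echo '%s ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/nopasswd\n" "$3"
    printf 'cd /home/%s\n' "$3"
    printf 'exec sudo -iu %s --preserve-env=XDG_RUNTIME_DIR,WAYLAND_DISPLAY\n' "$3"
}

# launch_wayland_sandbox [IMAGE]
# Assumes podman is installed and a compositor is running for the current user.
launch_wayland_sandbox() {
    image=${1:-fedora}
    runtime_dir=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}
    sock=$(wayland_socket_path "$runtime_dir" "${WAYLAND_DISPLAY:-}")
    check_wayland_socket "$sock" || {
        echo "no usable Wayland socket at $sock" >&2
        return 1
    }
    name=$(basename "$sock")
    # No comments after a trailing backslash: a "#" there ends the
    # continuation and the next "-v" would be parsed as the image name.
    podman run --rm \
        --security-opt label=disable \
        -e XDG_RUNTIME_DIR=/tmp \
        -e "WAYLAND_DISPLAY=$name" \
        -v "$sock:/tmp/$name:ro" \
        -it "$image" \
        bash -c "$(container_setup_script "$(id -u)" "$(id -rg)" "$(id -un)")"
}
```

Save it as a file, source it, and call launch_wayland_sandbox; once inside, gedit is already installed and only the single socket the host really exposes is visible under /tmp. Because the check runs before podman, a wrong or stale WAYLAND_DISPLAY fails with an explicit path on the host side instead of a GTK warning from inside the container.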