Systemd-nspawn doesn't isolate the graphics card

Something seems wrong with nspawn.

I ran a pretty default nspawn container with firefox running inside a Xephyr window. Then I ran firefox on the host with Xephyr. I get different results.

On the host I get the seemingly expected behavior - since Xephyr basically forces firefox to software render I get little artifacts/tearing when playing a youtube video.

But when I run it inside nspawn's Xephyr I get the smoothest video playback, no artifacts or graphics stuttering, up to 1080p, basically as if playing on the host without any Xephyr.

So I am wondering if nspawn has some loophole that passes through stuff to the graphics card somehow and doesn’t isolate the container graphics-wise. It just doesn’t make sense why I’m getting this behavior.

The nspawn container does have user isolation on, but otherwise, just a default container.

Ok, it's really weird, but it seems this may be because I was wrapping firefox in TWO Xephyr windows in the nspawn container. That's so crazyyyy, but it works. I wrapped firefox in two Xephyr containers on the host, compared it side by side with wrapping firefox in one Xephyr container on the host, and there is a huge difference in graphics performance... there's virtually no tearing, everything is smooth. It must have something to do with the way the Xephyr compositor works, probably. Anyway, I hope this is useful to someone someday.


Very interesting, I would be interested in your setup.

Flatpak Firefox is insecure, and I would love to isolate FF while keeping userns creation capabilities

Nspawn firefox is insecure too because SELinux does not function inside nspawn containers. Yes, you get namespace isolation and network abstraction, but if the entire container is pwned your internet experience is compromised, at the very least...?
