--gpu with NVIDIA driver installation: drop --newprivileges=yes #162 #…

…198

CHANGELOG.md

@@ -9,13 +9,14 @@ Project website: https://github.com/mviereck/x11docker
 ## [Unreleased]
 ### Added
  - `--xoverip`: New option to enforce X over TCP/IP. For special setups only.
+   [(#201)](https://github.com/mviereck/x11docker/issues/201)
 ### Changed
  - `--xephyr`: Disabled Xephyr option `-glamor`.
    [(#196)](https://github.com/mviereck/x11docker/issues/196)
  - `TODO.md` outsourced from x11docker script.
  - Run `containerrootrc` with `--privileged`. Does not affect desired 
    container command in `containerrc`. Allows less privileges with NVIDIA
-   driver installation and should avoid bugs like in
+   driver installation and avoids issues like in
    [(#196)](https://github.com/mviereck/x11docker/issues/196)
 ### Fixed
  - Support `snap` installation of Docker.

x11docker

@@ -1578,7 +1578,7 @@ setup_gpu() {                   # option --gpu: share /dev/dri and check nvidia
   # g  $Nvidiainstallerfile   nvidia driver file to install in container in containerrootrc
   # g  $Nividaversion  nvidia driver version on host
 
-  local Gpudevice=
+  local Gpudevice
 
   Containerusergroups="$Containerusergroups video render"
 
@@ -1587,37 +1587,36 @@ setup_gpu() {                   # option --gpu: share /dev/dri and check nvidia
     store_runoption volume "$Gpudevice"
   done < <(find /dev/dri /dev/nvidia* /dev/vga_arbiter -maxdepth 0 2>/dev/null ||:)
 
+  [ -z "$Nvidiaversion" ] && return 0
+
   # check for closed source nvidia driver on host, provide automated installation, warn about disadvantages
-  [ "$Nvidiaversion" ] && {
-    debugnote "NVIDIA: Detected driver version $Nvidiaversion on host."
-    Nvidiainstallerfile="$(find /usr/local/share/x11docker/NVIDIA*$Nvidiaversion*.run $Hostuserhome/.local/share/x11docker/NVIDIA*$Nvidiaversion*.run 2>/dev/null | tail -n1 )"
-    Nvidiainstallerfile="$(myrealpath "$Nvidiainstallerfile" 2>/dev/null)"
-    case "$Runtime" in
-      "nvidia") 
-        debugnote "NVIDIA runtime detected. Not installing driver."
-        Nvidiainstallerfile="" 
-      ;;
-      *)
-        [ -e "$Nvidiainstallerfile" ] && {
-          debugnote "NVIDIA: Found proprietary closed source NVIDIA driver installer
+  debugnote "NVIDIA: Detected driver version $Nvidiaversion on host."
+
+  [ "$Runtime" = "nvidia" ] && {
+    debugnote "NVIDIA: Option --runtime=nvidia: Skipping driver installation."
+    Nvidiainstallerfile="" 
+    return 0
+  }
+
+  Nvidiainstallerfile="$(find /usr/local/share/x11docker/NVIDIA*$Nvidiaversion*.run $Hostuserhome/.local/share/x11docker/NVIDIA*$Nvidiaversion*.run 2>/dev/null | tail -n1 )"
+  Nvidiainstallerfile="$(myrealpath "$Nvidiainstallerfile" 2>/dev/null)"
+
+  [ -e "$Nvidiainstallerfile" ] && {
+    debugnote "NVIDIA: Found proprietary closed source NVIDIA driver installer
   $Nvidiainstallerfile"
-
-#          [ "$Capdropall" = "yes" ] && warning "To install proprietary closed source NVIDIA driver,
-#  x11docker must give some capabilities to container that would be dropped
-#  otherwise for security reasons. Container security is reduced now.
-#  However, given capabilities are still within default Docker capabilities.
-#  You would not have this issue with free nouveau driver on host."
-#          :
-        } || {
-          Nvidiainstallerfile=""
-          note "You are using proprietary closed source NVIDIA driver.
+    return 0
+  }
+
+  Nvidiainstallerfile=""
+
+  note "Option --gpu: You are using the closed source NVIDIA driver.
   GPU acceleration will only work if you have installed the very same driver
   version in image. That makes images less portable.
   It is recommended to use free open source nouveau driver on host instead.
   Ask NVIDIA corporation to at least publish their closed source API,
   or even better to actively support open source driver nouveau."
 
-          note "x11docker can try to automatically install NVIDIA driver
+  note "Option --gpu: x11docker can try to automatically install NVIDIA driver
   version $Nvidiaversion in container on every container startup.
   Drawbacks: Container startup is a bit slower and its security will be reduced.
 
@@ -1633,10 +1632,7 @@ setup_gpu() {                   # option --gpu: share /dev/dri and check nvidia
   Be aware that the version number must match exactly the version on host.
   The file name must begin with 'NVIDIA', contain the version number $Nvidiaversion
   and end with suffix '.run'."
-        }
-      ;;
-    esac
-  }
+
   return 0
 }
 setup_hostdbus() {              # option --hostdbus: connect to host DBus session daemon.
@@ -4001,16 +3997,8 @@ setup_capabilities() {          # check linux capabilities needed by container
   }
   [ "$Switchcontainerusercaps" = "yes" ] && store_runoption cap "SETUID SETGID DAC_OVERRIDE AUDIT_WRITE"
 
-  #[ "$Sharegpu" = "yes" ] && [ "$Nvidiainstallerfile" ] && {
-  [ "$Sharegpu" = "yes" ] && [ "$Nvidiainstallerfile" ] && [ "$Switchcontaineruser" = "yes" ] && {
-    #store_runoption cap "SETUID SETGID DAC_OVERRIDE CHOWN FOWNER"
-    store_runoption cap "CHOWN FOWNER"
-    [ "$Allownewprivileges" = "auto" ] && {
-      note "Option --gpu: Installing NVIDIA driver in container
-  needs advanced privileges. Enabling option --newprivileges=yes"
-      Allownewprivileges="yes"
-    }
-  }
+  # Automated NVIDIA driver installation
+  [ "$Sharegpu" = "yes" ] && [ "$Nvidiainstallerfile" ] && [ "$Switchcontaineruser" = "yes" ] && store_runoption cap "CHOWN FOWNER"
 
   [ "$Allownewprivileges" = "auto" ] && Allownewprivileges="no"
 
@@ -7083,7 +7071,7 @@ option_messages() {             # some messages depending on options, but not ch
     xpra, weston+Xwayland or kwin_wayland+Xwayland,
   or run a second Xorg server with option --xorg." ;;
             *) note "To allow protection against X security leaks 
-  while uing --gpu with NVIDIA, please use option --xorg." ;;
+  while using --gpu with NVIDIA, please use option --xorg." ;;
           esac
         ;;
         no) note "To allow protection against X security leaks,