Closed Bug 1214809 Opened 8 years ago Closed 8 years ago

Figure out how to run pulseAudio in a docker container

Categories

(Taskcluster Graveyard :: Docker Images, defect)

Product:
Taskcluster Graveyard
Component:
Docker Images
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla44

People

(Reporter: dustin, Assigned: dustin)

References

Details

Attachments

(2 files)

strace of su
36.82 KB, text/plain
Details
MozReview Request: Bug 1214809: use 'sudo' instead of 'su' to drop root privs; r?ted
40 bytes, text/x-review-board-request
ted
: review+
Details 
I had no end of trouble in bug 1213325 trying to get pulseaudio to work, on the assumption it had been done before in the tester image.  I eventually figured out that's not the case, and nobody at Mozilla has successfully run pulseaudio in a docker container.

We'll probably need to sort that out to get tests running that rely on it.
See Also: → 1214194
I've just recently done some unrelated-but-relevant hacking, and found that running PulseAudio inside Docker worked fine, as long as you don't actually care about getting the audio *out* of the container.
You do have to manually start the PulseAudio daemon to make things work, but you can just run `pulseaudio --fail --daemonize --start`. I also ran `pactl load-module module-null-sink` to get a default audio output.
From bug 1213325, it looks like you're trying to get PulseAudio to have access to actual sound devices. I don't think that's something we need to do.

We probably do need to give the test containers access to /dev/videoN so they can run loopback video tests, since unfortunately that requires access to a real device.
Starting pulseaudio with no /dev/snd/* defined failed -- the daemon exited.  Was there some config that you applied to make it work?  Also, I was unable to replicate the container-killing behavior at an interactive shell -- it only occurred when running a shell script that invoked pulseaudio (although it did so both on my desktop and on TC EC2 instances).

The video's a separate issue (I hope!)
I didn't do anything particularly fancy, I built the container using this Dockerfile:
https://github.com/luser/sip-transcribe/blob/master/Dockerfile

Running it with no special options I'm able to launch pulseaudio as per comment 3 and things work. I can run `paplay /path/to.wav` and it runs. (As you can see from the rest of that repository, I've also used the null sink as a loopback device to capture audio being output from another app.)
Assignee: nobody → dustin
Indeed, with no sound devices mounted:

root@taskcluster-worker:~# chown -R worker:worker /home/worker/
root@taskcluster-worker:~# su - worker
worker@taskcluster-worker:~$ pulseaudio --fail --daemonize --start
worker@taskcluster-worker:~$ pactl load-module module-null-sink
17
worker@taskcluster-worker:~$ paplay a2002011001-e02-ulaw.wav
https://tools.taskcluster.net/task-inspector/#QsO_p2HZSC6rSS3m74ywPg/
  "command": [
    "bash",
    "-c",
    "chown -R worker:worker /home/worker && su - worker bash -c 'pulseaudio --fail --daemonize --start && sleep 2 && echo success'"
  ],
=> success

----

https://tools.taskcluster.net/task-inspector/#F2dTVWJvTKqghx4RufaQiw/0
test-linux.sh:
https://hg.mozilla.org/users/dmitchell_mozilla.com/mozilla-central/file/d648607bb9fd/testing/taskcluster/scripts/tester/test-linux.sh
#! /bin/bash -xe

set -x -e

echo "running as" $(id)

    pulseaudio --fail --daemonize --start
    pactl load-module module-null-sink
    echo "let's see.."

    sleep 10
    echo "good!"

=> failure

----

Running the latter from my own desktop (Docker-1.8.2)

+ : GECKO_HEAD_REPOSITORY https://hg.mozilla.org/users/dmitchell_mozilla.com/mozilla-central
+ : GECKO_HEAD_REV d648607bb9fd
+ : WORKSPACE /home/worker/workspace
++ id -u
+ '[' 0 = 0 ']'
+ chown -R worker:worker /home/worker
+ exec su worker /home/worker/bin/test.sh -- --mochitest-suite plain-chunked --total-chunk=5 --this-chunk=1 --installer-url=https://queue.taskcluster.net/v1/task/EAOdruDTTq6OPTPkNB8tUw/artifacts/public/build/target.tar.bz2 --test-packages-url=https://queue.taskcluster.net/v1/task/EAOdruDTTq6OPTPkNB8tUw/artifacts/public/build/test_packages.json --no-read-buildbot-config --download-symbols ondemand
+ : GECKO_HEAD_REPOSITORY https://hg.mozilla.org/users/dmitchell_mozilla.com/mozilla-central
+ : GECKO_HEAD_REV d648607bb9fd
+ : WORKSPACE /home/worker/workspace
++ id -u
+ '[' 1000 = 0 ']'
+ '[' -d /home/worker/workspace ']'
+ mkdir -p /home/worker/workspace
+ cd /home/worker/workspace
+ script=testing/taskcluster/scripts/tester/test-linux.sh
+ url=https://hg.mozilla.org/users/dmitchell_mozilla.com/mozilla-central/raw-file/d648607bb9fd/testing/taskcluster/scripts/tester/test-linux.sh
+ curl --fail -o ./test-linux.sh --retry 10 https://hg.mozilla.org/users/dmitchell_mozilla.com/mozilla-central/raw-file/d648607bb9fd/testing/taskcluster/scripts/tester/test-linux.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   189  100   189    0     0    198      0 --:--:-- --:--:-- --:--:--   322
+ chmod +x ./test-linux.sh
+ exec ./test-linux.sh --mochitest-suite plain-chunked --total-chunk=5 --this-chunk=1 --installer-url=https://queue.taskcluster.net/v1/task/EAOdruDTTq6OPTPkNB8tUw/artifacts/public/build/target.tar.bz2 --test-packages-url=https://queue.taskcluster.net/v1/task/EAOdruDTTq6OPTPkNB8tUw/artifacts/public/build/test_packages.json --no-read-buildbot-config --download-symbols ondemand
+ set -x -e
++ id
+ echo 'running as' 'uid=1000(worker)' 'gid=1000(worker)' 'groups=1000(worker)'
running as uid=1000(worker) gid=1000(worker) groups=1000(worker)
+ pulseaudio --fail --daemonize --start
+ pactl load-module module-null-sink

=> failure

----

Reducing test.sh to the following, and running it in an image with /home/worker owned by worker:

#! /bin/bash -vex
set -x -e
if [ $(id -u) = 0 ]; then
    chown -R worker:worker /home/worker
    # drop privileges by re-running this script
    exec su worker /home/worker/bin/test.sh -- "${@}"
fi
pulseaudio --fail --daemonize --start || echo failed
pactl load-module module-null-sink || echo failed
echo "let's see.."
sleep 10
echo "good!"

docker run => failure
docker run -u worker => success

----

docker run:
+ id -a
uid=1000(worker) gid=1000(worker) groups=1000(worker)
+ id -r -g
1000
+ id -r -u
1000
+ id -r -G
1000

docker run -u worker:
+ id -a
uid=1000(worker) gid=1000(worker) groups=1000(worker)
+ id -r -g
1000
+ id -r -u
1000
+ id -r -G
1000

(no difference)

----

replacing 'su' with a python script:
#! /bin/bash -vex
set -x -e
if [ $(id -u) = 0 ]; then
    # drop privileges by re-running this script
    exec python <<'EOF'
import os
os.setgid(1000)
os.setuid(1000)
os.execv('/bin/bash', ['bash', '/home/worker/bin/test.sh'])
EOF
fi
id -a
id -r -g
id -r -u
id -r -G
pulseaudio --fail --daemonize --start || echo failed
pactl load-module module-null-sink || echo failed
echo "let's see.."
sleep 10
echo "good!"

=> success

I ran an strace of the 'su' process to see what silliness it's doing; trace is attached.
Attached file strace of su 

    
    

    
  
The most relevant bits of that strace:

getuid()                                = 0
getuid()                                = 0
getuid()                                = 0
getuid()                                = 0
setgid(1000)                            = 0
setgroups(1, [1000])                    = 0
getuid()                                = 0
getuid()                                = 0
getresuid([0], [0], [0])                = 0
getresgid([1000], [1000], [1000])       = 0
setuid(1000)                            = 0

and even adjusting the python script to make those calls:

import os
print(os.getuid())
os.setgid(1000)
os.setgroups([1000])
os.setuid(1000)
print(os.getresuid())
print(os.getresgid())
os.execv('/bin/bash', ['bash', '/home/worker/bin/test.sh'])

still succeeds.

    
    

    
  
Even simpler, on the advice of
  http://unix.stackexchange.com/questions/132663/how-do-i-drop-root-privileges-in-shell-scripts

#! /bin/bash -vex
set -x -e
if [ $(id -u) = 0 ]; then
    # drop privileges by re-running this script
    exec sudo -u worker bash $0
fi
pulseaudio --fail --daemonize --start || echo failed
pactl load-module module-null-sink || echo failed
echo "let's see.."
sleep 10
echo "good!"

=> success

    
    

    
  
Great Success!!
  https://tools.taskcluster.net/task-inspector/#PW-BDQ_XQVydS6k_lHTpJA/1
(the failures are because I was using one of ahal's task descriptions -- unrelated to this bug)

    
    

    
  


  
Bug 1214809: use 'sudo' instead of 'su' to drop root privs; r?ted

        Attachment #8676524 -
        Flags: review?(ted)

    
    

    
  
Comment on attachment 8676524 [details]
MozReview Request: Bug 1214809: use 'sudo' instead of 'su' to drop root privs; r?ted

https://reviewboard.mozilla.org/r/22741/#review20239

Weird.

        Attachment #8676524 -
        Flags: review?(ted) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/d43d4d4e26fb
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44

    
  
Product: Taskcluster → Taskcluster Graveyard

          You need to log in
          before you can comment on or make changes to this bug.