flatpak-run doesn't work over X11 Forwarding

[mwleeds]

In a shell with X11 Forwarding enabled, flatpak run doesn't work.

In the output below, the Gtk-WARNING at the bottom is the only relevant part (the rest appears when running locally).

$ flatpak run org.gnome.Polari
(flatpak run:31952): flatpak-DEBUG: Allowing x11 access
(flatpak run:31952): flatpak-DEBUG: Allowing wayland access
(flatpak run:31952): flatpak-DEBUG: Running '/usr/local/libexec/flatpak-bwrap --args 16 /usr/local/libexec/flatpak-dbus-proxy --fd=14 unix:path=/run/user/1000/bus /run/user/1000/.session-bus-proxy-PU5ZQY --filter --own=org.gnome.Polari --own=org.gnome.Polari.* --talk=ca.desrt.dconf --talk=org.freedesktop.Telepathy.AccountManager --talk=org.freedesktop.Telepathy.Connection.idle.irc.* --talk=org.freedesktop.portal.* --own=org.freedesktop.Telepathy.Client.Polari --talk=org.freedesktop.secrets --talk=org.freedesktop.Telepathy.ChannelDispatcher'
(process:2): GVFS-RemoteVolumeMonitor-DEBUG: Error: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown

(process:2): GVFS-DEBUG: org.gtk.vfs.MountTracker.listMountableInfo call failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown (g-dbus-error-quark, 2)


(org.gnome.Polari:2): Gtk-WARNING **: cannot open display: 

[alexlarsson]

Yeah, the sandboxing support for X11 is tied to using unix domain sockets, so it will override the DISPLAY env var with an in-sandbox version of the unix domain X11 socket.

I think we should detect this case and leave the display env var alone, but it should work already if you re-set the DISPLAY variable in the sandbox.

[mwleeds]

flatpak run --env=DISPLAY='localhost:13.0' org.gnome.Polari doesn't seem to work for me.

[alexlarsson]

I'm not saying this is a great solution, but can you verify that this works:

flatpak run --command=sh org.gnome.Polari  -c "DISPLAY=:13.0; polari"

[mwleeds]

That still doesn't work, but if I run it without the semicolon I get:

X11 connection rejected because of wrong authentication.

(org.gnome.Polari:2): Gtk-WARNING **: cannot open display: :13.0

[mwleeds]

Apparently it's something specific to Polari because it works for gnome-builder. The manifests look pretty similar so I'm not sure what the relevant difference is.

[jarfil]

Since org.gnome.Polari replaces the home dir, it loses access to the .Xauthority file.
A dirty way to make it work:

mkdir ~/.xauth
rm -f ~/.xauth/.Xauthority
cp -p -f ~/.Xauthority ~/.xauth/.Xauthority
flatpak run --filesystem=~/.xauth --command=sh org.gnome.Polari -c "export DISPLAY=$DISPLAY; cp -p -f ~/.xauth/.Xauthority ~/.Xauthority ; polari"

This should probably get addressed in a much cleaner way.

[bdonnahue]

I am having a similar problem with the monodevelop application found here: http:https://www.monodevelop.com/download/linux/

@jarfil 's solution did not work for me:
[root@localhost ~]# flatpak run --filesystem=~/.xauth --command=sh com.xamarin.MonoDevelop -c "export DISPLAY=$DISPLAY; cp -p .xauth/.Xauthority . ; monodevelop" X11 connection rejected because of wrong authentication. X11 connection rejected because of wrong authentication. X11 connection rejected because of wrong authentication.

This issue reproduced with versions 0.6.12, 0.6.14 on OS Centos 7 and ubuntu 16.10

[jarfil]

@bdonnahue You may have a stale link to an older .Xauthority file in your .xauth dir which you may have to remove. It's probably better to copy it instead of just linking to it anyway, so I've updated my recipe accordingly.

[tygerlord]

Perhaps it's too late but I got same problem for running gedit:

flatpak run --share=network --command=bash org.gnome.gedit - c "DISPLAY=$DISPLAY gedit"

work for me

[andrewharvey]

flatpak run --share=network --command=bash org.gnome.gedit - c "DISPLAY=$DISPLAY gedit"

Unfortunately when I try that with gimp I get:

X11 connection rejected because of wrong authentication.
Cannot open display: 

[ShaunsTestAutomation]

tygerlord solution worked for remote running of AndroidStudio too running remotely on Linux mint distro.
flatpak run --share=network --command=bash com.google.AndroidStudio -c "DISPLAY=$DISPLAY android"

[alexlarsson]

I wonder if we could detect a non-local X11 and set up some proxy using ncat instead. Then it could work even without network access.

[rbi]

I tried the command @tygerlord posted. It worked for me. I use host based authentication for the XServer.
Creating shell scripts for every flatpacked app I want to start is a bit tedious however. It would be great if I could just use the default start menu entries for each app. Is there a way to make --share network and DISPLAY=$DISPLAY global for all apps?

I use a remote X connection for displaying apps of a Linux VM on the Windows host system. This is the best integration into the Windows desktop I could figure out until now. I say this just in case anyone wonders why people still use remote X connections.

[DrChr]

Just leaving a note here for users of Octave.
X11 forwarding does not work for me.

local$ ssh -X remote-host

remote-host$ flatpak run org.octave.Octave
octave: X11 DISPLAY environment variable not set
octave: disabling GUI features
GNU Octave, version 5.1.0

Note: I tried e.g. the alternative below without success.

flatpak run --env=DISPLAY='localhost:10.0' org.octave.Octave --force-gui

Note: Also reported issue at the Octave issue tracker: https://savannah.gnu.org/bugs/index.php?56550

However, the command as per @tygerlord did work (although graphics seems unusually slow):

flatpak run --share=network --command=bash org.octave.Octave -c "DISPLAY=$DISPLAY octave"

[follower]

FWIW I had success with:

flatpak run --share=network --command=sh org.gnome.Builder -c "DISPLAY=$DISPLAY gnome-builder"

[oleid]

Same work-around is needed when using flatpak on WSL2 with an X-Server package like GWSL.

[OmarShawky1]

Same issue here:

$ flatpak run  md.obsidian.Obsidian
[3 preload-host-spawn-strategy] Running: /app/bin/zypak-helper child - /app/obsidian --type=zygote
2022-01-02 20:00:44 Loading updated app package /home/omar/.var/app/md.obsidian.Obsidian/config/obsidian/obsidian-0.13.14.asar
/app/bin/obsidian.sh: line 19:     3 Segmentation fault      zypak-wrapper /app/obsidian $@

$ flatpak run com.github.debauchee.barrier 
The Barrier GUI requires a display. Quitting...
$ flatpak run com.github.debauchee.barrier --share=network -c "DISPLAY=$DISPLAY Barrier"
The Barrier GUI requires a display. Quitting...
$ flatpak run --share=network --command=bash com.github.debauchee.barrier -c "DISPLAY=$DISPLAY Barrier"
bash: line 1: Barrier: command not found
$ flatpak run --share=network com.github.debauchee.barrier -c "DISPLAY=$DISPLAY Barrier"
The Barrier GUI requires a display. Quitting...
$ flatpak run --share=network com.github.debauchee.barrier -c "DISPLAY=$DISPLAY barrier"
The Barrier GUI requires a display. Quitting...

But every other thing that is not flatpak works.

[srd424]

Hmm, my Xauthority file ends up with "FamilyInternet" entries which just store the IP address in binary rather than an ascii hostname (see https://github.com/freedesktop/libXau/blob/master/README) :-

$ xauth extract - $DISPLAY | hd
00000000  00 00 00 04 c0 a8 80 4b  00 01 30 00 12 4d 49 54  |.......K..0..MIT|
00000010  2d 4d 41 47 49 43 2d 43  4f 4f 4b 49 45 2d 31 00  |-MAGIC-COOKIE-1.|
00000020  10 c1 b2 2a 9f 36 4e e2  27 e5 69 df fa 9e dd b5  |...*.6N.'.i.....|
00000030  a0                                                |.|
00000031

xauth_entry_should_propagate() currently doesn't seem to handle that at all :(

[srd424]

Totally horrible hack - bwrap-wrapper:

#! /bin/bash
/usr/bin/bwrap --ro-bind /home/user/.Xauthority /run/flatpak/Xauthority2 "$@"

then

FLATPACK_BWRAP=$HOME/bwrap-wrapper flatpak run --command=/bin/sh org.mozilla.firefox  -c "XAUTHORITY=/run/flatpak/Xauthority2 firefox"

[srd424]

Given doing remote X other than through ssh forwarding is probably pretty niche these days, and likely to become more obsolete as Wayland takes over, perhaps a simple option (or environment variable) to copy or bind mount in a custom Xauthority would be OK? People using X like that are likely to have understand about xauth anyway.

[smcv]

my Xauthority file ends up with "FamilyInternet" entries which just store the IP address in binary rather than an ascii hostname

Please open a separate issue for this, rather than replying to a closed issue. X11 forwarding in general can be made to work since #4706, but X11 forwarding in your specific situation does not.

Given doing remote X other than through ssh forwarding is probably pretty niche these days

Given this, the maintainers of Flatpak (whose available time is limited) are unlikely to treat implementing this as a high priority. If you can propose a concrete implementation as a PR, then reviewing it is a smaller time investment for the maintainers than implementing it, making it more likely to happen.

(Please open an issue describing the problem in as much detail as you can before trying to implement a solution, though - a detailed description of the problem or steps to reproduce it are extremely useful context for a reviewer to be able to assess whether a proposed solution fixes the problem as stated.)

perhaps a simple option (or environment variable) to copy or bind mount in a custom Xauthority would be OK?

Please open a merge request if this is something you want to implement.

I personally am not intending to implement this, because if I did, I would have to wait for another maintainer to become available to review it - but I'll try to find time to review a PR if someone opens one.