enable X display access for local user

I am using GitLab CI to run automated tests on an Ubuntu 14.04 setup. The GitLab CI runner created a new user, gitlab-runner, which executes all the tests. Now these tests include GUI components, so I need an X display - which I force on even without a physical display via the ConnectedMonitor and CustomEDID options in the xorg.conf.

The problem is that when a test is started by the user gitlab-runner via DISPLAY=:0.0 ./runTestApp, I get a "Could not connect to display :0.0" error. I can fix it by logging in as a regular user on the workstation and running sudo DISPLAY=:0.0 xhost +.

However:

  1. I haven't found a way to successfully automatically run xhost + on startup (tried putting it in /etc/rc.local)
  2. The man page says that xhost + is actually very insecure, but I haven't found out what to do instead. It feels like it might have to do with an .Xauthority file (which my regular user has, but gitlab-runner doesn't)

What's the best way to give gitlab-runner permanent access to the X display?


Solution 1:

First, to give access only to the Gitlab CI runner, you need to use a more restricted command:

xhost +SI:localuser:gitlab-runner

Second, /etc/rc.local runs way too early for this command to have effect, and further, you need to set $DISPLAY for it to work.

It depends on how your X server is being started. If you're using LightDM, I think you can make it work by adding the following line to /etc/lightdm/lightdm.conf:

greeter-setup-script=xhost +SI:localuser:gitlab-runner

Solution 2:

If you do a ps alxww|grep X you should see that your X server is running with the option -auth followed by some filename. This file holds a random number called the MIT-MAGIC-COOKIE-1. Only X11 clients that can present this number to the X11 server in the protocol startup are allowed to connect. Apps run by the same user who started the server will find the cookie value in the ~/.Xauthority file, which is normally not readable by others.

You can either remove the -auth option from the launch of the server, by looking in the config of whatever xdm, gdm, etc. startup mechanism you use, or you can copy the cookie from the login user to your other user, or you can give them read access to the .Xauthority file.

E.g. to copy the cookie, as user pholz:

xauth list :0 >/tmp/toadd
chmod a+r /tmp/toadd

and as user gitlab-runner:

xauth add $(</tmp/toadd)

Or to allow read access:

chmod a+r /home/pholz/.Xauthority
chmod a+rx /home/pholz/

and then in the gitlab-runner environment set:

export XAUTHORITY=/home/pholz/.Xauthority
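As an added example (not part of the answer above), the following Python script shows what actually travels in the cookie copy: it parses `xauth list` output, keeps only the MIT-MAGIC-COOKIE-1 entry for the display in question, and writes it in the binary Xauthority record layout (family, then four length-prefixed fields: address, display number, protocol name, cookie data) into a file created with mode 0600. That gives the runner user a private cookie file instead of a world-readable /tmp copy or a+rx on the login user's home directory. The host name, cookie value and output path are constructed placeholders; real input comes from running `xauth list :0` as the logged-in user.

```python
"""Build a minimal, private Xauthority file for a CI user from `xauth list` output."""
import os
import re
import struct

FAMILY_LOCAL = 256            # FamilyLocal in X11/Xauth.h: "host/unix:N" entries
COOKIE_PROTO = "MIT-MAGIC-COOKIE-1"

# One line of `xauth list` for a local display: "<host>/unix:<N>  <proto>  <hex cookie>"
LIST_LINE = re.compile(
    r"^(?P<host>[^/\s]+)/unix:(?P<number>\d+)\s+(?P<name>\S+)\s+(?P<hexdata>[0-9A-Fa-f]+)$"
)


def parse_xauth_list(text):
    """Parse `xauth list` output into entries; only local 'host/unix:N' lines are kept."""
    entries = []
    for line in text.splitlines():
        m = LIST_LINE.match(line.strip())
        if m is None:
            continue  # blank line or non-local family (e.g. TCP entries): ignore
        entries.append({
            "host": m.group("host"),
            "number": m.group("number"),
            "name": m.group("name"),
            "data": bytes.fromhex(m.group("hexdata")),
        })
    return entries


def _field(value):
    # Each Xauthority field is a big-endian 16-bit length followed by the bytes
    return struct.pack(">H", len(value)) + value


def serialize_entry(entry):
    """Encode one entry in the binary Xauthority record layout."""
    return (struct.pack(">H", FAMILY_LOCAL)
            + _field(entry["host"].encode())
            + _field(entry["number"].encode())
            + _field(entry["name"].encode())
            + _field(entry["data"]))


def parse_xauthority(blob):
    """Decode an Xauthority file back into entries, so the written file can be checked."""
    entries, pos = [], 0
    while pos < len(blob):
        family = struct.unpack(">H", blob[pos:pos + 2])[0]
        pos += 2
        fields = []
        for _ in range(4):
            length = struct.unpack(">H", blob[pos:pos + 2])[0]
            pos += 2
            fields.append(blob[pos:pos + length])
            pos += length
        host, number, name, data = fields
        entries.append({"family": family, "host": host.decode(), "number": number.decode(),
                        "name": name.decode(), "data": data})
    return entries


def write_private_xauthority(list_output, path, display_number="0"):
    """Write only the MIT-MAGIC-COOKIE-1 entry for one display to `path`, mode 0600.

    Returns the number of entries written (0 means no matching cookie was found).
    """
    wanted = [e for e in parse_xauth_list(list_output)
              if e["number"] == display_number and e["name"] == COOKIE_PROTO]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        for e in wanted:
            f.write(serialize_entry(e))
    os.chmod(path, 0o600)  # O_CREAT leaves the old mode alone if the file already existed
    return len(wanted)


if __name__ == "__main__":
    # Constructed sample line; this is not a real cookie value.
    sample = "ci-box/unix:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef\n"
    target = "/tmp/gitlab-runner.Xauthority"  # placeholder path; chown it to the runner user afterwards
    print(write_private_xauthority(sample, target), "entry written to", target)
```

After writing the file, chown it to gitlab-runner and point that user's XAUTHORITY at it; nothing else on the machine needs to read the login user's home directory. Note that the `xhost +SI:localuser:gitlab-runner` approach in Solution 1 avoids moving the cookie around at all, which is preferable when the display manager lets you hook it in.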

Of course, if you don't really need a display, you can launch a separate X11 server which displays into memory, and is completely independent of any user login and screen. You need only do:

sudo apt-get install xvfb
Xvfb :1 -noreset &
export DISPLAY=:1

Then all your apps will display into this virtual framebuffer. If you want to check what's on the screen you can use screen dumps, remote desktops, or Xnest.