Hi, Just like "screen" or "tmux", we want to ensure that some xpra sessions (aka "screen for X11", VNC-like but seamless) can survive when the user logs out.
Background: xpra runs X11 applications using an Xvfb server, when client(s) are connected we forward the pixels/keyboard/mouse/etc. Based on the info from this old post "[systemd-devel] tmux / screen": https://lists.freedesktop.org/archives/systemd-devel/2011-June/002624.html my understanding is that we may need both of these things: * wrap our server startup with "systemd-run --scope --user" * get the server to open a new logind session via pam The "systemd-run" wrapping was easy enough, though it does seem to actually make things worse: * long ssh login delays afterwards - probably because of this bug: https://github.com/systemd/systemd/issues/2863 * sessions get killed in circumstances where they did not prior to this change - probably because the whole cgroup containing the daemon gets taken down. The pam_systemd is much more difficult to figure out, since I am not aware of any other packages does this at present - maybe there are? * should we ship a /etc/pam/d/xpra file like this one: session required pam_localuser.so session sufficient pam_systemd.so class=user type=x11 debug=1 * we supply VTNR=0 (we don't have a VT..), XDG_SESSION_TYPE=x11, XDG_SEAT=0 (not sure this is right) as well as the correct PAM_XDISPLAY for the display we've started. But the pam_open_session call fails with: pam_systemd(xpra:session): Failed to create session: Access denied Probably because of this: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.339" (uid=1001 pid=15738 comm="/bin/python /usr/bin/xpra start --systemd-run=yes " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023") interface="org.freedesktop.login1.Manager" member="CreateSession" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=1185 comm="/usr/lib/systemd/systemd-logind " label="system_u:system_r:systemd_logind_t:s0") Where / how can we change the policy to allow sufficiently privileged users to create a new session? (which users will get this privilege and how this is configured is not entirely clear at this point - can we somehow keep this simple using unix group permissions?) How is this going to ensure that the cgroup is correct? Isn't that set when the process is started? Any help or pointers would be much appreciated. Cheers Antoine _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
