From 4cf2718077a4329b973f811e14cc6dc62c80197e Mon Sep 17 00:00:00 2001 From: Ralf Vogler Date: Thu, 5 Jun 2025 21:17:09 +0200 Subject: [PATCH 1/6] use TurboVNC with xfce4 instead of Xvfb+X11vnc, 1.36GB -> 1.51GB total --- Dockerfile | 17 +++++++++++++---- docker-entrypoint.sh | 23 +++++++++-------------- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/Dockerfile b/Dockerfile index 17ef9ae..3e20791 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,15 +12,21 @@ ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update \ && apt-get install -y --no-install-recommends curl ca-certificates gnupg \ && mkdir -p /etc/apt/keyrings \ + # Node.js && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \ && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \ + # TurboVNC & VirtualGL instead of Xvfb+X11vnc + && curl -fsSL https://packagecloud.io/dcommander/virtualgl/gpgkey | gpg --dearmor -o /etc/apt/trusted.gpg.d/VirtualGL.gpg \ + && curl -fsSL https://packagecloud.io/dcommander/turbovnc/gpgkey | gpg --dearmor -o /etc/apt/trusted.gpg.d/TurboVNC.gpg \ + && curl -fssl https://raw.githubusercontent.com/VirtualGL/repo/main/VirtualGL.list > /etc/apt/sources.list.d/VirtualGL.list \ + && curl -fssl https://raw.githubusercontent.com/TurboVNC/repo/main/TurboVNC.list > /etc/apt/sources.list.d/TurboVNC.list \ + # update lists and install && apt-get update \ && apt-get install --no-install-recommends -y \ - nodejs \ - xvfb \ - x11vnc \ - tini \ + virtualgl turbovnc xfce4 \ novnc websockify \ + tini \ + nodejs \ dos2unix \ python3-pip \ # RUN npx patchright install-deps chromium 
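Review bot: The VirtualGL and TurboVNC keys are dearmored into `/etc/apt/trusted.gpg.d/`, which apt trusts for every configured source, while the nodesource key a few lines above is kept in `/etc/apt/keyrings` and bound to its repository with `signed-by`. The two `.list` files are also fetched from the `main` branch on raw.githubusercontent.com, so whatever that branch contains at build time decides which repositories apt will use. I would store the keys the same way as nodesource, e.g. `gpg --dearmor -o /etc/apt/keyrings/TurboVNC.gpg`, and write the source line in the Dockerfile itself, e.g. `echo "deb [signed-by=/etc/apt/keyrings/TurboVNC.gpg] <TURBOVNC_REPO_URL> <SUITE> main"` (placeholders; take the values from the upstream list file), and likewise for VirtualGL. The RUN instruction starts before this hunk and continues past it.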
@@ -38,6 +44,9 @@ RUN apt-get update \ libpango-1.0-0 \ libcairo2 \ libasound2 \ + # needed for TurboVNC if not installing xfce4: + # libxdamage1 \ + # libxrandr2 \ && apt-get autoremove -y \ # https://www.perplexity.ai/search/what-files-do-i-need-to-remove-imjwdphNSUWK98WzsmQswA && apt-get clean \ diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index d11cdc0..ae17c11 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
@@ -18,26 +18,21 @@ rm -f "/fgc/$BROWSER/SingletonLock" # Maybe no longer needed after adding #478's -nolisten unix below rm -f /tmp/.X1-lock -# 6000+SERVERNUM is the TCP port Xvfb is listening on: -# SERVERNUM=$(echo "$DISPLAY" | sed 's/:\([0-9][0-9]*\).*/\1/') - -# Options passed directly to the Xvfb server: -# -ac disables host-based access control mechanisms -# −screen NUM WxHxD creates the screen and sets its width, height, and depth -# -nolisten unix tells the server not to use Unix domain sockets, thus avoiding the need to create /tmp/.X11-unix - export DISPLAY=:1 # need to export this, otherwise playwright complains with 'Looks like you launched a headed browser without having a XServer running.' -Xvfb $DISPLAY -ac -screen 0 "${WIDTH}x${HEIGHT}x${DEPTH}" -nolisten unix +extension GLX +extension RENDER & -echo "Xvfb display server created screen with resolution ${WIDTH}x${HEIGHT}" if [ -z "$VNC_PASSWORD" ]; then - pw="-nopw" + pw="-SecurityTypes None" pwt="no password!" else - pw="-passwd $VNC_PASSWORD" + # pw="-passwd $VNC_PASSWORD" # not supported anymore + pw="-rfbauth ~/.vnc/passwd" + mkdir ~/.vnc/ + echo "$VNC_PASSWORD" | /opt/TurboVNC/bin/vncpasswd -f > ~/.vnc/passwd pwt="with password" fi -x11vnc -display $DISPLAY -forever -shared -rfbport "$VNC_PORT" -bg "$pw" 2>/dev/null 1>&2 -echo "VNC is running on port $VNC_PORT ($pwt)" +# TurboVNC server replaces Xvfb+x11vnc +/opt/TurboVNC/bin/vncserver $DISPLAY -geometry "${WIDTH}x${HEIGHT}" -depth ${DEPTH} -rfbport ${VNC_PORT} $pw -vgl -log /fgc/data/TurboVNC.log -xstartup /usr/bin/startxfce4 2>/dev/null # -noxstartup -novnc /usr/share/novnc/ +echo "TurboVNC is running on port $VNC_PORT ($pwt) with resolution ${WIDTH}x${HEIGHT}" +# TODO keep websockify just for custom NOVNC_PORT? 
https://www.perplexity.ai/search/how-to-specify-the-novnc-port-rfv96C9tTZufnyFPRye5xA#0 websockify -D --web "/usr/share/novnc/" "$NOVNC_PORT" "localhost:$VNC_PORT" 2>/dev/null 1>&2 & echo "noVNC (VNC via browser) is running on http://localhost:$NOVNC_PORT" echo From a0545beb3a81a31c37fc879e72b0e55f88c05ee1 Mon Sep 17 00:00:00 2001 From: Ralf Vogler Date: Thu, 5 Jun 2025 22:05:12 +0200 Subject: [PATCH 2/6] TurboVNC: run with ratpoison instead of xfce4, 1.51GB -> 1.41GB --- Dockerfile | 5 ++--- docker-entrypoint.sh | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3e20791..27d9074 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,7 +23,7 @@ RUN apt-get update \ # update lists and install && apt-get update \ && apt-get install --no-install-recommends -y \ - virtualgl turbovnc xfce4 \ + virtualgl turbovnc ratpoison \ novnc websockify \ tini \ nodejs \ @@ -45,8 +45,7 @@ RUN apt-get update \ libcairo2 \ libasound2 \ # needed for TurboVNC if not installing xfce4: - # libxdamage1 \ - # libxrandr2 \ + libxdamage1 \ && apt-get autoremove -y \ # https://www.perplexity.ai/search/what-files-do-i-need-to-remove-imjwdphNSUWK98WzsmQswA && apt-get clean \ diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index ae17c11..517b4a3 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
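Review bot: In the `else` branch of docker-entrypoint.sh the VNC password file is written with the default umask, and `pw="-rfbauth ~/.vnc/passwd"` puts a `~` inside double quotes where the shell does not expand it. The file holds only a reversibly obfuscated password, so it should not be readable by other users in the container, and the later unquoted `$pw` passes a literal `~/.vnc/passwd` to vncserver, which may or may not resolve it itself. `mkdir ~/.vnc/` also fails if the directory already exists, which looks likely when the container is restarted. I would write `pw="-rfbauth $HOME/.vnc/passwd"`, `mkdir -p "$HOME/.vnc"` and `(umask 077; printf '%s\n' "$VNC_PASSWORD" | /opt/TurboVNC/bin/vncpasswd -f >"$HOME/.vnc/passwd")`.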
@@ -30,7 +30,7 @@ else pwt="with password" fi # TurboVNC server replaces Xvfb+x11vnc -/opt/TurboVNC/bin/vncserver $DISPLAY -geometry "${WIDTH}x${HEIGHT}" -depth ${DEPTH} -rfbport ${VNC_PORT} $pw -vgl -log /fgc/data/TurboVNC.log -xstartup /usr/bin/startxfce4 2>/dev/null # -noxstartup -novnc /usr/share/novnc/ +/opt/TurboVNC/bin/vncserver $DISPLAY -geometry "${WIDTH}x${HEIGHT}" -depth ${DEPTH} -rfbport ${VNC_PORT} $pw -vgl -log /fgc/data/TurboVNC.log -xstartup /usr/bin/ratpoison 2>/dev/null # -noxstartup -novnc /usr/share/novnc/ echo "TurboVNC is running on port $VNC_PORT ($pwt) with resolution ${WIDTH}x${HEIGHT}" # TODO keep websockify just for custom NOVNC_PORT? https://www.perplexity.ai/search/how-to-specify-the-novnc-port-rfv96C9tTZufnyFPRye5xA#0 websockify -D --web "/usr/share/novnc/" "$NOVNC_PORT" "localhost:$VNC_PORT" 2>/dev/null 1>&2 & From ce3109c2ee348d0e87d4515652c441d81dedcf22 Mon Sep 17 00:00:00 2001 From: Ralf Vogler Date: Thu, 5 Jun 2025 22:20:40 +0200 Subject: [PATCH 3/6] SonarQube: fix curl -L: only allow https redirects --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 27d9074..363786f 100644 --- a/Dockerfile +++ b/Dockerfile 
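Review bot: The vncserver launch still sends stderr to `/dev/null`, and the following `echo "TurboVNC is running on port ..."` runs unconditionally. A failed start (for instance an unreadable password file or a port already in use) therefore leaves nothing in the container output and the message claims success. Assuming vncserver exits non-zero on failure, I would drop `2>/dev/null` and append `|| echo "TurboVNC failed to start, see /fgc/data/TurboVNC.log" >&2` to the command. This matters most in the `-SecurityTypes None` case, where the log is the only place an operator can confirm what was actually started.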
@@ -16,10 +16,10 @@ RUN apt-get update \ && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \ && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \ # TurboVNC & VirtualGL instead of Xvfb+X11vnc - && curl -fsSL https://packagecloud.io/dcommander/virtualgl/gpgkey | gpg --dearmor -o /etc/apt/trusted.gpg.d/VirtualGL.gpg \ - && curl -fsSL https://packagecloud.io/dcommander/turbovnc/gpgkey | gpg --dearmor -o /etc/apt/trusted.gpg.d/TurboVNC.gpg \ - && curl -fssl https://raw.githubusercontent.com/VirtualGL/repo/main/VirtualGL.list > /etc/apt/sources.list.d/VirtualGL.list \ - && curl -fssl https://raw.githubusercontent.com/TurboVNC/repo/main/TurboVNC.list > /etc/apt/sources.list.d/TurboVNC.list \ + && curl -fsSL --proto "=https" https://packagecloud.io/dcommander/virtualgl/gpgkey | gpg --dearmor -o /etc/apt/trusted.gpg.d/VirtualGL.gpg \ + && curl -fsSL --proto "=https" https://packagecloud.io/dcommander/turbovnc/gpgkey | gpg --dearmor -o /etc/apt/trusted.gpg.d/TurboVNC.gpg \ + && curl -fsSL --proto "=https" https://raw.githubusercontent.com/VirtualGL/repo/main/VirtualGL.list > /etc/apt/sources.list.d/VirtualGL.list \ + && curl -fsSL --proto "=https" https://raw.githubusercontent.com/TurboVNC/repo/main/TurboVNC.list > /etc/apt/sources.list.d/TurboVNC.list \ # update lists and install && apt-get update \ && apt-get install --no-install-recommends -y \ From ea598c581b6229fc67a8e02b30400f086f263050 Mon Sep 17 00:00:00 2001 From: Ralf Vogler Date: Thu, 5 Jun 2025 22:32:52 +0200 Subject: [PATCH 4/6] fix shellcheck --- docker-entrypoint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 517b4a3..1e0faef 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
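Review bot: The nodesource key download in the first context line of this hunk still runs `curl -fsSL` without `--proto "=https"`, so the redirect restriction covers only four of the five downloads in this RUN instruction. The same line is also left out of the `--tlsv1.2` change in patch 6. For consistency I would change it to `curl --proto "=https" --tlsv1.2 -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg`. The RUN instruction starts before this hunk and continues past it.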
@@ -30,7 +30,8 @@ else pwt="with password" fi # TurboVNC server replaces Xvfb+x11vnc -/opt/TurboVNC/bin/vncserver $DISPLAY -geometry "${WIDTH}x${HEIGHT}" -depth ${DEPTH} -rfbport ${VNC_PORT} $pw -vgl -log /fgc/data/TurboVNC.log -xstartup /usr/bin/ratpoison 2>/dev/null # -noxstartup -novnc /usr/share/novnc/ +# shellcheck disable=SC2086 +/opt/TurboVNC/bin/vncserver $DISPLAY -geometry "${WIDTH}x${HEIGHT}" -depth "${DEPTH}" -rfbport "${VNC_PORT}" $pw -vgl -log /fgc/data/TurboVNC.log -xstartup /usr/bin/ratpoison 2>/dev/null # -noxstartup -novnc /usr/share/novnc/ echo "TurboVNC is running on port $VNC_PORT ($pwt) with resolution ${WIDTH}x${HEIGHT}" # TODO keep websockify just for custom NOVNC_PORT? https://www.perplexity.ai/search/how-to-specify-the-novnc-port-rfv96C9tTZufnyFPRye5xA#0 websockify -D --web "/usr/share/novnc/" "$NOVNC_PORT" "localhost:$VNC_PORT" 2>/dev/null 1>&2 & From 33a1a3fe62374f095361de78cf4531fe755d1ceb Mon Sep 17 00:00:00 2001 From: vogler <493741+vogler@users.noreply.github.com> Date: Thu, 5 Jun 2025 20:36:27 +0000 Subject: [PATCH 5/6] [MegaLinter] Apply linters fixes --- docker-entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 1e0faef..58b7eb0 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -26,7 +26,7 @@ else # pw="-passwd $VNC_PASSWORD" # not supported anymore pw="-rfbauth ~/.vnc/passwd" mkdir ~/.vnc/ - echo "$VNC_PASSWORD" | /opt/TurboVNC/bin/vncpasswd -f > ~/.vnc/passwd + echo "$VNC_PASSWORD" | /opt/TurboVNC/bin/vncpasswd -f >~/.vnc/passwd pwt="with password" fi # TurboVNC server replaces Xvfb+x11vnc From 3da02e317416049173434b8cb43675959b5b88da Mon Sep 17 00:00:00 2001 From: Ralf Vogler Date: Thu, 5 Jun 2025 22:41:42 +0200 Subject: [PATCH 6/6] SonarQube: curl lacking --tlsv1.2 as well? --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 363786f..edf02a3 100644 --- a/Dockerfile 
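Review bot: The added `# shellcheck disable=SC2086` silences the warning for the whole vncserver command, including `$DISPLAY`, although only `$pw` has to be word-split into an option and its value. I would quote `"$DISPLAY"` like the other arguments and record the reason on the directive, e.g. `# shellcheck disable=SC2086 # $pw is split on purpose into flag and value`. That way a later unquoted expansion added to this line is not accepted by accident without anyone noticing that the directive covers it.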
+++ b/Dockerfile @@ -16,10 +16,10 @@ RUN apt-get update \ && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \ && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \ # TurboVNC & VirtualGL instead of Xvfb+X11vnc - && curl -fsSL --proto "=https" https://packagecloud.io/dcommander/virtualgl/gpgkey | gpg --dearmor -o /etc/apt/trusted.gpg.d/VirtualGL.gpg \ - && curl -fsSL --proto "=https" https://packagecloud.io/dcommander/turbovnc/gpgkey | gpg --dearmor -o /etc/apt/trusted.gpg.d/TurboVNC.gpg \ - && curl -fsSL --proto "=https" https://raw.githubusercontent.com/VirtualGL/repo/main/VirtualGL.list > /etc/apt/sources.list.d/VirtualGL.list \ - && curl -fsSL --proto "=https" https://raw.githubusercontent.com/TurboVNC/repo/main/TurboVNC.list > /etc/apt/sources.list.d/TurboVNC.list \ + && curl --proto "=https" --tlsv1.2 -fsSL https://packagecloud.io/dcommander/virtualgl/gpgkey | gpg --dearmor -o /etc/apt/trusted.gpg.d/VirtualGL.gpg \ + && curl --proto "=https" --tlsv1.2 -fsSL https://packagecloud.io/dcommander/turbovnc/gpgkey | gpg --dearmor -o /etc/apt/trusted.gpg.d/TurboVNC.gpg \ + && curl --proto "=https" --tlsv1.2 -fsSL https://raw.githubusercontent.com/VirtualGL/repo/main/VirtualGL.list > /etc/apt/sources.list.d/VirtualGL.list \ + && curl --proto "=https" --tlsv1.2 -fsSL https://raw.githubusercontent.com/TurboVNC/repo/main/TurboVNC.list > /etc/apt/sources.list.d/TurboVNC.list \ # update lists and install && apt-get update \ && apt-get install --no-install-recommends -y \
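Review bot: `--proto "=https" --tlsv1.2` hardens the transport, but the downloaded VirtualGL and TurboVNC keys are still piped straight into `gpg --dearmor` with no check that they are the expected keys. Anything the server returns at build time becomes an apt trust anchor. I would pin the expected fingerprints in the Dockerfile and fail the build on a mismatch, for example `gpg --show-keys --with-colons /etc/apt/trusted.gpg.d/TurboVNC.gpg | grep -q "<EXPECTED_FINGERPRINT>"` (placeholder value) before the second `apt-get update`. The RUN instruction starts before this hunk and continues past it.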