|
|
@@ -6,7 +6,7 @@ Use [docker-nvidia-egl-desktop](https://github.com/ehfd/docker-nvidia-egl-deskto
|
|
|
|
|
|
**Read the [Troubleshooting](#troubleshooting) section first before raising an issue. Support is also available with the [Selkies Discord](https://discord.gg/wDNGDeSW5F). Please redirect issues or discussions regarding the [selkies-gstreamer](https://github.com/selkies-project/selkies-gstreamer) WebRTC HTML5 interface to the [project](https://github.com/selkies-project/selkies-gstreamer).**
|
|
|
|
|
|
-### Usage
|
|
|
+## Usage
|
|
|
|
|
|
Container startup could take some time at first launch as it automatically installs NVIDIA drivers compatible with the host.
|
|
|
|
|
|
@@ -23,7 +23,7 @@ The high performance NVENC backend for the selkies-gstreamer WebRTC interface is
|
|
|
The username is `user` in both the container user account and the web authentication prompt. The environment variable `PASSWD` is the password of the container user account, and `BASIC_AUTH_PASSWORD` is the password for the HTML5 interface authentication prompt. If `ENABLE_BASIC_AUTH` is set to `true` for selkies-gstreamer (not required for noVNC) but `BASIC_AUTH_PASSWORD` is unspecified, the HTML5 interface password will default to `PASSWD`.
|
|
|
> NOTES: Only one web browser can be connected at a time with the selkies-gstreamer WebRTC interface. If the signaling connection works, but the WebRTC connection fails, read the [Using a TURN Server](#using-a-turn-server) section.
|
|
|
|
|
|
-#### Running with Docker
|
|
|
+### Running with Docker
|
|
|
|
|
|
1. Run the container with Docker (or other similar container CLIs like Podman):
|
|
|
|
|
|
@@ -39,7 +39,7 @@ Change `WEBRTC_ENCODER` to `x264enc`, `vp8enc`, or `vp9enc` when using the selki
|
|
|
|
|
|
3. (Not Applicable for noVNC) **Read carefully if the selkies-gstreamer WebRTC HTML5 interface does not connect.** Choose whether to use host networking or a TURN server. The selkies-gstreamer WebRTC HTML5 interface will likely just start working if you add `--network host` to the above `docker run` command. However, this may be restricted or be undesired because of security reasons. If so, check if the container starts working after omitting `--network host`. If it does not work, you need a TURN server. Read the [Using a TURN Server](#using-a-turn-server) section and add the environment variables `-e TURN_HOST=`, `-e TURN_PORT=`, and pick one of `-e TURN_SHARED_SECRET=` or both `-e TURN_USERNAME=` and `-e TURN_PASSWORD=` environment variables to the `docker run` command based on your authentication method.
|
|
|
|
|
|
-#### Running with Kubernetes
|
|
|
+### Running with Kubernetes
|
|
|
|
|
|
1. Create the Kubernetes Secret with your authentication password:
|
|
|
|
|
|
@@ -62,17 +62,17 @@ Change `WEBRTC_ENCODER` to `x264enc`, `vp8enc`, or `vp9enc` when using the selki
|
|
|
|
|
|
4. (Not Applicable for noVNC) **Read carefully if the selkies-gstreamer WebRTC HTML5 interface does not connect.** Choose whether to use host networking or a TURN server. The selkies-gstreamer WebRTC HTML5 interface will likely just start working if you uncomment `hostNetwork: true` in `xgl.yml`. However, this may be restricted or be undesired because of security reasons. If so, check if the container starts working after commenting out `hostNetwork: true`. If it does not work, you need a TURN server. Read the [Using a TURN Server](#using-a-turn-server) section and fill in the environment variables `TURN_HOST` and `TURN_PORT`, then pick one of `TURN_SHARED_SECRET` or both `TURN_USERNAME` and `TURN_PASSWORD` environment variables based on your authentication method.
|
|
|
|
|
|
-#### Using a TURN server
|
|
|
+## Using a TURN server
|
|
|
|
|
|
Note that this section is only required for the selkies-gstreamer WebRTC HTML5 interface. For an easy fix to when the signaling connection works, but the WebRTC connection fails, add the option `--network host` to your Docker command, or uncomment `hostNetwork: true` in your `xgl.yml` file when using Kubernetes (note that your cluster may have not allowed this, resulting in an error). This exposes your container to the host network, which disables network isolation. If this does not fix the connection issue (normally when the host is behind another firewall) or you cannot use this fix for security or technical reasons, read the below text.
|
|
|
|
|
|
In most cases when either of your server or client has a permissive firewall, the default Google STUN server configuration will work without additional configuration. However, when connecting from networks that cannot be traversed with STUN, a TURN server is required.
|
|
|
|
|
|
-##### Deploying a TURN server
|
|
|
+### Deploying a TURN server
|
|
|
|
|
|
**Read the instructions from [selkies-gstreamer](https://github.com/selkies-project/selkies-gstreamer#using-a-turn-server) if want to deploy a TURN server or use a public TURN server instance.**
|
|
|
|
|
|
-##### Configuring with Docker
|
|
|
+### Configuring with Docker
|
|
|
|
|
|
With Docker (or Podman), use the `-e` option to add the `TURN_HOST`, `TURN_PORT` environment variables. This is the hostname or IP and the port of the TURN server (3478 in most cases).
|
|
|
|
|
|
@@ -80,11 +80,11 @@ You may set `TURN_PROTOCOL` to `tcp` if you are only able to open TCP ports for
|
|
|
|
|
|
You also require to provide either just `TURN_SHARED_SECRET` for time-limited shared secret TURN authentication, or both `TURN_USERNAME` and `TURN_PASSWORD` for legacy long-term TURN authentication, depending on your TURN server configuration. Provide just one of these authentication methods, not both.
|
|
|
|
|
|
-##### Configuring with Kubernetes
|
|
|
+### Configuring with Kubernetes
|
|
|
|
|
|
Your TURN server will use only one out of two ways to authenticate the client, so only provide one type of authentication method. The time-limited shared secret TURN authentication requires to only provide the Base64 encoded `TURN_SHARED_SECRET`. The legacy long-term TURN authentication requires to provide both `TURN_USERNAME` and `TURN_PASSWORD` credentials.
|
|
|
|
|
|
-###### Time-limited shared secret authentication
|
|
|
+#### Time-limited shared secret authentication
|
|
|
|
|
|
1. Create a secret containing the TURN shared secret:
|
|
|
|
|
|
@@ -112,7 +112,7 @@ kubectl create secret generic turn-shared-secret --from-literal=turn-shared-secr
|
|
|
```
|
|
|
> NOTES: It is possible to skip the first step and directly provide the shared secret with `value:`, but this exposes the shared secret in plain text. Set `TURN_PROTOCOL` to `tcp` if you were able to only open TCP ports while creating your own coTURN Deployment/DaemonSet, or if your client network throttles or blocks the UDP protocol.
|
|
|
|
|
|
-###### Legacy long-term authentication
|
|
|
+#### Legacy long-term authentication
|
|
|
|
|
|
1. Create a secret containing the TURN password:
|
|
|
|
|
|
@@ -142,9 +142,9 @@ kubectl create secret generic turn-password --from-literal=turn-password=MY_TURN
|
|
|
```
|
|
|
> NOTES: It is possible to skip the first step and directly provide the TURN password with `value:`, but this exposes the TURN password in plain text. Set `TURN_PROTOCOL` to `tcp` if you were able to only open TCP ports while creating your own coTURN Deployment/DaemonSet, or if your client network throttles or blocks the UDP protocol.
|
|
|
|
|
|
-### Comparison
|
|
|
+## Comparison
|
|
|
|
|
|
-[docker-nvidia-egl-desktop](https://github.com/ehfd/docker-nvidia-egl-desktop): It's generally recommended to use docker-nvidia-glx-desktop when possible for maximum capabilities and performance. It starts its own X server inside the container without exposure to security risks. However, docker-nvidia-egl-desktop is versatile in various environments and has less processes running, meaning less possible errors. It is also possible to be used in HPC clusters with Apptainer/Singularity available, and sharing a GPU with multiple containers is also possible. Unofficial support for Intel and AMD GPUs is also available.
|
|
|
+[docker-nvidia-egl-desktop](https://github.com/ehfd/docker-nvidia-egl-desktop): It's generally recommended to use docker-nvidia-glx-desktop when possible for maximum capabilities and performance. It starts its own X server inside the container without exposure to security risks. However, docker-nvidia-egl-desktop is versatile in various environments and has less processes running, meaning less possible complications in restricted environments. It is also possible to be used in HPC clusters with Apptainer/Singularity available, and sharing a GPU with multiple containers is also possible. Unofficial support for Intel and AMD GPUs is also available.
|
|
|
|
|
|
[Sunshine](https://github.com/LizardByte/Sunshine): This repository is an open-source server for NVIDIA's GameStream protocol, supporting all clients that can install [Moonlight](https://github.com/moonlight-stream). Try it if you don't need username/password authentication and you don't need to use containers. [Games on Whales](https://github.com/games-on-whales/gow) is a container implementation of Sunshine. However, many container ports have to be accessible to the internet, and because of its requirement for the `/dev/uinput` device, unsafe `privileged` access for containers are required. The [selkies-gstreamer](https://github.com/selkies-project/selkies-gstreamer) project, which is integrated to our container, does not require more than one port open from the container (TURN server may be required but can be deployed in a different environment with flexibility), and has almost equal performance while using only a web browser as a client.
|
|
|
|
|
|
@@ -166,9 +166,9 @@ kubectl create secret generic turn-password --from-literal=turn-password=MY_TURN
|
|
|
|
|
|
[GamingAnywhere](https://github.com/chunying/gaminganywhere): This is the father of all open-source remote desktop and game streaming protocols. However, it has been created a long time ago and thus reached its end of life.
|
|
|
|
|
|
-### Troubleshooting
|
|
|
+## Troubleshooting
|
|
|
|
|
|
-#### The container does not work.
|
|
|
+### The container does not work.
|
|
|
|
|
|
Check that the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/install-guide.html) is properly configured in the host. After that, check the environment variable `NVIDIA_DRIVER_CAPABILITIES` after starting a shell interface inside the container.
|
|
|
|
|
|
@@ -176,11 +176,11 @@ Check that the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/clo
|
|
|
|
|
|
If you checked everything here, scroll down.
|
|
|
|
|
|
-#### I want to share one GPU with multiple containers to run GUI workloads.
|
|
|
+### I want to share one GPU with multiple containers to run GUI workloads.
|
|
|
|
|
|
Note that because of restrictions from Xorg, it is not possible to share one GPU to multiple Xorg servers running in different containers. Use [docker-nvidia-egl-desktop](https://github.com/ehfd/docker-nvidia-egl-desktop) if you intend to do this.
|
|
|
|
|
|
-#### The container does not work if an existing GUI, desktop environment, or X server is running in the host outside the container. / I want to use this container in `--privileged` mode or with `--cap-add` and do not want other containers to interfere.
|
|
|
+### The container does not work if an existing GUI, desktop environment, or X server is running in the host outside the container. / I want to use this container in `--privileged` mode or with `--cap-add` and do not want other containers to interfere.
|
|
|
|
|
|
In order to use an X server on the host for your monitor with one GPU, and provision the other GPUs to the containers, you must change your `/etc/X11/xorg.conf` configuration of the host.
|
|
|
|
|
|
@@ -213,17 +213,17 @@ If you restart your OS or the Xorg server, you will now be able to use one GPU f
|
|
|
|
|
|
Then, you must avoid the GPU of which you are using for your host X server. Use `docker --gpus '"device=1,2"'` to provision GPUs with device IDs 1 and 2 to the container, avoiding the GPU with the ID of 0 that is used by the host X server, if you set `GPU_SELECT` to the ID of 0. Note that `--gpus 1` means any single GPU, not the GPU device ID of 1.
|
|
|
|
|
|
-#### Vulkan does not work.
|
|
|
+### Vulkan does not work.
|
|
|
|
|
|
Make sure that the `NVIDIA_DRIVER_CAPABILITIES` environment variable is set to `all`, or includes both `graphics` and `display`. The `display` capability is especially crucial to Vulkan, but the container does start without noticeable issues other than Vulkan without `display`, despite its name.
|
|
|
|
|
|
-#### The container does not work if I set the resolution above 1920 x 1200 or 2560 x 1600 in 60 hz.
|
|
|
+### The container does not work if I set the resolution above 1920 x 1200 or 2560 x 1600 in 60 hz.
|
|
|
|
|
|
-##### Short answer
|
|
|
+#### Short answer
|
|
|
|
|
|
If your GPU is a consumer or professional GPU, change the `VIDEO_PORT` environment variable from `DFP` to `DP-0` if `DP-0` is empty, or any empty `DP-*` port. Set `VIDEO_PORT` to where your monitor is connected if you want to show the remote desktop in a real monitor. If your GPU is a Datacenter (Tesla) GPU, keep the `VIDEO_PORT` environment variable to `DFP`, and your maximum resolution is at 2560 x 1600. To go above this restriction, you may set `VIDEO_PORT` to `none`, but you must use borderless window instead of fullscreen, and this may lead to quite a lot of applications not starting, showing errors related to `XRANDR` or `RANDR`.
|
|
|
|
|
|
-##### Long answer
|
|
|
+#### Long answer
|
|
|
|
|
|
The container simulates the GPU to become plugged into a physical DVI-D/HDMI/DisplayPort digital video interface in consumer and professional GPUs with the `ConnectedMonitor` NVIDIA driver option. The container uses virtualized DVI-D ports for this purpose in Datacenter (Tesla) GPUs.
|
|
|
|
|
|
@@ -237,6 +237,12 @@ Since this container simulates the GPU being virtually plugged into a physical m
|
|
|
|
|
|
Datacenter (Tesla) GPUs seem to only support resolutions of up to around 2560 x 1600 at 60 hz (`VIDEO_PORT` must be kept to `DFP` instead of changing to `DP-0` or other DisplayPort identifiers). The K40 (Kepler) GPU did not support RandR (required for some graphical applications using SDL and other graphical frameworks). Other Kepler generation Datacenter GPUs (maybe except the GRID K1 and K2 GPUs with vGPU capabilities) are also unlikely to support RandR, thus Datacenter GPU RandR support probably starts from Maxwell. Other tested Datacenter GPUs (V100, T4, A40, A100) support all graphical applications that consumer GPUs support. However, the performances were not better than consumer GPUs that usually cost a fraction of Datacenter GPUs, and the maximum supported resolutions were even lower.
|
|
|
|
|
|
+### I want to use `systemd`, FUSE mounts, or sandboxed (containerized) application distribution systems like Flatpak, Snapcraft (snap), AppImage, and etc.
|
|
|
+
|
|
|
+**Use the option `--appimage-extract-and-run` or `--appimage-extract` with your AppImage to run them in a container. Alternatively, set `export APPIMAGE_EXTRACT_AND_RUN=1` to your current shell.**
|
|
|
+
|
|
|
+For `systemd`, FUSE mounts, or other sandboxed application distribution systems, do not use them with containers. You can use them if you add unsafe capabilities to your containers, but it will break the isolation of the containers. This is especially bad if you are using Kubernetes. There will likely be an alternative way to install the applications, including [Personal Package Archives](https://launchpad.net/ubuntu/+ppas). For some applications, there will be options to disable sandboxing when running or options to extract files before running.
|
|
|
+
|
|
|
---
|
|
|
This project involved a collaboration effort with members of the [Selkies Project](https://github.com/selkies-project), incorporating the [selkies-gstreamer](https://github.com/selkies-project/selkies-gstreamer) WebRTC remote desktop streaming application. Commercial support for this container is available with [itopia Spaces](https://itopiaspaces.com).
|
|
|
|
ehfd