docker does not expose VNC port #165

Closed
pmhahn opened this issue Jan 24, 2023 · 1 comment

pmhahn commented Jan 24, 2023

Image
consol/debian-xfce-vnc:latest

Tag
3f2464498c9d

Short overview
Following your README.md:

docker run -d -p 5901:5901 consol/debian-xfce-vnc
nc 127.0.0.1 5901

times out. The TCP port 5901 on the outside-host is handled by docker-proxy and is reachable, but inside the docker container the corresponding port 5901 TigerVNC is listening on cannot be connected to.

Detailed error description
Inside the docker container TigerVNC only listened on the interface lo which is not enough for docker-proxy to forward any TCP connection from outside the container to the exported port inside the container.

Additional content
Looking at vnc_startup.sh it executes /usr/bin/vncserver, which then will fork /usr/bin/Xtigervnc … -localhost=1 ….

Inside the docker container the VNC server is only bound to the interface lo, which makes it inaccessible to any service using the docker container's IP address, which the docker port forwarding mechanism uses: Docker runs the following process outside the container:

/usr/sbin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5901 -container-ip 172.17.0.2 -container-port 5901

As you see, it will try to connect to the docker container's internal IP address 172.17.0.2 and not to 127.0.0.1, which is (technically) impossible: As the process has to run outside the container on the host to open the listening port there, 127.0.0.1 will reference the host there and it has to use normal network routing to access any service inside the container. But as Xtigervnc is only listening on lo, it is unreachable — even for the docker-proxy process.

Reading /etc/tigervnc/vncserver-config-defaults has this section:

# $localhost should the TigerVNC server only listen on localhost for incoming VNC connections.
…
# Default: $localhost = "yes"; # if $SecurityTypes does not contain any TLS*
#                              #    or X509* security types or the $SecurityTypes
#                              #    does contain at least on *None security type.
# Default: $localhost = "no";  # Otherwise

As no TLS is set up, TigerVNC defaults to yes.

lsof -p $(pidof Xtigervnc) -a -d 0-255
…
Xtigervnc  38 default    9u     IPv4           31697694      0t0      TCP localhost:5901 (LISTEN)

Fix:

cat ./bug96/Dockerfile
  FROM consol/debian-xfce-vnc
  USER 0
  RUN printf '$localhost = "no";\n1;\n' >/etc/tigervnc/vncserver-config-defaults
  USER 1000

docker build -t debian-xfce-vnc ./bug96
docker run -d -p 5901:5901 --name bug96 debian-xfce-vnc
nc 127.0.0.1 5901
  RFB 003.008

docker exec -ti bug96 bash
lsof -p $(pidof Xtigervnc) -a -d 0-255
…
  Xtigervnc  39 default    9u     IPv4           31792380      0t0      TCP *:5901 (LISTEN)
  Xtigervnc  39 default   10u     IPv6           31792381      0t0      TCP *:5901 (LISTEN)

This is my finding while working on sibson/vncdotool#96 myself.
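
The bind-address check from the report above can be repeated without lsof by reading /proc/net/tcp inside the container. This is an added example, not part of the issue or the project's code; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: /proc/net/tcp or /proc/net/tcp6 text on stdin.
# Prints one of: all-interfaces | specific-address | loopback-only | not-listening
# Assumes a little-endian host (x86, ARM), which fixes the hex byte order.
listen_scope() {
    port_hex=$(printf '%04X' "$1")
    awk -v want="$port_hex" '
        $4 != "0A" { next }                      # keep LISTEN sockets only
        {
            if (split($2, la, ":") != 2) next    # local_address = HEXADDR:HEXPORT
            if (toupper(la[2]) != want) next
            a = toupper(la[1])
            if (a ~ /^0+$/) any = 1                                   # 0.0.0.0 or ::
            else if (length(a) == 8 && substr(a, 7) == "7F") lo = 1   # 127.0.0.0/8
            else if (a == "00000000000000000000000001000000") lo = 1  # ::1
            else other = 1
        }
        END {
            if (any) print "all-interfaces"
            else if (other) print "specific-address"
            else if (lo) print "loopback-only"
            else print "not-listening"
        }'
}

# Constructed sample: Xtigervnc with $localhost = "yes" (127.0.0.1:5901).
sample_loopback() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:170D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11111 1 0000000000000000 100 0 0 10 0
EOF
}

# Constructed sample: after $localhost = "no" (0.0.0.0:5901), plus one
# ESTABLISHED row (state 01) on 172.17.0.2:5901 that must be ignored.
sample_wildcard() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:170D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 100 0 0 10 0
   1: 020011AC:170D 010011AC:C350 01 00000000:00000000 00:00000000 00000000  1000        0 22223 1 0000000000000000 20 4 30 10 -1
EOF
}

printf 'before fix: %s\n' "$(sample_loopback | listen_scope 5901)"
printf 'after fix:  %s\n' "$(sample_wildcard | listen_scope 5901)"
```

Inside the container, feed it live data with `cat /proc/net/tcp* | listen_scope 5901`. With `$localhost = "no"` and no TLS the server accepts connections on every container interface, so exposure is decided at the publish step, for example `-p 127.0.0.1:5901:5901` to keep the host side on loopback.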


sni commented Jan 27, 2023

Thanks for bringing this to my attention. Tbh I only tested the webvnc thing when I took over this project.
Since you did all the work already, the fix was easy. I added some unit tests in 5b8537f to make sure it keeps on working.
