
Pulseaudio Unix Domain Socket works in container

November 04, 2021 — BarryK

I posted today about the simpler TCP method:

And earlier about Unix Domain Sockets:

A note about that second blog post: I reported the hack of creating a symlink /run/pulse/native to /tmp/pulse-socket; however, I found that creating two separate sockets works. This in /etc/pulse/

load-module module-native-protocol-unix
load-module module-native-protocol-unix auth-group=audio socket=/tmp/pulse-socket

To get sound working in the firefox container, I created this one-line file, /mnt/wkg/containers/firefox/root/.config/pulse/client.conf:

default-server = unix:/tmp/pulse-socket

Then /usr/local/easy_containers/ec-chroot can, if audio is enabled, bind /tmp/pulse-socket into the container. This is the invocation that runs the container:

DISPLAY=:0  pflask --mount=bind:/mnt/sdc2/easyos/files/shared:/mnt/wkg/files/shared --keepenv \
--mount=bind:/tmp/.X11-unix/X0:/tmp/.X11-unix/X0 --no-ipcns --no-netns --mount=bind:/dev/snd:/dev/snd \
--mount=bind:/dev/mixer:/dev/mixer --mount=bind:/tmp/pulse-socket:/tmp/pulse-socket \
--caps=all,-sys_mount,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,-sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,-setpcap,-net_admin,-mknod,-sys_module,-sys_nice,-sys_resource \
--no-userns --chroot=/mnt/sdc2/easyos/containers/firefox/container -- /.control/ec-run firefox

EasyContainers uses the 'pflask' utility, which chroots into the container, imposing lots of security restrictions. The --mount=bind:/tmp/pulse-socket:/tmp/pulse-socket option shows how the pulseaudio socket is bound into the container -- yay it works!
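The setup above only works when three settings name the same path: the socket= argument on the server's load-module line, default-server in the container's client.conf, and the pflask bind mount. The following is an added example, not part of the original post or of EasyOS, that cross-checks them; the function names are hypothetical and the sample strings are constructed from the lines shown above.

```python
import os, shlex, stat

# Constructed sample input: the three settings as they appear on the page.
PA_CONFIG = """load-module module-native-protocol-unix
load-module module-native-protocol-unix auth-group=audio socket=/tmp/pulse-socket"""
CLIENT_CONF = "default-server = unix:/tmp/pulse-socket"
PFLASK_CMD = ("pflask --mount=bind:/dev/snd:/dev/snd "
              "--mount=bind:/tmp/pulse-socket:/tmp/pulse-socket -- /.control/ec-run firefox")

def server_sockets(pa_config):
    """Map socket path -> auth-group for module-native-protocol-unix lines with socket=."""
    found = {}
    for line in pa_config.splitlines():
        words = shlex.split(line, comments=True)
        args = dict(w.split("=", 1) for w in words[2:] if "=" in w)
        if words[:2] == ["load-module", "module-native-protocol-unix"] and "socket" in args:
            found[args["socket"]] = args.get("auth-group")
    return found

def client_socket(client_conf):
    """Return PATH from a 'default-server = unix:PATH' line, or None."""
    for line in client_conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "default-server" and value.strip().startswith("unix:"):
            return value.strip()[len("unix:"):]
    return None

def bind_mounts(cmdline):
    """Map container path -> host path for each --mount=bind:HOST:CONTAINER option."""
    mounts = {}
    for word in shlex.split(cmdline.replace("\\\n", " ")):  # join shell line continuations
        if word.startswith("--mount=bind:"):
            host, _, inside = word[len("--mount=bind:"):].partition(":")
            mounts[inside] = host
    return mounts

def audit(pa_config, client_conf, cmdline, check_host=False):
    """Return a list of mismatches; an empty list means the settings line up."""
    wanted = client_socket(client_conf)
    if wanted is None:
        return ["client.conf sets no default-server = unix:PATH"]
    host = bind_mounts(cmdline).get(wanted)
    if host is None:
        return [f"{wanted} is not bind-mounted into the container"]
    problems = []
    if host not in server_sockets(pa_config):
        problems.append(f"no load-module line creates {host}")
    if check_host and not (os.path.exists(host) and stat.S_ISSOCK(os.stat(host).st_mode)):
        problems.append(f"{host} is missing on the host or is not a socket")
    return problems
```

Calling audit(PA_CONFIG, CLIENT_CONF, PFLASK_CMD) returns an empty list for the settings on this page; pass check_host=True on the host to also confirm that the bind source exists and is a socket before the container starts.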

Tags: easy