Details
- Bug
- Resolution: Out of scope
- Not Evaluated
- None
- 5.11.1
- None
- docker container
Description
Recent QT5 (5.11.1) applications fail to run in docker containers because of a forbidden syscall. The same applications based on older QT5 versions (5.7.1) succeed.
Most seen error message (plugin name can differ):
This application failed to start because it could not find or load the Qt platform plugin "xcb" in "".
Related forum thread: https://forum.qt.io/topic/92783/qt-doesn-t-work-in-my-archlinux-docker
A workaround is to run with the docker run option `--security-opt seccomp=unconfined`. This disables some docker security features and must not be a general solution. docker sets up a seccomp profile to forbid some sensitive syscalls that container applications should not need.
docker seccomp documentation: https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile
Steps to reproduce:
Dockerfile to build an image:

```
FROM debian:buster
RUN apt-get update
RUN apt-get install -y calibre
CMD calibre
```

Build this image with:

```
docker build -t qt5test /path/to/Dockerfile/
```

Run:

```
xhost +SI:localuser:root
docker run -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix qt5test
```
If you add `--security-opt seccomp=unconfined`, it succeeds.
If you change `FROM debian:buster` to `FROM debian:stretch`, it succeeds.
Adding `-e QT_DEBUG_PLUGINS=1` gives:
```
QFactoryLoader::QFactoryLoader() checking directory path "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms" ...
QFactoryLoader::QFactoryLoader() looking at "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqeglfs.so"
/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqeglfs.so: Cannot allocate memory
"Out of memory while loading plugin '/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqeglfs.so'."
not a plugin
QFactoryLoader::QFactoryLoader() looking at "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqlinuxfb.so"
/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqlinuxfb.so: Cannot allocate memory
"Out of memory while loading plugin '/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqlinuxfb.so'."
not a plugin
QFactoryLoader::QFactoryLoader() looking at "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqminimal.so"
/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqminimal.so: Cannot allocate memory
"Out of memory while loading plugin '/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqminimal.so'."
not a plugin
QFactoryLoader::QFactoryLoader() looking at "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqminimalegl.so"
/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqminimalegl.so: Cannot allocate memory
"Out of memory while loading plugin '/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqminimalegl.so'."
not a plugin
QFactoryLoader::QFactoryLoader() looking at "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqoffscreen.so"
/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqoffscreen.so: Cannot allocate memory
"Out of memory while loading plugin '/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqoffscreen.so'."
not a plugin
QFactoryLoader::QFactoryLoader() looking at "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqvnc.so"
/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqvnc.so: Cannot allocate memory
"Out of memory while loading plugin '/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqvnc.so'."
not a plugin
QFactoryLoader::QFactoryLoader() looking at "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so"
/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so: Cannot allocate memory
"Out of memory while loading plugin '/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so'."
not a plugin
QFactoryLoader::QFactoryLoader() checking directory path "//platforms" ...
qt.qpa.plugin: Could not find the Qt platform plugin "xcb" in ""
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
Aborted (core dumped)
```
The issue is specific to recent QT5 in docker.
The issue is confirmed for images based on fedora 28, debian buster and arch linux. It does not appear with debian stretch images that ship with QT 5.7.1.
I don't know which syscall is failing here. The docker seccomp documentation may help.
I would prefer to see this fixed in QT5 instead of shrinking down the docker security profile.
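Added example (not part of the original report or of Qt or docker code): one way to narrow down which syscall a seccomp profile is denying, and to build a profile that allows only that syscall instead of running with `seccomp=unconfined`. The strace lines and the shortened profile are constructed samples, the syscall names in them are illustrative and not a diagnosis of this bug, and argument-conditional rules in real profiles are ignored.

```python
import json
import re

# Constructed strace output; not captured from the container in this report.
SAMPLE_STRACE = """\
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so", O_RDONLY|O_CLOEXEC) = 3
statx(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms", AT_STATX_SYNC_AS_STAT, STATX_ALL, 0x7ffd1c2a) = -1 EPERM (Operation not permitted)
[pid    42] unlink("/etc/hostname") = -1 EPERM (Operation not permitted)
mmap(NULL, 8192, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3a5c000000
"""

# Constructed, heavily shortened profile in docker's seccomp JSON layout.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["openat", "mmap", "unlink", "read"], "action": "SCMP_ACT_ALLOW"},
    ],
}

CALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\(.*\)\s+=\s+-1\s+EPERM\b")

def eperm_syscalls(strace_text):
    """Names of syscalls that returned EPERM, in first-seen order."""
    seen = []
    for line in strace_text.splitlines():
        m = CALL_RE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def allowed_names(profile):
    """Syscalls the profile allows (argument conditions are ignored here)."""
    return {n for rule in profile.get("syscalls", [])
            if rule.get("action") == "SCMP_ACT_ALLOW" for n in rule.get("names", [])}

def seccomp_candidates(strace_text, profile):
    """EPERM results the profile can explain: the syscall is not on its allow list."""
    allowed = allowed_names(profile)
    return [n for n in eperm_syscalls(strace_text) if n not in allowed]

def extend_profile(profile, names):
    """Copy of the profile with one extra allow rule; the input is left unchanged."""
    new = json.loads(json.dumps(profile))
    if names:
        new["syscalls"].append({"names": sorted(names), "action": "SCMP_ACT_ALLOW"})
    return new

if __name__ == "__main__":
    missing = seccomp_candidates(SAMPLE_STRACE, SAMPLE_PROFILE)
    print(json.dumps(extend_profile(SAMPLE_PROFILE, missing), indent=2))
```

The `unlink` line shows why the allow-list comparison matters: it also returns EPERM, but the profile allows it, so the denial comes from file permissions rather than seccomp. The extended profile, saved to a file, is passed with `--security-opt seccomp=/path/to/profile.json`.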