feat(cli): skip xauth setup when peer-credential auth is sufficient #1551
agirault wants to merge 1 commit into
Greptile Summary
This PR adds a pre-probe step to
Confidence Score: 5/5
Safe to merge — the probe is read-only, has a hard timeout, fails closed on any error, and the two previously raised concerns have both been addressed in this revision. The change is narrow and defensive: a short-lived subprocess probe that always returns False on any failure, an early-return guard that changes nothing for non-peer-creds paths, and five dedicated tests covering the key branches. No data is mutated, no new mounts are added, and the fallback to the existing cookie path is intact. No files require special attention.
Probe the X server with `XAUTHORITY=/dev/null xset -display $DISPLAY q` before reaching for the xauth cookie path. If that succeeds, a non-cookie auth family (typically SI:localuser, granted to the same UID via the X server's peer-credential check) is already accepting the connection, and the container - running as the same UID via `-u $(id -u):$(id -g)` and sharing the X UNIX socket - will be accepted by the same mechanism. The cookie dance, the warning when no entries are found, and the temp file are all skipped in that case.

This eliminates a noisy "xauth nlist returned no entries" warning that fired on local DISPLAYs whose cookies live in a display-manager-owned Xauthority file outside `\$HOME/.Xauthority`, even though X11 worked fine inside the container via peer-creds.

Signed-off-by: Alexis Girault <agirault@nvidia.com>
e56527a to 8253490
@agirault considering the recent refactoring into |
Summary

Probe the X server with `XAUTHORITY=/dev/null xset -display $DISPLAY q` before attempting the xauth cookie setup. If that succeeds, a non-cookie auth family (typically `SI:localuser`, granted to the same UID via the X server's peer-credential check on the UNIX socket) is already accepting the connection. The container runs as the same UID via `-u $(id -u):$(id -g)` and shares the X socket, so the same auth applies inside. Cookie setup, temp file, and the "no entries" warning are all skipped in that case.

Why

A user reported this warning after the original X11/Wayland auto-detect PR landed:

with X11 still working fine inside the container. Root cause: on most modern Linux desktops, the cookie for the active local display is written to a display-manager-owned Xauthority file (`/run/user/<uid>/gdm/Xauthority`, etc.), not the user's default `~/.Xauthority`. When `xauth nlist` reads the default file in a fresh shell, it finds nothing. The container still works because the X server is granting access via `SI:localuser:<user>` peer-credential auth on the UNIX socket, which does not require a cookie at all.

Probe cost

One `xset` invocation (~5 ms), `timeout=2` so a stale `DISPLAY` cannot hang. Read-only, no side effects.

Behavior

- `DISPLAY`, or a host without `SI:localuser`): fall through to existing cookie path; warning fires only if cookie path also fails.
- `xset` not installed: probe returns `False`, behavior identical to today.

Test plan

- `python3 -m unittest utilities.cli.tests.test_container` -> 27 tests pass (1 new)
- `xauth nlist` is empty: no warning, GUI still renders inside container
- `DISPLAY` (`localhost:N` SSH-forwarded): probe fails, cookie path runs, warning silent
- `xset`: probe returns False, cookie path runs as today
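
The probe described in the Summary, as an added example that is not the PR's own code: the function names, the injectable `run` parameter and the `'peer-creds'`/`'cookie'` labels are assumptions, while the `xset` command, `XAUTHORITY=/dev/null` and the 2-second timeout come from the description. It shows the fail-closed shape: any error falls through to the cookie path.

```python
import os
import subprocess

PROBE_TIMEOUT_S = 2  # timeout=2 from the description: a stale DISPLAY cannot hang


def peer_creds_auth_ok(display, run=subprocess.run, base_env=None):
    """Return True only if the X server accepts a connection made with no cookie.

    Hypothetical helper: name and signature are assumptions. `run` is
    injectable so every branch can be exercised without an X server.
    """
    if not display:
        return False
    env = dict(os.environ if base_env is None else base_env)
    # An empty authority file means no MIT-MAGIC-COOKIE is sent, so success
    # proves a non-cookie family (typically SI:localuser) admitted the client.
    env["XAUTHORITY"] = "/dev/null"
    try:
        result = run(
            ["xset", "-display", display, "q"],
            env=env,
            stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=PROBE_TIMEOUT_S,
            check=False,
        )
    except (OSError, subprocess.SubprocessError):
        # xset not installed (FileNotFoundError), timeout, exec failure:
        # fail closed so the existing cookie path still runs.
        return False
    return result.returncode == 0


def choose_x11_auth(display, run=subprocess.run):
    """Return 'peer-creds' to skip cookie setup, else 'cookie' (existing path)."""
    return "peer-creds" if peer_creds_auth_ok(display, run=run) else "cookie"
```
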