asd

bump dependencies: xrdp v0.10.0, xorgxrdp v0.10.1, libjpeg-turbo 3.0.3

.github/dependabot.yml

@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://json.schemastore.org/dependabot-2.0.json
+version: 2
+
+updates:
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      docker-all:
+        patterns: ["*"]
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    groups:
+      github-actions-all:
+        patterns: ["*"]

.github/workflows/main.yml

@@ -0,0 +1,94 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: "Main"
+
+on:
+  push:
+    tags: ["*"]
+    branches: ["*"]
+  pull_request:
+    branches: ["*"]
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  build:
+    name: "Build ${{ matrix.arch }} image"
+    runs-on: "ubuntu-latest"
+    permissions:
+      contents: "read"
+    strategy:
+      matrix:
+        arch: ["arm64v8"]
+    steps:
+      - name: "Checkout project"
+        uses: "actions/checkout@v4"
+      - name: "Register binfmt entries"
+        if: "matrix.arch != 'native'"
+        run: |
+          make binfmt-register
+      - name: "Build and save image"
+        run: |
+          make IMAGE_BUILD_OPTS="--pull" "build-${{ matrix.arch }}-image" "save-${{ matrix.arch }}-image"
+      - name: "Upload artifacts"
+        if: "startsWith(github.ref, 'refs/tags/v') && matrix.arch != 'native'"
+        uses: "christopherhx/gitea-upload-artifact@v4"
+        with:
+          name: "dist-${{ matrix.arch }}"
+          path: "./dist/"
+          retention-days: 1
+
+  push:
+    name: "Push ${{ matrix.arch }} image"
+    if: "startsWith(github.ref, 'refs/tags/v')"
+    needs: ["build"]
+    runs-on: "ubuntu-latest"
+    permissions:
+      contents: "read"
+    strategy:
+      matrix:
+        arch: ["arm64v8"]
+    steps:
+      - name: "Checkout project"
+        uses: "actions/checkout@v4"
+      - name: "Download artifacts"
+        uses: "christopherhx/gitea-download-artifact@v4"
+        with:
+          name: "dist-${{ matrix.arch }}"
+          path: "./dist/"
+#      - name: "Login to Docker Hub"
+#        uses: "docker/login-action@v3"
+#        with:
+#          registry: "d.lilpenguins.com"
+      - name: "Load and push image"
+        run: |
+          make "load-${{ matrix.arch }}-image" "push-${{ matrix.arch }}-image"
+
+  push-manifest:
+    name: "Push manifest"
+    if: "startsWith(github.ref, 'refs/tags/v')"
+    needs: ["push"]
+    runs-on: "ubuntu-latest"
+    permissions:
+      contents: "read"
+    steps:
+      - name: "Checkout project"
+        uses: "actions/checkout@v4"
+#      - name: "Login to Docker Hub"
+#        uses: "docker/login-action@v3"
+#        with:
+#          registry: "d.lilpenguins.com"
+      - name: "Push manifest"
+        run: |
+          make push-cross-manifest
+
+  publish-github-release:
+    name: "Publish GitHub release"
+    if: "startsWith(github.ref, 'refs/tags/v')"
+    needs: ["push-manifest"]
+    runs-on: "ubuntu-latest"
+    permissions:
+      contents: "write"
+    steps:
+      - name: "Publish"
+        uses: "hectorm/ghaction-release@066200d04c3549852afa243d631ea3dc93390f68"

.github/workflows/rebuild-latest-release.yml

@@ -0,0 +1,22 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+#name: "Rebuild latest release"
+
+#on:
+#  schedule:
+#    - cron: "20 04 * * 1"
+#  workflow_dispatch:
+
+#permissions: {}
+
+#jobs:
+#  trigger-rebuild:
+#    name: "Trigger rebuild"
+#    runs-on: "ubuntu-latest"
+#    permissions:
+#      actions: "write"
+#      contents: "read"
+#    steps:
+#      - name: "Trigger rebuild"
+#        uses: "hectorm/ghaction-trigger-workflow@04c79e7a4e0c0b94bbcff3829f38359e34f1ea9e"
+#        with:
+#          workflow-id: "main.yml"

.gitlab-ci.yml

@@ -1,137 +0,0 @@
-image: docker:stable
-
-services:
-  - docker:dind
-
-stages:
-  - build:images
-  - push:images
-  - push:manifests
-
-variables:
-  DOCKER_HOST: tcp://docker:2375
-  DOCKER_DRIVER: overlay2
-
-build:native-image:
-  stage: build:images
-  before_script:
-    - docker info
-    - apk add --no-cache coreutils git m4 make xz
-  script:
-    - make build-native-image save-native-image
-  except:
-    - tags
-  artifacts:
-    expire_in: 1 day
-    paths:
-      - dist/
-
-build:amd64-image:
-  stage: build:images
-  before_script:
-    - docker info
-    - apk add --no-cache coreutils git m4 make xz
-    - make binfmt-register
-  script:
-    - make build-amd64-image save-amd64-image
-  only:
-    - /^v([0-9.]+)(-.+)?$/
-  except:
-    - branches
-  artifacts:
-    expire_in: 1 week
-    paths:
-      - dist/
-
-build:arm32v7-image:
-  stage: build:images
-  before_script:
-    - docker info
-    - apk add --no-cache coreutils git m4 make xz
-    - make binfmt-register
-  script:
-    - make build-arm32v7-image save-arm32v7-image
-  only:
-    - /^v([0-9.]+)(-.+)?$/
-  except:
-    - branches
-  artifacts:
-    expire_in: 1 week
-    paths:
-      - dist/
-
-build:arm64v8-image:
-  stage: build:images
-  before_script:
-    - docker info
-    - apk add --no-cache coreutils git m4 make xz
-    - make binfmt-register
-  script:
-    - make build-arm64v8-image save-arm64v8-image
-  only:
-    - /^v([0-9.]+)(-.+)?$/
-  except:
-    - branches
-  artifacts:
-    expire_in: 1 week
-    paths:
-      - dist/
-
-push:amd64-image:
-  stage: push:images
-  before_script:
-    - apk add --no-cache coreutils git make xz
-    - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}" >/dev/null 2>&1
-  script:
-    - make load-amd64-image push-amd64-image
-  only:
-    - /^v([0-9.]+)(-.+)?$/
-  except:
-    - branches
-  dependencies:
-    - build:amd64-image
-
-push:arm32v7-image:
-  stage: push:images
-  before_script:
-    - apk add --no-cache coreutils git make xz
-    - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}" >/dev/null 2>&1
-  script:
-    - make load-arm32v7-image push-arm32v7-image
-  only:
-    - /^v([0-9.]+)(-.+)?$/
-  except:
-    - branches
-  dependencies:
-    - build:arm32v7-image
-
-push:arm64v8-image:
-  stage: push:images
-  before_script:
-    - apk add --no-cache coreutils git make xz
-    - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}" >/dev/null 2>&1
-  script:
-    - make load-arm64v8-image push-arm64v8-image
-  only:
-    - /^v([0-9.]+)(-.+)?$/
-  except:
-    - branches
-  dependencies:
-    - build:arm64v8-image
-
-push:cross-manifest:
-  stage: push:manifests
-  before_script:
-    - apk add --no-cache coreutils git make xz
-    - "mkdir -p ~/.docker/ && printf '%s\n' '{\"experimental\": \"enabled\"}' > ~/.docker/config.json"
-    - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}" >/dev/null 2>&1
-  script:
-    - make push-cross-manifest
-  only:
-    - /^v([0-9.]+)(-.+)?$/
-  except:
-    - branches
-  dependencies:
-    - push:amd64-image
-    - push:arm32v7-image
-    - push:arm64v8-image

Dockerfile.m4

@@ -4,35 +4,49 @@ m4_changequote([[, ]])
 ## "build" stage
 ##################################################
 
-m4_ifdef([[CROSS_ARCH]], [[FROM docker.io/CROSS_ARCH/ubuntu:18.04]], [[FROM docker.io/ubuntu:18.04]]) AS build
-m4_ifdef([[CROSS_QEMU]], [[COPY --from=docker.io/hectormolinero/qemu-user-static:latest CROSS_QEMU CROSS_QEMU]])
+m4_ifdef([[CROSS_ARCH]], [[FROM dtcooper/raspberrypi-os:latest]], [[FROM dtcooper/raspberrypi-os:latest]]) AS build
 
-# Install system packages
-RUN export DEBIAN_FRONTEND=noninteractive \
-	# Remove Canonical's "partner" repository
-	&& sed -i '/archive\.canonical\.com/d;' /etc/apt/sources.list \
-	# Uncomment source packages repositories
-	&& sed -i 's/^#\s*\(deb-src\s\)/\1/g' /etc/apt/sources.list \
-m4_ifelse(ENABLE_32BIT, 1, [[m4_dnl
-	# Enable multiarch support
-	&& dpkg --add-architecture i386 \
-]])m4_dnl
-	&& apt-get update \
-	&& apt-get install -y --no-install-recommends \
+SHELL ["/bin/sh", "-euc"]
+
+# Enable source repositories
+RUN <<-EOF
+	sed -i '/^Types: deb$/s/$/ deb-src/' /etc/apt/sources.list.d/debian.sources
+	sed -i '/^Components: main$/s/$/ contrib non-free non-free-firmware/' /etc/apt/sources.list.d/debian.sources
+EOF
+
+# Install packages
+RUN <<-EOF
+	export DEBIAN_FRONTEND=noninteractive
+	apt-get update
+	apt-get install -y --no-install-recommends -o APT::Immediate-Configure=0 \
 		autoconf \
 		automake \
 		bison \
 		build-essential \
 		ca-certificates \
-		checkinstall \
 		cmake \
+		dbus-x11 \
+		devscripts \
+		doxygen \
+		dpkg-dev \
 		flex \
 		git \
 		intltool \
+		libbz2-dev \
+		libdrm-dev \
+		libegl-dev \
+		libegl1-mesa-dev \
+		libepoxy-dev \
 		libfdk-aac-dev \
-		libfuse-dev \
-		libgl1-mesa-dev \
+		libfreetype-dev \
+		libfuse3-dev \
+		libgbm-dev \
+		libgl-dev \
+		libgles-dev \
 		libglu1-mesa-dev \
+		libglvnd-dev \
+		libglx-dev \
+		libimlib2-dev \
 		libmp3lame-dev \
 		libopus-dev \
 		libpam0g-dev \
@@ -42,49 +56,45 @@ m4_ifelse(ENABLE_32BIT, 1, [[m4_dnl
 		libsystemd-dev \
 		libtool \
 		libx11-dev \
+		libx11-xcb-dev \
+		libx264-dev \
+		libxcb-glx0-dev \
+		libxcb-keysyms1-dev \
+		libxcb1-dev \
 		libxext-dev \
 		libxfixes-dev \
 		libxml2-dev \
 		libxrandr-dev \
+		libxshmfence-dev \
+		libxt-dev \
 		libxtst-dev \
 		libxv-dev \
 		nasm \
+		ocl-icd-opencl-dev \
 		pkg-config \
-		python \
-		python-libxml2 \
 		texinfo \
+		x11-xkb-utils \
+		xauth \
+		xkb-data \
+		xserver-xorg-core \
 		xserver-xorg-dev \
 		xsltproc \
 		xutils-dev \
-m4_ifelse(ENABLE_32BIT, 1, [[m4_dnl
-		g++-multilib \
-		libgl1-mesa-dev:i386 \
-		libglu1-mesa-dev:i386 \
-		libxtst-dev:i386 \
-		libxv-dev:i386 \
-]])m4_dnl
-	&& rm -rf /var/lib/apt/lists/*
+		zlib1g-dev
+	apt-get clean
+EOF
 
 # Build libjpeg-turbo
-ARG LIBJPEG_TURBO_TREEISH=2.0.2
+ARG LIBJPEG_TURBO_TREEISH=3.1.1
 ARG LIBJPEG_TURBO_REMOTE=https://github.com/libjpeg-turbo/libjpeg-turbo.git
 WORKDIR /tmp/libjpeg-turbo/
-RUN git clone "${LIBJPEG_TURBO_REMOTE}" ./
-RUN git checkout "${LIBJPEG_TURBO_TREEISH}"
-RUN git submodule update --init --recursive
-WORKDIR ./build/
-RUN cmake ./ \
-		-G 'Unix Makefiles' \
-		-D PKGNAME=libjpeg-turbo \
-		-D CMAKE_BUILD_TYPE=Release \
-		-D CMAKE_INSTALL_PREFIX=/opt/libjpeg-turbo \
-		-D CMAKE_POSITION_INDEPENDENT_CODE=1 \
-		../
-RUN make -j"$(nproc)" && make deb
-RUN dpkg -i --force-architecture ./libjpeg-turbo_*.deb
-m4_ifelse(ENABLE_32BIT, 1, [[m4_dnl
-WORKDIR ../build32/
-RUN CFLAGS='-m32' CXXFLAGS='-m32' LDFLAGS='-m32' \
+RUN <<-EOF
+	git clone "${LIBJPEG_TURBO_REMOTE:?}" ./
+	git checkout "${LIBJPEG_TURBO_TREEISH:?}"
+	git submodule update --init --recursive
+EOF
+WORKDIR /tmp/libjpeg-turbo/build/
+RUN <<-EOF
 	cmake ./ \
 		-G 'Unix Makefiles' \
 		-D PKGNAME=libjpeg-turbo \
@@ -92,334 +102,485 @@ RUN CFLAGS='-m32' CXXFLAGS='-m32' LDFLAGS='-m32' \
 		-D CMAKE_INSTALL_PREFIX=/opt/libjpeg-turbo \
 		-D CMAKE_POSITION_INDEPENDENT_CODE=1 \
 		../
-RUN make -j"$(nproc)" && make deb
-RUN dpkg -i --force-architecture ./libjpeg-turbo32_*.deb
-]])m4_dnl
+	make -j"$(nproc)" install
+EOF
 
 # Build VirtualGL
-ARG VIRTUALGL_TREEISH=2.6.2
+ARG VIRTUALGL_TREEISH=3.1.3
 ARG VIRTUALGL_REMOTE=https://github.com/VirtualGL/virtualgl.git
 WORKDIR /tmp/virtualgl/
-RUN git clone "${VIRTUALGL_REMOTE}" ./
-RUN git checkout "${VIRTUALGL_TREEISH}"
-RUN git submodule update --init --recursive
-WORKDIR ./build/
-RUN cmake ./ \
-		-G 'Unix Makefiles' \
-		-D PKGNAME=virtualgl \
-		-D CMAKE_BUILD_TYPE=Release \
-		-D CMAKE_INSTALL_PREFIX=/opt/VirtualGL \
-		-D CMAKE_POSITION_INDEPENDENT_CODE=1 \
-		../
-RUN make -j"$(nproc)" && make deb
-RUN dpkg -i --force-architecture ./virtualgl_*.deb
-m4_ifelse(ENABLE_32BIT, 1, [[m4_dnl
-WORKDIR ../build32/
-RUN CFLAGS='-m32' CXXFLAGS='-m32' LDFLAGS='-m32' \
+RUN <<-EOF
+	git clone "${VIRTUALGL_REMOTE:?}" ./
+	git checkout "${VIRTUALGL_TREEISH:?}"
+	git submodule update --init --recursive
+EOF
+WORKDIR /tmp/virtualgl/build/
+RUN <<-EOF
 	cmake ./ \
 		-G 'Unix Makefiles' \
 		-D PKGNAME=virtualgl \
 		-D CMAKE_BUILD_TYPE=Release \
 		-D CMAKE_INSTALL_PREFIX=/opt/VirtualGL \
 		-D CMAKE_POSITION_INDEPENDENT_CODE=1 \
+		-D VGL_EGLBACKEND=1 \
 		../
-RUN make -j"$(nproc)" && make deb
-RUN dpkg -i --force-architecture ./virtualgl32_*.deb
-]])m4_dnl
+	make -j"$(nproc)" install
+EOF
 
-# Build XRDP
-ARG XRDP_TREEISH=v0.9.10
+# Build TurboVNC
+ARG TURBOVNC_TREEISH=3.2
+ARG TURBOVNC_REMOTE=https://github.com/TurboVNC/turbovnc.git
+WORKDIR /tmp/turbovnc/
+RUN <<-EOF
+	git clone "${TURBOVNC_REMOTE:?}" ./
+	git checkout "${TURBOVNC_TREEISH:?}"
+	git submodule update --init --recursive
+EOF
+WORKDIR /tmp/turbovnc/build/
+RUN <<-EOF
+	cmake ./ \
+		-G 'Unix Makefiles' \
+		-D PKGNAME=turbovnc \
+		-D CMAKE_BUILD_TYPE=Release \
+		-D CMAKE_INSTALL_PREFIX=/opt/TurboVNC \
+		-D TVNC_BUILDSERVER=1 \
+		-D TVNC_BUILDWEBSERVER=0 \
+		-D TVNC_BUILDVIEWER=0 \
+		-D TVNC_BUILDHELPER=0 \
+		-D TVNC_SYSTEMLIBS=1 \
+		-D TVNC_SYSTEMX11=1 \
+		-D TVNC_DLOPENSSL=1 \
+		-D TVNC_USEPAM=1 \
+		-D TVNC_GLX=1 \
+		-D TVNC_NVCONTROL=1 \
+		../
+	make -j"$(nproc)" install
+EOF
+
+# Build xrdp
+ARG XRDP_TREEISH=v0.10.3
 ARG XRDP_REMOTE=https://github.com/neutrinolabs/xrdp.git
 WORKDIR /tmp/xrdp/
-RUN git clone "${XRDP_REMOTE}" ./
-RUN git checkout "${XRDP_TREEISH}"
-RUN git submodule update --init --recursive
-RUN ./bootstrap
-RUN ./configure \
-		--prefix=/usr \
+RUN <<-EOF
+	git clone "${XRDP_REMOTE:?}" ./
+	git checkout "${XRDP_TREEISH:?}"
+	git submodule update --init --recursive
+EOF
+RUN <<-EOF
+	./bootstrap
+	./configure \
+		--prefix=/opt/xrdp \
+		--enable-strict-locations \
 		--enable-vsock \
 		--enable-tjpeg \
-		--enable-fuse \
+		--enable-pixman \
+		--enable-x264 \
+		--enable-rfxcodec \
+		--enable-painter \
+		--enable-rdpsndaudin \
 		--enable-fdkaac \
 		--enable-opus \
 		--enable-mp3lame \
-		--enable-pixman
-RUN make -j"$(nproc)"
-RUN checkinstall --default --pkgname=xrdp --pkgversion=0 --pkgrelease=0
+		--enable-fuse \
+		--enable-ipv6 \
+		--with-freetype2 \
+		--with-imlib2
+	make -j"$(nproc)" install
+	rm -f /opt/xrdp/etc/xrdp/rsakeys.ini /opt/xrdp/etc/xrdp/*.pem
+EOF
 
 # Build xorgxrdp
-ARG XORGXRDP_TREEISH=v0.2.10
+ARG XORGXRDP_TREEISH=v0.10.4
 ARG XORGXRDP_REMOTE=https://github.com/neutrinolabs/xorgxrdp.git
 WORKDIR /tmp/xorgxrdp/
-RUN git clone "${XORGXRDP_REMOTE}" ./
-RUN git checkout "${XORGXRDP_TREEISH}"
-RUN git submodule update --init --recursive
-RUN ./bootstrap
-RUN ./configure
-RUN make -j"$(nproc)"
-RUN checkinstall --default --pkgname=xorgxrdp --pkgversion=0 --pkgrelease=0
+RUN <<-EOF
+	git clone "${XORGXRDP_REMOTE:?}" ./
+	git checkout "${XORGXRDP_TREEISH:?}"
+	git submodule update --init --recursive
+EOF
+RUN <<-EOF
+	./bootstrap
+	./configure \
+		--prefix=/opt/xrdp \
+		--enable-strict-locations \
+		--enable-glamor \
+		PKG_CONFIG_PATH=/opt/xrdp/lib/pkgconfig
+	make -j"$(nproc)" install
+EOF
 
-# Build XRDP PulseAudio module
-ARG XRDP_PULSEAUDIO_TREEISH=v0.3
+# Build xrdp PulseAudio module
+ARG XRDP_PULSEAUDIO_TREEISH=v0.8
 ARG XRDP_PULSEAUDIO_REMOTE=https://github.com/neutrinolabs/pulseaudio-module-xrdp.git
-WORKDIR /tmp/xrdp-pulseaudio/
-RUN git clone "${XRDP_PULSEAUDIO_REMOTE}" ./
-RUN git checkout "${XRDP_PULSEAUDIO_TREEISH}"
-RUN git submodule update --init --recursive
-RUN apt-get update
-RUN apt-get build-dep -y pulseaudio
-RUN apt-get source pulseaudio
-WORKDIR ./pulseaudio-11.1/
-RUN ./configure
-WORKDIR ../
-RUN ./bootstrap
-RUN ./configure PULSE_DIR="$(pwd)"/pulseaudio-11.1/
-RUN make -j"$(nproc)"
-RUN checkinstall --default --pkgname=xrdp-pulseaudio --pkgversion=0 --pkgrelease=0
+WORKDIR /tmp/
+RUN <<-EOF
+	DEBIAN_FRONTEND=noninteractive apt-get build-dep -y pulseaudio
+	apt-get source pulseaudio && mv ./pulseaudio-*/ ./pulseaudio/
+	meson setup ./pulseaudio/build/ ./pulseaudio/
+EOF
+WORKDIR /tmp/pulseaudio-module-xrdp/
+RUN <<-EOF
+	git clone "${XRDP_PULSEAUDIO_REMOTE:?}" ./
+	git checkout "${XRDP_PULSEAUDIO_TREEISH:?}"
+	git submodule update --init --recursive
+EOF
+RUN <<-EOF
+	./bootstrap
+	./configure \
+		--prefix=/opt/xrdp \
+		--with-module-dir=/opt/xrdp/lib/pulse/modules \
+		PKG_CONFIG_PATH=/opt/xrdp/lib/pkgconfig \
+		PULSE_DIR=/tmp/pulseaudio/
+	make -j"$(nproc)" install
+EOF
 
 ##################################################
-## "xubuntu" stage
+## "main" stage
 ##################################################
 
-m4_ifdef([[CROSS_ARCH]], [[FROM docker.io/CROSS_ARCH/ubuntu:18.04]], [[FROM docker.io/ubuntu:18.04]]) AS xubuntu
-m4_ifdef([[CROSS_QEMU]], [[COPY --from=docker.io/hectormolinero/qemu-user-static:latest CROSS_QEMU CROSS_QEMU]])
+m4_ifdef([[CROSS_ARCH]], [[FROM dtcooper/raspberrypi-os:latest]], [[FROM dtcooper/raspberrypi-os:latest]]) AS main
 
-# Install system packages
-RUN export DEBIAN_FRONTEND=noninteractive \
-m4_ifelse(ENABLE_32BIT, 1, [[m4_dnl
-	&& dpkg --add-architecture i386 \
-]])m4_dnl
-	&& apt-get update \
-	&& apt-get install -y --no-install-recommends \
-		adwaita-qt \
-		apt-utils \
-		atril \
-		bash \
+SHELL ["/bin/sh", "-euc"]
+
+# Copy APT config
+COPY --chown=root:root ./config/apt/preferences.d/ /etc/apt/preferences.d/
+RUN <<-EOF
+	find /etc/apt/preferences.d/ -type d -not -perm 0755 -exec chmod 0755 '{}' ';'
+	find /etc/apt/preferences.d/ -type f -not -perm 0644 -exec chmod 0644 '{}' ';'
+EOF
+
+RUN <<-EOF
+	sed -i '/^Types: deb$/s/$/ deb-src/' /etc/apt/sources.list.d/debian.sources
+	sed -i '/^Components: main$/s/$/ contrib non-free non-free-firmware/' /etc/apt/sources.list.d/debian.sources
+EOF
+
+# Install base packages
+RUN <<-EOF
+	export DEBIAN_FRONTEND=noninteractive
+	apt-get update
+	apt-get install -y --no-install-recommends -o APT::Immediate-Configure=0 \
+		at-spi2-core \
 		ca-certificates \
+		catatonit \
 		curl \
 		dbus \
 		dbus-x11 \
+		gnupg \
+		libbz2-1.0 \
+		libegl1 \
+		libepoxy0 \
+		libfdk-aac2 \
+		libfreetype6 \
+		libfuse3-3 \
+		libgbm1 \
+		libgl1 \
+		libgl1-mesa-dri \
+		libgles2 \
+		libgles2-mesa \
+		libgles2-mesa-dev \
+		libglu1 \
+		libglvnd0 \
+		libglx-mesa0 \
+		libimlib2 \
+		libmp3lame0 \
+		libopus0 \
+		libpam0g \
+		libpixman-1-0 \
+		libpulse0 \
+		libssl3 \
+		libsystemd0 \
+		libx11-6 \
+		libx11-xcb1 \
+		libx264-164 \
+		libxcb-glx0 \
+		libxcb-keysyms1 \
+		libxcb1 \
+		libxext6 \
+		libxfixes3 \
+		libxml2 \
+		libxrandr2 \
+		libxshmfence1 \
+		libxt6 \
+		libxtst6 \
+		libxv1 \
+		locales \
+		lsb-release \
+		mesa-opencl-icd \
+		mesa-va-drivers \
+		mesa-vdpau-drivers \
+		mesa-vulkan-drivers \
+		ocl-icd-opencl-dev \
+		openssh-server \
+		openssl \
+		perl-base \
+		policykit-1 \
+		pulseaudio \
+		runit \
+		tzdata \
+		udev \
+		xauth \
+		xkb-data \
+		xserver-xorg-core \
+		xserver-xorg-input-evdev \
+		xserver-xorg-input-joystick \
+		xserver-xorg-input-libinput \
+		xserver-xorg-video-dummy \
+		xserver-xorg-video-fbdev \
+		xserver-xorg-video-vesa \
+		xorg-dev \
+		zlib1g
+m4_ifelse(ENABLE_AMD_SUPPORT, 1, [[m4_dnl
+	apt-get install -y --no-install-recommends -o APT::Immediate-Configure=0 \
+		libdrm-amdgpu1 \
+		xserver-xorg-video-amdgpu
+]])m4_dnl
+m4_ifelse(ENABLE_INTEL_SUPPORT, 1, [[m4_dnl
+	apt-get install -y --no-install-recommends -o APT::Immediate-Configure=0 \
+		intel-opencl-icd \
+		libdrm-intel1 \
+		xserver-xorg-video-intel
+]])m4_dnl
+m4_ifelse(ENABLE_NVIDIA_SUPPORT, 1, [[m4_dnl
+	apt-get install -y --no-install-recommends -o APT::Immediate-Configure=0 \
+		libdrm-nouveau2 \
+		libnvidia-cfg1-570 \
+		libnvidia-compute-570 \
+		libnvidia-decode-570 \
+		libnvidia-encode-570 \
+		libnvidia-extra-570 \
+		libnvidia-fbc1-570 \
+		libnvidia-gl-570 \
+		xserver-xorg-video-nouveau \
+		xserver-xorg-video-nvidia-570
+]])m4_dnl
+	rm -rf /var/lib/apt/lists/*
+	rm -f /etc/ssh/ssh_host_*_key
+EOF
+
+# Add Mozilla repository
+RUN <<-EOF
+	curl --proto '=https' --tlsv1.3 -sSf 'https://packages.mozilla.org/apt/repo-signing-key.gpg' | gpg --dearmor -o /etc/apt/trusted.gpg.d/mozilla.gpg
+	printf '%s\n' 'deb [signed-by=/etc/apt/trusted.gpg.d/mozilla.gpg] https://packages.mozilla.org/apt mozilla main' > /etc/apt/sources.list.d/mozilla.list
+EOF
+
+# Install extra packages
+RUN <<-EOF
+	export DEBIAN_FRONTEND=noninteractive
+	apt-get update
+	apt-get install -y --no-install-recommends -o APT::Immediate-Configure=0 \
+		adwaita-icon-theme-full \
+		adwaita-qt \
+		audacity \
+		bash \
+		bash-completion \
+		binutils \
+		clinfo \
 		desktop-file-utils \
 		dialog \
 		engrampa \
+		exo-utils \
 		file \
 		firefox \
 		fonts-dejavu \
 		fonts-liberation \
 		fonts-noto \
 		fonts-noto-color-emoji \
-		fuse \
-		gstreamer1.0-plugins-base \
-		gstreamer1.0-plugins-good \
-		gstreamer1.0-plugins-ugly \
+		fonts-ubuntu \
+		fuse3 \
+		git \
+		gnome-keyring \
 		gtk2-engines-pixbuf \
-		gtk2-engines-xfce \
-		gtk3-engines-xfce \
 		htop \
+		ayatana-indicator-messages \
 		iproute2 \
-		less \
+		iputils-ping \
 		libavcodec-extra \
 		libcanberra-gtk-module \
 		libcanberra-gtk3-module \
-		libfdk-aac1 \
-		libgl1-mesa-dri \
-		libgl1-mesa-glx \
-		libglu1-mesa \
 		libgtk-3-bin \
-		libmp3lame0 \
-		libopus0 \
-		libpam0g \
-		libpixman-1-0 \
-		libpulse0 \
-		libssl1.1 \
-		libsystemd0 \
-		libx11-6 \
-		libxext6 \
-		libxfixes3 \
-		libxml2 \
-		libxrandr2 \
-		libxtst6 \
-		libxv1 \
-		locales \
+		librsvg2-common \
+		lshw \
+		lsof \
+		lsscsi \
+		media-types \
 		menu \
 		menu-xdg \
 		menulibre \
 		mesa-utils \
 		mesa-utils-extra \
-		mime-support \
 		mousepad \
 		mugshot \
 		nano \
-		openssh-server \
-		openssl \
+		net-tools \
+		netcat-openbsd \
+		parole \
 		pavucontrol \
+		pciutils \
 		procps \
 		psmisc \
-		pulseaudio \
 		pulseaudio-utils \
 		ristretto \
-		runit \
+		strace \
 		sudo \
 		thunar-archive-plugin \
-		thunar-volman \
-		tzdata \
+		tumbler \
 		unzip \
-		vlc \
+		usbutils \
+		vulkan-tools \
+		wget \
+		x11-utils \
+		x11-xkb-utils \
 		xauth \
 		xdg-user-dirs \
 		xdg-utils \
 		xfce4 \
 		xfce4-indicator-plugin \
 		xfce4-notifyd \
+		xfce4-panel \
+		xfce4-panel-profiles \
 		xfce4-pulseaudio-plugin \
-		xfce4-statusnotifier-plugin \
+		xfce4-screenshooter \
 		xfce4-taskmanager \
 		xfce4-terminal \
 		xfce4-whiskermenu-plugin \
-		xfce4-xkb-plugin \
 		xfonts-base \
-		xfpanel-switch \
-		xserver-xorg-core \
-		xserver-xorg-video-all \
+		xinput \
 		xterm \
-		xubuntu-default-settings \
+		debian-mate-default-settings \
 		xutils \
 		xz-utils \
 		zenity \
-		zip \
-m4_ifelse(ENABLE_32BIT, 1, [[m4_dnl
-		libgl1-mesa-dri:i386 \
-		libgl1-mesa-glx:i386 \
-		libglu1-mesa:i386 \
-		libxtst6:i386 \
-		libxv1:i386 \
-]])m4_dnl
-	&& rm -rf /var/lib/apt/lists/*
+		zip
+	rm -rf /var/lib/apt/lists/*
+EOF
 
-# Copy Tini build
-m4_define([[TINI_IMAGE_TAG]], m4_ifdef([[CROSS_ARCH]], [[latest-CROSS_ARCH]], [[latest]]))m4_dnl
-COPY --from=docker.io/hectormolinero/tini:TINI_IMAGE_TAG --chown=root:root /usr/bin/tini /usr/bin/tini
+# Copy libjpeg-turbo build
+COPY --from=build /opt/libjpeg-turbo/ /opt/libjpeg-turbo/
 
-# Install libjpeg-turbo from package
-COPY --from=build --chown=root:root /tmp/libjpeg-turbo/build/libjpeg-turbo_*.deb /tmp/libjpeg-turbo.deb
-RUN dpkg -i --force-architecture /tmp/libjpeg-turbo.deb && rm -f /tmp/libjpeg-turbo.deb
-m4_ifelse(ENABLE_32BIT, 1, [[m4_dnl
-COPY --from=build --chown=root:root /tmp/libjpeg-turbo/build32/libjpeg-turbo32_*.deb /tmp/libjpeg-turbo32.deb
-RUN dpkg -i --force-architecture /tmp/libjpeg-turbo32.deb && rm -f /tmp/libjpeg-turbo32.deb
-]])m4_dnl
+# Copy VirtualGL build
+COPY --from=build /opt/VirtualGL/ /opt/VirtualGL/
 
-# Install VirtualGL from package
-COPY --from=build --chown=root:root /tmp/virtualgl/build/virtualgl_*.deb /tmp/virtualgl.deb
-RUN dpkg -i --force-architecture /tmp/virtualgl.deb && rm -f /tmp/virtualgl.deb
-m4_ifelse(ENABLE_32BIT, 1, [[m4_dnl
-COPY --from=build --chown=root:root /tmp/virtualgl/build32/virtualgl32_*.deb /tmp/virtualgl32.deb
-RUN dpkg -i --force-architecture /tmp/virtualgl32.deb && rm -f /tmp/virtualgl32.deb
-]])m4_dnl
+# Copy TurboVNC build
+COPY --from=build /opt/TurboVNC/ /opt/TurboVNC/
 
-# Install XRDP from package
-COPY --from=build --chown=root:root /tmp/xrdp/xrdp_*.deb /tmp/xrdp.deb
-RUN dpkg -i /tmp/xrdp.deb && rm -f /tmp/xrdp.deb
-
-# Install xorgxrdp from package
-COPY --from=build --chown=root:root /tmp/xorgxrdp/xorgxrdp_*.deb /tmp/xorgxrdp.deb
-RUN dpkg -i /tmp/xorgxrdp.deb && rm -f /tmp/xorgxrdp.deb
-
-# Install XRDP PulseAudio module from package
-COPY --from=build --chown=root:root /tmp/xrdp-pulseaudio/xrdp-pulseaudio_*.deb /tmp/xrdp-pulseaudio.deb
-RUN dpkg -i /tmp/xrdp-pulseaudio.deb && rm -f /tmp/xrdp-pulseaudio.deb
+# Copy xrdp, xorgxrdp and PulseAudio module builds
+COPY --from=build /opt/xrdp/ /opt/xrdp/
 
 # Environment
-ENV RDP_TLS_KEY_PATH=/etc/xrdp/key.pem
-ENV RDP_TLS_CERT_PATH=/etc/xrdp/cert.pem
-ENV PATH=/opt/VirtualGL/bin:"${PATH}"
-ENV VGL_DISPLAY=:0
+ENV SVDIR=/etc/service/
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
+ENV PATH=/opt/libjpeg-turbo/bin:/opt/VirtualGL/bin:/opt/TurboVNC/bin:/opt/xrdp/sbin:/opt/xrdp/bin:${PATH}
+ENV UNPRIVILEGED_USER_UID=1000
+ENV UNPRIVILEGED_USER_GID=1000
+ENV UNPRIVILEGED_USER_NAME=user
+ENV UNPRIVILEGED_USER_PASSWORD=password
+ENV UNPRIVILEGED_USER_GROUPS=
+ENV UNPRIVILEGED_USER_SHELL=/bin/bash
+ENV UNPRIVILEGED_USER_HOME=/home/user
+ENV SERVICE_XRDP_BOOTSTRAP_ENABLED=false
+ENV SERVICE_XORG_HEADLESS_ENABLED=false
+ENV XRDP_RSAKEYS_PATH=/etc/xrdp/rsakeys.ini
+ENV XRDP_TLS_KEY_PATH=/etc/xrdp/key.pem
+ENV XRDP_TLS_CRT_PATH=/etc/xrdp/cert.pem
+ENV STARTUP=xfce4-session
+ENV DESKTOP_SESSION=xubuntu
 ENV QT_STYLE_OVERRIDE=Adwaita
 
 # Setup locale
-RUN sed -i 's|^# \(en_US\.UTF-8 UTF-8\)$|\1|' /etc/locale.gen && locale-gen
 ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8
+RUN <<-EOF
+	printf '%s\n' "${LANG:?} UTF-8" > /etc/locale.gen
+	localedef -c -i "${LANG%%.*}" -f UTF-8 "${LANG:?}" ||:
+EOF
 
 # Setup timezone
-ENV TZ=Etc/UTC
-RUN ln -sf /usr/share/zoneinfo/"${TZ}" /etc/localtime
+ENV TZ=UTC
+RUN <<-EOF
+	printf '%s\n' "${TZ:?}" > /etc/timezone
+	ln -snf "/usr/share/zoneinfo/${TZ:?}" /etc/localtime
+EOF
 
 # Setup D-Bus
-RUN mkdir /run/dbus/ && chown messagebus:messagebus /run/dbus/
-RUN dbus-uuidgen > /etc/machine-id && ln -sf /var/lib/dbus/machine-id /etc/machine-id
+RUN <<-EOF
+	dbus-uuidgen > /etc/machine-id
+	ln -sf /etc/machine-id /var/lib/dbus/machine-id
+EOF
+
+# Make sesman read environment variables
+RUN <<-EOF
+	printf '%s\n' 'session required pam_env.so readenv=1' >> /etc/pam.d/xrdp-sesman
+EOF
+
+# Remove default user and group
+RUN <<-EOF
+	if id -u "${UNPRIVILEGED_USER_UID:?}" >/dev/null 2>&1; then userdel -f "$(id -nu "${UNPRIVILEGED_USER_UID:?}")"; fi
+	if id -g "${UNPRIVILEGED_USER_GID:?}" >/dev/null 2>&1; then groupdel "$(id -nu "${UNPRIVILEGED_USER_GID:?}")"; fi
+EOF
+
+# Create symlinks for xrdp RSA keys and TLS certificates
+RUN <<-EOF
+	ln -svf "${XRDP_RSAKEYS_PATH:?}" /opt/xrdp/etc/xrdp/rsakeys.ini
+	ln -svf "${XRDP_TLS_KEY_PATH:?}" /opt/xrdp/etc/xrdp/key.pem
+	ln -svf "${XRDP_TLS_CRT_PATH:?}" /opt/xrdp/etc/xrdp/cert.pem
+EOF
 
 # Forward logs to Docker log collector
-RUN ln -sf /dev/stdout /var/log/xdummy.log
-RUN ln -sf /dev/stdout /var/log/xrdp.log
-RUN ln -sf /dev/stdout /var/log/xrdp-sesman.log
+RUN <<-EOF
+	ln -svf /dev/stdout /var/log/xorg-headless.log
+	ln -svf /dev/stdout /var/log/xrdp.log
+	ln -svf /dev/stdout /var/log/xrdp-sesman.log
+EOF
 
-# Create /etc/skel/.xsession file
-RUN printf '%s\n' 'xfce4-session' \
-		>> /etc/skel/.xsession
+# Copy and enable services
+COPY --chown=root:root ./scripts/service/ /etc/sv/
+RUN <<-EOF
+	find /etc/sv/ -type d -not -perm 0755 -exec chmod 0755 '{}' ';'
+	find /etc/sv/ -type f -not -perm 0755 -exec chmod 0755 '{}' ';'
+	ln -sv /etc/sv/dbus-daemon "${SVDIR:?}"
+	ln -sv /etc/sv/sshd "${SVDIR:?}"
+	ln -sv /etc/sv/udevadm-trigger "${SVDIR:?}"
+	ln -sv /etc/sv/udevd "${SVDIR:?}"
+	ln -sv /etc/sv/xrdp "${SVDIR:?}"
+	ln -sv /etc/sv/xrdp-sesman "${SVDIR:?}"
+EOF
 
-# Create /etc/skel/.xsessionrc file
-RUN printf '%s\n' \
-		'export XDG_CACHE_HOME=${HOME}/.cache' \
-		'export XDG_CONFIG_DIRS=/etc/xdg/xdg-xubuntu:/etc/xdg' \
-		'export XDG_CONFIG_HOME=${HOME}/.config' \
-		'export XDG_CURRENT_DESKTOP=XFCE' \
-		'export XDG_DATA_DIRS=/usr/share/xubuntu:/usr/share/xfce4:/usr/local/share:/usr/share' \
-		'export XDG_DATA_HOME=${HOME}/.local/share' \
-		'export XDG_MENU_PREFIX=xfce-' \
-		'export XDG_RUNTIME_DIR=/run/user/$(id -u)' \
-		'export XDG_SESSION_DESKTOP=xubuntu' \
-		>> /etc/skel/.xsessionrc
+# Copy SSH config
+COPY --chown=root:root ./config/ssh/ /etc/ssh/
+RUN <<-EOF
+	find /etc/ssh/sshd_config -type f -not -perm 0644 -exec chmod 0644 '{}' ';'
+EOF
 
-# Create /etc/skel/.Xauthority file
-RUN touch /etc/skel/.Xauthority
+# Copy X11 config
+COPY --chown=root:root ./config/X11/ /etc/X11/
+RUN <<-EOF
+	find /etc/X11/xorg.conf.d/ -type d -not -perm 0755 -exec chmod 0755 '{}' ';'
+	find /etc/X11/xorg.conf.d/ -type f -not -perm 0644 -exec chmod 0644 '{}' ';'
+EOF
 
-# Create /run/sshd directory
-RUN mkdir /run/sshd/
+# Copy xrdp config
+COPY --chown=root:root ./config/xrdp/ /opt/xrdp/etc/xrdp/
+RUN <<-EOF
+	find /opt/xrdp/etc/xrdp/ -type d -not -perm 0755 -exec chmod 0755 '{}' ';'
+	find /opt/xrdp/etc/xrdp/ -type f -not -perm 0644 -exec chmod 0644 '{}' ';'
+	find /opt/xrdp/etc/xrdp/ -type f -name '*.sh' -not -perm 0755 -exec chmod 0755 '{}' ';'
+EOF
 
-# Create socket directory for X server
-RUN mkdir /tmp/.X11-unix/ \
-	&& chmod 1777 /tmp/.X11-unix/ \
-	&& chown root:root /tmp/.X11-unix/
-
-# Configure server for use with VirtualGL
-RUN vglserver_config -config +s +f -t
-
-# Create guest user and group
-ARG GUEST_USER_UID=1000
-ARG GUEST_USER_GID=1000
-RUN groupadd --gid "${GUEST_USER_GID}" guest
-RUN useradd \
-		--uid "${GUEST_USER_UID}" \
-		--gid "${GUEST_USER_GID}" \
-		--shell "$(command -v bash)" \
-		--groups audio,video \
-		--home-dir /home/guest/ \
-		--create-home \
-		guest
-
-# Set guest user password
-ARG GUEST_USER_PASSWORD=guest
-RUN printf '%s' guest:"${GUEST_USER_PASSWORD}" | chpasswd
-
-# Create /run/user/${GUEST_USER_UID}/dbus-1/ directory
-RUN mkdir -p /run/user/"${GUEST_USER_UID}"/dbus-1/ \
-	&& chmod -R 700 /run/user/"${GUEST_USER_UID}"/ \
-	&& chown -R guest:guest /run/user/"${GUEST_USER_UID}"/
-
-# Copy config
-COPY --chown=root:root config/ssh/sshd_config /etc/ssh/sshd_config
-COPY --chown=root:root config/xrdp/xrdp.ini /etc/xrdp/xrdp.ini
-COPY --chown=root:root config/xrdp/sesman.ini /etc/xrdp/sesman.ini
-
-# Copy services
-COPY --chown=root:root scripts/service/ /etc/sv/
-RUN find /etc/sv/ -type d -mindepth 1 -maxdepth 1 -exec ln -sv '{}' /etc/service/ ';'
+# Copy PulseAudio config
+COPY --chown=root:root ./config/pulse/ /etc/pulse/
+RUN <<-EOF
+	find /etc/pulse/ -type d -not -perm 0755 -exec chmod 0755 '{}' ';'
+	find /etc/pulse/ -type f -not -perm 0644 -exec chmod 0644 '{}' ';'
+EOF
 
 # Copy scripts
-COPY --chown=root:root scripts/bin/ /usr/local/bin/
+COPY --chown=root:root ./scripts/bin/ /usr/local/bin/
+RUN <<-EOF
+	find /usr/local/bin/ -type d -not -perm 0755 -exec chmod 0755 '{}' ';'
+	find /usr/local/bin/ -type f -not -perm 0755 -exec chmod 0755 '{}' ';'
+EOF
 
-# Expose RDP port
+# SSH
+EXPOSE 3322/tcp
+# RDP
 EXPOSE 3389/tcp
 
-WORKDIR /
-ENTRYPOINT ["/usr/bin/tini", "--"]
-CMD ["/usr/local/bin/docker-foreground-cmd"]
+ENTRYPOINT ["/usr/bin/catatonit", "--", "/usr/local/bin/container-init"]

LICENSE.md

@@ -1,7 +1,7 @@
 The MIT License (MIT)
 =====================
 
-Copyright © 2019 Héctor Molinero Fernández
+Copyright © Héctor Molinero Fernández
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -1,37 +1,39 @@
 #!/usr/bin/make -f
 
 SHELL := /bin/sh
-.SHELLFLAGS := -eu -c
+.SHELLFLAGS := -euc
 
 DOCKER := $(shell command -v docker 2>/dev/null)
 GIT := $(shell command -v git 2>/dev/null)
 M4 := $(shell command -v m4 2>/dev/null)
 
 DISTDIR := ./dist
-VERSION_FILE = ./VERSION
 DOCKERFILE_TEMPLATE := ./Dockerfile.m4
 
-IMAGE_REGISTRY := docker.io
-IMAGE_NAMESPACE := hectormolinero
+IMAGE_REGISTRY := d.lilpenguins.com
+IMAGE_NAMESPACE := desktop
 IMAGE_PROJECT := xubuntu
 IMAGE_NAME := $(IMAGE_REGISTRY)/$(IMAGE_NAMESPACE)/$(IMAGE_PROJECT)
-
-IMAGE_VERSION := v0
-ifneq ($(wildcard $(VERSION_FILE)),)
-	IMAGE_VERSION := $(shell cat '$(VERSION_FILE)')
+ifeq ($(shell '$(GIT)' status --porcelain 2>/dev/null),)
+	IMAGE_GIT_TAG := $(shell '$(GIT)' tag --list --contains HEAD 2>/dev/null)
+	IMAGE_GIT_SHA := $(shell '$(GIT)' rev-parse --verify --short HEAD 2>/dev/null)
+	IMAGE_VERSION := $(if $(IMAGE_GIT_TAG),$(IMAGE_GIT_TAG),$(if $(IMAGE_GIT_SHA),$(IMAGE_GIT_SHA),nil))
+else
+	IMAGE_GIT_BRANCH := $(shell '$(GIT)' symbolic-ref --short HEAD 2>/dev/null)
+	IMAGE_VERSION := $(if $(IMAGE_GIT_BRANCH),$(IMAGE_GIT_BRANCH)-dirty,nil)
 endif
 
+IMAGE_BUILD_OPTS :=
+
 IMAGE_NATIVE_DOCKERFILE := $(DISTDIR)/Dockerfile
-IMAGE_NATIVE_TARBALL := $(DISTDIR)/$(IMAGE_PROJECT).txz
-
+IMAGE_NATIVE_TARBALL := $(DISTDIR)/$(IMAGE_PROJECT).tzst
 IMAGE_AMD64_DOCKERFILE := $(DISTDIR)/Dockerfile.amd64
-IMAGE_AMD64_TARBALL := $(DISTDIR)/$(IMAGE_PROJECT).amd64.txz
-
-IMAGE_ARM32V7_DOCKERFILE := $(DISTDIR)/Dockerfile.arm32v7
-IMAGE_ARM32V7_TARBALL := $(DISTDIR)/$(IMAGE_PROJECT).arm32v7.txz
-
+IMAGE_AMD64_TARBALL := $(DISTDIR)/$(IMAGE_PROJECT).amd64.tzst
 IMAGE_ARM64V8_DOCKERFILE := $(DISTDIR)/Dockerfile.arm64v8
-IMAGE_ARM64V8_TARBALL := $(DISTDIR)/$(IMAGE_PROJECT).arm64v8.txz
+IMAGE_ARM64V8_TARBALL := $(DISTDIR)/$(IMAGE_PROJECT).arm64v8.tzst
+
+export DOCKER_BUILDKIT := 1
+export BUILDKIT_PROGRESS := plain
 
 ##################################################
 ## "all" target
@@ -51,15 +53,17 @@ $(IMAGE_NATIVE_DOCKERFILE): $(DOCKERFILE_TEMPLATE)
 	mkdir -p '$(DISTDIR)'
 	'$(M4)' \
 		--prefix-builtins \
-		-D ENABLE_32BIT=1 \
-		'$(DOCKERFILE_TEMPLATE)' | cat --squeeze-blank > '$@'
-	'$(DOCKER)' build \
+		--define=ENABLE_AMD_SUPPORT=1 \
+		--define=ENABLE_INTEL_SUPPORT=1 \
+		--define=ENABLE_NVIDIA_SUPPORT=1 \
+		'$(DOCKERFILE_TEMPLATE)' > '$@'
+	'$(DOCKER)' build $(IMAGE_BUILD_OPTS) \
 		--tag '$(IMAGE_NAME):$(IMAGE_VERSION)' \
 		--tag '$(IMAGE_NAME):latest' \
 		--file '$@' ./
 
 .PHONY: build-cross-images
-build-cross-images: build-amd64-image build-arm32v7-image build-arm64v8-image
+build-cross-images: build-amd64-image build-arm64v8-image
 
 .PHONY: build-amd64-image
 build-amd64-image: $(IMAGE_AMD64_DOCKERFILE)
@@ -68,28 +72,15 @@ $(IMAGE_AMD64_DOCKERFILE): $(DOCKERFILE_TEMPLATE)
 	mkdir -p '$(DISTDIR)'
 	'$(M4)' \
 		--prefix-builtins \
-		-D CROSS_ARCH=amd64 \
-		-D CROSS_QEMU=/usr/bin/qemu-x86_64-static \
-		-D ENABLE_32BIT=1 \
-		'$(DOCKERFILE_TEMPLATE)' | cat --squeeze-blank > '$@'
-	'$(DOCKER)' build \
+		--define=CROSS_ARCH=amd64 \
+		--define=ENABLE_AMD_SUPPORT=1 \
+		--define=ENABLE_INTEL_SUPPORT=1 \
+		--define=ENABLE_NVIDIA_SUPPORT=1 \
+		'$(DOCKERFILE_TEMPLATE)' > '$@'
+	'$(DOCKER)' build $(IMAGE_BUILD_OPTS) \
 		--tag '$(IMAGE_NAME):$(IMAGE_VERSION)-amd64' \
 		--tag '$(IMAGE_NAME):latest-amd64' \
-		--file '$@' ./
-
-.PHONY: build-arm32v7-image
-build-arm32v7-image: $(IMAGE_ARM32V7_DOCKERFILE)
-
-$(IMAGE_ARM32V7_DOCKERFILE): $(DOCKERFILE_TEMPLATE)
-	mkdir -p '$(DISTDIR)'
-	'$(M4)' \
-		--prefix-builtins \
-		-D CROSS_ARCH=arm32v7 \
-		-D CROSS_QEMU=/usr/bin/qemu-arm-static \
-		'$(DOCKERFILE_TEMPLATE)' | cat --squeeze-blank > '$@'
-	'$(DOCKER)' build \
-		--tag '$(IMAGE_NAME):$(IMAGE_VERSION)-arm32v7' \
-		--tag '$(IMAGE_NAME):latest-arm32v7' \
+		--platform linux/amd64 \
 		--file '$@' ./
 
 .PHONY: build-arm64v8-image
@@ -99,12 +90,12 @@ $(IMAGE_ARM64V8_DOCKERFILE): $(DOCKERFILE_TEMPLATE)
 	mkdir -p '$(DISTDIR)'
 	'$(M4)' \
 		--prefix-builtins \
-		-D CROSS_ARCH=arm64v8 \
-		-D CROSS_QEMU=/usr/bin/qemu-aarch64-static \
-		'$(DOCKERFILE_TEMPLATE)' | cat --squeeze-blank > '$@'
-	'$(DOCKER)' build \
+		--define=CROSS_ARCH=arm64v8 \
+		'$(DOCKERFILE_TEMPLATE)' > '$@'
+	'$(DOCKER)' build $(IMAGE_BUILD_OPTS) \
 		--tag '$(IMAGE_NAME):$(IMAGE_VERSION)-arm64v8' \
 		--tag '$(IMAGE_NAME):latest-arm64v8' \
+		--platform linux/arm64/v8 \
 		--file '$@' ./
 
 ##################################################
@@ -112,7 +103,7 @@ $(IMAGE_ARM64V8_DOCKERFILE): $(DOCKERFILE_TEMPLATE)
 ##################################################
 
 define save_image
-	'$(DOCKER)' save '$(1)' | xz -T0 > '$(2)'
+	'$(DOCKER)' save '$(1)' | zstd -T0 > '$(2)'
 endef
 
 .PHONY: save-native-image
@@ -122,7 +113,7 @@ $(IMAGE_NATIVE_TARBALL): $(IMAGE_NATIVE_DOCKERFILE)
 	$(call save_image,$(IMAGE_NAME):$(IMAGE_VERSION),$@)
 
 .PHONY: save-cross-images
-save-cross-images: save-amd64-image save-arm32v7-image save-arm64v8-image
+save-cross-images: save-amd64-image save-arm64v8-image
 
 .PHONY: save-amd64-image
 save-amd64-image: $(IMAGE_AMD64_TARBALL)
@@ -130,12 +121,6 @@ save-amd64-image: $(IMAGE_AMD64_TARBALL)
 $(IMAGE_AMD64_TARBALL): $(IMAGE_AMD64_DOCKERFILE)
 	$(call save_image,$(IMAGE_NAME):$(IMAGE_VERSION)-amd64,$@)
 
-.PHONY: save-arm32v7-image
-save-arm32v7-image: $(IMAGE_ARM32V7_TARBALL)
-
-$(IMAGE_ARM32V7_TARBALL): $(IMAGE_ARM32V7_DOCKERFILE)
-	$(call save_image,$(IMAGE_NAME):$(IMAGE_VERSION)-arm32v7,$@)
-
 .PHONY: save-arm64v8-image
 save-arm64v8-image: $(IMAGE_ARM64V8_TARBALL)
 
@@ -147,7 +132,7 @@ $(IMAGE_ARM64V8_TARBALL): $(IMAGE_ARM64V8_DOCKERFILE)
 ##################################################
 
 define load_image
-	'$(DOCKER)' load -i '$(1)'
+	zstd -dc '$(1)' | '$(DOCKER)' load
 endef
 
 define tag_image
@@ -160,18 +145,13 @@ load-native-image:
 	$(call tag_image,$(IMAGE_NAME):$(IMAGE_VERSION),$(IMAGE_NAME):latest)
 
 .PHONY: load-cross-images
-load-cross-images: load-amd64-image load-arm32v7-image load-arm64v8-image
+load-cross-images: load-amd64-image load-arm64v8-image
 
 .PHONY: load-amd64-image
 load-amd64-image:
 	$(call load_image,$(IMAGE_AMD64_TARBALL))
 	$(call tag_image,$(IMAGE_NAME):$(IMAGE_VERSION)-amd64,$(IMAGE_NAME):latest-amd64)
 
-.PHONY: load-arm32v7-image
-load-arm32v7-image:
-	$(call load_image,$(IMAGE_ARM32V7_TARBALL))
-	$(call tag_image,$(IMAGE_NAME):$(IMAGE_VERSION)-arm32v7,$(IMAGE_NAME):latest-arm32v7)
-
 .PHONY: load-arm64v8-image
 load-arm64v8-image:
 	$(call load_image,$(IMAGE_ARM64V8_TARBALL))
@@ -186,9 +166,8 @@ define push_image
 endef
 
 define push_cross_manifest
-	'$(DOCKER)' manifest create --amend '$(1)' '$(2)-amd64' '$(2)-arm32v7' '$(2)-arm64v8'
+	'$(DOCKER)' manifest create --amend '$(1)' '$(2)-amd64' '$(2)-arm64v8'
 	'$(DOCKER)' manifest annotate '$(1)' '$(2)-amd64' --os linux --arch amd64
-	'$(DOCKER)' manifest annotate '$(1)' '$(2)-arm32v7' --os linux --arch arm --variant v7
 	'$(DOCKER)' manifest annotate '$(1)' '$(2)-arm64v8' --os linux --arch arm64 --variant v8
 	'$(DOCKER)' manifest push --purge '$(1)'
 endef
@@ -198,18 +177,13 @@ push-native-image:
 	@printf '%s\n' 'Unimplemented'
 
 .PHONY: push-cross-images
-push-cross-images: push-amd64-image push-arm32v7-image push-arm64v8-image
+push-cross-images: push-amd64-image push-arm64v8-image
 
 .PHONY: push-amd64-image
 push-amd64-image:
 	$(call push_image,$(IMAGE_NAME):$(IMAGE_VERSION)-amd64)
 	$(call push_image,$(IMAGE_NAME):latest-amd64)
 
-.PHONY: push-arm32v7-image
-push-arm32v7-image:
-	$(call push_image,$(IMAGE_NAME):$(IMAGE_VERSION)-arm32v7)
-	$(call push_image,$(IMAGE_NAME):latest-arm32v7)
-
 .PHONY: push-arm64v8-image
 push-arm64v8-image:
 	$(call push_image,$(IMAGE_NAME):$(IMAGE_VERSION)-arm64v8)
@@ -225,11 +199,7 @@ push-cross-manifest:
 
 .PHONY: binfmt-register
 binfmt-register:
-	'$(DOCKER)' run --rm --privileged docker.io/multiarch/qemu-user-static:register
-
-.PHONY: binfmt-reset
-binfmt-reset:
-	'$(DOCKER)' run --rm --privileged docker.io/multiarch/qemu-user-static:register --reset
+	'$(DOCKER)' run --rm --privileged docker.io/hectorm/qemu-user-static:latest --reset --persistent yes --credential yes
 
 ##################################################
 ## "version" target
@@ -237,13 +207,13 @@ binfmt-reset:
 
 .PHONY: version
 version:
-	@if printf -- '%s' '$(IMAGE_VERSION)' | grep -q '^v[0-9]\{1,\}$$'; then \
-		NEW_IMAGE_VERSION=$$(awk -v 'v=$(IMAGE_VERSION)' 'BEGIN {printf "v%.0f", substr(v,2)+1}'); \
-		printf -- '%s\n' "$${NEW_IMAGE_VERSION}" > '$(VERSION_FILE)'; \
-		'$(GIT)' add '$(VERSION_FILE)'; '$(GIT)' commit -m "$${NEW_IMAGE_VERSION}"; \
-		'$(GIT)' tag -a "$${NEW_IMAGE_VERSION}" -m "$${NEW_IMAGE_VERSION}"; \
+	@LATEST_IMAGE_VERSION=$$('$(GIT)' describe --abbrev=0 2>/dev/null || printf 'v0'); \
+	if printf '%s' "$${LATEST_IMAGE_VERSION:?}" | grep -q '^v[0-9]\{1,\}$$'; then \
+		NEW_IMAGE_VERSION=$$(awk -v v="$${LATEST_IMAGE_VERSION:?}" 'BEGIN {printf("v%.0f", substr(v,2)+1)}'); \
+		'$(GIT)' commit --allow-empty -m "$${NEW_IMAGE_VERSION:?}"; \
+		'$(GIT)' tag -a "$${NEW_IMAGE_VERSION:?}" -m "$${NEW_IMAGE_VERSION:?}"; \
 	else \
-		>&2 printf -- 'Malformed version string: %s\n' '$(IMAGE_VERSION)'; \
+		>&2 printf 'Malformed version string: %s\n' "$${LATEST_IMAGE_VERSION:?}"; \
 		exit 1; \
 	fi
 
@@ -253,6 +223,6 @@ version:
 
 .PHONY: clean
 clean:
-	rm -f '$(IMAGE_NATIVE_DOCKERFILE)' '$(IMAGE_AMD64_DOCKERFILE)' '$(IMAGE_ARM32V7_DOCKERFILE)' '$(IMAGE_ARM64V8_DOCKERFILE)'
-	rm -f '$(IMAGE_NATIVE_TARBALL)' '$(IMAGE_AMD64_TARBALL)' '$(IMAGE_ARM32V7_TARBALL)' '$(IMAGE_ARM64V8_TARBALL)'
+	rm -f '$(IMAGE_NATIVE_DOCKERFILE)' '$(IMAGE_AMD64_DOCKERFILE)' '$(IMAGE_ARM64V8_DOCKERFILE)'
+	rm -f '$(IMAGE_NATIVE_TARBALL)' '$(IMAGE_AMD64_TARBALL)' '$(IMAGE_ARM64V8_TARBALL)'
 	if [ -d '$(DISTDIR)' ] && [ -z "$$(ls -A '$(DISTDIR)')" ]; then rmdir '$(DISTDIR)'; fi

README.md

@@ -1,30 +1,56 @@
 # Xubuntu on Docker
 
-A Docker image based on Ubuntu 18.04 with Xfce desktop environment,
-[VirtualGL](https://github.com/VirtualGL/virtualgl),
-[XRDP](https://github.com/neutrinolabs/xrdp) and
-[XRDP PulseAudio module](https://github.com/neutrinolabs/pulseaudio-module-xrdp).
+A Docker image based on Ubuntu 24.04 with the Xfce desktop environment,
+[xrdp](https://github.com/neutrinolabs/xrdp),
+[xrdp PulseAudio module](https://github.com/neutrinolabs/pulseaudio-module-xrdp) and
+[VirtualGL](https://github.com/VirtualGL/virtualgl).
+
+![Preview](img/preview.png)
 
 ## Start an instance
 
+### Docker CLI
+
 ```sh
-docker run --detach \
+docker run \
   --name xubuntu \
+  --detach \
+  --shm-size 2g \
+  --publish 3322:3322/tcp \
   --publish 3389:3389/tcp \
-  hectormolinero/xubuntu:latest
+  --device /dev/dri:/dev/dri \
+  docker.io/hectorm/xubuntu:latest
 ```
 
-> You will be able to connect to the container via RDP through 3389/tcp port.
+### Docker Compose
 
-> **Important:** if you use the `--privileged` option the container will be able to use the GPU with
-VirtualGL, but this will conflict with the host X server.
+```yaml
+services:
+  xubuntu:
+    image: 'docker.io/hectorm/xubuntu:latest'
+    shm_size: '2gb'
+    ports:
+      - '3322:3322/tcp'
+      - '3389:3389/tcp'
+    devices:
+      - '/dev/dri:/dev/dri'
+```
+
+> You will be able to connect to the container via SSH through 3322/TCP port and RDP through 3389/TCP port.
 
 > **Important:** some software (like Firefox) need the shared memory to be increased, if you
 encounter any problem related to this you may use the `--shm-size` option.
 
 ## Environment variables
 
-* `GUEST_USER_PASSWORD`: guest user password (`guest` by default).
+* `UNPRIVILEGED_USER_UID`: unprivileged user UID (`1000` by default).
+* `UNPRIVILEGED_USER_GID`: unprivileged user GID (`1000` by default).
+* `UNPRIVILEGED_USER_NAME`: unprivileged user name (`user` by default).
+* `UNPRIVILEGED_USER_PASSWORD`: unprivileged user password (`password` by default).
+* `UNPRIVILEGED_USER_GROUPS`: comma-separated list of additional GIDs for the unprivileged user (none by default).
+* `UNPRIVILEGED_USER_SHELL`: unprivileged user shell (`/bin/bash` by default).
+* `SERVICE_XRDP_BOOTSTRAP_ENABLED`: enable xrdp bootstrap service, initialises user session on startup (`false` by default).
+* `SERVICE_XORG_HEADLESS_ENABLED`: enable headless X server service (`false` by default).
 
 ## License
 

VERSION

@@ -1 +0,0 @@
-v1

config/X11/Xsession.d/60virtualgl

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ -z "${VGL_DISPLAY-}" ]; then
+	# Try to use the EGL backend
+	for card in /dev/dri/card*; do
+		if /opt/VirtualGL/bin/eglinfo -B "${card:?}" 2>/dev/null; then
+			export VGL_DISPLAY="${card:?}"
+			break
+		fi
+	done
+	# And fallback to DISPLAY if the EGL backend is not available
+	if [ -z "${VGL_DISPLAY-}" ] && [ -n "${DISPLAY-}" ]; then
+		export VGL_DISPLAY="${DISPLAY:?}"
+	fi
+fi

config/X11/Xsession.d/60xdg

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# shellcheck disable=SC2034
+{
+	set -a
+	XDG_DATA_DIRS=/usr/share/xubuntu:/usr/share/xfce4:/usr/local/share:/usr/share
+	XDG_CONFIG_DIRS=/etc/xdg/xdg-xubuntu:/etc/xdg
+	XDG_CURRENT_DESKTOP=XFCE
+	XDG_SESSION_DESKTOP=xubuntu
+	XDG_SESSION_TYPE=x11
+	XDG_MENU_PREFIX=xfce-
+	XDG_DATA_HOME="${HOME:?}"/.local/share
+	XDG_CONFIG_HOME="${HOME:?}"/.config
+	XDG_CACHE_HOME="${HOME:?}"/.cache
+	XDG_RUNTIME_DIR=/run/user/"$(id -u)"
+	set +a
+}

config/X11/xorg.conf.d/10-headless.conf

@@ -0,0 +1,50 @@
+Section "Module"
+	Disable "glx"
+EndSection
+
+Section "ServerFlags"
+	Option "DefaultServerLayout" "ServerLayout0"
+	Option "DontVTSwitch" "on"
+	Option "PciForceNone" "on"
+	Option "AutoAddDevices" "off"
+	Option "AutoAddGPU" "off"
+EndSection
+
+Section "ServerLayout"
+	Identifier "ServerLayout0"
+	Screen "Screen0"
+	InputDevice "Keyboard0"
+	InputDevice "Mouse0"
+EndSection
+
+Section "Screen"
+	Identifier "Screen0"
+	Monitor "Monitor0"
+	Device "Device0"
+	SubSection "Display"
+		Modes "800x600"
+	EndSubSection
+EndSection
+
+Section "Monitor"
+	Identifier "Monitor0"
+	VendorName "Unknown"
+	ModelName "Unknown"
+EndSection
+
+Section "Device"
+	Identifier "Device0"
+	Driver "dummy"
+EndSection
+
+Section "InputDevice"
+	Identifier "Keyboard0"
+	Driver "void"
+	Option "CoreKeyboard" "true"
+EndSection
+
+Section "InputDevice"
+	Identifier "Mouse0"
+	Driver "void"
+	Option "CorePointer" "true"
+EndSection

config/X11/xorg.conf.d/10-xrdp.conf

@@ -0,0 +1,4 @@
+Section "Files"
+	ModulePath "/usr/lib/xorg/modules"
+	ModulePath "/opt/xrdp/lib/xorg/modules"
+EndSection

config/apt/preferences.d/firefox.pref

@@ -0,0 +1,3 @@
+Package: firefox
+Pin: release n=mozilla
+Pin-Priority: 1000

config/apt/preferences.d/nosnap.pref

@@ -0,0 +1,3 @@
+Package: snapd
+Pin: release a=*
+Pin-Priority: -10

config/pulse/client.conf

@@ -0,0 +1 @@
+autospawn=yes

config/ssh/sshd_config

@@ -1,29 +1,29 @@
-Protocol 2
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostKey /etc/ssh/ssh_host_rsa_key
-
-Port 3322
-ListenAddress 0.0.0.0
-
-StrictModes yes
-
-UsePAM yes
-PermitRootLogin no
-PubkeyAuthentication yes
-PasswordAuthentication yes
-PermitEmptyPasswords no
+Protocol                        2
+HostKey                         /etc/ssh/ssh_host_ed25519_key
+HostKey                         /etc/ssh/ssh_host_rsa_key
+ListenAddress                   0.0.0.0
+ListenAddress                   ::0
+Port                            3322
+UseDNS                          no
+UsePAM                          yes
+X11Forwarding                   yes
+X11UseLocalhost                 no
+X11DisplayOffset                100
+AllowTcpForwarding              yes
+AcceptEnv                       PULSE_SERVER
+PermitRootLogin                 no
+PermitEmptyPasswords            no
+PermitUserEnvironment           no
+PubkeyAuthentication            yes
+PasswordAuthentication          yes
 ChallengeResponseAuthentication no
-TCPKeepAlive yes
-LoginGraceTime 30
-ClientAliveInterval 300
-ClientAliveCountMax 1
-
-X11Forwarding yes
-X11DisplayOffset 10
-X11UseLocalhost no
-
-PrintMotd no
-PrintLastLog yes
-
-SyslogFacility AUTH
-LogLevel INFO
+GSSAPIAuthentication            no
+Subsystem                       sftp internal-sftp
+LoginGraceTime                  30
+TCPKeepAlive                    yes
+ClientAliveInterval             60
+ClientAliveCountMax             5
+PrintMotd                       no
+PrintLastLog                    no
+SyslogFacility                  AUTH
+LogLevel                        INFO

config/xrdp/sesman.ini

@@ -1,6 +1,4 @@
 [Globals]
-ListenAddress=127.0.0.1
-ListenPort=3350
 EnableUserWindowManager=true
 UserWindowManager=startwm.sh
 DefaultWindowManager=startwm.sh
@@ -14,27 +12,48 @@ AlwaysGroupCheck=false
 [Sessions]
 X11DisplayOffset=10
 MaxSessions=10
-KillDisconnected=true
-DisconnectedTimeLimit=120
+KillDisconnected=false
+DisconnectedTimeLimit=0
 IdleTimeLimit=0
 Policy=Default
 
 [Logging]
 LogFile=/var/log/xrdp-sesman.log
 LogLevel=INFO
-EnableSyslog=0
+EnableSyslog=false
 SyslogLevel=INFO
 
 [Xorg]
 param=/usr/lib/xorg/Xorg
 param=-config
-param=xrdp/xorg.conf
+param=/opt/xrdp/etc/X11/xrdp/xorg.conf
 param=-noreset
 param=-nolisten
 param=tcp
 
+[Xvnc]
+param=/opt/TurboVNC/bin/Xvnc
+param=-bs
+param=-nolisten
+param=tcp
+param=-localhost
+param=-dpi
+param=96
+param=-deferupdate
+param=1
+
 [Chansrv]
+EnableFuseMount=true
 FuseMountName=.thinclient_drives
+FileUmask=077
+
+[ChansrvLogging]
+LogLevel=INFO
+EnableSyslog=false
+SyslogLevel=INFO
+EnableConsole=true
+ConsoleLevel=INFO
 
 [SessionVariables]
-PULSE_SCRIPT=/etc/xrdp/pulse/default.pa
+PULSE_SCRIPT=/opt/xrdp/etc/xrdp/pulse/default.pa
+PULSE_DLPATH=/opt/xrdp/lib/pulse/modules:/usr/lib/pulse-16.1+dfsg1/modules

config/xrdp/xrdp.ini

@@ -1,17 +1,17 @@
 [Globals]
 ini_version=1
 fork=true
-address=0.0.0.0
 port=3389
 use_vsock=false
-tcp_nodelay=true
+tcp_nodelay=false
 tcp_keepalive=true
 security_layer=tls
+crypt_level=high
 key_file=/etc/xrdp/key.pem
 certificate=/etc/xrdp/cert.pem
 ssl_protocols=TLSv1.2, TLSv1.3
 tls_ciphers=HIGH
-autorun=XorgOther
+autorun=
 allow_channels=true
 allow_multimon=true
 bitmap_cache=true
@@ -58,20 +58,19 @@ rail=true
 xrdpvr=true
 tcutils=true
 
-[XorgGuest]
-name=Guest
-lib=libxup.so
-username=guest
-password=ask
-ip=127.0.0.1
-port=-1
-code=20
-
-[XorgOther]
-name=Other
+[Xorg]
+name=Xorg
 lib=libxup.so
 username=ask
 password=ask
 ip=127.0.0.1
 port=-1
 code=20
+
+[Xvnc]
+name=Xvnc
+lib=libvnc.so
+username=ask
+password=ask
+ip=127.0.0.1
+port=-1

run.sh

@@ -3,42 +3,54 @@
 set -eu
 export LC_ALL=C
 
-IMAGE_NAMESPACE=hectormolinero
+DOCKER=$(command -v docker 2>/dev/null)
+
+IMAGE_REGISTRY=docker.io
+IMAGE_NAMESPACE=hectorm
 IMAGE_PROJECT=xubuntu
 IMAGE_TAG=latest
-IMAGE_NAME=${IMAGE_NAMESPACE}/${IMAGE_PROJECT}:${IMAGE_TAG}
-CONTAINER_NAME=${IMAGE_PROJECT}
+IMAGE_NAME=${IMAGE_REGISTRY:?}/${IMAGE_NAMESPACE:?}/${IMAGE_PROJECT:?}:${IMAGE_TAG:?}
+CONTAINER_NAME=${IMAGE_PROJECT:?}
 
-imageExists() { [ -n "$(docker images -q "$1")" ]; }
-containerExists() { docker ps -aqf name="$1" --format '{{.Names}}' | grep -Fxq "$1"; }
-containerIsRunning() { docker ps -qf name="$1" --format '{{.Names}}' | grep -Fxq "$1"; }
+imageExists() { [ -n "$("${DOCKER:?}" images -q "${1:?}")" ]; }
+containerExists() { "${DOCKER:?}" ps -af name="${1:?}" --format '{{.Names}}' | grep -Fxq "${1:?}"; }
+containerIsRunning() { "${DOCKER:?}" ps -f name="${1:?}" --format '{{.Names}}' | grep -Fxq "${1:?}"; }
 
-if ! imageExists "${IMAGE_NAME}"; then
-	>&2 printf -- '%s\n' "\"${IMAGE_NAME}\" image doesn't exist!"
+if ! imageExists "${IMAGE_NAME:?}" && ! imageExists "${IMAGE_NAME#docker.io/}"; then
+	>&2 printf '%s\n' "\"${IMAGE_NAME:?}\" image doesn't exist!"
 	exit 1
 fi
 
-if containerIsRunning "${CONTAINER_NAME}"; then
-	printf -- '%s\n' "Stopping \"${CONTAINER_NAME}\" container..."
-	docker stop "${CONTAINER_NAME}" >/dev/null
+if containerIsRunning "${CONTAINER_NAME:?}"; then
+	printf '%s\n' "Stopping \"${CONTAINER_NAME:?}\" container..."
+	"${DOCKER:?}" stop "${CONTAINER_NAME:?}" >/dev/null
 fi
 
-if containerExists "${CONTAINER_NAME}"; then
-	printf -- '%s\n' "Removing \"${CONTAINER_NAME}\" container..."
-	docker rm "${CONTAINER_NAME}" >/dev/null
+if containerExists "${CONTAINER_NAME:?}"; then
+	printf '%s\n' "Removing \"${CONTAINER_NAME:?}\" container..."
+	"${DOCKER:?}" rm "${CONTAINER_NAME:?}" >/dev/null
 fi
 
-printf -- '%s\n' "Creating \"${CONTAINER_NAME}\" container..."
-docker run --detach \
-	--name "${CONTAINER_NAME}" \
-	--hostname "${CONTAINER_NAME}" \
-	--restart on-failure:3 \
-	--log-opt max-size=32m \
-	--publish 0.0.0.0:3322:3322/tcp \
-	--publish 0.0.0.0:3389:3389/tcp \
-	--privileged \
+CONTAINER_DEVICES=$(find /dev/ -mindepth 1 -maxdepth 1 \
+	'(' -name 'dri' -or -name 'vga_arbiter' -or -name 'nvidia*' -or -name 'nvhost*' -or -name 'nvmap' ')' \
+	-exec printf '--device %s:%s\n' '{}' '{}' ';' \
+)
+
+printf '%s\n' "Creating \"${CONTAINER_NAME:?}\" container..."
+# shellcheck disable=SC2086
+"${DOCKER:?}" run \
+	--name "${CONTAINER_NAME:?}" \
+	--hostname "${CONTAINER_NAME:?}" \
+	--detach \
 	--shm-size 2g \
-	"${IMAGE_NAME}" "$@" >/dev/null
+	--publish 3322:3322/tcp \
+	--publish 3389:3389/tcp \
+	--mount type=tmpfs,dst=/etc/xrdp/ \
+	--mount type=tmpfs,dst=/home/ \
+	--mount type=tmpfs,dst=/tmp/ \
+	--mount type=tmpfs,dst=/run/ \
+	${CONTAINER_DEVICES?} \
+	"${IMAGE_NAME:?}" "$@" >/dev/null
 
-printf -- '%s\n\n' 'Done!'
-exec docker logs -f "${CONTAINER_NAME}"
+printf '%s\n\n' 'Done!'
+exec "${DOCKER:?}" logs -f "${CONTAINER_NAME:?}"

scripts/bin/container-init

@@ -0,0 +1,125 @@
+#!/bin/sh
+
+set -eu
+
+# Remove leftover files
+find /tmp/ /run/ -mindepth 1 -delete ||:
+
+# Add GPU devices groups to additional groups
+for dev in /dev/dri/*; do
+	[ -c "${dev:?}" ] || continue
+	gid=$(stat -c '%g' "${dev:?}")
+	uug=${UNPRIVILEGED_USER_GROUPS?}
+	UNPRIVILEGED_USER_GROUPS="${uug:+${uug:?},}${gid:?}"
+done
+
+# Create additional groups
+_IFS=${IFS}; IFS=,
+for gid in ${UNPRIVILEGED_USER_GROUPS?}; do
+	if ! getent group "${gid:?}" >/dev/null 2>&1; then
+		groupadd --gid "${gid:?}" "g_${gid:?}"
+	fi
+done
+IFS=$_IFS
+
+# Create unprivileged user and group
+if ! getent group "${UNPRIVILEGED_USER_GID:?}" >/dev/null 2>&1; then
+	groupadd --gid "${UNPRIVILEGED_USER_GID:?}" "${UNPRIVILEGED_USER_NAME:?}"
+fi
+if ! getent passwd "${UNPRIVILEGED_USER_UID:?}" >/dev/null 2>&1; then
+	useradd \
+		--uid "${UNPRIVILEGED_USER_UID:?}" \
+		--gid "${UNPRIVILEGED_USER_GID:?}" \
+		--groups "${UNPRIVILEGED_USER_GROUPS?}" \
+		--shell "${UNPRIVILEGED_USER_SHELL:?}" \
+		--home-dir "${UNPRIVILEGED_USER_HOME:?}" \
+		--create-home \
+		"${UNPRIVILEGED_USER_NAME:?}"
+fi
+
+# Set unprivileged user password
+if [ -n "${UNPRIVILEGED_USER_PASSWORD?}" ]; then
+	printf '%s' "${UNPRIVILEGED_USER_NAME:?}:${UNPRIVILEGED_USER_PASSWORD:?}" | chpasswd
+else
+	passwd -d "${UNPRIVILEGED_USER_NAME:?}"
+fi
+
+if [ -w "${UNPRIVILEGED_USER_HOME:?}" ]; then
+	# Copy /etc/skel/ to unprivileged user home if certain files do not exist
+	if [ ! -e "${UNPRIVILEGED_USER_HOME:?}"/.profile ]; then
+		cp -aT /etc/skel/ "${UNPRIVILEGED_USER_HOME:?}" ||:
+		find /etc/skel/ -mindepth 1 -exec sh -c 'chown "$1:" "$2/${3#/etc/skel/}"' _ "${UNPRIVILEGED_USER_NAME:?}" "${UNPRIVILEGED_USER_HOME:?}" '{}' ';'
+	fi
+
+	# Set unprivileged user home permissions
+	if [ "$(stat -c '%u' "${UNPRIVILEGED_USER_HOME:?}")" != "${UNPRIVILEGED_USER_UID:?}" ]; then
+		chown "${UNPRIVILEGED_USER_NAME:?}:" "${UNPRIVILEGED_USER_HOME:?}"
+	fi
+	if [ "$(stat -c '%a' "${UNPRIVILEGED_USER_HOME:?}")" != '750' ]; then
+		chmod 750 "${UNPRIVILEGED_USER_HOME:?}"
+	fi
+fi
+
+# Create /run/user/${UNPRIVILEGED_USER_UID}/ directory if it does not exist
+if [ ! -d /run/user/"${UNPRIVILEGED_USER_UID:?}"/ ]; then
+	mkdir -p /run/user/"${UNPRIVILEGED_USER_UID:?}"/
+	chmod 700 /run/user/"${UNPRIVILEGED_USER_UID:?}"/
+	chown "${UNPRIVILEGED_USER_NAME:?}:" /run/user/"${UNPRIVILEGED_USER_UID:?}"/
+fi
+
+# Disable glx module if /dev/dri/ does not exist
+if [ ! -d /dev/dri/ ]; then
+	printf '%s\n' '"/dev/dri/" does not exist, glx module will be disabled' 1>&2
+	sed -i 's|Load \("glx"\)|Disable \1|g' /opt/xrdp/etc/X11/xrdp/xorg.conf
+fi
+
+# Enable xrdp bootstrap service
+if [ "${SERVICE_XRDP_BOOTSTRAP_ENABLED:?}" = 'true' ] && [ ! -L "${SVDIR:?}"/xrdp-bootstrap ]; then
+	ln -s /etc/sv/xrdp-bootstrap "${SVDIR:?}"
+fi
+
+# Enable headless X server service
+if [ "${SERVICE_XORG_HEADLESS_ENABLED:?}" = 'true' ] && [ ! -L "${SVDIR:?}"/xorg-headless ]; then
+	ln -s /etc/sv/xorg-headless "${SVDIR:?}"
+fi
+
+# Generate SSH keys if they do not exist
+if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+	ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' >/dev/null
+fi
+if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+	ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' >/dev/null
+fi
+
+# Generate xrdp RSA keys if they do not exist
+if [ ! -f "${XRDP_RSAKEYS_PATH:?}" ]; then
+	mkdir -p "$(dirname "${XRDP_RSAKEYS_PATH:?}")"
+	(umask 077 \
+		&& xrdp-keygen xrdp "${XRDP_RSAKEYS_PATH:?}" \
+	) >/dev/null
+fi
+
+# Generate RDP certificate if it does not exist
+if [ ! -f "${XRDP_TLS_KEY_PATH:?}" ] || [ ! -f "${XRDP_TLS_CRT_PATH:?}" ]; then
+	FQDN=$(hostname --fqdn)
+
+	mkdir -p "$(dirname "${XRDP_TLS_KEY_PATH:?}")"
+	(umask 077 \
+		&& openssl ecparam -genkey -name prime256v1 > "${XRDP_TLS_KEY_PATH:?}" \
+	) >/dev/null
+
+	mkdir -p "$(dirname "${XRDP_TLS_CRT_PATH:?}")"
+	(umask 022 \
+		&& openssl req -x509 -sha256 -days 3650 -subj "/CN=${FQDN:?}" -addext "subjectAltName=DNS:${FQDN:?}" -key "${XRDP_TLS_KEY_PATH:?}" > "${XRDP_TLS_CRT_PATH:?}" \
+	) >/dev/null
+fi
+
+# Print RDP certificate fingerprint
+openssl x509 -in "${XRDP_TLS_CRT_PATH:?}" -noout -fingerprint -sha1
+openssl x509 -in "${XRDP_TLS_CRT_PATH:?}" -noout -fingerprint -sha256
+
+# Dump environment variables
+env | grep -Ev '^(PWD|OLDPWD|HOME|USER|SHELL|TERM|([^=]*(PASSWORD|SECRET)[^=]*))=' | sort > /etc/environment
+
+# Start runit
+exec runsvdir -P "${SVDIR:?}"

scripts/bin/docker-foreground-cmd

@@ -1,37 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-# Disable xdummy if there is no graphics card
-if [ ! -d /dev/dri/ ]; then
-	unlink /etc/service/xdummy
-fi
-
-# Update guest user password
-if [ -n "${GUEST_USER_PASSWORD-}" ]; then
-	printf '%s' "guest:${GUEST_USER_PASSWORD}" | chpasswd
-	unset GUEST_USER_PASSWORD
-fi
-
-# Dump environment variables
-export-env >> /etc/profile.d/env.sh
-
-# Generate self-signed certificate
-if [ ! -f "${RDP_TLS_KEY_PATH}" ] || [ ! -f "${RDP_TLS_CERT_PATH}" ]; then
-	KEY_FILE=${RDP_TLS_KEY_PATH}
-	CRT_FILE=${RDP_TLS_CERT_PATH}
-	CSR_FILE=$(mktemp -u)
-
-	(umask 077 \
-		&& openssl genrsa -out "${KEY_FILE}" 2048 \
-	) >/dev/null
-
-	(umask 022 \
-		&& openssl req -new -subj "/CN=$(uname -n)" -key "${KEY_FILE}" -out "${CSR_FILE}" \
-		&& openssl x509 -req -days 3650 -signkey "${KEY_FILE}" -in "${CSR_FILE}" -out "${CRT_FILE}" \
-		&& rm -f "${CSR_FILE}" \
-	) >/dev/null
-fi
-
-# Start all services
-exec runsvdir -P /etc/service/

scripts/bin/export-env

@@ -1,12 +0,0 @@
-#!/usr/bin/awk -f
-
-BEGIN {
-	for (v in ENVIRON) {
-		if (v !~ /^(HOME|PWD|SHELL|USER|GROUP|UID|GID)$/) {
-			gsub(/[^0-9A-Za-z]/, "_", v)
-			gsub(/\n/, " ", ENVIRON[v])
-			gsub(/'/, "'\\''", ENVIRON[v])
-			print "export '"v"="ENVIRON[v]"'"
-		}
-	}
-}

scripts/service/dbus-daemon/run

@@ -1,3 +1,10 @@
 #!/bin/sh
 
-exec /usr/bin/sudo -u messagebus /usr/bin/dbus-daemon --system --nofork
+set -eu
+
+if [ ! -d /run/dbus/ ]; then
+	install -m 755 -o messagebus -g messagebus -d /run/dbus/
+fi
+
+exec 2>&1
+exec chpst -u messagebus dbus-daemon --system --nofork --nopidfile

scripts/service/sshd/run

@@ -1,3 +1,10 @@
 #!/bin/sh
 
+set -eu
+
+if [ ! -d /run/sshd/ ]; then
+	install -m 755 -o root -g root -d /run/sshd/
+fi
+
+exec 2>&1
 exec /usr/sbin/sshd -D

scripts/service/udevadm-trigger/run

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -eu
+
+sv start udevd >/dev/null
+
+exec 2>&1
+udevadm trigger ||:
+exec chpst -b udevadm-trigger perl -MPOSIX -e 'pause()'

scripts/service/udevd/run

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -eu
+
+if [ ! -d /run/udev/ ]; then
+	install -m 755 -o root -g root -d /run/udev/
+fi
+
+exec 2>&1
+exec /lib/systemd/systemd-udevd

scripts/service/xdummy/run

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-exec /usr/bin/Xorg \
-		-noreset -nolisten tcp \
-		+extension GLX +extension RANDR +extension RENDER \
-		-logfile /var/log/xdummy.log \
-		:0

scripts/service/xorg-headless/run

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eu
+
+exec 2>&1
+exec /usr/lib/xorg/Xorg -noreset -nolisten tcp -logfile /var/log/xorg-headless.log :0.0

scripts/service/xrdp-bootstrap/run

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -eu
+
+sv start xrdp >/dev/null
+sv start xrdp-sesman >/dev/null
+
+exec 2>&1
+xrdp-sesrun -p "${UNPRIVILEGED_USER_PASSWORD?}" "${UNPRIVILEGED_USER_NAME:?}"
+exec chpst -b xrdp-bootstrap perl -MPOSIX -e 'pause()'

scripts/service/xrdp-sesman/run

@@ -1,3 +1,6 @@
 #!/bin/sh
 
-exec /usr/sbin/xrdp-sesman --nodaemon
+set -eu
+
+exec 2>&1
+exec xrdp-sesman --config /opt/xrdp/etc/xrdp/sesman.ini --nodaemon

scripts/service/xrdp/run

@@ -1,3 +1,6 @@
 #!/bin/sh
 
-exec /usr/sbin/xrdp --nodaemon
+set -eu
+
+exec 2>&1
+exec xrdp --config /opt/xrdp/etc/xrdp/xrdp.ini --nodaemon

wlfreerdp.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -eu
+export LC_ALL=C
+
+RDP_HOST=127.0.0.1
+RDP_PORT=3389
+RDP_DOMAIN=Xorg
+RDP_USER=user
+RDP_PASSWORD=password
+
+exec wlfreerdp3 \
+	/v:"${RDP_HOST:?}":"${RDP_PORT:?}" \
+	/u:"${RDP_DOMAIN:?}"\\"${RDP_USER:?}" /p:"${RDP_PASSWORD:?}" \
+	/log-level:INFO /cert:ignore \
+	/gfx:AVC444v2 /bpp:32 /dynamic-resolution \
+	/audio-mode:0 /sound:sys:pulse,rate:44100 \
+	/microphone:sys:pulse,rate:44100 \
+	+clipboard +home-drive \
+	-compression -encryption

xfreerdp.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -eu
+export LC_ALL=C
+
+RDP_HOST=127.0.0.1
+RDP_PORT=3389
+RDP_DOMAIN=Xorg
+RDP_USER=user
+RDP_PASSWORD=password
+
+exec xfreerdp3 \
+	/v:"${RDP_HOST:?}":"${RDP_PORT:?}" \
+	/u:"${RDP_DOMAIN:?}"\\"${RDP_USER:?}" /p:"${RDP_PASSWORD:?}" \
+	/log-level:INFO /cert:ignore \
+	/gfx:AVC444v2 /bpp:32 /dynamic-resolution \
+	/audio-mode:0 /sound:sys:pulse,rate:44100 \
+	/microphone:sys:pulse,rate:44100 \
+	+clipboard +home-drive \
+	-compression -encryption