Completely tangential tip, but in the very-limited video editing I've done recently: I've used Davinci Resolve, rendered as .mov, and then used ffmpeg to render to my actual desired format. e.g. h264 w/ aac audio so I can upload to Youtube:
ffmpeg -i input.mov -c:v libopenh264 -profile:v high -c:a aac -pix_fmt yuv420p output.mp4
I do think that finding the right flags to pass to ffmpeg is a cursed art. Do I need to specify the video profile and the pix_fmt? I don't know; I thought I did when I adventured to collect these flags. Though maybe it's just a reflection of the video-codec horrors lurking within all video rendering pipelines.
edit: there may also be nvidia-accelerated encoders, like h264_nvenc, see
ffmpeg -codecs 2>/dev/null | grep -i 'h\.264'
I'm not sure if the profile:v and pix_fmt options apply to other encoders or just libopenh264.
I got interested, so I spent some time looking into what's going on here. I'm not intimately familiar with X11 or Wayland, but I figured out some stuff.
Why sudo ip netns exec protected sudo -u user -i doesn't work for X11 apps
Short answer: file permissions and abstract unix sockets (which I didn't know were a thing before now).
File permissions: when I start an X11 login session, the DISPLAY is :0 and /tmp/.X11-unix/ has only 1 file, X0. This file has 777 access. When I start my wayland session with Xwayland, the DISPLAY is :1 and /tmp/.X11-unix/ has 2 files, X0 (777) and X1 (755). I can't figure out how to connect to display :0, so I guess I'm stuck with :1. When you change to a different (non-root) user, the user no longer has access to /tmp/.X11-unix/X1.
Abstract unix sockets: When I start my wayland/xwayland session, it creates abstract unix sockets with ids @/tmp/.X11-unix/X0 and @/tmp/.X11-unix/X1. See ss -lnp | grep Xwayland. The network namespace also sandboxes these abstract unix sockets. Compare
socat ABSTRACT-CONNECT:/tmp/.X11-unix/X1 STDIN
and
sudo ip netns exec private socat ABSTRACT-CONNECT:/tmp/.X11-unix/X1 STDIN
When you do sudo ip netns exec protected su - user, you lose access to both the filesystem unix socket /tmp/.X11-unix/X1 and the abstract unix socket @/tmp/.X11-unix/X1. You need access to one or the other for X11 applications to work.
I tried using socat to forward X1 such that it works in the network namespace... and it kinda works.
sudo ip netns exec protected socat ABSTRACT-LISTEN:/tmp/.X11-unix/X1,fork UNIX-CONNECT:/tmp/.X11-unix/X1
It appears having ABSTRACT-LISTEN before UNIX-CONNECT is important, I guess it would be worth it to properly learn socat. With this,
sudo ip netns exec protected su - testuser -c 'env DISPLAY=:1 xmessage hi'
works, but
sudo ip netns exec protected su - testuser -c 'env DISPLAY=:1 QT_QPA_PLATFORM=xcb kcalc'
does not work. 😞
Changing the file permissions on /tmp/.X11-unix/X1 to give the user access seems to work better.
Wayland waypipe
Waypipe works as advertised. But it's still a little bit tricky because you need to have two separate processes for the waypipe client and server, wait for the waypipe socket to be created, adjust file permissions for the waypipe socket file, and set (and probably mkdir) XDG_RUNTIME_DIR.
Combined
into this script https://github.com/vole-dev/grabbag/blob/main/run-netns-user-wayland.bash
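
A socket-level check of the point made above (an X11 client needs either the abstract socket or the filesystem socket), as an added example that is not part of the original comment or the linked script. The listing is constructed sample data in /proc/net/unix format, the function names are hypothetical, and the target is assumed to be a different non-root user outside the socket's group.

```shell
#!/bin/sh
# Added example: socket-level reachability of an X11 display for another
# non-root user. X authorization (xauth cookies) is not checked.

# Constructed sample in /proc/net/unix format, modelled on the Xwayland
# session described above (abstract and filesystem sockets for X0 and X1).
sample_listing() {
    cat <<'EOF'
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 30001 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 30002 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 30003 @/tmp/.X11-unix/X1
0000000000000000: 00000002 00000000 00010000 0001 01 30004 /tmp/.X11-unix/X1
0000000000000000: 00000003 00000000 00000000 0001 03 30005 /run/user/1000/bus
EOF
}

# Read a listing on stdin; print "abstract N" or "file N" per X11 socket.
x11_sockets() {
    awk 'NR > 1 && $NF ~ /^@?\/tmp\/\.X11-unix\/X[0-9]+$/ {
        kind = ($NF ~ /^@/) ? "abstract" : "file"
        n = $NF; sub(/.*X/, "", n)
        print kind, n
    }' | sort -u
}

# reachable N MODE SAME_NETNS  (listing on stdin)
# MODE is the octal mode of /tmp/.X11-unix/XN; SAME_NETNS is yes or no.
# Prints the usable transport (abstract, file or none).
reachable() {
    socks=$(x11_sockets)
    # Abstract sockets carry no file permissions but are scoped to the netns.
    if [ "$3" = yes ] && printf '%s\n' "$socks" | grep -qx "abstract $1"; then
        echo abstract; return 0
    fi
    # The filesystem socket crosses netns boundaries, but connect() needs
    # write permission: for another user, the "other" write bit.
    if printf '%s\n' "$socks" | grep -qx "file $1"; then
        case $2 in *[2367]) echo file; return 0 ;; esac
    fi
    echo none; return 1
}

sample_listing | reachable 1 755 no || true   # X1 as created by Xwayland
sample_listing | reachable 1 777 no || true   # after opening up the socket mode
```

On a live system, feed `cat /proc/net/unix` and the output of `stat -c %a /tmp/.X11-unix/X1` into the same functions instead of the sample.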