View previous topic :: View next topic |
Author |
Message |
nagmat84 Apprentice
Joined: 27 Mar 2007 Posts: 297
|
Posted: Sun Dec 29, 2024 5:44 pm Post subject: Citrix IPA lets xwaylandvideobrige use 100% CPU [SOLVED] |
|
|
Since the last world upgrade, xwaylandvideobridge uses 100% CPU right after I have logged in into KDE. I am note 100% sure, but I am fairly certain that I haven't started any X11 application yet. I see this phenomena on 3 out of 7 PCs. The 4 remaining PCs behave normally. 2 of the affected PCs use the i915 DRM driver, the 2rd affected PC uses the AMDGPU DRM driver.
I have already tried to re-emerge gui-apps/xwaylandvideobridge, kde-plasma/kwin and x11-base/xwayland without luck.
How can I find out, what keeps xwaylandvideobridge busy?
As a temporary work-around I simply kill xwaylandvideobridge manually after I have logged in into KDE. This makes screen sharing for X11 application impossible, but that is still better than draining the battery. However, this is not a fix and not an work-around even not a temporary one for my sister's laptop.
Last edited by nagmat84 on Sun Jan 05, 2025 11:59 am; edited 1 time in total |
|
Back to top |
|
|
JimRockford74 n00b
Joined: 26 Nov 2024 Posts: 8
|
Posted: Mon Dec 30, 2024 1:32 pm Post subject: |
|
|
If your on systemd, you can run this to check your logs for errors or warnings
Code: | journalctl -xe | grep xwaylandvideobridge |
On OpenRC try these
Code: | grep xwaylandvideobridge /var/log/messages |
Code: | tail -f /var/log/messages | grep xwaylandvideobridge |
You can also try these two commands to check which X11 applications are trying to launch
This one to check your processes
This one to check what are running in the background
Code: | ps aux | grep -i x11 |
_________________ This is Jim Rockford. I'm either working a case or waiting for something to finish. If you're selling patience, I'm interested. $200 a day plus expenses. Leave your message at the tone. *beep* |
|
Back to top |
|
|
nagmat84 Apprentice
Joined: 27 Mar 2007 Posts: 297
|
Posted: Tue Dec 31, 2024 5:31 pm Post subject: |
|
|
"journalctl -xe | grep xwaylandvideobridge" returned Code: | Dez 31 18:06:40 matthias-laptop citrix-xwaylandvideobridge[1270]: Failed to connect with logd.
Dez 31 18:06:40 matthias-laptop citrix-xwaylandvideobridge[1270]: Failed to read server_socket from /usr/local/bin/AppProtection/.client.conf
Dez 31 18:06:40 matthias-laptop citrix-xwaylandvideobridge[1270]: Failed to connect with logd.
Dez 31 18:06:40 matthias-laptop citrix-xwaylandvideobridge[1270]: Error: Failed to read AppProtection service config from config file: [/usr/local/bin/AppProtection/.client.conf]
Dez 31 18:06:40 matthias-laptop citrix-xwaylandvideobridge[1270]: Failed to connect with logd.
Dez 31 18:06:40 matthias-laptop citrix-xwaylandvideobridge[1270]: sendmsg(): connect() returned -1: errno=111 Verbindungsaufbau abgelehnt msg=ILOCK_STATUS
Dez 31 18:06:40 matthias-laptop citrix-xwaylandvideobridge[1270]: Failed to connect with logd.
Dez 31 18:06:40 matthias-laptop citrix-xwaylandvideobridge[1270]: Error: Failed to connect to AppProtection Service from client
... [repeated a dozen times] ...
Dez 31 18:09:17 matthias-laptop systemd[771]: app-org.kde.xwaylandvideobridge@autostart.service: Consumed 2min 21.564s CPU time, 21.2M memory peak. | My mother needs the Citrix Workspace App for remote work from home. I installed Citrix Workspace App from the tarball outside the Portage package manager. The component "AppProtection" is a daemon which tries to pre-load certain system libraries and replace them by patched versions from Citrix to catch certain system calls which Citrix considers "dangerous". As this created a lot of problems, I uninstalled the component AppProtection again. (Suprisingly, Citrix Workspace also works without it.) Citrix AppProtection also tries to install its own system logger. (*gulp*)
So it is correct that server_socket from /usr/local/bin/AppProtection/.client.conf cannot be read and that sendmsg fails, because /usr/local/bin/AppProtection/ does not exist anymore. However, I wonder why it the entry in journald is called "citrix-xwaylandvideobridge" and where that "citrix" part comes from. I already tried to grep for "citrix" in all directories, but haven't found any leftovers.
So I assume it is safe to say that the problem ist not Gentoo-related, but caused by a 3rd party application. Nonetheless I would be grateful, if someone has any tips how to identify the remaining relics and get rid of them. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 23017
|
Posted: Tue Dec 31, 2024 6:21 pm Post subject: |
|
|
nagmat84 wrote: | My mother needs the Citrix Workspace App for remote work from home. I installed Citrix Workspace App from the tarball outside the Portage package manager. | This was your first mistake. To ease tracking it later, you should have wrapped it in an ebuild that ran the unpack for you, so that you could have Portage record where all the files went. nagmat84 wrote: | The component "AppProtection" is a daemon which tries to pre-load certain system libraries and replace them by patched versions from Citrix to catch certain system calls which Citrix considers "dangerous". | This is the probably the wrong way to do such a filter. If Citrix needs to ban certain system calls, the seccomp filter seems like a better fit, is harder to escape, and is less likely to confuse unrelated things on the system. nagmat84 wrote: | So I assume it is safe to say that the problem ist not Gentoo-related, but caused by a 3rd party application. Nonetheless I would be grateful, if someone has any tips how to identify the remaining relics and get rid of them. | How exactly did you install it in the first place? Was it just tar -xf, or did Citrix supply their own install script (probably that you run through a curlpipesh, because why not pick the worst possible way to do it)? Once we know how big a mess it could have made, we can hunt down what it did. |
|
Back to top |
|
|
nagmat84 Apprentice
Joined: 27 Mar 2007 Posts: 297
|
Posted: Tue Dec 31, 2024 6:53 pm Post subject: |
|
|
Hu wrote: | nagmat84 wrote: | I installed Citrix Workspace App from the tarball outside the Portage package manager. | This was your first mistake. To ease tracking it later, you should have wrapped it in an ebuild. | Sorry! I have never learned how to write my own ebuilds. Probably, it's time to read the Gentoo development documentation. Hu wrote: | nagmat84 wrote: | The component "AppProtection" is a daemon which tries to pre-load certain system libraries and replace them by patched versions from Citrix. | This is the probably the wrong way to do such a filter. The seccomp filter seems like a better fit. | Tell that the Citrix engineers. One of the things, Citrix wants to prevent is that someone takes a screenshot or screencast of the remote desktop running inside the Citrix application. So it makes sense, that xwaylandvideobridge runs havoc. Hu wrote: | How exactly did you install it in the first place? | The tarball is available at https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html. After one has unpacked the tarball, there is a shell script which does the install. If one tries to run the script as a non-root user it first starts, but it tells you that it needs root permission later during the installation routine.[/quote] |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 23017
|
Posted: Tue Dec 31, 2024 8:45 pm Post subject: |
|
|
If they're relying on a root privileged shell script, then they can make quite a mess. I would advise against running it, but it seems a bit late for that.
The page you linked doesn't seem to have working download links. They have non-expandable blocks that, once the incorrect styles are removed, only contain javascript:void(0) anchors, a common mistake by people who shouldn't be doing website development. Perhaps someone with more patience than I will put up with their poor practices and examine this script for you. Sorry. Otherwise, you could examine it yourself, assuming it isn't too ugly. |
|
Back to top |
|
|
nagmat84 Apprentice
Joined: 27 Mar 2007 Posts: 297
|
Posted: Sun Jan 05, 2025 11:57 am Post subject: |
|
|
Hu wrote: | If they're relying on a root privileged shell script, then they can make quite a mess. I would advise against running it, but it seems a bit late for that. | Well, without root privileges you won't be able to install the Citrix client. It's like saying one should run portage without root privileges. An installation routine which modifies the system needs root privileges for obvious reasons. The Citrix client attempts to lock down the host system (i.e. like preventing taking screenshots, capturing network traffic, etc.) and as much as I dislike Citrix approach here, I can understand that the Citrix installation routine requires root privileges for that.
Hu wrote: | The page you linked doesn't seem to have working download links. They have non-expandable blocks that, once the incorrect styles are removed, only contain javascript:void(0) anchors, a common mistake by people who shouldn't be doing website development. | I assume you haven't accepted to cookies and the EULA. That's your good right to do. I could have posted a direct download link here, but that would have been in violation of that EULA. We could philosophize whether Citrix should insist on its own EULA or whether the Citrix client shouldn't be open source, but that a different discussion. My step's mum employer decided to use a Citrix-based solution and so neither me nor her have much of a choice here (unless she decides to quit her job, of course, but that is only a hypothetical option).
Anyway it seems as if I had found the solution. I also had the grep for "ctx" (instead of "citrix") as there are some files which go by that name. This unveiled three more locations with left-overs. I didn't bother to check individually which one was the culprit. I removed all three at once. For anyone who comes across the same problem as me, here is the list:- /etc/ld.so.preload: Citrix creates this file to override some GUI toolkit libraries (GTK and QT). In my case the all paths pointed to the already non-existing location /opt/Citrix/ICAClient/....
- /etc/dconf/db/local.d/00-extensions: Citrix adds entries here for its "screen cast prevention module". I removed all configuration lines and executed "dconf compile" afterwards.
- /etc/chromium/native-messaging-hosts/com.citrix.chrome.ipcbridge.json: Citrix add a system-wide Chromium extensions which pointed to the already non-existing /opt/Citrix/ICAClient/ceb/CtxChromiumBrowser/native_bridge. Again, this browser extension seems to be somehow related to screen cast prevention. I removed the JSON file.
After that everything seems to be back to normal. I am not sure which one was to blame, because all three pointed to already non-existing files. So I would have assumes that each left-over should be a no-op. But obviously it wasn't.
I believe we can consider this thread to be solved. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 23017
|
Posted: Sun Jan 05, 2025 4:13 pm Post subject: |
|
|
nagmat84 wrote: | Hu wrote: | If they're relying on a root privileged shell script, then they can make quite a mess. I would advise against running it, but it seems a bit late for that. | Well, without root privileges you won't be able to install the Citrix client. | Better behaved software can be installed in a user's home directory, without the need for privilege. nagmat84 wrote: | It's like saying one should run portage without root privileges. An installation routine which modifies the system needs root privileges for obvious reasons. | Yes, modifying the system needs root, but I am doubtful that Citrix even should be modifying the system. I especially disagree with the idea that they should be doing it without adequate tracking to revert those changes when you uninstall their program. Portage is very good at providing such tracking (as are the major package managers from other distributions). nagmat84 wrote: | I assume you haven't accepted to cookies and the EULA. That's your good right to do. | I was never prompted about cookies or a EULA, not that I would have accepted them had they appeared. I think the page was too broken to even try to ask for a EULA. nagmat84 wrote: | - /etc/ld.so.preload: Citrix creates this file to override some GUI toolkit libraries (GTK and QT). In my case the all paths pointed to the already non-existing location /opt/Citrix/ICAClient/....
| This should be a no-op when the dynamic loader fails to find these files. It would slow down starting very slightly. Depending on what those hacked up toolkit libraries did, having them around might cause serious problems elsewhere, when applications wrongly loaded those instead of the newer versions installed by Portage that the application thought it would get. A literal reading of your description makes me wonder if they were also preloading their hacked libraries into things that didn't even want a GUI library.
Incidentally, if they supplied a hacked version of GTK, that version ought to be under the Lesser GNU General Public License, due to the licensing of upstream GTK. I encourage you to obtain a copy of the complete corresponding machine-readable source code for their hacked version, and find what they changed.
I would not let Citrix be installed outside a virtual machine or other sacrificial container if this is part of their standard process.
Notably absent from your list is how they actually prevent capturing X11 screenshots. It seems like they didn't even achieve their stated goal. nagmat84 wrote: | I believe we can consider this thread to be solved. | Good to see. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|