ybox 0.9.8__py3-none-any.whl

ybox/conf/profiles/dev.ini

@@ -0,0 +1,25 @@
+[base]
+name = Profile for creating development environment
+includes = basic.ini
+
+[security]
+# SYS_PTRACE is required by mesa and without this, the following warning can be seen:
+#     WARNING: Kernel has no file descriptor comparison support: Operation not permitted
+caps_add = SYS_PTRACE
+
+[mounts]
+# add your projects and other directories having source code
+#projects = $HOME/projects:$TARGET_HOME/projects
+#pyenv = $HOME/.pyenv:$TARGET_HOME/.pyenv:ro
+
+[env]
+# always pretend desktop to be GNOME since KDE apps required by xdg-* are not installed
+XDG_CURRENT_DESKTOP = GNOME
+XDG_SESSION_DESKTOP = GNOME
+DESKTOP_SESSION = gnome
+
+[apps]
+# some packages for Arch Linux - uncomment and update for your distribution as required
+#ides = intellij-idea-community-edition-jre,visual-studio-code-bin,zed
+#others = aws-cli-bin,aws-session-manager-plugin,helm,kubectl,yq,github-cli,jdk17-openjdk
+#other_deps = gnome-keyring:dep(github-cli)

ybox/conf/profiles/games.ini

@@ -0,0 +1,39 @@
+[base]
+name = Profile for games and other apps requiring NVIDIA acceleration
+includes = basic.ini
+nvidia = on
+
+[security]
+# Steam uses bwrap which needs capability to create new namespaces etc that apparently
+# gives greater security. More details here:
+# https://github.com/ValveSoftware/steam-runtime/issues/297#issuecomment-723004767
+# This is apparently no longer required after adding "--user=1000:1000"
+# or with setpriv/capsh dropping ambient capabilities
+#caps_add = SYS_ADMIN,SYS_CHROOT,NET_ADMIN,SETUID,SETGID,SYS_PTRACE
+
+# SYS_PTRACE is required by mesa and without this, the following warning can be seen:
+#     WARNING: Kernel has no file descriptor comparison support: Operation not permitted
+caps_add = SYS_PTRACE
+
+[mounts]
+video_dev = /dev/video0:/dev/video0
+
+[env]
+NVIDIA_DRIVER_CAPABILITIES = all
+
+[apps]
+# steam and deps for Arch Linux - uncomment and update for your distribution as required
+#steam_deps = lib32-vulkan-intel:dep(steam),lib32-libpulse:dep(steam)
+# these are apparently required but not in the upstream deps
+# https://bugs.archlinux.org/task/74827, https://bugs.archlinux.org/task/75155
+# https://bugs.archlinux.org/task/75443, https://bugs.archlinux.org/task/75590,
+# https://bugs.archlinux.org/task/75156, https://bugs.archlinux.org/task/75157
+# some packages among above are skipped because they are already direct/indirect dependencies
+#steam_opt_deps = lib32-fontconfig:dep(steam),lib32-pipewire:dep(steam),lib32-libxcursor:dep(steam),
+#                 lib32-libva:dep(steam),lib32-libnm:dep(steam),lib32-libxinerama:dep(steam)
+#steam = steam
+
+[app_flags]
+# steam needs setpriv or equivalent to allow user namespace to be used by bubblewrap
+steam = /usr/bin/setpriv --ambient-caps -all !p !a
+steam-runtime = /usr/bin/setpriv --ambient-caps -all !p !a

ybox/conf/resources/entrypoint-base.sh

@@ -0,0 +1,170 @@
+#!/bin/bash
+
+set -e
+
+SCRIPT="$(basename "${BASH_SOURCE[0]}")"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source "$SCRIPT_DIR/entrypoint-common.sh"
+
+user=ybox
+uid=1000
+name=ybox
+group=ybox
+gid=1000
+secondary_groups=video,input,lp,mail
+localtime=
+timezone=
+
+function show_usage() {
+  echo
+  echo "Usage: $SCRIPT [-u USER] [-U UID] [-n FULLNAME] [-g GROUP] [-G GID]"
+  echo "       [-l LOCALTIME] [-z TIMEZONE] [-h]"
+  echo
+  echo "Options:"
+  echo "  -u USER       login of the user being added"
+  echo "  -U UID        UID of the user"
+  echo "  -n FULLNAME   full name of the user"
+  echo "  -g GROUP      primary group of the user being added"
+  echo "  -G GID        GID of the primary group of the user"
+  echo "  -s GROUPS     secondary groups of the user being added"
+  echo "  -l LOCALTIME  the destination link for /etc/localtime"
+  echo "  -z TIMEZONE   the timezone to be written in /etc/timezone"
+  echo "  -h            show this help message and exit"
+}
+
+function check_space() {
+  check_val="$1"
+  if [[ "$check_val" = *[[:space:]]* ]]; then
+    echo "$0: cannot have white space character in $2 -- $check_val"
+    show_usage
+    exit 1
+  fi
+}
+
+function check_int() {
+  check_val="$1"
+  if ! [ "$check_val" -eq "$check_val" ] 2>/dev/null; then
+    echo "$0: expected integer for $2 -- $check_val"
+    show_usage
+    exit 1
+  fi
+}
+
+while getopts "u:U:n:g:G:s:l:z:h" opt; do
+  case "$opt" in
+    u)
+      check_space "$OPTARG" USER
+      user=$OPTARG
+      ;;
+    U)
+      check_int "$OPTARG" UID
+      uid=$OPTARG
+      ;;
+    n)
+      name="$OPTARG"
+      ;;
+    g)
+      check_space "$OPTARG" GROUP
+      group=$OPTARG
+      ;;
+    G)
+      check_int "$OPTARG" GID
+      gid=$OPTARG
+      ;;
+    s)
+      check_space "$OPTARG" GROUPS
+      secondary_groups=$OPTARG
+      ;;
+    l)
+      localtime="$OPTARG"
+      ;;
+    z)
+      timezone="$OPTARG"
+      ;;
+    h)
+      show_usage
+      exit 0
+      ;;
+    ?)
+      show_usage
+      exit 1
+      ;;
+  esac
+done
+
+# run the distribution specific initialization scripts
+if [ -r "$SCRIPT_DIR/init-base.sh" ]; then
+  /bin/bash "$SCRIPT_DIR/init-base.sh" >/dev/null
+fi
+
+# setup timezone
+if [ -n "$localtime" ]; then
+  echo_color "$fg_blue" "Setting up timezone to $localtime"
+  if [ -e "$localtime" ]; then
+    rm -f /etc/localtime
+    ln -s "$localtime" /etc/localtime
+  fi
+fi
+if [ -n "$timezone" ]; then
+  echo "$timezone" > /etc/timezone
+  chmod 0644 /etc/timezone
+fi
+
+# add the user with the same UID/GID as provided which should normally be the same as the
+# user running this ybox (which avoids --userns=keep-id from increasing the image size
+#   else the image size may get nearly doubled)
+existing_user="$(getent passwd $uid | cut -d: -f1)"
+if [ -n "$existing_user" ]; then
+  deluser --remove-home $existing_user
+fi
+existing_group="$(getent group $gid | cut -d: -f1)"
+if [ -n "$existing_group" ]; then
+  delgroup $existing_group
+fi
+groupadd -g $gid $group
+echo_color "$fg_blue" "Added group '$group'"
+useradd -m -g $group -G $secondary_groups \
+  -u $uid -d /home/$user -s /bin/bash -c "$name" $user
+usermod --lock $user
+
+# add the given user for sudoers with NOPASSWD
+sudoers_file=/etc/sudoers.d/$user
+echo "$user ALL=(ALL:ALL) NOPASSWD: ALL" > $sudoers_file
+chmod 0440 $sudoers_file
+echo_color "$fg_purple" "Added admin user '$user' to sudoers with NOPASSWD"
+
+# generate /etc/machine-id which is required by some apps
+rm -f /etc/machine-id /var/lib/dbus/machine-id
+dbus-uuidgen --ensure=/etc/machine-id
+dbus-uuidgen --ensure
+
+# change ownership of user's /run/user/<uid> tree which may have root ownership due to the
+# docker bind mounts
+run_dir=${XDG_RUNTIME_DIR:-/run/user/$uid}
+mkdir -p $run_dir
+chmod 0700 $run_dir
+chown -Rf $uid:$gid $run_dir
+echo_color "$fg_blue" "Created run directory for '$user' with proper permissions"
+
+# add root user to all user groups for rootless docker that needs to run as the root user
+# (which is mapped to the host's current user allowing for proper file and other permissions)
+usermod -aG $group,$secondary_groups root
+# the home directory of root user should be /root which is assumed to be the target directory
+# by the ybox commands when using docker
+root_home="$(getent passwd root | cut -d: -f6)"
+if [ "$root_home" != "/root" ]; then
+  echo_color "$fg_purple" "Changing home directory of root user from '$root_home' to '/root'"
+  # this should be done at the very end of the entrypoint script to avoid any complications
+  # due to change of root user's home directory in the middle of running commands
+  mkdir -p /root
+  chmod 700 /root
+  sed -i "s|:$root_home:|:/root:|" /etc/passwd
+  if [ "$root_home" != "/" ]; then
+    cd "$root_home"
+    # copy dotfiles skipping `.` and `..` which is done by setting GLOBIGNORE
+    export GLOBIGNORE=.
+    cp -a .* /root/.
+    # not removing $root_home since it can potentially be some system directory (e.g. /usr)
+  fi
+fi

ybox/conf/resources/entrypoint-common.sh

@@ -0,0 +1,23 @@
+# ensure that system path is always searched first for all the system utilities
+export PATH="/usr/sbin:/usr/bin:/sbin:/bin:$PATH"
+
+status_file=/usr/local/ybox-status
+
+fg_red='\033[31m'
+fg_green='\033[32m'
+fg_orange='\033[33m'
+fg_blue='\033[34m'
+fg_purple='\033[35m'
+fg_cyan='\033[36m'
+fg_reset='\033[00m'
+
+function echo_color() {
+  args=
+  while [[ $1 = -* ]]; do
+    args="$args $1"
+    shift
+  done
+  color="$1"
+  shift
+  echo -e $args "$color$@" $fg_reset
+}

ybox/conf/resources/entrypoint-cp.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+SCRIPT="$(basename "${BASH_SOURCE[0]}")"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source "$SCRIPT_DIR/entrypoint-common.sh"
+
+function show_usage() {
+  echo
+  echo "Usage: $SCRIPT SHARED_DIRS SHARED_BIND"
+  echo
+  echo "Arguments:"
+  echo "  SHARED_DIRS     comma separated list of directories to share among containers"
+  echo "  SHARED_BIND     shared bind mount where the DIRS above will be copied"
+}
+
+if [ $# -ne 2 ]; then
+  show_usage
+  exit 1
+fi
+
+shared_dirs="$1"
+shared_bind="$2"
+
+echo_color "$fg_purple" "Copying data from container to shared root mounted on '$shared_bind'"
+IFS="," read -ra shared_dirs_arr <<< "$shared_dirs"
+for dir in "${shared_dirs_arr[@]}"; do
+  echo_color "$fg_orange" "Copying $dir to $shared_bind$dir"
+  cp -a "$dir" "$shared_bind$dir"
+done

ybox/conf/resources/entrypoint-root.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+# this script has actions that need to be run as root
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source "$SCRIPT_DIR/entrypoint-common.sh"
+
+echo_color "$fg_cyan" "Copying prime-run, run-in-dir and run-user-bash-cmd" >> $status_file
+cp -a "$SCRIPT_DIR/prime-run" /usr/local/bin/prime-run
+cp -a "$SCRIPT_DIR/run-in-dir" /usr/local/bin/run-in-dir
+cp -a "$SCRIPT_DIR/run-user-bash-cmd" /usr/local/bin/run-user-bash-cmd
+chmod 0755 /usr/local/bin/prime-run /usr/local/bin/run-in-dir /usr/local/bin/run-user-bash-cmd
+
+# invoke the NVIDIA setup script if present
+if [ -r "$SCRIPT_DIR/nvidia-setup.sh" ]; then
+  /bin/bash "$SCRIPT_DIR/nvidia-setup.sh"
+fi

ybox/conf/resources/entrypoint-user.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source "$SCRIPT_DIR/entrypoint-common.sh"
+
+current_user="$(id -un)"
+user_home="$(getent passwd "$current_user" | cut -d: -f6)"
+# set gpg keyserver to an available one
+mkdir -p "$user_home/.gnupg" && chmod 0700 "$user_home/.gnupg"
+echo "keyserver $DEFAULT_GPG_KEY_SERVER" > "$user_home/.gnupg/dirmngr.conf"
+rm -f "$user_home"/.gnupg/*/*.lock
+
+echo_color "$fg_cyan" "Enabling python pip installation for $current_user" >> $status_file
+mkdir -p "$user_home/.config/pip"
+cat > "$user_home/.config/pip/pip.conf" << EOF
+[global]
+break-system-packages = true
+EOF

ybox/conf/resources/entrypoint.sh

@@ -0,0 +1,249 @@
+#!/bin/bash
+
+set -e
+
+SCRIPT="$(basename "${BASH_SOURCE[0]}")"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source "$SCRIPT_DIR/entrypoint-common.sh"
+
+config_list=
+config_dir=
+app_list=
+pkgmgr_conf="$SCRIPT_DIR/pkgmgr.conf"
+startup_list=
+run_user_bash_cmd=/usr/local/bin/run-user-bash-cmd
+
+# first clear the status_file
+echo -n > $status_file
+
+# for docker the container runs as root user but some actions need to be performed as normal
+# user (like installing AUR packages in Arch), so the status file is made writable by both
+# the current user as well as the group of the normal user
+uid="$(id -u)"
+gid="$(id -g)"
+chown $uid:$YBOX_HOST_GID $status_file
+chmod 0660 $status_file
+if [ "$uid" -eq 0 ]; then
+  SUDO=""
+else
+  SUDO="sudo -E"
+fi
+
+function show_usage() {
+  echo
+  echo "Usage: $SCRIPT [-c CONFIG_LIST] [-d CONFIG_DIR] [-a APP_LIST]"
+  echo "       [-s STARTUP_LIST] [-h] BOX_NAME"
+  echo
+  echo "Arguments:"
+  echo "  BOX_NAME         name of the ybox container being created"
+  echo
+  echo "Options:"
+  echo "  -c CONFIG_LIST   file having list of configuration files to be setup in user's HOME"
+  echo "  -d CONFIG_DIR    target directory having the configuration files"
+  echo "  -a APP_LIST      file having list of applications to be installed"
+  echo "                   (each line should start with any additional package manager flags)"
+  echo "  -s STARTUP_LIST  file containing list of startup applications for the container"
+  echo "  -h               show this help message and exit"
+}
+
+# link the configuration files in HOME to the target directory having the required files
+function link_config_files() {
+  # line is of the form <src> -> <dest>; pattern below matches this while trimming spaces
+  echo_color "$fg_orange" "Linking configuration files from $config_dir to user's home" >> $status_file
+  pattern='(.*[^[:space:]]+)[[:space:]]*->[[:space:]]*(.*)'
+  while read -r config; do
+    if [[ "$config" =~ $pattern ]]; then
+      home_file="${BASH_REMATCH[1]}"
+      # expand env variables
+      eval home_file="$home_file"
+      dest_file="$config_dir/${BASH_REMATCH[2]}"
+      # only replace the file if it is already a link (assuming the link target may
+      #   have changed in the config_list file), or a directory containing links
+      if [ -e "$dest_file" ]; then
+        if [ -L "$home_file" ]; then
+          rm -f "$home_file"
+        elif [ -d "$home_file" ]; then
+          do_rmdir=true
+          for f in "$home_file"/*; do
+            if [ -e "$f" -a ! -L "$f" ]; then
+              do_rmdir=false
+              break
+            fi
+          done
+          if [ "$do_rmdir" = true ]; then
+            rm -rf "$home_file"
+          fi
+        fi
+        home_filedir="$(dirname "$home_file")"
+        if [ ! -e "$home_filedir" ]; then
+          mkdir -p "$home_filedir"
+        fi
+        if [ ! -e "$home_file" ]; then
+          ln -s "$dest_file" "$home_file"
+        fi
+      fi
+    else
+      echo_color "$fg_red" "Skipping config line having unknown format: $config" >> $status_file
+    fi
+  done < "$config_list"
+}
+
+# install applications listed in the given file with the configured package manager commands
+function install_apps() {
+  # source PKGMGR_* variables from the configuration file created by 'ybox-create'
+  source "$pkgmgr_conf"
+  if [ -z "$PKGMGR_INSTALL" -o -z "$PKGMGR_CLEAN" ]; then
+    echo_color "$fg_red" "$pkgmgr_conf should define PKGMGR_INSTALL and PKGMGR_CLEAN" >> $status_file
+    exit 1
+  fi
+  # install packages line by line
+  while read -r pkg_line; do
+    echo_color "$fg_orange" "Installing: ${pkg_line:0:40} ..." >> $status_file
+    $run_user_bash_cmd "$PKGMGR_INSTALL $pkg_line"
+    echo_color "$fg_green" "Done." >> $status_file
+  done < "$app_list"
+  echo_color "$fg_green" "Cleaning up." >> $status_file
+  $run_user_bash_cmd "$PKGMGR_CLEAN"
+}
+
+# invoke the startup apps as listed in the container configuration file
+function invoke_startup_apps() {
+  log_dir="$HOME/.local/share/ybox/logs"
+  log_no=1
+  # start apps in the order listed in the file
+  while read -r app_line; do
+    mkdir -p "$log_dir"
+    echo_color "$fg_orange" "Starting: ${app_line:0:40} ..." >> $status_file
+    nohup $app_line >> "$log_dir/app-${log_no}_out.log" 2>> "$log_dir/app-${log_no}_err.log" &
+    sleep 1
+  done < "$startup_list"
+}
+
+
+while getopts "c:d:a:s:h" opt; do
+  case "$opt" in
+    c)
+      config_list="$OPTARG"
+      ;;
+    d)
+      config_dir="$OPTARG"
+      ;;
+    a)
+      app_list="$OPTARG"
+      # assume package manager configuration to be in pkgmgr.conf in same dir as this script
+      if [ ! -r "$pkgmgr_conf" ]; then
+        echo "Cannot find $pkgmgr_conf to apply the given APP_LIST"
+        exit 1
+      fi
+      ;;
+    s)
+      startup_list="$OPTARG"
+      ;;
+    h)
+      show_usage
+      exit 0
+      ;;
+    ?)
+      show_usage
+      exit 1
+      ;;
+  esac
+done
+
+if [ -n "$config_list" -a -z "$config_dir" ]; then
+  echo "$0: missing '-d CONFIG_DIR' option for given CONFIG_LIST -- $config_list"
+  show_usage
+  exit 1
+fi
+
+# handle positional arguments
+if [ $(("$#" - "$OPTIND")) -ne 0 ]; then
+  echo "$0: incorrect number of required arguments"
+  show_usage
+  exit 1
+fi
+box_name="${@:$OPTIND:1}"
+
+# create/update some common directories that are mounted and may have root permissions
+dir_init=". .cache .cache/fontconfig .config .config/pulse .local .local/share"
+dir_init+=" .local/share/ybox .local/share/ybox/$box_name Downloads"
+echo_color "$fg_orange" "Ensuring proper permissions for user directories" >> $status_file
+for d in $dir_init; do
+  dir=$HOME/$d
+  $SUDO mkdir -p $dir || true
+  $SUDO chown $uid:$gid $dir || true
+done
+# change ownership of user's /run/user/<uid> tree which may have root ownership due to the
+# docker bind mounts
+run_dir=${XDG_RUNTIME_DIR:-/run/user/$uid}
+if [ -d $run_dir ]; then
+  $SUDO chown $uid:$gid $run_dir 2>/dev/null || true
+fi
+if [ -n "$(ls $run_dir 2>/dev/null)" ]; then
+  $SUDO chown $uid:$gid $run_dir/* 2>/dev/null || true
+fi
+
+# run actions requiring root access
+$SUDO /bin/bash "$SCRIPT_DIR/entrypoint-root.sh"
+
+# run the distribution specific initialization scripts
+if [ ! -e "$SCRIPT_DIR/ybox-init.done" ]; then
+  if [ -r "$SCRIPT_DIR/init.sh" ]; then
+    echo_color "$fg_orange" "Running distribution's system initialization script" >> $status_file
+    $SUDO /bin/bash "$SCRIPT_DIR/init.sh"
+  fi
+  if [ -r "$SCRIPT_DIR/init-user.sh" ]; then
+    echo_color "$fg_orange" "Running user initialization scripts" >> $status_file
+    # run the common user initialization script for both the root and non-root user
+    $SUDO /bin/bash "$SCRIPT_DIR/entrypoint-user.sh"
+    $run_user_bash_cmd "/bin/bash \"$SCRIPT_DIR/entrypoint-user.sh\""
+    # run the distribution's user initialization script for the non-root user
+    $run_user_bash_cmd "/bin/bash \"$SCRIPT_DIR/init-user.sh\""
+  fi
+  $SUDO rm -rf /root/.cache/*
+  # Update the status file to indicate the stoppage and exit because system libraries
+  # may have been installed/updated by the above scripts.
+  # Caller will restart the container after removing the init scripts.
+  echo stopped >> $status_file
+  sync $status_file
+  exit 0
+fi
+
+# process config files, application installs and invoke startup apps
+if [ -n "$config_list" ]; then
+  link_config_files
+fi
+if [ -n "$app_list" ]; then
+  install_apps
+fi
+if [ -n "$startup_list" ]; then
+  invoke_startup_apps
+fi
+# update the status file to indicate successful startup
+echo started >> $status_file
+
+# finally go into infinite wait using tail on /dev/null but handle TERM signal for clean exit
+tail -s10 -f /dev/null &
+childPID=$!
+
+function cleanup() {
+  # clear status file first just in case other operations do not finish before SIGKILL comes
+  echo -n > $status_file
+  # first send SIGTERM to all "docker exec" processes that will have parent PID as 0 or 1
+  exec_pids="$(ps -e -o ppid=,pid= | \
+    awk '{ if (($1 == 0 || $1 == 1) && $2 != 1 && $2 != '$childPID') print $2 }')"
+  for pid in $exec_pids; do
+    echo "Sending SIGTERM to $pid"
+    kill -TERM $pid
+  done
+  # sleep a bit for $exec_pids to finish
+  [ -n "$exec_pids" ] && sleep 3
+  # lastly kill the infinite tail process
+  kill -TERM $childPID
+}
+
+# truncate status file and cleanly kill the processes on SIGHUP and SIGTERM
+trap "cleanup" 1 15
+
+wait $childPID

ybox/conf/resources/prime-run

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+__NV_PRIME_RENDER_OFFLOAD=1
+__GLX_VENDOR_LIBRARY_NAME=nvidia
+__VK_LAYER_NV_optimus=NVIDIA_only
+VK_ICD_FILES=/usr/share/vulkan/icd.d/nvidia_icd.json
+VK_ICD_FILENAMES=/usr/share/vulkan/icd.d/nvidia_icd.json
+
+export __NV_PRIME_RENDER_OFFLOAD __GLX_VENDOR_LIBRARY_NAME __VK_LAYER_NV_optimus VK_ICD_FILES VK_ICD_FILENAMES
+
+exec "$@"

ybox/conf/resources/run-in-dir

@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -e
+
+dir="$1"
+shift
+
+if [ -n "$dir" -a -d "$dir" ]; then
+  cd "$dir"
+fi
+
+# XAUTHORITY file can change after a re-login or a restart, so search for the passed one
+# by podman/docker exec in the mount point of its parent directory
+if [ -n "$XAUTHORITY" -a -n "$XAUTHORITY_ORIG" -a ! -r "$XAUTHORITY" ]; then
+  # XAUTHORITY is assumed to be either in /run/user or in /tmp
+  run_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
+  if [[ "$XAUTHORITY" == $run_dir/* ]]; then
+    host_dir="$run_dir"
+  elif [[ "$XAUTHORITY" == /tmp/* ]]; then
+    host_dir=/tmp
+  else
+    host_dir="$(dirname "$XAUTHORITY")"
+  fi
+  XAUTHORITY="${XAUTHORITY/#$host_dir/${host_dir}-host}" # replace $host_dir by ${host_dir}-host
+  if [ ! -r "$XAUTHORITY" ]; then
+    XAUTHORITY="$XAUTHORITY_ORIG"
+  fi
+  export XAUTHORITY
+fi
+
+# In case NVIDIA driver has been updated, the updated libraries and other files may need to be
+# linked again, so check for a missing library file and invoke the setup script if present
+nvidia_setup="$YBOX_TARGET_SCRIPTS_DIR/nvidia-setup.sh"
+if [ -e "$nvidia_setup" ]; then
+  function is_nvidia_valid() {
+    nvidia_glx_libs="$(echo /usr/local/nvidia/lib*/libGLX_nvidia.so.*)"
+    for lib in $nvidia_glx_libs; do
+      if [ ! -r "$lib" ]; then
+        return 1
+      fi
+    done
+    return 0
+  }
+  if ! is_nvidia_valid; then
+    lock_file="/tmp/nvidia-setup.lock"
+    (
+      # ensure no other instance is trying the same (wait for reasonable time before continuing)
+      lock_fd=100
+      flock -x -w 60 $lock_fd || /bin/true
+      trap "flock -u $lock_fd || /bin/true" 0 1 2 3 4 5 6 7 8 10 11 12 13 14 15
+      if ! is_nvidia_valid; then
+        umask 022
+        sudo /bin/bash "$nvidia_setup" || /bin/true
+      fi
+    ) 100>"$lock_file"
+    break
+  fi
+fi
+
+exec "$@"

ybox/conf/resources/run-user-bash-cmd

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+if [ "$#" -ne 1 ]; then
+  echo "Usage: $0 <full command to run as single argument like passed to '/bin/bash -c'>"
+  exit 1
+fi
+
+if [ "$(id -u)" -eq 0 -a -n "$YBOX_HOST_UID" ] && getent passwd $YBOX_HOST_UID > /dev/null; then
+  exec sudo -u "#$YBOX_HOST_UID" -g "#$YBOX_HOST_GID" /bin/bash -c "$1"
+else
+  eval "$1"
+fi