It looks like we may just need to add this polkit permission:

com.ubuntu.pkexec.synaptic

That at least gets by the prompting issue..but then I'm having problems opening the display, I probably just need to update something else to fix that as I also have the transparent window problem.

Got this working by doing all of the following:

1. Give the user the com.ubuntu.pkexec.synaptic permission for polkit
2. Generate a .Xauthority file by doing the following:
touch ~/.Xauthority
xauth add ${HOST}:0 . $(xxd -l 16 -p /dev/urandom)
3. (I hacked around this a different way, but same effect) Pass the following argument to Xwayland when sommelier launches it:
-auth $HOME/.Xauthority

First change is part of garcon config.
Second change can be part of the postinst process for sommelier.
Third part will then be a change in sommelier itself.

I verified that sommelier/Xwayland still work fine if you pass in an Xauth path that doesn't exist so there's no race condition between these changes.

We can't do any of the home directory stuff in sommelier postinst since that happens before any users are added.

This would need to be done as a part of the SetUpUser stuff in tremplin.

OK...I'll look into doing that in Tremplin then since my Go coding is no longer rusty from all the tast-tests. :)

Shouldn't I put it in both places though? The postinst would check if .Xauthority exists first. That way current installs that get upgraded would have this (since they won't be calling SetUpUser again).

CrostiniManager calls SetUpUser every time it calls StartLxdContainer, so just adding it to tremplin should be sufficient.

That sounds reasonable...I'll just do it in tremplin then.

'xauth add' is typically done when starting the X server (in our case as part of sommelier-x@ startup). There's never a need to maintain the same key between X server instances. It's preferred not do so, as stealing an old key will then not allow access to a new X sever instance.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/bf9284aa1a9c1434a934ec498c57f4b47fdfb002

commit bf9284aa1a9c1434a934ec498c57f4b47fdfb002
Author: Jeffrey Kardatzke <jkardatzke@google.com>
Date: Wed Oct 17 21:23:28 2018

vm_tools: sommelier: Pass xauth flag to Xwayland

This is to enable apps like synaptic to work properly where they elevate
their privileges to root and then need to connect to the X server. We
setup the .Xauthority file in the service file for sommelier-x. Then we
pass the path to the .Xauthority file to Xwayland.

This also adds a xasprintf method which removes the snprintf usage and
cleans up some parts of the code.

BUG= chromium:876846 
TEST=Verified synaptic-pkexec works with both X servers (0 and 1)

Change-Id: I538b6d5a72c7c268ffc3229f9903adaa7620a6ed
Reviewed-on: https://chromium-review.googlesource.com/1279105
Commit-Ready: Jeffrey Kardatzke <jkardatzke@google.com>
Tested-by: Jeffrey Kardatzke <jkardatzke@google.com>
Reviewed-by: Jeffrey Kardatzke <jkardatzke@google.com>

[modify] https://crrev.com/bf9284aa1a9c1434a934ec498c57f4b47fdfb002/vm_tools/sommelier/sommelier.c

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/containers/cros-container-guest-tools/+/ff801fb0690db4a856fde17f32c155993b9692e8

commit ff801fb0690db4a856fde17f32c155993b9692e8
Author: Jeffrey Kardatzke <jkardatzke@google.com>
Date: Wed Oct 31 19:42:30 2018

Add synaptic auth and Xauthority creation

This is part of the fix for synaptic to work in the container. It adds
the polkit permission required for it to run and it also creates the
.Xauthority file when sommelier starts up so it can use the X server
when it has elevated its privileges to root. There's a corresponding
change in sommelier where it'll pass the .Xauthority file to Xwayland so
it will use it as well.

BUG= chromium:876846 
TEST=Manually verified with synaptic on both X servers (0 and 1)

Change-Id: I26e426332d7ce3993fd93da0f1d3adb42072cb93
Reviewed-on: https://chromium-review.googlesource.com/1279069
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Jeffrey Kardatzke <jkardatzke@google.com>
Reviewed-by: Jeffrey Kardatzke <jkardatzke@google.com>

[modify] https://crrev.com/ff801fb0690db4a856fde17f32c155993b9692e8/cros-sommelier/sommelier-x@.service
[modify] https://crrev.com/ff801fb0690db4a856fde17f32c155993b9692e8/cros-sommelier/BUILD
[modify] https://crrev.com/ff801fb0690db4a856fde17f32c155993b9692e8/cros-garcon/BUILD
[add] https://crrev.com/ff801fb0690db4a856fde17f32c155993b9692e8/cros-garcon/garcon-synaptic.pkla

Has this fix been available to the container? I am still seeing an error which could be something new?

kiavash@penguin:~$ sudo synaptic
No protocol specified
Unable to init server: Could not connect: Connection refused

(synaptic:962): Gtk-WARNING **: cannot open display: :0
kiavash@penguin:~$ uname -a
Linux penguin 4.14.67-07156-gc116f2c8c400 #1 SMP PREEMPT Sun Sep 9 14:28:13 PDT 2018 x86_64 GNU/Linux

This also needs a new VM version which you'd only get if you're on dev channel.

Dang it! Just recently powerwashed to stable. Hopefully it will roll to Stable in 6 weeks?