Init systems
x11docker provides option `--init` to specify the init system (PID 1) in the container. An init in the container solves the zombie reaping issue: orphaned processes are reparented to PID 1, which has to `wait()` for them, and an ordinary application running as PID 1 usually does not.

By default x11docker uses tini, which is mostly shipped with docker as `/usr/bin/docker-init`. tini already serves the most important purposes: it reaps zombies and forwards signals to the main process.
The init systems runit, openrc and sysvinit degrade container isolation a bit. systemd degrades container isolation a lot; in particular, user switching inside the container will be allowed.
- Look at Dependencies in image for `--init=systemd|sysvinit|openrc|runit`.
- A few applications depend on DBus in the container. A DBus user session daemon can only be started with `--dbus`, independent of `--init`. A DBus system daemon is started along with `--init=systemd|openrc|runit|sysvinit`.
- A few applications depend on systemd-logind, which is only available with systemd. A possible replacement is elogind, started with one of `--init=openrc|runit|sysvinit`.
`--init`, `--init=tini`: Default of x11docker.
- Uses `/usr/bin/docker-init` from the host. In fact it is tini.
- On some distributions `/usr/bin/docker-init` is missing in the docker package. Compare #23. To provide a replacement, download `tini-static` from https://github.com/krallin/tini and store it at one of the following locations:
  - `~/.local/share/x11docker`
  - `/usr/local/share/x11docker`

These steps as shell commands:

```sh
mkdir -p ~/.local/share/x11docker
cd ~/.local/share/x11docker
wget https://github.com/krallin/tini/releases/download/v0.18.0/tini-static
chmod +x tini-static
```

The file will run as PID 1 in every container, so verify the download against the checksum or signature published on the tini release page before making it executable.
`--init=systemd`: Runs init system systemd in the container.
- With cgroup v1 this includes option `--sharecgroup`, which shares `/sys/fs/cgroup` with the container.
- Example:

```sh
x11docker --init=systemd --desktop x11docker/lxde
```

`--init=openrc`: Runs init system OpenRC in the container.
- cgroup usage is possible with option `--sharecgroup`.
- Example:

```sh
x11docker --init=openrc --desktop x11docker/fvwm
```

`--init=runit`: Runs init system runit in the container.
- Example:

```sh
x11docker --init=runit --desktop x11docker/enlightenment
```

`--init=sysvinit`: Runs init system SysVinit in the container.
- Tested with devuan images from gitlab/paddy-hack and with `debian:buster` images.

`--init=none`: Does not run any init system in the container. The image command will be PID 1 and has to reap its own children.
elogind is not an init system, but it allows running applications without systemd that would otherwise depend on systemd-logind.
- x11docker automatically supports elogind in the container with the init system options `--init=openrc|runit|sysvinit` and with option `--dbus=system`.
- elogind also needs option `--sharecgroup`.
- Dependencies in image: `elogind` and `libpam-elogind`.
tl;dr: Run x11docker as root and it creates the needed cgroup mountpoints itself.
- If your host does not run with elogind (but e.g. with systemd), x11docker needs an elogind cgroup mountpoint at `/sys/fs/cgroup/elogind`. Run x11docker with root privileges to create it automatically.
- The same goes for elogind on the host and systemd in the container: a cgroup mountpoint for systemd must be created. x11docker does this automatically if it runs as root.
- If you want to set up the cgroup manually (both recipes need root and assume a cgroup v1 host, where `/sys/fs/cgroup` is a tmpfs):
  - Create an elogind cgroup mountpoint on a systemd host:

```sh
mount -o remount,rw cgroup /sys/fs/cgroup   # remove write protection
mkdir -p /sys/fs/cgroup/elogind
mount -t cgroup cgroup /sys/fs/cgroup/elogind -o none,name=elogind
mount -o remount,ro cgroup /sys/fs/cgroup   # restore write protection
```

  - Create a systemd cgroup mountpoint on an elogind host:

```sh
mkdir -p /sys/fs/cgroup/systemd
mount -t cgroup cgroup /sys/fs/cgroup/systemd -o none,name=systemd
```
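Before handing `/sys/fs/cgroup` to the container with `--sharecgroup`, a practitioner wants to know which of the two recipes above applies to the host and whether the named hierarchy already exists. The following POSIX shell script is an added example, not x11docker's own code and not part of this page: it parses a `/proc/mounts`-style table passed as an argument (the three tables embedded in it are constructed, and the writable tmpfs on the elogind host sample is an assumption), reports the host cgroup layout, and prints only the mount commands that are still needed. It refuses on a unified cgroup v2 host, where `/sys/fs/cgroup` is the cgroup2 filesystem itself and there is no tmpfs to place a named v1 hierarchy under, a case the recipes above do not cover.

```sh
#!/bin/sh
# Added example, not x11docker's own code: work out which of the mount
# commands above a host still needs before --sharecgroup can hand the
# container a named cgroup v1 hierarchy (name=elogind or name=systemd).
# Every function takes a /proc/mounts-style table as an argument so the
# logic can be exercised offline; on a real host pass "$(cat /proc/mounts)".

# Constructed sample mount tables (not captured from real hosts).
# A systemd host in cgroup v1 "hybrid" mode: read-only tmpfs, name=systemd
# hierarchy present, no elogind hierarchy.
SYSTEMD_HOST_MOUNTS='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0'
# An elogind host (writable tmpfs is an assumption): name=elogind present, no systemd.
ELOGIND_HOST_MOUNTS='tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0
cgroup /sys/fs/cgroup/elogind cgroup rw,nosuid,nodev,noexec,relatime,name=elogind 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,nosuid,nodev,noexec,relatime,cpu 0 0'
# A unified cgroup v2 host: cgroup2 sits directly on /sys/fs/cgroup.
V2_HOST_MOUNTS='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0'

# Print the host cgroup layout: v1, hybrid, v2 or none.
cgroup_layout() {
  printf '%s\n' "$1" | awk '
    $2 == "/sys/fs/cgroup" && $3 == "cgroup2"         { v2 = 1 }
    $2 == "/sys/fs/cgroup" && $3 == "tmpfs"           { v1 = 1 }
    $2 == "/sys/fs/cgroup/unified" && $3 == "cgroup2" { uni = 1 }
    END {
      if (v2) print "v2"; else if (v1 && uni) print "hybrid";
      else if (v1) print "v1"; else print "none"
    }'
}

# Exit 0 if the named cgroup v1 hierarchy NAME is mounted at /sys/fs/cgroup/NAME.
# The name is matched as a whole mount option, so name=elogind does not
# match name=elogindfoo.
named_cgroup_mounted() {
  printf '%s\n' "$2" | awk -v n="$1" '
    $2 == ("/sys/fs/cgroup/" n) && $3 == "cgroup" && ("," $4 ",") ~ (",name=" n ",") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Exit 0 if the tmpfs on /sys/fs/cgroup is mounted read-only, which is why
# the systemd-host recipe wraps mkdir/mount in remount,rw and remount,ro.
cgroup_tmpfs_readonly() {
  printf '%s\n' "$1" | awk '
    $2 == "/sys/fs/cgroup" && $3 == "tmpfs" && ("," $4 ",") ~ /,ro,/ { ro = 1 }
    END { exit ro ? 0 : 1 }'
}

# Print the commands still needed to provide /sys/fs/cgroup/NAME; print
# nothing if it already exists. Exit 2 on a cgroup v2 or cgroup-less host,
# where the cgroup v1 recipe above does not apply.
plan_named_cgroup() {
  name=$1; mounts=$2
  case $(cgroup_layout "$mounts") in
    v2|none) echo "no cgroup v1 tmpfs on /sys/fs/cgroup; set up $name by hand" >&2; return 2 ;;
  esac
  named_cgroup_mounted "$name" "$mounts" && return 0
  ro=0; cgroup_tmpfs_readonly "$mounts" && ro=1
  [ "$ro" -eq 1 ] && echo "mount -o remount,rw cgroup /sys/fs/cgroup"
  echo "mkdir -p /sys/fs/cgroup/$name"
  echo "mount -t cgroup cgroup /sys/fs/cgroup/$name -o none,name=$name"
  [ "$ro" -eq 1 ] && echo "mount -o remount,ro cgroup /sys/fs/cgroup"
  return 0
}

# Demo on the constructed systemd host: prints the four-line elogind recipe.
plan_named_cgroup elogind "$SYSTEMD_HOST_MOUNTS"
```

On a real host, `plan_named_cgroup elogind "$(cat /proc/mounts)" | sh` as root applies the recipe; running it without the `| sh` first is the dry run. The read-only check matters because a systemd host keeps the cgroup tmpfs read-only, so a bare `mkdir` there fails with EROFS, while the elogind-host recipe on the page does not need the remount pair.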