-
Notifications
You must be signed in to change notification settings - Fork 380
Init systems
x11docker provides option --init to specify the init system (PID 1) in container. Init in container solves the zombie reaping issue.
As default x11docker uses tini that is mostly shipped with docker as /usr/bin/docker-init. tini already serves the most important purposes.
Note: The different init systems are currently in review for several container systems.
Init systems runit, openrc and sysvinit degrade container isolation a bit. systemd degrades container isolation a lot. Especially user switching in container will be allowed in container.
- A few applications depend on DBus in container.
- A few applications depend on
systemd-logindthat is only available with systemd. A possible replacement is elogind started with one of--init=openrc|runit|sysvinit.
--init, --init=tini: Default of x11docker. Uses /usr/bin/docker-init from host. In fact it is tini.
- On some distributions
/usr/bin/docker-initis missing in docker package. Compare #23. To provide a replacement, downloadtini-staticfrom https://github.com/krallin/tini and store it at one of following locations:~/local/share/x11docker/usr/local/share/x11docker
Example installation steps:
mkdir -p ~/.local/share/x11docker
cd ~/.local/share/x11docker
wget https://github.com/krallin/tini/releases/download/v0.18.0/tini-static
chmod +x tini-static
--init=systemd: Runs init system systemd in container. systemd needs to be installed in image.
- This includes option
--sharecgroupthat shares/sys/fs/cgroupwith container. - Old systemd versions also need quite insecure and discouraged option
--sys-admin. - Example:
x11docker --init=systemd --desktop x11docker/lxde
--init=openrc: Runs init system OpenRC in container. openrc needs to be installed in image. Optionally --sharecgroup can be provided.
- cgroup usage is possible with option
--sharecgroup. - Example:
x11docker --init=openrc --desktop x11docker/fvwm
--init=runit: Runs init system runit in container. runit needs to be installed in image.
- Example:
x11docker --init=openrc --desktop x11docker/enlightenment
--init=sysvinit: Runs init system SysVinit in container. sysvinit needs to be installed in image.
- Tested with devuan images from gitlab/paddy-hack.
--init=none: Does not run any init system in container. Image command will be PID 1.
A few application depend on DBus and/or a specific init system. It is possible to run DBus system daemon in container directly with option --dbus-system. Due to some issues it is preferred to use one of the init systems systemd, runit, openrc or sysvinit instead to start DBus automatically. Compare README.md: DBus.
elogind is not an init system, but allows to run applications without systemdthat otherwise would depend on systemd-logind. x11docker automatically supports elogind in container with init system options --init=openrc|runit|sysvinit. Set also option --sharecgroup to allow elogind in container.
- If your host does not run with
elogind(but e.g. withsystemd), x11docker needs an elogind cgroup mountpoint at/sys/fs/cgroup/elogind. Run x11docker with root privileges to automatically create it. - Same goes for
elogindon host andsystemdin container; a cgroup mountpoint forsystemdmust be created. x11docker does this automatically if it runs as root. - If you want to manually set up the cgroup:
- Create elogind cgroup mountpoint on a systemd host:
mount -o remount,rw cgroup /sys/fs/cgroup # remove write protection mkdir -p /sys/fs/cgroup/elogind mount -t cgroup cgroup /sys/fs/cgroup/elogind -o none,name=elogind mount -o remount,ro cgroup /sys/fs/cgroup # restore write protection- Create a systemd cgroup mountpoint on an elogind host:
mkdir -p /sys/fs/cgroup/systemd mount -t cgroup cgroup /sys/fs/cgroup/systemd -o none,name=systemd