
Init systems

mviereck edited this page Aug 17, 2019 · 11 revisions

Init in docker container

x11docker provides option --init to specify the init system (PID 1) in the container. An init in the container solves the zombie reaping issue.

By default x11docker uses tini, which is usually shipped with docker as /usr/bin/docker-init. tini already serves the most important purposes.

Init systems runit, openrc and sysvinit degrade container isolation a bit. systemd degrades container isolation a lot. In particular, user switching in the container will be allowed.

  • Look at Dependencies in image for --init=systemd|sysvinit|openrc|runit.

  • A few applications depend on DBus in container.

  • A few applications depend on systemd-logind that is only available with systemd. A possible replacement is elogind started with one of --init=openrc|runit|sysvinit or --dbus-system.

tini

--init, --init=tini: Default of x11docker.

  • Uses /usr/bin/docker-init from host. In fact it is tini.
  • On some distributions /usr/bin/docker-init is missing from the docker package. Compare #23. To provide a replacement, download tini-static from https://github.com/krallin/tini and store it at one of the following locations:
    • ~/.local/share/x11docker
    • /usr/local/share/x11docker

These steps as shell commands:

mkdir -p ~/.local/share/x11docker   # user-level x11docker data directory
cd ~/.local/share/x11docker
wget https://github.com/krallin/tini/releases/download/v0.18.0/tini-static   # static tini binary
chmod +x tini-static   # x11docker needs it to be executable

systemd

--init=systemd: Runs init system systemd in the container.

  • This includes option --sharecgroup, which shares /sys/fs/cgroup with the container.
  • Old systemd versions also need the quite insecure and discouraged option --sys-admin.
  • Example: x11docker --init=systemd --desktop x11docker/lxde

OpenRC

--init=openrc: Runs init system OpenRC in the container.

  • cgroup usage is possible with option --sharecgroup.
  • Example: x11docker --init=openrc --desktop x11docker/fvwm

runit

--init=runit: Runs init system runit in the container.

  • Example: x11docker --init=runit --desktop x11docker/enlightenment

SysVinit

--init=sysvinit: Runs init system SysVinit in the container.

No init system

--init=none: Does not run any init system in the container. The image command will be PID 1.

elogind

elogind is not an init system, but it allows running applications that would otherwise depend on systemd-logind without systemd.

  • x11docker automatically supports elogind in the container with init system options --init=openrc|runit|sysvinit and with option --dbus-system.
    • elogind also needs option --sharecgroup.
  • Dependencies in image: elogind and libpam-elogind.

elogind cgroup setup

tl;dr: Run x11docker as root and you do not need to worry about any of this.

  • If your host does not run elogind (but e.g. systemd), x11docker needs an elogind cgroup mountpoint at /sys/fs/cgroup/elogind. Run x11docker with root privileges to create it automatically.
  • The same goes for elogind on the host and systemd in the container; a cgroup mountpoint for systemd must be created. x11docker does this automatically if it runs as root.
  • If you want to manually set up the cgroup:
    • Create elogind cgroup mountpoint on a systemd host:
    mount -o remount,rw cgroup /sys/fs/cgroup  # remove write protection
    mkdir -p /sys/fs/cgroup/elogind
    mount -t cgroup cgroup /sys/fs/cgroup/elogind -o none,name=elogind
    mount -o remount,ro cgroup /sys/fs/cgroup  # restore write protection
    
    • Create a systemd cgroup mountpoint on an elogind host:
    mkdir -p /sys/fs/cgroup/systemd
    mount -t cgroup cgroup /sys/fs/cgroup/systemd -o none,name=systemd
    
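The two manual procedures above combined into one script, as an added example that is not part of x11docker: it decides from the host manager and the container's --init value which named cgroup hierarchy is needed, then creates it with the same mount commands as the wiki. It goes beyond the wiki in two checks: it refuses on a cgroup v2 (unified) host, where the v1 named-hierarchy setup does not apply, and it only removes and restores the read-only protection of /sys/fs/cgroup when the host actually mounted it read-only (the wiki shows the remount only for systemd hosts). The helper names, the procps pgrep call and the stat/mountpoint utilities are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of x11docker: pick the cgroup hierarchy the host needs
# for a given container init and create it as the wiki describes. Decision logic
# is pure shell; create_cgroup_mount needs root and a cgroup v1 /sys/fs/cgroup.
set -eu

# Echo the named hierarchy the host must provide, or nothing if none is needed.
#   $1: host manager ("systemd" or "elogind")   $2: x11docker --init value
# (--dbus-system with elogind in the container falls in the elogind case too.)
needed_cgroup_mount() {
    case "$1:$2" in
        systemd:openrc|systemd:runit|systemd:sysvinit) echo elogind ;;
        elogind:systemd)                                echo systemd ;;
        *)                                              echo "" ;;
    esac
}

# Detect the host manager: systemd as PID 1, otherwise a running elogind daemon.
detect_host_init() {
    if [ "$(cat /proc/1/comm 2>/dev/null)" = systemd ]; then echo systemd
    elif pgrep -x elogind >/dev/null 2>&1; then echo elogind   # assumes procps pgrep
    else echo unknown
    fi
}

# Mount a named cgroup v1 hierarchy at /sys/fs/cgroup/$1, idempotently.
# Removes/restores the read-only protection of /sys/fs/cgroup only if the host
# mounted it read-only (systemd hosts do; elogind/OpenRC hosts usually do not).
create_cgroup_mount() {
    name=$1; target=/sys/fs/cgroup/$name
    fstype=$(stat -f -c %T /sys/fs/cgroup)              # "tmpfs" on cgroup v1 hosts
    [ "$fstype" = tmpfs ] || { echo "cgroup v2 host ($fstype): v1 setup does not apply" >&2; return 1; }
    if mountpoint -q "$target"; then echo "$target already mounted"; return 0; fi
    opts=$(awk '$2 == "/sys/fs/cgroup" { print $4 }' /proc/mounts)
    case ",$opts," in *,ro,*) was_ro=1 ;; *) was_ro=0 ;; esac
    if [ "$was_ro" = 1 ]; then mount -o remount,rw cgroup /sys/fs/cgroup; fi   # remove write protection
    mkdir -p "$target"
    mount -t cgroup cgroup "$target" -o none,name="$name"
    if [ "$was_ro" = 1 ]; then mount -o remount,ro cgroup /sys/fs/cgroup; fi   # restore write protection
}

# Usage as root: sh setup-cgroup.sh <container --init value>
if [ -n "${1-}" ]; then
    need=$(needed_cgroup_mount "$(detect_host_init)" "$1")
    if [ -n "$need" ]; then create_cgroup_mount "$need"; else echo "no extra cgroup mount needed"; fi
fi
```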