
Init systems

mviereck edited this page Apr 22, 2019 · 11 revisions

Init in docker container

x11docker provides option --init to specify the init system (PID 1) in the container. Running an init in the container solves the zombie reaping issue: orphaned child processes are adopted and reaped by PID 1 instead of lingering as zombies.

By default x11docker uses tini, which is usually shipped with docker as /usr/bin/docker-init. tini already serves the most important purposes.

Init systems runit, openrc and sysvinit degrade container isolation a bit. systemd degrades container isolation a lot. In particular, user switching inside the container becomes possible.

  • Look at Dependencies in image for --init=systemd|sysvinit|openrc|runit.

  • A few applications depend on DBus in container.

  • A few applications depend on systemd-logind that is only available with systemd. A possible replacement is elogind started with one of --init=openrc|runit|sysvinit or --dbus-system.

tini

--init, --init=tini: Default of x11docker.

  • Uses /usr/bin/docker-init from the host, which is in fact tini.
  • On some distributions /usr/bin/docker-init is missing from the docker package; compare issue #23. To provide a replacement, download tini-static from https://github.com/krallin/tini and store it at one of the following locations:
    • ~/.local/share/x11docker
    • /usr/local/share/x11docker

These steps as shell commands:

mkdir -p ~/.local/share/x11docker    # one of the locations x11docker searches for tini-static
cd ~/.local/share/x11docker
wget https://github.com/krallin/tini/releases/download/v0.18.0/tini-static
chmod +x tini-static                 # the downloaded file is not executable yet

systemd

--init=systemd: Runs init system systemd in container.

  • This includes option --sharecgroup, which shares /sys/fs/cgroup with the container.
  • Old systemd versions also need the quite insecure and discouraged option --sys-admin.
  • Example: x11docker --init=systemd --desktop x11docker/lxde

OpenRC

--init=openrc: Runs init system OpenRC in container.

  • cgroup usage is possible with option --sharecgroup.
  • Example: x11docker --init=openrc --desktop x11docker/fvwm

runit

--init=runit: Runs init system runit in container.

  • Example: x11docker --init=runit --desktop x11docker/enlightenment

SysVinit

--init=sysvinit: Runs init system SysVinit in container.

No init system

--init=none: Does not run any init system in the container. The image command will be PID 1, so reaping zombie processes is then up to it.

DBus

A few applications depend on DBus and/or a specific init system. It is possible to run the DBus system daemon in the container directly with option --dbus-system. Due to some issues it is preferred to use one of the init systems systemd, runit, openrc or sysvinit instead, which start DBus automatically. Compare README.md: DBus.

elogind

elogind is not an init system, but it allows applications that would otherwise depend on systemd-logind to run without systemd.

  • x11docker automatically supports elogind in the container with init system options --init=openrc|runit|sysvinit and with option --dbus-system.
    • elogind also needs option --sharecgroup.
  • Dependencies in image: elogind and libpam-elogind. They are available at least in devuan and in debian:buster.

elogind cgroup setup

tl;dr: Run x11docker as root to not worry about anything.

  • If your host does not run with elogind (but e.g. with systemd), x11docker needs an elogind cgroup mountpoint at /sys/fs/cgroup/elogind. Run x11docker with root privileges to create it automatically.
  • The same applies to elogind on the host and systemd in the container: a cgroup mountpoint for systemd must be created. x11docker does this automatically if it runs as root.
  • If you want to set up the cgroup manually:
    • Create elogind cgroup mountpoint on a systemd host:
    mount -o remount,rw cgroup /sys/fs/cgroup  # remove write protection
    mkdir -p /sys/fs/cgroup/elogind
    mount -t cgroup cgroup /sys/fs/cgroup/elogind -o none,name=elogind
    mount -o remount,ro cgroup /sys/fs/cgroup  # restore write protection
    
    • Create a systemd cgroup mountpoint on an elogind host:
    mkdir -p /sys/fs/cgroup/systemd
    mount -t cgroup cgroup /sys/fs/cgroup/systemd -o none,name=systemd
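
As an added helper (not part of x11docker), the following POSIX shell script encodes the host/container combinations above: it reports whether the named cgroup hierarchy the container side needs is already mounted on the host and prints the commands from this page instead of running them. It assumes the host mount table is readable at /proc/self/mounts and uses the value elogind for the container side whenever --init=openrc|runit|sysvinit with elogind in the image, or --dbus-system, is used.

```shell
#!/bin/sh
# Assumed helper, not x11docker code: decide which named cgroup hierarchy a
# host/container combination needs, check the host mount table, and print the
# mount commands from the wiki. Nothing here mounts anything.
# MOUNTS is assumed to be a mounts table; tests may point it at a constructed file.
MOUNTS="${MOUNTS:-/proc/self/mounts}"

# cgroup_needed HOST CONTAINER -> prints "elogind", "systemd" or nothing.
# HOST/CONTAINER are "systemd" or "elogind" (the manager each side runs).
cgroup_needed() {
    case "$1:$2" in
        systemd:elogind) echo elogind ;;   # systemd host, elogind in container
        elogind:systemd) echo systemd ;;   # elogind host, systemd in container
        *) ;;                              # same manager on both sides
    esac
}

# cgroup_mounted NAME -> succeeds if /sys/fs/cgroup/NAME is listed in $MOUNTS as a
# cgroup mount whose options carry name=NAME (the named-hierarchy marker).
cgroup_mounted() {
    grep -E "^[^ ]+ /sys/fs/cgroup/$1 cgroup [^ ]*name=$1( |,)" "$MOUNTS" >/dev/null 2>&1
}

# cgroup_status HOST CONTAINER -> prints nothing|present|missing
cgroup_status() {
    name=$(cgroup_needed "$1" "$2")
    if [ -z "$name" ]; then echo nothing
    elif cgroup_mounted "$name"; then echo present
    else echo missing
    fi
}

# cgroup_commands NAME -> prints the root commands from the wiki for that hierarchy
cgroup_commands() {
    case "$1" in
        elogind)   # on a systemd host /sys/fs/cgroup is read-only, so remount around the change
            echo "mount -o remount,rw cgroup /sys/fs/cgroup"
            echo "mkdir -p /sys/fs/cgroup/elogind"
            echo "mount -t cgroup cgroup /sys/fs/cgroup/elogind -o none,name=elogind"
            echo "mount -o remount,ro cgroup /sys/fs/cgroup" ;;
        systemd)
            echo "mkdir -p /sys/fs/cgroup/systemd"
            echo "mount -t cgroup cgroup /sys/fs/cgroup/systemd -o none,name=systemd" ;;
    esac
}

# Usage: sh cgroup-plan.sh HOST CONTAINER
if [ $# -eq 2 ]; then
    st=$(cgroup_status "$1" "$2"); echo "$st"
    [ "$st" = missing ] && cgroup_commands "$(cgroup_needed "$1" "$2")"
fi
```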
    