
x11docker: Run GUI applications in Docker or podman containers.

Avoid X security leaks and enhance container security


Introduction

x11docker allows you to run graphical desktop applications (and entire desktops) in Linux containers.

Software can be installed in a deployable image with a rudimentary Linux system inside. This can help to run or deploy software that is difficult to install on several systems due to dependency issues. It is possible to run outdated versions or latest development versions side by side. Files to work on can be shared between host and container.

x11docker wiki provides some how-to's for basic setups without x11docker.

Docker Desktop or Docker Engine

For some time now Docker has distributed a version called "Docker Desktop" that runs Docker in a QEMU VM. x11docker is not designed to support this VM-based version. Instead, use x11docker with the native "Docker Engine Server version" that uses your host kernel to run containers.

TL;DR

For a quick start:

Features

Supported systems

x11docker runs on Linux and (with some setup and limitations) on MS Windows. x11docker does not run on macOS except in a Linux VM.

Terminal syntax

Just type x11docker IMAGENAME [COMMAND].

General syntax:

Usage:
To run a container on a new X server:
  x11docker IMAGE
  x11docker [OPTIONS] IMAGE [COMMAND]
  x11docker [OPTIONS] -- IMAGE [COMMAND [ARG1 ARG2 ...]]
  x11docker [OPTIONS] -- CUSTOM_RUN_OPTIONS -- IMAGE [COMMAND [ARG1 ARG2 ...]]
To run a host application on a new X server:
  x11docker [OPTIONS] --backend=host COMMAND
  x11docker [OPTIONS] --backend=host -- COMMAND [ARG1 ARG2 ...]
  x11docker [OPTIONS] --backend=host -- -- COMMAND [ARG1 ARG2 ...] -- [ARG3]
To run only an empty new X server:
  x11docker [OPTIONS] --xonly

CUSTOM_RUN_OPTIONS are just added to the docker|podman|nerdctl run command without a serious check by x11docker.

Options

Description of some commonly used feature options.

Choice of X servers and Wayland compositors

If no X server option is specified, x11docker automatically chooses one depending on installed dependencies and on given or missing options --desktop, --gpu and --wayland. Most recommended are nxagent and Xephyr.

Desktop or seamless mode

x11docker assumes that you want to run a single application in seamless mode, i.e. a single window on your regular desktop. If you want to run a desktop environment from the image, add option --desktop.

Internet access

By default x11docker disables network access for containers with --network=none because it targets the best possible container isolation. To allow internet access, set option -I or --network.

Shared folders, volumes and HOME in container

Changes in a running container's filesystem are lost when the container is discarded at the end of the session. For persistent data storage you can share host directories or volumes:

Note that x11docker copies files from /etc/skel in the container to HOME if HOME is empty. That allows the image to provide predefined user configurations.
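The /etc/skel seeding described above, reproduced as an added shell example (this is not x11docker's own code): HOME is populated from the skeleton directory only when it is empty, so a persistent HOME from an earlier session, or one that already holds dotfiles, is never overwritten. The skeleton and HOME paths are passed as arguments so the example can run against constructed temporary directories instead of the real /etc/skel.

```shell
#!/bin/sh
# Added example, not part of x11docker: seed HOME from a skeleton directory
# only when HOME is empty, mirroring the behaviour described in the text.

# seed_home SKEL_DIR HOME_DIR : copy the contents of SKEL_DIR (dotfiles
# included, permissions preserved) into HOME_DIR if HOME_DIR is missing or
# empty. Prints "seeded" or "kept" so callers can tell which branch ran.
seed_home() {
  skel=$1
  home=$2
  mkdir -p "$home"
  # "ls -A" lists hidden entries too, so a HOME holding only dotfiles
  # counts as non-empty and is left alone.
  if [ -n "$(ls -A "$home")" ]; then
    echo kept
    return 0
  fi
  # The trailing "/." copies the directory's contents including dotfiles;
  # -a preserves modes, timestamps and symlinks.
  cp -a "$skel/." "$home/"
  echo seeded
}

# demo_seed : constructed demonstration with a fake skeleton (a dotfile and a
# nested config directory) and a fresh HOME. Returns the two branch results
# and the seeded .profile content on one line.
demo_seed() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/skel/.config/app"
  printf 'theme=dark\n' > "$tmp/skel/.config/app/settings"
  printf 'export EDITOR=vi\n' > "$tmp/skel/.profile"

  first=$(seed_home "$tmp/skel" "$tmp/home")      # empty HOME: seeded
  printf 'user data\n' > "$tmp/home/notes.txt"
  second=$(seed_home "$tmp/skel" "$tmp/home")     # non-empty HOME: kept

  profile=$(cat "$tmp/home/.profile")
  rm -rf "$tmp"
  printf '%s %s %s\n' "$first" "$second" "$profile"
}

demo_seed
```

The second call is the case that matters for option --home: once user data exists, rerunning the seeding step must be a no-op, otherwise the image's defaults would silently clobber a user's saved configuration.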

GPU hardware acceleration

Hardware acceleration for OpenGL is possible with option -g, --gpu.

Clipboard

Clipboard sharing is possible with option -c, --clipboard [=ARG].

Sound

Sound is possible with options -p, --pulseaudio and --alsa.

Webcam

Webcams on host can be shared with option --webcam.

Printer

Printers on host can be provided to container with option --printer.

Language locales

x11docker provides option --lang for flexible language locale settings.

Wayland

To run Wayland instead of an X server x11docker provides options --wayland, --weston, --kwin and --hostwayland. For further description look at the wiki: Description of Wayland options.

Init system

x11docker supports several init systems as PID 1 in the container with option --init. An init in the container solves the zombie reaping issue. By default x11docker uses tini in /usr/bin/docker-init. Also available are systemd, SysVinit, runit, OpenRC and s6-overlay. elogind is supported, too. Look at the wiki: Init systems in Docker.

DBus

Some desktop environments and applications need a running DBus system daemon and/or DBus user session. DBus options need dbus in image.

Container runtime

It is possible to run containers with different runtimes that follow the OCI runtime specification. Docker's default runtime is runc. You can specify another one with option --runtime=RUNTIME. Container runtimes known and supported by x11docker are:

Using different runtimes is well tested for rootful Docker, but not for other backend setups.

Example: possible runtime configuration in /etc/docker/daemon.json:

{
  "default-runtime": "runc",
  "runtimes": {
    "crun": {
      "path": "/usr/local/bin/crun",
      "runtimeArgs": []
    },
    "nvidia": {
      "path": "nvidia-container-runtime",
      "runtimeArgs": []
    },
    "sysbox-runc": {
      "path": "/usr/bin/sysbox-runc"
    }
  }
}

Backends other than docker

x11docker supports container tools Docker, podman and nerdctl with option --backend=BACKEND in rootful and rootless mode. Supported --backend arguments: docker podman nerdctl host

Container backends:

Other supported backends that are in fact no containers:

Preconfiguration with --preset

For frequently used option combinations you might want to use option --preset FILENAME to have a command shortcut. FILENAME is a file in ~/.config/x11docker/preset or in /etc/x11docker/preset containing some x11docker options.

Default preset for all x11docker sessions

You can create a default preset file that is applied on all x11docker sessions. You can think of it as a configuration file for x11docker.

In the same way you can specify other options as defaults, e.g. --homebasedir=/my/containerhome/path. Note that a local user default file supersedes a system-wide default file.

Security

The scope of x11docker is to run containerized GUI applications while preserving and improving container isolation. The core concept is:

That being said, the default docker capabilities and the seccomp/SELinux/apparmor profiles are set up well to protect the host system. Nonetheless, x11docker follows the principle of least privilege. Containers should not have capabilities or privileges that they don't need for their job.

Security weaknesses

Options degrading container isolation

x11docker shows warning messages in terminal if chosen options degrade container isolation. Note that x11docker does not check custom DOCKER_RUN_OPTIONS.
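The statement above that custom run options are passed through unchecked, together with the three-segment command syntax from "Terminal syntax" (x11docker [OPTIONS] -- CUSTOM_RUN_OPTIONS -- IMAGE [COMMAND]), is illustrated by the following added shell example. It is not x11docker's own code: it splits an argument list into the three segments the way the syntax describes and then reports which custom run options weaken isolation. The flag list in isolation_warnings is this example's own choice (the flags used in the examples on this page plus a few well-known docker run options of the same kind), not the set of checks x11docker performs.

```shell
#!/bin/sh
# Added example, not x11docker's own code: split an x11docker command line into
#   [OPTIONS] -- CUSTOM_RUN_OPTIONS -- IMAGE [COMMAND [ARG...]]
# and warn about custom run options that weaken container isolation, since
# x11docker hands them to the backend without checking them.

# split_args N ARG... : print segment N (1 = x11docker options, 2 = custom run
# options, 3 = image and command), one argument per line.
# With a single "--" there are no custom run options: everything after the
# separator is segment 3. With no "--" at all, the first word not starting
# with "-" is taken as the image, so this simplified parser expects the
# --option=value form for segment 1 in that case.
split_args() {
  want=$1
  shift
  nsep=0
  for a in "$@"; do
    if [ "$a" = "--" ]; then nsep=$((nsep + 1)); fi
  done
  seg=1
  for a in "$@"; do
    if [ "$a" = "--" ]; then
      if [ "$nsep" -eq 1 ]; then seg=3; else seg=$((seg + 1)); fi
      continue
    fi
    if [ "$seg" -eq 1 ] && [ "$nsep" -eq 0 ]; then
      case $a in
        -*) ;;          # still an x11docker option
        *) seg=3 ;;     # first bare word is the image
      esac
    fi
    if [ "$seg" -eq "$want" ]; then printf '%s\n' "$a"; fi
  done
  return 0
}

# isolation_warnings ARG... : print a warning to stderr for each custom run
# option that reduces isolation and return the warning count on stdout.
# Handles both "--cap-add=CAP" and "--cap-add CAP" forms, and only flags
# --security-opt when its value disables a confinement profile.
isolation_warnings() {
  n=0
  prev=
  for a in "$@"; do
    warn=
    case $a in
      --privileged|--cap-add=*|--network=host|--net=host|--pid=host|--ipc=host|--userns=host)
        warn="$a weakens container isolation" ;;
      *=unconfined)
        if [ "$prev" = "--security-opt" ]; then
          warn="--security-opt $a disables a confinement profile"
        fi ;;
      *)
        if [ "$prev" = "--cap-add" ]; then
          warn="--cap-add $a weakens container isolation"
        fi ;;
    esac
    if [ -n "$warn" ]; then
      echo "WARNING: $warn" >&2
      n=$((n + 1))
    fi
    prev=$a
  done
  echo "$n"
}

# check_command_line ARG... : run the splitter on a full x11docker argument
# list and count the warnings for its custom run options (segment 2).
check_command_line() {
  custom=$(split_args 2 "$@")
  if [ -z "$custom" ]; then
    echo 0
    return 0
  fi
  # Rebuild "$@" from the newline-separated list; -f keeps globs literal.
  nl=$(printf '\nx')
  nl=${nl%x}
  set -f
  IFS=$nl
  set -- $custom
  unset IFS
  set +f
  isolation_warnings "$@"
}

# Demonstration with two commands from the examples on this page.
echo "Firefox example, x11docker options:"
split_args 1 -I --share "${HOME:-/home/user}/Downloads" -- --tmpfs /dev/shm -- jess/firefox
echo "deepin screenshot example, isolation warnings:"
check_command_line --desktop --gpu --init=systemd -- --cap-add=IPC_LOCK --security-opt seccomp=unconfined -- x11docker/deepin
```

Note the asymmetry the example makes visible: --cap-add=IPC_LOCK and seccomp=unconfined sit in the middle segment, which is exactly the part x11docker forwards without inspection, while --tmpfs /dev/shm in the Firefox command lands in the same segment but does not lower isolation. A wrapper script that runs x11docker for less experienced users can apply a check like this before execution.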

Most important:

Rather special options reducing security, but not needed for regular use:

Sandbox

Container isolation enhanced with x11docker allows you to use containers as a sandbox that fairly well protects the host system from possibly malicious or buggy software. However, no sandbox solution in the wild can provide perfectly secure protection, and Docker, even with the enhanced security settings from x11docker, is no exception.

Using x11docker as a sandbox is not intended to run obviously evil software. Rather use it as:

x11docker already restricts process capabilities. You can additionally restrict access to CPU and RAM with option --limit. By default --limit restricts the container to 50% of available CPUs and 50% of currently free RAM. Another amount can be specified with --limit=FACTOR, with a FACTOR greater than zero and less than or equal to one.

For more custom fine tuning have a look at Docker documentation: Limit a container's resources.

WARNING: There is no restriction that can prevent the container from flooding the hard disk storing the container or in shared folders.

Security and feature check

To check container isolation and some feature options use image x11docker/check and try out with several options.

Installation

Note that x11docker is just a bash script without library dependencies. Basically it is a wrapper for X servers and the container backends docker, podman and nerdctl. For advanced usage of x11docker's abilities, have a look at chapter Dependencies.

Installation from distribution repositories

x11docker is available as a package in some distributions.

Stable releases:



Latest git master/beta version:


Many thanks to the maintainers who decided to provide these packages! There are some hints for packaging x11docker in the wiki.

Manual installation

Installation options

As root you can install, update and remove x11docker in system directories to be available system-wide:

To see the difference between the current and the coming updated version, you can use the optional argument diff for --update and --update-master. Example: x11docker --update-master=diff shows you the code changes from your current installation to the latest master/beta version without installing it.

Installed files

What the installation does (just for information):

Shortest way for first installation:

Minimal installation

You can run x11docker from an arbitrary location with bash x11docker or ./x11docker. For a minimal system-wide installation make x11docker executable with chmod +x x11docker and move it to /usr/local/bin (or another location in PATH). Files other than the script x11docker itself are not essential.

Installation on MS Windows

x11docker can run natively on MS Windows, optionally in one of:

Further information at wiki: x11docker on MS Windows.

Deinstallation

You can remove x11docker with x11docker --remove. That will remove the files listed above. It will also remove ~/.cache/x11docker and stop all running x11docker containers. x11docker will not remove:

Dependencies

x11docker can run with standard system utilities without additional dependencies on host or in image.

Dependencies in image:

Troubleshooting

For troubleshooting run x11docker in a terminal. x11docker shows warnings if something is insecure, missing or going wrong. Also it shows notes if options don't work and fallbacks are used. It might give hints to fix some issues.

Core checks

1. Make sure your x11docker version is up to date with x11docker --update (latest release) or x11docker --update-master (latest beta).

2. Carefully read the regular x11docker messages. Often they already give a hint what to do.

3. Try another X server option.

Privilege checks

Some applications need more privileges or capabilities than x11docker provides by default. One approach is to grant several privileges until the setup works, then reduce privileges step by step to find out which ones are really needed. (Note the -- in the following commands, do not miss them.)

1. Adding privileges:

2. Reducing privileges:

3. Open a ticket to ask for possibilities how to optimize the privilege setup.

Other checks

1. Container user: By default x11docker sets up an unprivileged container user similar to your host user.

2. Init and DBus

3. Architecture check of host OS and image

Contact

Feel free to open a ticket if you have a question or encounter an issue.

Issues

If reporting an issue:

Contributing

If you want to contribute to x11docker, please open a ticket before creating a pull request. Often it is possible to accomplish desired tasks with already available options. Note that x11docker is considered to be stable and changes other than bug fixes are less likely to be merged. In general new features are not intended.

Support

Please open a ticket if you need support. Please note that x11docker is a non-commercial project maintained in free time. I'll help where I can, but there is no organisation behind x11docker that can provide large scale support.

Donation

If you would like to make a donation: Thank you! :) Please have a look at my sponsor site.

Instead of sponsoring me, you can as well spend some money to Galsan Tschinag in Mongolia (Wikipedia). One of his great projects is the afforestation of Mongolia. A donation account in Germany is provided by Förderverein Mongolei e.V..

Förderverein Mongolei e.V.
IBAN DE7261290120 0394 3660 00
BIC GENODES1NUE
Volksbank Kirchheim-Nürtingen

I personally know some of the people behind this. I assure that they are trustworthy and have a great heart and soul and do a good thing.

Examples

Some x11docker image examples with desktop environments can be found on docker hub. A special one to check features and container isolation is x11docker/check.

Docker does not provide automated builds for free anymore, so the images are becoming outdated. Instead of pulling them, rather build them locally with x11docker option --build.

Some x11docker Dockerfiles are provided at https://github.com/mviereck?tab=repositories; look for repositories beginning with dockerfile-x11docker. You can build locally from these Dockerfiles with x11docker option --build. Example:

x11docker --build x11docker/fvwm

Single applications

Application | x11docker command
Xfce4 Terminal | x11docker x11docker/xfce xfce4-terminal
GLXgears with hardware acceleration | x11docker --gpu x11docker/xfce glxgears
Kodi media center with hardware acceleration, Pulseaudio sound and shared Videos folder. For setup look at ehough/docker-kodi. | x11docker --gpu --pulseaudio --share ~/Videos erichough/kodi
XaoS fractal generator | x11docker patricknw/xaos
Telegram messenger with persistent HOME for configuration storage | x11docker --home xorilog/telegram
Firefox with shared Download folder and internet access | x11docker -I --share $HOME/Downloads -- --tmpfs /dev/shm -- jess/firefox
Tor browser | x11docker -I jess/tor-browser
Chromium browser with restricted resource usage | x11docker -I --limit -- jess/chromium --no-sandbox
VLC media player with shared Videos folder and Pulseaudio sound | x11docker --pulseaudio --share=$HOME/Videos jess/vlc
GNU Octave Scientific Programming Language built for arm & arm64 | x11docker aptman/dbhi:bionic-octave octave

Desktop environments

Desktop environment (most based on Debian) | x11docker command
Cinnamon | x11docker --desktop --gpu --init=systemd --cap-default x11docker/cinnamon
deepin (website) (3D desktop from China) | x11docker --desktop --gpu --init=systemd -- --cap-add=IPC_LOCK -- x11docker/deepin
Enlightenment (based on Void Linux) | x11docker --desktop --gpu --runit x11docker/enlightenment
Fluxbox (based on Debian, 87 MB) | x11docker --desktop x11docker/fluxbox
FVWM (based on Alpine, 22.5 MB) | x11docker --desktop x11docker/fvwm
Gnome 3 | x11docker --desktop --gpu --init=systemd x11docker/gnome
KDE Plasma on X | x11docker --desktop --gpu --init=systemd x11docker/kde-plasma
KDE Plasma on Wayland | x11docker --kwin --wayland x11docker/kde-plasma plasmashell
KDE Plasma as nested Wayland compositor | x11docker --gpu --init=systemd -- --cap-add SYS_RESOURCE -- x11docker/kde-plasma startplasma-wayland
Lumina (website) (based on Void Linux) | x11docker --desktop x11docker/lumina
LiriOS (based on Fedora) | x11docker --desktop --gpu lirios/unstable
LXDE | x11docker --desktop x11docker/lxde
LXDE with wine and PlayOnLinux and a persistent HOME folder to preserve installed Windows applications, and with Pulseaudio sound | x11docker --desktop --home --pulseaudio x11docker/lxde-wine
LXQt | x11docker --desktop x11docker/lxqt
Mate | x11docker --desktop x11docker/mate
Trinity (website) (successor of KDE 3) | x11docker --desktop x11docker/trinity
Xfce | x11docker --desktop x11docker/xfce

Adjust images for your needs

For persistent changes to the image system, adjust the Dockerfile and rebuild. To add custom applications to x11docker example images you can create a new Dockerfile based on them. Example:

# xfce desktop with VLC media player
FROM x11docker/xfce
RUN apt-get update && apt-get install -y vlc

Screenshots

More screenshots are stored in the screenshot branch.

Screenshot: x11docker --desktop x11docker/lxqt

Screenshot: x11docker --desktop x11docker/lxde-wine

Screenshot: x11docker --desktop --gpu --init=systemd -- --cap-add=IPC_LOCK --security-opt seccomp=unconfined -- x11docker/deepin