dit4c / dockerfile-dit4c-container-x11

DIT4C container which provides X11 support via HTML5 VNC.
https://hub.docker.com/r/dit4c/dit4c-container-x11
MIT License

seccomp compatibility

Unfortunately, Xorg in Debian is currently incompatible with the seccomp profiles used by Docker & rkt. This is because the Xorg server is compiled to use libudev for device discovery. Annoyingly, libudev calls name_to_handle_at during normal operation, and that syscall is blacklisted in the default profiles for security reasons.

The long-term fix for this is a patched libudev or an Xorg server compiled without libudev support. In the meantime, the name_to_handle_at syscall must be allowed.

Docker

Disable seccomp, as the only other option is writing your own profile.

docker run --security-opt seccomp=unconfined -p 8080:8080 dit4c/dit4c-container-x11
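The "write your own profile" route, as an added example that is not part of the dit4c project: a small Python script that takes Docker's default seccomp profile (JSON with a defaultAction and a syscalls list), appends a single allow rule for name_to_handle_at, and leaves every other syscall as the default profile has it. MINIMAL_PROFILE is a constructed stand-in for the real default.json, and the file names in the usage comment are assumptions.

```python
import copy
import json
import sys

# Constructed, minimal stand-in for Docker's default seccomp profile (assumed to
# share the layout of the real default.json, which lists hundreds of syscalls).
# name_to_handle_at is absent, so defaultAction (SCMP_ACT_ERRNO) rejects it.
MINIMAL_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "open", "close"], "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}

def allowed_syscalls(profile):
    """Syscall names that some rule allows unconditionally (no arg filters)."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args"):
            names.update(rule.get("names", []))
    return names

def allow_syscall(profile, syscall):
    """Copy of `profile` with one extra allow rule for `syscall`; the default-deny
    action and every other rule stay as they were (default profile + one call,
    instead of the all-or-nothing --security-opt seccomp=unconfined)."""
    patched = copy.deepcopy(profile)
    if syscall in allowed_syscalls(patched):
        return patched  # already permitted, nothing to add
    patched.setdefault("syscalls", []).append(
        {"names": [syscall], "action": "SCMP_ACT_ALLOW", "args": []})
    return patched

def patch_profile_file(src, dst, syscall="name_to_handle_at"):
    """Read profile JSON from `src`, write the patched one to `dst`,
    return the syscalls that became newly allowed (for a sanity check)."""
    with open(src) as fh:
        profile = json.load(fh)
    patched = allow_syscall(profile, syscall)
    with open(dst, "w") as fh:
        json.dump(patched, fh, indent=2)
    return sorted(allowed_syscalls(patched) - allowed_syscalls(profile))

if __name__ == "__main__":
    # python patch_seccomp.py default.json x11-seccomp.json  (paths are assumptions), then:
    # docker run --security-opt seccomp=./x11-seccomp.json -p 8080:8080 dit4c/dit4c-container-x11
    print("newly allowed:", patch_profile_file(sys.argv[1], sys.argv[2]))
```

The returned list should contain only name_to_handle_at; anything else there means the source profile was not what you expected.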

rkt

Generate & patch the ACI to allow the single call required, or disable seccomp entirely.

Patch the ACI

# Convert the Docker image to an ACI (written as ./dit4c-dit4c-container-x11-latest.aci)
docker2aci docker://dit4c/dit4c-container-x11
export ACBUILD=$(which acbuild)
sudo $ACBUILD begin ./dit4c-dit4c-container-x11-latest.aci
# Keep rkt's default whitelist and retain only the one extra syscall Xorg needs
echo '{ "set": ["@rkt/default-whitelist", "name_to_handle_at"] }' | \
  sudo $ACBUILD isolator add "os/linux/seccomp-retain-set" -
sudo $ACBUILD write dit4c-dit4c-container-x11-latest-with-seccomp.aci
sudo $ACBUILD end

Then run the image normally:

sudo rkt run --insecure-options image --port 8080-tcp:8080 ./dit4c-dit4c-container-x11-latest-with-seccomp.aci

Disable entirely

sudo rkt run --insecure-options image,seccomp --port 8080-tcp:8080 docker://dit4c/dit4c-container-x11