DIT4C container which provides X11 support via HTML5 VNC.



seccomp compatibility

Unfortunately, Xorg in Debian is currently incompatible with the seccomp profiles used by Docker & rkt. This is because the Xorg server is compiled to use libudev for device discovery. Annoyingly, libudev calls name_to_handle_at during normal operation, which is blacklisted for security reasons.

The long-term fix for this is a patched libudev or Xorg server compiled without libudev support. In the meantime, the syscall name_to_handle_at must be allowed.


Docker

Disable seccomp, as the only other option is writing your own profile.

docker run --security-opt seccomp=unconfined -p 8080:8080 dit4c/dit4c-container-x11
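Writing your own profile, the other option mentioned above, can be as small as adding one rule to an allowlist profile such as Docker's default. The following is an added example in Python, not part of this repository; SAMPLE_PROFILE is a constructed, trimmed stand-in for the real default profile, and the output filename x11-seccomp.json is an assumption.

```python
import copy
import json

ALLOW = "SCMP_ACT_ALLOW"

# Constructed, heavily trimmed stand-in for Docker's default profile; a real
# run would load the default.json that matches your Docker version instead.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat"], "action": ALLOW, "args": []},
        # Conditional rule: applies only when the container holds this capability.
        {"names": ["open_by_handle_at"], "action": ALLOW, "args": [],
         "includes": {"caps": ["CAP_DAC_READ_SEARCH"]}},
    ],
}


def rule_names(rule):
    """Syscall names in a rule; older profiles use a single "name" key."""
    return rule.get("names") or ([rule["name"]] if "name" in rule else [])


def is_unconditional(rule):
    """True if the rule has no argument filters and no caps/arch conditions."""
    return not (rule.get("args") or rule.get("includes") or rule.get("excludes"))


def allows(profile, syscall):
    """True if an allowlist profile permits `syscall` without any condition."""
    return any(r.get("action") == ALLOW and is_unconditional(r)
               and syscall in rule_names(r) for r in profile.get("syscalls", []))


def allow_syscall(profile, syscall):
    """Return a copy of `profile` that additionally allows exactly one syscall."""
    if profile.get("defaultAction") == ALLOW:
        raise ValueError("not an allowlist profile; adding an allow rule is meaningless")
    patched = copy.deepcopy(profile)
    if not allows(patched, syscall):
        patched.setdefault("syscalls", []).append(
            {"names": [syscall], "action": ALLOW, "args": []})
    return patched


if __name__ == "__main__":
    with open("x11-seccomp.json", "w") as fh:
        json.dump(allow_syscall(SAMPLE_PROFILE, "name_to_handle_at"), fh, indent=2)
```

The resulting file is passed to Docker as --security-opt seccomp=x11-seccomp.json in place of seccomp=unconfined, so every other syscall restriction in the profile stays in force.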


rkt

Generate & patch the ACI to allow the single call required, or disable seccomp entirely.

Patch the ACI

docker2aci docker://dit4c/dit4c-container-x11
export ACBUILD=`which acbuild`
sudo $ACBUILD begin ./dit4c-dit4c-container-x11-latest.aci
echo '{ "set": ["@rkt/default-whitelist", "name_to_handle_at"] }' | \
  sudo $ACBUILD isolator add "os/linux/seccomp-retain-set" -
sudo $ACBUILD write dit4c-dit4c-container-x11-latest-with-seccomp.aci
sudo $ACBUILD end

Then run the image normally:

sudo rkt run --insecure-options image --port 8080-tcp:8080 ./dit4c-dit4c-container-x11-latest-with-seccomp.aci

Disable entirely

sudo rkt run --insecure-options image,seccomp --port 8080-tcp:8080 docker://dit4c/dit4c-container-x11