DIT4C container which provides X11 support via HTML5 VNC.
Unfortunately, Xorg in Debian is currently incompatible with the default seccomp profiles used by Docker & rkt. This is because the Xorg server is compiled to use libudev for device discovery, and libudev calls name_to_handle_at during normal operation, a syscall that both default profiles blacklist for security reasons.
The long-term fix for this is a patched libudev or an Xorg server compiled without libudev support. In the meantime, the name_to_handle_at syscall must be allowed.
With Docker, disable seccomp for the container, as the only other option is writing your own seccomp profile:
docker run --security-opt seccomp=unconfined -p 8080:8080 dit4c/dit4c-container-x11
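The "write your own profile" route means taking Docker's default seccomp profile and allowing only the one extra syscall, rather than running unconfined. The script below is an added example and not part of the DIT4C project; it assumes you pass in a copy of Docker's default profile (default.json), and the embedded SAMPLE_PROFILE is a constructed stand-in that only mirrors the file's shape.

```python
import copy
import json
import sys

ALLOW = "SCMP_ACT_ALLOW"

# Constructed stand-in for Docker's default.json (the real file allows ~300 syscalls);
# it mirrors the shape of the file, including a rule gated on a capability via "includes".
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "open"], "action": ALLOW, "args": []},
        {"names": ["name_to_handle_at", "mount"], "action": ALLOW, "args": [],
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}

def allowed_syscalls(profile):
    """Syscall names the profile allows unconditionally (no arg filter, no cap gate)."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != ALLOW or rule.get("args") or rule.get("includes"):
            continue  # filtered or capability-gated rules are not unconditional
        names.update(rule.get("names", []))
    return names

def allow_syscall(profile, syscall):
    """Return a deep copy of profile with syscall unconditionally allowed (idempotent)."""
    patched = copy.deepcopy(profile)
    if syscall not in allowed_syscalls(patched):
        patched.setdefault("syscalls", []).append({
            "names": [syscall],
            "action": ALLOW,
            "args": [],
            "comment": "needed by libudev device discovery in Xorg",
        })
    return patched

def main(argv):
    """Usage: allow_syscall.py default.json name_to_handle_at > x11-seccomp.json"""
    if len(argv) != 3:
        sys.exit(main.__doc__)
    with open(argv[1]) as fh:
        profile = json.load(fh)
    json.dump(allow_syscall(profile, argv[2]), sys.stdout, indent=2)

if __name__ == "__main__":
    main(sys.argv)
```

The resulting file is then passed to the container with `docker run --security-opt seccomp=x11-seccomp.json -p 8080:8080 dit4c/dit4c-container-x11`, keeping the rest of the default profile in force.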
With rkt, either generate and patch the ACI to allow the single extra syscall required, or disable seccomp entirely. To patch the ACI:
# Convert the Docker image to an ACI (produces dit4c-dit4c-container-x11-latest.aci)
docker2aci docker://dit4c/dit4c-container-x11
export ACBUILD=$(which acbuild)
sudo $ACBUILD begin ./dit4c-dit4c-container-x11-latest.aci
# Keep rkt's default whitelist and add only name_to_handle_at
echo '{ "set": ["@rkt/default-whitelist", "name_to_handle_at"] }' | \
sudo $ACBUILD isolator add "os/linux/seccomp-retain-set" -
sudo $ACBUILD write dit4c-dit4c-container-x11-latest-with-seccomp.aci
sudo $ACBUILD end
Then run the image normally:
sudo rkt run --insecure-options image --port 8080-tcp:8080 ./dit4c-dit4c-container-x11-latest-with-seccomp.aci
Alternatively, disable seccomp entirely for the rkt pod:
sudo rkt run --insecure-options image,seccomp --port 8080-tcp:8080 docker://dit4c/dit4c-container-x11