---
myst:
  html_meta:
    "description lang=en": "How to use the Sysbox Runtime with Kasm Workspaces to provide containers with elevated privileges in an isolated runtime."
    "keywords": "Kasm, How to, How-to, Web, Sysbox, Nestybox, Systemd"
    "property=og:locale": "en_US"
---
```{title} Sysbox Runtime
```
# Sysbox Runtime
A systemd init methodology is available in the following Kasm Workspaces container core images and all variants built on top of those images:
| Container | Source Code |
| :----: |--- |
| [kasmweb/core-almalinux-8:{{ release }}](https://hub.docker.com/r/kasmweb/core-almalinux-8) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core-oracle) |
| [kasmweb/core-almalinux-9:{{ release }}](https://hub.docker.com/r/kasmweb/core-almalinux-9) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core-oracle) |
| [kasmweb/core-debian-bullseye:{{ release }}](https://hub.docker.com/r/kasmweb/core-debian-bullseye) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core) |
| [kasmweb/core-debian-bookworm:{{ release }}](https://hub.docker.com/r/kasmweb/core-debian-bookworm) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core) |
| [kasmweb/core-kali-rolling:{{ release }}](https://hub.docker.com/r/kasmweb/core-kali-rolling) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core) |
| [kasmweb/core-opensuse-15:{{ release }}](https://hub.docker.com/r/kasmweb/core-opensuse-15) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core-suse) |
| [kasmweb/core-oracle-8:{{ release }}](https://hub.docker.com/r/kasmweb/core-oracle-8) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core-oracle) |
| [kasmweb/core-oracle-9:{{ release }}](https://hub.docker.com/r/kasmweb/core-oracle-9) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core-oracle) |
| [kasmweb/core-parrotos-5:{{ release }}](https://hub.docker.com/r/kasmweb/core-parrotos-5) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core) |
| [kasmweb/core-rockylinux-8:{{ release }}](https://hub.docker.com/r/kasmweb/core-rockylinux-8) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core-oracle) |
| [kasmweb/core-rockylinux-9:{{ release }}](https://hub.docker.com/r/kasmweb/core-rockylinux-9) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core-oracle) |
| [kasmweb/core-ubuntu-focal:{{ release }}](https://hub.docker.com/r/kasmweb/core-ubuntu-focal) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core) |
| [kasmweb/core-ubuntu-jammy:{{ release }}](https://hub.docker.com/r/kasmweb/core-ubuntu-jammy) | [Dockerfile](https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core) |

This allows any container based on these core images to be run with the [Sysbox Runtime](https://www.nestybox.com/sysbox) and to init with [systemd](https://www.freedesktop.org/wiki/Software/systemd/).
When using Sysbox, containers behave much more like virtual machines, which allows users in a shared environment to run at root level in their Workspaces with a lower risk of escaping isolation.
```{note}
When using the Sysbox Runtime for a Kasm Workspaces session, it will take much longer for the Workspaces to be ready compared to launching with native Docker init. This is due to the general overhead of using shiftfs, along with a full systemd init chain that must run before the KasmVNC service is finally started.
```
## Installing Sysbox
Before getting started, see the list of supported host operating systems [here](https://github.com/nestybox/sysbox/blob/master/docs/distro-compat.md#supported-linux-distros) and the official installation guide [here](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/install-package.md). This guide does not replace the existing Sysbox methodology; it only reviews our recommended setup for using the `sysbox-runc` runtime.
Currently, we recommend using an [Ubuntu Jammy](https://releases.ubuntu.com/jammy/) host running the 5.15 LTS kernel with a manual installation of [shiftfs-dkms](https://github.com/toby63/shiftfs-dkms).
### Install shiftfs
While kernel 5.15 in Ubuntu Jammy does support shiftfs, it is best to install an up-to-date version for performance reasons.
```
sudo apt-get update
sudo apt-get install -y make dkms git wget
git clone -b k5.16 https://github.com/toby63/shiftfs-dkms.git shiftfs-k516
cd shiftfs-k516/
./update1
sudo make -f Makefile.dkms
modinfo shiftfs
```
You should see output similar to:
```
filename: /lib/modules/5.15.0-1031-aws/updates/dkms/shiftfs.ko
license: GPL v2
description: id shifting filesystem
author: Christian Brauner
author: Seth Forshee
author: James Bottomley
alias: fs-shiftfs
```
At this point shiftfs is ready, but it is best to reboot the machine before continuing: `sudo reboot`.
### Install Sysbox Runtime
As mentioned previously, this step should be performed after Docker is installed but before Kasm Workspaces is installed. Sysbox can be installed on a machine with an active Kasm Workspaces deployment, but we cannot guarantee that containers will not be removed or deleted.
```
sudo apt-get install jq wget
wget https://downloads.nestybox.com/sysbox/releases/v0.6.1/sysbox-ce_0.6.1-0.linux_amd64.deb
sudo apt-get install ./sysbox-ce_0.6.1-0.linux_amd64.deb
```
After installation, confirm that the Docker daemon was configured correctly:
```
cat /etc/docker/daemon.json
{
  "runtimes": {
    "sysbox-runc": {
      "path": "/usr/bin/sysbox-runc"
    }
  },
  "bip": "172.20.0.1/16",
  "default-address-pools": [
    {
      "base": "172.25.0.0/16",
      "size": 24
    }
  ]
}
```
## Configuring Workspaces to use Sysbox Runtime
Any Workspace that should leverage the Sysbox Runtime needs its runtime set to use systemd for init. This can be achieved with the following `Docker Run Config Override (JSON)`:
```
{
  "runtime": "sysbox-runc",
  "entrypoint": [
    "/sbin/init"
  ],
  "user": 0
}
```
This setting can be Workspace specific under `Admin > Workspaces > Workspaces > Edit > Docker Run Config Override (JSON)` or set at a group level with `Access Management > Groups > Edit > Settings tab > Add Setting > run_config`.
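
The following check is an added example, not part of the Kasm or Sysbox documentation. It audits a `daemon.json` and a Docker Run Config Override against the values shown on this page, and flags an override that keeps `"user": 0` but lacks `"runtime": "sysbox-runc"`. The function names and the `BAD_OVERRIDE` sample are constructed for illustration.

```python
import json

SYSBOX = "sysbox-runc"

# daemon.json and override as shown on this page.
PAGE_DAEMON_JSON = """{
  "runtimes": {"sysbox-runc": {"path": "/usr/bin/sysbox-runc"}},
  "bip": "172.20.0.1/16",
  "default-address-pools": [{"base": "172.25.0.0/16", "size": 24}]
}"""
PAGE_OVERRIDE = '{"runtime": "sysbox-runc", "entrypoint": ["/sbin/init"], "user": 0}'
# Constructed sample: the "runtime" key was dropped while editing the override.
BAD_OVERRIDE = '{"entrypoint": ["/sbin/init"], "user": 0}'


def audit_daemon(daemon_json):
    """Return findings if dockerd does not have sysbox-runc registered."""
    runtime = json.loads(daemon_json).get("runtimes", {}).get(SYSBOX)
    if runtime is None:
        return ["daemon.json: runtime sysbox-runc is not registered"]
    if runtime.get("path") != "/usr/bin/sysbox-runc":
        return ["daemon.json: unexpected sysbox-runc path %r" % runtime.get("path")]
    return []


def audit_override(override_json):
    """Return findings where an override departs from the one on this page."""
    cfg = json.loads(override_json)
    findings = []
    uses_sysbox = cfg.get("runtime") == SYSBOX
    # Docker accepts "uid", "uid:gid" or a name; only the user part matters.
    is_root = str(cfg.get("user", "")).split(":")[0] in ("0", "root")
    entrypoint = cfg.get("entrypoint")
    if isinstance(entrypoint, str):
        entrypoint = [entrypoint]
    if is_root and not uses_sysbox:
        findings.append("override: user 0 without runtime sysbox-runc, "
                        "root runs outside Sysbox isolation")
    if uses_sysbox and entrypoint != ["/sbin/init"]:
        findings.append("override: entrypoint is not /sbin/init, systemd is not init")
    if uses_sysbox and not is_root:
        findings.append("override: user is not 0 as in the documented override")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_OVERRIDE), ("bad", BAD_OVERRIDE)):
        print(name, audit_override(text) or "ok")
    print("daemon", audit_daemon(PAGE_DAEMON_JSON) or "ok")
```

Running the same audit over group-level `run_config` settings catches overrides that grant root without the Sysbox runtime before a session is launched.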
```{note}
When using the Sysbox Runtime, the Workspace will lose the ability to leverage an NVIDIA GPU using the [NVIDIA Container Runtime](https://developer.nvidia.com/nvidia-container-runtime). DRI3 using open source drivers will still function in a Sysbox Workspace; for more information, see the [DRI3 documentation](../how_to/manual_intel_amd.md).
```