Sysbox Runtime
A systemd init methodology is available in the following Kasm Workspaces container core images and all variants built on top of those images:
Container |
Source Code |
---|---|
This allows any container based off of these core images to be run with the Sysbox Runtime and init with systemd.
When using Sysbox, containers behave much closer to Virtual Machines and allow users in a shared environment to run at root level in their Workspaces with a lower risk of escaping isolation.
Note
When using the Sysbox Runtime for a Kasm Workspaces session it will take much longer for the Workspaces to be ready as compared to launching with native Docker init. This is due to the general overhead of using shiftfs along with a full systemd init chain needing to be run before the KasmVNC service is finally started.
Installing Sysbox
Before getting started see the list of supported host operating systems here, and the official installation guide here. The purpose of this guide is not to replace the existing Sysbox methodology just review our recommended setup for using the sysbox-runc
runtime.
Currently we recommend using an Ubuntu Jammy host running the 5.15 LTS kernel with a manual installation of shiftfs-dkms.
Install shiftfs
While Kernel 5.15 in Ubuntu Jammy does support shiftfs it is best to install an up to date version for performance reasons.
sudo apt-get update
sudo apt-get install -y make dkms git wget
git clone -b k5.16 https://github.com/toby63/shiftfs-dkms.git shiftfs-k516
cd shiftfs-k516/
./update1
sudo make -f Makefile.dkms
modinfo shiftfs
You should see output similar to:
filename: /lib/modules/5.15.0-1031-aws/updates/dkms/shiftfs.ko
license: GPL v2
description: id shifting filesystem
author: Christian Brauner <christian.brauner@ubuntu.com>
author: Seth Forshee <seth.forshee@canonical.com>
author: James Bottomley
alias: fs-shiftfs
At this point shiftfs is ready, but best to reboot the machine before continuing sudo reboot
.
Install Sysbox Runtime
As mentioned previously this step should be performed after Docker is installed but before Kasm Workspaces is installed. Sysbox can be installed on top of a machine with an active Kasm Workspaces deployment, but we cannot garuntee containers will not be removed or deleted.
sudo apt-get install jq wget
wget https://downloads.nestybox.com/sysbox/releases/v0.6.1/sysbox-ce_0.6.1-0.linux_amd64.deb
sudo apt-get install ./sysbox-ce_0.6.1-0.linux_amd64.deb
Post installation confirm the Docker daemon was configured correctly:
cat /etc/docker/daemon.json
{
"runtimes": {
"sysbox-runc": {
"path": "/usr/bin/sysbox-runc"
}
},
"bip": "172.20.0.1/16",
"default-address-pools": [
{
"base": "172.25.0.0/16",
"size": 24
}
]
}
Configuring Workspaces to use Sysbox Runtime
Any Workspace that you would like to leverage the Sysbox Runtime on will need their runtime set to use systemd for init. This can be achieved with the following Docker Run Config Override (JSON)
:
{
"runtime": "sysbox-runc",
"entrypoint": [
"/sbin/init"
],
"user": 0
}
This setting can be Workspace specific under Admin > Workspaces > Workspaces > Edit > Docker Run Config Override (JSON)
or set at a group level with Access Management > Groups > Edit > Settings tab > Add Setting > run_config
.
Note
When using the Sysbox Runtime the Workspace will lose the ability to leverage an NVIDIA GPU using the NVIDIA Container Runtime. DRI3 using open source drivers will still function in a Sysbox Workspace, for more information on that please see the DRI3 documentation.