The purpose of these images is to provide a full featured web native Linux desktop experience for any Linux application or desktop environment. These images replace our old base images at KasmVNC for greatly increased performance, fidelity, and feature set. They ship with passwordless sudo to allow easy package installation, testing, and customization. By default they have no logic to mount out anything but the users home directory, meaning on image updates anything outside of /config will be lost.
- Support for using our base images in your own projects is provided on a Reasonable Endeavours basis, please see our Support Policy for details.
- There is no
latesttag for any of our base images, by design. We often make breaking changes between versions, and we don't publish release notes like we do for the downstream images. - If you're intending to distribute an image using one of our bases, please read our docs on container branding first.
- Images are supported for as long as the upstream release on which they are based, after which we will stop building new base images for that version.
These images contain the following services:
- Selkies - The core technology for interacting with a containerized desktop from a web browser.
- NGINX - Used to serve Selkies with the appropriate paths and provide basic auth.
- Docker - Can be used for interacting with a mounted in Docker socket or if the container is run in privileged mode will start a DinD setup.
- PulseAudio - Sound subsystem used to capture audio from the active desktop session and send it to the browser.
- GStreamer - Used to encode X11 with multiple video codecs and send it to the client.
Authentication for these containers is included as a convenience and to keep in sync with the previous KasmVNC containers they replace. We use bash to substitute in settings user/password and some strings might break that. In general this authentication mechanism should be used to keep the kids out not the internet
If you are looking for a robust secure application gateway please check out SWAG.
All application settings are passed via environment variables:
| Variable | Description |
|---|---|
| CUSTOM_PORT | Internal port the container listens on for http if it needs to be swapped from the default 3000. |
| CUSTOM_HTTPS_PORT | Internal port the container listens on for https if it needs to be swapped from the default 3001. |
| CUSTOM_USER | HTTP Basic auth username, abc is default. |
| PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth |
| SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE /subfolder/ |
| TITLE | The page title displayed on the web browser, default "Selkies - webrtc". |
| FM_HOME | This is the home directory (landing) for the file manager, default "/config". |
| START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup. |
| DISABLE_IPV6 | If set to true or any value this will disable IPv6 |
| LC_ALL | Set the Language for the container to run as IE fr_FR.UTF-8 ar_AE.UTF-8 |
| NO_DECOR | If set the application will run without window borders for use as a PWA. (Decor can be enabled and disabled with Ctrl+Shift+d) |
| NO_FULL | Do not autmatically fullscreen applications when using openbox. |
| DISABLE_ZINK | Do not set the Zink environment variables if a video card is detected (userspace applications will use CPU rendering) |
The environment variable LC_ALL can be used to start this image in a different language than English simply pass for example to launch the Desktop session in French LC_ALL=fr_FR.UTF-8.
The web interface has an "IME Input Mode" in Settings which will allow non english characters to be used from a non en_US keyboard on the client. Once enabled it will perform the same as a local Linux installation set to your locale.
All base images are built for x86_64 and aarch64 platforms.
| Distro | Current Tag |
|---|---|
| Alpine | alpine321 |
| Arch | arch |
| Debian | debianbookworm |
| Fedora | fedora41 |
| Kali | kali |
| Ubuntu | ubuntunoble |
All images include proot-apps which allow portable applications to be installed to persistent storage in the user's $HOME directory. These applications and their settings will persist upgrades of the base container and can be mounted into different flavors of Selkies containers. IE if you are running an Alpine based container you will be able to use the same /config directory mounted into a Debian based container and retain the same applications and settings as long as they were installed with proot-apps install.
A list of linuxserver.io supported applications is located HERE.
Included in these base images is a simple Openbox DE and the accompanying logic needed to launch a single application. Lets look at the bare minimum needed to create an application container starting with a Dockerfile:
FROM ghcr.io/linuxserver/baseimage-selkies:alpine321
RUN apk add --no-cache firefox
COPY /root /
And we can define the application to start using:
mkdir -p root/defaults
echo "firefox" > root/defaults/autostart
Resulting in a folder that looks like this:
├── Dockerfile
└── root
└── defaults
└── autostart
Now build and test:
docker build -t firefox .
docker run --rm -it -p 3001:3001 firefox bash
On https://localhost:3001 you should be presented with a Firefox web browser interface.
This similar setup can be used to embed any Linux Desktop application in a web accesible container.
If building images it is important to note that many application will not work inside of Docker without --security-opt seccomp=unconfined, they may have launch flags to not use syscalls blocked by Docker like with chromium based applications and --no-sandbox. In general do not expect every application will simply work like a native Linux installation without some modifications
Also included in the init logic is the ability to define application launchers. As the user has the ability to close the application or if they want to open multiple instances of it this can be useful. Here is an example of a menu definition file for Firefox:
<?xml version="1.0" encoding="utf-8"?>
<openbox_menu xmlns="http://openbox.org/3.4/menu">
<menu id="root-menu" label="MENU">
<item label="xterm" icon="/usr/share/pixmaps/xterm-color_48x48.xpm"><action name="Execute"><command>/usr/bin/xterm</command></action></item>
<item label="FireFox" icon="/usr/share/icons/hicolor/48x48/apps/firefox.png"><action name="Execute"><command>/usr/bin/firefox</command></action></item>
</menu>
</openbox_menu>
Simply create this file and add it to your defaults folder as menu.xml:
├── Dockerfile
└── root
└── defaults
└── autostart
└── menu.xml
This allows users to right click the desktop background to launch the application.
When building an application container we are leveraging the Openbox DE to handle window management, but it is also possible to completely replace the DE that is launched on container init using the startwm.sh script, located again in defaults:
├── Dockerfile
└── root
└── defaults
└── startwm.sh
If included in the build logic it will be launched in place of Openbox. Examples for this kind of configuration can be found in our Webtop repository
These base images include an installation of Docker that can be used in two ways. The simple method is simply leveraging the Docker/Docker Compose cli bins to manage the host level Docker installation by mounting in -v /var/run/docker.sock:/var/run/docker.sock.
The base images can also run an isolated in container DinD setup simply by passing --privileged to the container when launching. If for any reason the application needs privilege but Docker is not wanted the -e START_DOCKER=false can be set at runtime or in the Dockerfile.
In container Docker (DinD) will most likely use the fuse-overlayfs driver for storage which is not as fast as native overlay2. To increase perormance the /var/lib/docker/ directory in the container can be mounted out to a Linux host and will use overlay2. Keep in mind Docker runs as root and the contents of this directory will not respect the PUID/PGID environment variables available on all LinuxServer.io containers.
Nvidia is not compatible with Alpine based images
Nvidia support is available by leveraging Zink for OpenGL support. This can be enabled with the following run flags:
| Variable | Description |
|---|---|
| --gpus all | This can be filtered down but for most setups this will pass the one Nvidia GPU on the system |
| --runtime nvidia | Specify the Nvidia runtime which mounts drivers and tools in from the host |
The compose syntax is slightly different for this as you will need to set nvidia as the default runtime:
sudo nvidia-ctk runtime configure --runtime=docker --set-as-default
sudo service docker restart
And to assign the GPU in compose:
services:
myimage:
image: myname/myimage:mytag
deploy:
resources:
reservations:
devices:
- driver: nvidia
count: 1
capabilities: [compute,video,graphics,utility]
This container can also be used as a rapid development environment for the Selkies Project. Simply clone the upstream repo and run the container as shown:
git clone https://github.com/selkies-project/selkies.git
cd selkies
docker run --rm -it \
--shm-size=1gb \
-e DEV_MODE=core \
-e PUID=1000 \
-e PGID=1000 \
-v $(pwd):/config/src \
-p 3001:3001 ghcr.io/linuxserver/baseimage-selkies:latest bash
This will start you up in "core" development mode to mess around with core logic. The container also supports strictly frontend development, if there is an addon named "selkies-dashboard" you can pass that as dev_mode and core will be built on init and your development RDE will run against the frontend.
git clone https://github.com/selkies-project/selkies.git
cd selkies
docker run --rm -it \
--shm-size=1gb \
-e DEV_MODE=selkies-dashboard \
-e PUID=1000 \
-e PGID=1000 \
-v $(pwd):/config/src \
-p 3001:3001 ghcr.io/linuxserver/baseimage-selkies:latest bash
The application will be restarted on code changes to the src directory you mounted in and provide feedback for debugging.
The following line is only in this repo for loop testing:
- { date: "01.01.50:", desc: "I am the release message for this internal repo." }
