x11docker

x11docker [--gpu] [--home] [--pulseaudio] [options] image [command]

x11docker runs graphical applications from Docker containers with secure X11 display forwarding. It provides isolated display access using multiple backends including Xephyr, Xpra, and nxagent, preventing containers from accessing the host's X server directly.The tool supports GPU hardware acceleration, PulseAudio integration, and clipboard sharing between the container and host. This security-focused approach allows running untrusted GUI applications in containers while maintaining display isolation from the host desktop environment.

--gpu

Enable hardware OpenGL acceleration.

Provide a persistent per-container home directory on the host.

Enable PulseAudio sound support.

Enable ALSA sound support.

Enable PipeWire sound support.

Share clipboard between host and container.

Run a full desktop environment rather than a single application.

Use the Xephyr nested X server (default fallback).

Use Xpra as the X server backend.

Use nxagent as the X server backend.

Run in a Wayland compositor.

Share the host X socket (less secure, fallback).

Share a host file or folder with the container.

Allow network access from the container.

Use an init system (e.g., systemd, runit, tini).

Choose container backend: docker, podman, or host.

Share webcams with the container.

Share host CUPS printers.

Run the container as a specific user.

Requires Docker or Podman. At least one nested X server backend (Xephyr, Xpra, nxagent, or Xwayland) must be installed on the host. Using --hostdisplay reduces isolation. GPU acceleration requires compatible drivers inside the container.

x11docker was created by Martin Viereck to run Docker containers with GUI applications while preserving host security. It predates modern Wayland-native container workflows and remains a widely-used solution for desktop containerization.

docker(1), xhost(1), xephyr(1)