linuxserver/webtop

May 10, 2026

The LinuxServer.io team brings you another container release featuring:

  • regular and timely application updates
  • easy user mappings (PGID, PUID)
  • custom base image with s6 overlay
  • weekly base OS updates with common layers across the entire LinuxServer.io ecosystem to minimise space usage, downtime and bandwidth
  • regular security updates

Find us at:

  • Blog - all the things you can do with our containers including How-To guides, opinions and much more!
  • Discord - realtime support / chat with the community and the team.
  • Discourse - post on our community forum.
  • GitHub - view the source for all of our repositories.
  • Open Collective - please consider helping us by either donating or contributing to our budget

linuxserver/webtop

Webtop - Alpine, Ubuntu, Fedora, and Arch based containers containing full desktop environments in officially supported flavors accessible via any modern web browser.

Supported Architectures

We utilise the docker manifest for multi-platform awareness. More information is available from docker here and our announcement here.

Simply pulling lscr.io/linuxserver/webtop:latest should retrieve the correct image for your arch, but you can also pull specific arch images via tags.

The architectures supported by this image are:

| Architecture | Available | Tag |
| --- | --- | --- |
| x86-64 | ✅ | amd64-<version tag> |
| arm64 | ✅ | arm64v8-<version tag> |

Version Tags

This image provides various versions that are available via tags. Please read the descriptions carefully and exercise caution when using unstable or development tags.

| Tag | Available | Description |
| --- | --- | --- |
| latest | ✅ | XFCE Alpine |
| alpine-i3 | ✅ | i3 Alpine *Wayland Support |
| alpine-kde | ✅ | KDE Alpine *Wayland Only |
| alpine-mate | ✅ | MATE Alpine |
| arch-i3 | ✅ | i3 Arch *Wayland Support |
| arch-kde | ✅ | KDE Arch *Wayland Support |
| arch-mate | ✅ | MATE Arch |
| arch-xfce | ✅ | XFCE Arch *Wayland Support |
| debian-i3 | ✅ | i3 Debian *Wayland Support |
| debian-kde | ✅ | KDE Debian |
| debian-mate | ✅ | MATE Debian |
| debian-xfce | ✅ | XFCE Debian |
| fedora-i3 | ✅ | i3 Fedora *Wayland Support |
| fedora-kde | ✅ | KDE Fedora *Wayland Support |
| fedora-mate | ✅ | MATE Fedora |
| fedora-xfce | ✅ | XFCE Fedora |
| ubuntu-i3 | ✅ | i3 Ubuntu *Wayland Support |
| ubuntu-kde | ✅ | KDE Ubuntu *Wayland Only |
| ubuntu-mate | ✅ | MATE Ubuntu |
| ubuntu-xfce | ✅ | XFCE Ubuntu *Wayland Support |

Application Setup

The application can be accessed at:

Strict reverse proxies

This image uses a self-signed certificate by default. This naturally means the scheme is https. If you are using a reverse proxy which validates certificates, you need to disable this check for the container.

Modern GUI desktop apps may have compatibility issues with the latest Docker syscall restrictions. You can use Docker with the --security-opt seccomp=unconfined setting to allow these syscalls on hosts with older kernels or libseccomp versions.

Security

Warning

This container provides privileged access to the host system. Do not expose it to the Internet unless you have secured it properly.

HTTPS is required for full functionality. Modern browser features such as WebCodecs, used for video and audio, will not function over an insecure HTTP connection.

By default, this container has no authentication. The optional CUSTOM_USER and PASSWORD environment variables enable basic HTTP auth, which is suitable only for securing the container on a trusted local network. For internet exposure, we strongly recommend placing the container behind a reverse proxy, such as SWAG, with a robust authentication mechanism.

The web interface includes a terminal with passwordless sudo access. Any user with access to the GUI can gain root control within the container, install arbitrary software, and probe your local network.

While not generally recommended, certain legacy environments, specifically those with older hardware or outdated Linux distributions, may require deactivating the standard seccomp profile to get containerized desktop software to run. This can be achieved with the --security-opt seccomp=unconfined parameter. It is critical to use this option only when absolutely necessary, as it disables a key security layer of Docker, elevating the potential for container escape vulnerabilities.

FullColor 4:4:4 Encoding

If you notice blurry text, particularly light text on a black background, you can send true 8-bit color to the browser by enabling the FullColor 4:4:4 encoding in the sidebar, or by using the jpeg encoding mode.

Note on Hardware Acceleration: Currently, only Nvidia GPUs support encoding this color profile in Zero Copy mode. If FullColor 4:4:4 is enabled on Intel or AMD GPUs, the system will fall back to CPU encoding. This forces the CPU to read the pixels back from the GPU, which will cause a significant decrease in performance.

Hardware Acceleration & Wayland

We have transitioned our desktop containers from X11 to a modern Wayland stack, which is now the default.

Hardware Fallback Note: On x86_64 architecture, the Wayland stack requires a processor with AVX2 support (Intel Haswell generation or newer). If your processor lacks AVX2 (such as older CPUs or certain low-end Celerons), the container will automatically fall back to X11.

Important: GPU acceleration support for X11 is deprecated. Future development for hardware acceleration is focused entirely on the Wayland stack.

If you experience compatibility issues and need to manually disable Wayland (forcing a fallback to X11), you can do so by setting the following environment variable:

  • -e PIXELFLUX_WAYLAND=false

Why Wayland?

  • Zero Copy Encoding: When configured correctly with a GPU, the frame is rendered and encoded on the video card without ever being copied to the system RAM. This drastically lowers CPU usage and latency.
  • Modern Stack: Single-application containers utilize Labwc (replacing Openbox) and full desktop containers use KDE Plasma Wayland, providing a more modern, performant, and secure compositing environment while retaining the same user experience.

GPU Configuration

To use hardware acceleration in Wayland mode, we distinguish between the card used for Rendering (3D apps/Desktops) and Encoding (Video Stream).

Configuration Variables:

  • DRINODE: The path to the GPU used for Rendering (EGL).
  • DRI_NODE: The path to the GPU used for Encoding (VAAPI/NVENC).

If both variables point to the same device, the container will automatically enable Zero Copy encoding, significantly reducing CPU usage and latency. If they are set to different devices, one will be used for Rendering and one for Encoding, with a CPU readback.

You can also set the environment variable AUTO_GPU=true. With this set, the first card detected in the container (IE /dev/dri/renderD128) will be used and configured for Zero Copy.

Intel & AMD (Open Source Drivers)

For Intel and AMD GPUs.

    devices:
      - /dev/dri:/dev/dri
    environment:
      - PIXELFLUX_WAYLAND=true
      # Optional: Specify device if multiple exist (IE: /dev/dri/renderD129)
      - DRINODE=/dev/dri/renderD128
      - DRI_NODE=/dev/dri/renderD128

Nvidia (Proprietary Drivers)

Note: Nvidia support is not available for Alpine-based images.

Prerequisites:

  1. Driver: Proprietary drivers 580 or higher are required. Crucially, you should install the driver using the .run file downloaded directly from the Nvidia website.

     • Unraid: Use the production branch from the Nvidia Driver Plugin.

  2. Kernel Parameter: You must set nvidia-drm.modeset=1 nvidia_drm.fbdev=1 in your host bootloader.

     • Standard Linux (GRUB): Edit /etc/default/grub and add the parameter to your existing GRUB_CMDLINE_LINUX_DEFAULT line:

           GRUB_CMDLINE_LINUX_DEFAULT="<other existing options> nvidia-drm.modeset=1 nvidia_drm.fbdev=1"

       Then apply the changes by running:

           sudo update-grub

     • Unraid (Syslinux): Edit the file /boot/syslinux/syslinux.cfg and add nvidia-drm.modeset=1 nvidia_drm.fbdev=1 to the end of the append line for the Unraid OS boot entry.

  3. Hardware Initialization: On headless systems, the Nvidia video card requires a physical dummy plug inserted into the GPU so that DRM initializes properly.

  4. Docker Runtime: Configure the host docker daemon to use the Nvidia runtime:

         sudo nvidia-ctk runtime configure --runtime=docker
         sudo systemctl restart docker


Compose Configuration:

---
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    environment:
      - PIXELFLUX_WAYLAND=true
      # Ensure these point to the render node injected by the runtime (usually renderD128)
      - DRINODE=/dev/dri/renderD128
      - DRI_NODE=/dev/dri/renderD128
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia
              count: 1
              capabilities: [compute,video,graphics,utility]

  • Unraid: Ensure you set DRINODE/DRI_NODE properly and add --gpus all --runtime nvidia to your extra parameters.

SealSkin Compatibility

This container is compatible with SealSkin.

SealSkin is a self-hosted, client-server platform that provides secure authentication and collaboration features while using a browser extension to intercept user actions such as clicking a link or downloading a file and redirect them to a secure, isolated application environment running on a remote server.

Options in all Selkies-based GUI containers

This container is based on Docker Baseimage Selkies.

Optional Environment Variables

| Variable | Description |
| --- | --- |
| PIXELFLUX_WAYLAND | If set to true the container will initialize in Wayland mode running Smithay and Labwc while enabling zero copy encoding with a GPU |
| SELKIES_DESKTOP | If set to true and in Wayland mode, a simple panel will be initialized with labwc |
| CUSTOM_PORT | Internal port the container listens on for http if it needs to be swapped from the default 3000 |
| CUSTOM_HTTPS_PORT | Internal port the container listens on for https if it needs to be swapped from the default 3001 |
| CUSTOM_WS_PORT | Internal port the container listens on for websockets if it needs to be swapped from the default 8082 |
| CUSTOM_USER | HTTP Basic auth username, abc is default. |
| DRI_NODE | Encoding GPU: Enable VAAPI/NVENC stream encoding and use the specified device IE /dev/dri/renderD128 |
| DRINODE | Rendering GPU: Specify which GPU to use for EGL/3D acceleration IE /dev/dri/renderD129 |
| AUTO_GPU | If set to true and in Wayland mode, we will automatically use the first GPU available for encoding and rendering IE /dev/dri/renderD128 |
| PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth |
| SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE /subfolder/ |
| TITLE | The page title displayed on the web browser, default "Selkies" |
| DASHBOARD | Allows the user to set their dashboard. Options: selkies-dashboard, selkies-dashboard-zinc, selkies-dashboard-wish |
| FILE_MANAGER_PATH | Modifies the default upload/download file path, path must have proper permissions for abc user |
| START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup |
| DISABLE_IPV6 | If set to true or any value this will disable IPv6 |
| LC_ALL | Set the Language for the container to run as IE fr_FR.UTF-8 ar_AE.UTF-8 |
| NO_DECOR | If set the application will run without window borders for use as a PWA. (Decor can be enabled and disabled with Ctrl+Shift+d) |
| NO_FULL | Do not automatically fullscreen applications when using openbox. |
| NO_GAMEPAD | Disable userspace gamepad interposer injection. |
| DISABLE_ZINK | Do not set the Zink environment variables if a video card is detected (userspace applications will use CPU rendering) |
| DISABLE_DRI3 | Do not use DRI3 acceleration if a video card is detected (userspace applications will use CPU rendering) |
| MAX_RES | Pass a larger maximum resolution for the container; the default is 16k (15360x8640) |
| WATERMARK_PNG | Full path inside the container to a watermark png IE /usr/share/selkies/www/icon.png |
| WATERMARK_LOCATION | Where to paint the image over the stream, integer options below |

WATERMARK_LOCATION Options:

  • 1: Top Left
  • 2: Top Right
  • 3: Bottom Left
  • 4: Bottom Right
  • 5: Centered
  • 6: Animated

Optional Run Configurations (DinD & GPU Mounts)

| Argument | Description |
| --- | --- |
| --privileged | Starts a Docker-in-Docker (DinD) environment. For better performance, mount the Docker data directory from the host, e.g., -v /path/to/docker-data:/var/lib/docker. |
| -v /var/run/docker.sock:/var/run/docker.sock | Mounts the host's Docker socket to manage host containers from within this container. |
| --device /dev/dri:/dev/dri | Mount a GPU into the container, this can be used in conjunction with the DRINODE environment variable to leverage a host video card for GPU accelerated applications. |

Legacy X11 Resolution & Acceleration

Note: This section applies only if you are NOT using PIXELFLUX_WAYLAND=true.

When using 3D acceleration via Nvidia DRM or DRI3 in X11 mode, it is important to clamp the virtual display to a reasonable max resolution to avoid memory exhaustion or poor performance.

  • -e MAX_RES=3840x2160

This will set the total virtual framebuffer to 4K. By default, the virtual monitor is 16K. If you have performance issues in an accelerated X11 session, try clamping the resolution to 1080p and work up from there:

-e SELKIES_MANUAL_WIDTH=1920
-e SELKIES_MANUAL_HEIGHT=1080
-e MAX_RES=1920x1080

Language Support - Internationalization

To launch the desktop session in a different language, set the LC_ALL environment variable. For example:

  • -e LC_ALL=zh_CN.UTF-8 - Chinese
  • -e LC_ALL=ja_JP.UTF-8 - Japanese
  • -e LC_ALL=ko_KR.UTF-8 - Korean
  • -e LC_ALL=ar_AE.UTF-8 - Arabic
  • -e LC_ALL=ru_RU.UTF-8 - Russian
  • -e LC_ALL=es_MX.UTF-8 - Spanish (Latin America)
  • -e LC_ALL=de_DE.UTF-8 - German
  • -e LC_ALL=fr_FR.UTF-8 - French
  • -e LC_ALL=nl_NL.UTF-8 - Netherlands
  • -e LC_ALL=it_IT.UTF-8 - Italian

Application Management

There are two methods for installing applications inside the container: PRoot Apps (recommended for persistence) and Native Apps.

PRoot Apps (Persistent)

Natively installed packages (e.g., via apt-get install) will not persist if the container is recreated. To retain applications and their settings across container updates, we recommend using proot-apps. These are portable applications installed to the user's persistent $HOME directory.

To install an application, use the command line inside the container:

proot-apps install filezilla

A list of supported applications is available here.

Native Apps (Non-Persistent)

You can install packages from the system's native repository using the universal-package-install mod. This method will increase the container's start time and is not persistent. Add the following to your compose.yaml:

  environment:
    - DOCKER_MODS=linuxserver/mods:universal-package-install
    - INSTALL_PACKAGES=libfuse2|git|gdb

Advanced Configuration

Hardening Options

These variables can be used to lock down the desktop environment for single-application use cases or to restrict user capabilities.

| Variable | Description |
| --- | --- |
| HARDEN_DESKTOP | Enables DISABLE_OPEN_TOOLS, DISABLE_SUDO, and DISABLE_TERMINALS. Also sets related Selkies UI settings (SELKIES_FILE_TRANSFERS, SELKIES_COMMAND_ENABLED, SELKIES_UI_SIDEBAR_SHOW_FILES, SELKIES_UI_SIDEBAR_SHOW_APPS) if they are not explicitly set by the user. |
| HARDEN_OPENBOX | Enables DISABLE_CLOSE_BUTTON, DISABLE_MOUSE_BUTTONS, and HARDEN_KEYBINDS. It also flags RESTART_APP if not set by the user, ensuring the primary application is automatically restarted if closed. |

Individual Hardening Variables:

| Variable | Description |
| --- | --- |
| DISABLE_OPEN_TOOLS | If true, disables xdg-open and exo-open binaries by removing their execute permissions. |
| DISABLE_SUDO | If true, disables the sudo command by removing its execute permissions and invalidating the passwordless sudo configuration. |
| DISABLE_TERMINALS | If true, disables common terminal emulators by removing their execute permissions and hiding them from the Openbox right-click menu. |
| DISABLE_CLOSE_BUTTON | If true, removes the close button from window title bars in the Openbox window manager. |
| DISABLE_MOUSE_BUTTONS | If true, disables the right-click and middle-click context menus and actions within the Openbox window manager. |
| HARDEN_KEYBINDS | If true, disables default Openbox keybinds that can bypass other hardening options (e.g., Alt+F4 to close windows, Alt+Escape to show the root menu). |
| RESTART_APP | If true, enables a watchdog service that automatically restarts the main application if it is closed. The user's autostart script is made read-only and root owned to prevent tampering. |
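
A deployment check for the settings this README flags in the Security section, the run-configuration table and the hardening variables, written as an added example (not LinuxServer.io code). It reads the record format printed by docker inspect; the two sample records, the check names, the user name operator and the secret path /run/secrets/webtop_password are constructed for illustration.

```python
import json
import sys

# Constructed samples shaped like one element of `docker inspect <container>` output.
RISKY = json.loads("""
{
  "Config": {"Env": ["PUID=1000", "PGID=1000", "TZ=Etc/UTC"]},
  "HostConfig": {
    "Privileged": true,
    "SecurityOpt": ["seccomp=unconfined"],
    "Binds": ["/path/to/data:/config",
              "/var/run/docker.sock:/var/run/docker.sock"],
    "PortBindings": {"3000/tcp": [{"HostIp": "", "HostPort": "3000"}],
                     "3001/tcp": [{"HostIp": "", "HostPort": "3001"}]}
  }
}
""")
HARDENED = json.loads("""
{
  "Config": {"Env": ["PUID=1000", "PGID=1000", "CUSTOM_USER=operator",
                     "FILE__PASSWORD=/run/secrets/webtop_password",
                     "HARDEN_DESKTOP=true"]},
  "HostConfig": {
    "Privileged": false,
    "SecurityOpt": null,
    "Binds": ["/path/to/data:/config"],
    "PortBindings": {"3001/tcp": [{"HostIp": "127.0.0.1", "HostPort": "3001"}]}
  }
}
""")

ALL_INTERFACES = {"", "0.0.0.0", "::"}   # HostIp values meaning "every host address"
DOCKER_SOCK = "/var/run/docker.sock"


def _env(inspect):
    """Turn Config.Env (["KEY=value", ...]) into a dict."""
    pairs = (item.partition("=") for item in inspect.get("Config", {}).get("Env") or [])
    return {key: value for key, _, value in pairs}


def _is_true(env, name):
    return env.get(name, "").strip().lower() == "true"


def audit(inspect):
    """Return (check_id, detail) tuples for settings the README describes as risky."""
    env = _env(inspect)
    host = inspect.get("HostConfig") or {}
    findings = []

    # README: PASSWORD "abc is default. If unset there will be no auth".
    if not env.get("PASSWORD") and not env.get("FILE__PASSWORD"):
        findings.append(("no-auth", "PASSWORD is unset, the web UI has no authentication"))
    elif env.get("PASSWORD") == "abc":
        findings.append(("default-password", "PASSWORD is the documented default value"))
    elif "PASSWORD" in env:
        findings.append(("password-in-env", "PASSWORD is readable via docker inspect, "
                         "FILE__PASSWORD keeps it in a secret file"))

    # Basic auth is described as suitable for a trusted local network only.
    for port, bindings in sorted((host.get("PortBindings") or {}).items()):
        for binding in bindings or []:
            if binding.get("HostIp", "") in ALL_INTERFACES:
                findings.append(("all-interfaces", f"{port} is published on every host address"))

    if host.get("Privileged"):
        findings.append(("privileged", "--privileged is set (Docker-in-Docker mode)"))

    # Docker accepts both "seccomp=unconfined" and the older "seccomp:unconfined".
    opts = [opt.replace(":", "=", 1).lower() for opt in host.get("SecurityOpt") or []]
    if "seccomp=unconfined" in opts:
        findings.append(("seccomp-unconfined", "the default seccomp profile is disabled"))

    binds = [bind.split(":")[0] for bind in host.get("Binds") or []]
    mounts = [mount.get("Source", "") for mount in inspect.get("Mounts") or []]
    if DOCKER_SOCK in binds or DOCKER_SOCK in mounts:
        findings.append(("docker-socket", "the host Docker socket is mounted"))

    # HARDEN_DESKTOP enables DISABLE_SUDO; otherwise the GUI terminal has passwordless sudo.
    if not (_is_true(env, "HARDEN_DESKTOP") or _is_true(env, "DISABLE_SUDO")):
        findings.append(("passwordless-sudo", "sudo is available to any GUI user"))
    return findings


if __name__ == "__main__":
    # Usage: docker inspect webtop | python3 audit_webtop.py
    records = [RISKY] if sys.stdin.isatty() else json.load(sys.stdin)
    for record in records:
        for check_id, detail in audit(record):
            print(f"{check_id}: {detail}")
```

Each finding is something to review rather than an automatic failure: a GPU host that genuinely needs seccomp=unconfined, for example, should at least clear the authentication and exposure findings.
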
Selkies Application Settings

Using environment variables, every facet of the application can be configured.

Booleans and Locking: Boolean settings accept true or false. You can also prevent the user from changing a boolean setting in the UI by appending |locked.

  • Example: -e SELKIES_USE_CPU="true|locked"

Enums and Lists: These settings accept a comma-separated list of values. The first item becomes default. If only one item is provided, the UI dropdown is hidden.

  • Example: -e SELKIES_ENCODER="jpeg"

Ranges: Use a hyphen-separated min-max format for a slider, or a single number to lock the value.

  • Example: -e SELKIES_FRAMERATE="60"

Manual Resolution Mode: If SELKIES_MANUAL_WIDTH or SELKIES_MANUAL_HEIGHT are set, the resolution is locked to those values.

| Environment Variable | Default Value | Description |
| --- | --- | --- |
| SELKIES_UI_TITLE | 'Selkies' | Title in top left corner of sidebar. |
| SELKIES_UI_SHOW_LOGO | True | Show the Selkies logo in the sidebar. |
| SELKIES_UI_SHOW_SIDEBAR | True | Show the main sidebar UI. |
| SELKIES_UI_SHOW_CORE_BUTTONS | True | Show the core components buttons display, audio, microphone, and gamepad. |
| SELKIES_UI_SIDEBAR_SHOW_VIDEO_SETTINGS | True | Show the video settings section in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_SCREEN_SETTINGS | True | Show the screen settings section in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_AUDIO_SETTINGS | True | Show the audio settings section in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_STATS | True | Show the stats section in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_CLIPBOARD | True | Show the clipboard section in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_FILES | True | Show the file transfer section in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_APPS | True | Show the applications section in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_SHARING | True | Show the sharing section in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_GAMEPADS | True | Show the gamepads section in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_FULLSCREEN | True | Show the fullscreen button in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_GAMING_MODE | True | Show the gaming mode button in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_TRACKPAD | True | Show the virtual trackpad button in the sidebar. |
| SELKIES_UI_SIDEBAR_SHOW_KEYBOARD_BUTTON | True | Show the on-screen keyboard button in the display area. |
| SELKIES_UI_SIDEBAR_SHOW_SOFT_BUTTONS | True | Show the soft buttons section in the sidebar. |
| SELKIES_AUDIO_ENABLED | True | Enable server-to-client audio streaming. |
| SELKIES_MICROPHONE_ENABLED | True | Enable client-to-server microphone forwarding. |
| SELKIES_GAMEPAD_ENABLED | True | Enable gamepad support. |
| SELKIES_CLIPBOARD_ENABLED | True | Enable clipboard synchronization. |
| SELKIES_COMMAND_ENABLED | True | Enable parsing of command websocket messages. |
| SELKIES_FILE_TRANSFERS | 'upload,download' | Allowed file transfer directions (comma-separated: "upload,download"). Set to "" or "none" to disable. |
| SELKIES_ENCODER | 'x264enc,x264enc-striped,jpeg' | The default video encoders. |
| SELKIES_FRAMERATE | '8-120' | Allowed framerate range or a fixed value. |
| SELKIES_H264_CRF | '5-50' | Allowed H.264 CRF range or a fixed value. |
| SELKIES_JPEG_QUALITY | '1-100' | Allowed JPEG quality range or a fixed value. |
| SELKIES_H264_FULLCOLOR | False | Enable H.264 full color range for pixelflux encoders. |
| SELKIES_H264_STREAMING_MODE | False | Enable H.264 streaming mode for pixelflux encoders. |
| SELKIES_USE_CPU | False | Force CPU-based encoding for pixelflux. |
| SELKIES_USE_PAINT_OVER_QUALITY | True | Enable high-quality paint-over for static scenes. |
| SELKIES_PAINT_OVER_JPEG_QUALITY | '1-100' | Allowed JPEG paint-over quality range or a fixed value. |
| SELKIES_H264_PAINTOVER_CRF | '5-50' | Allowed H.264 paint-over CRF range or a fixed value. |
| SELKIES_H264_PAINTOVER_BURST_FRAMES | '1-30' | Allowed H.264 paint-over burst frames range or a fixed value. |
| SELKIES_SECOND_SCREEN | True | Enable support for a second monitor/display. |
| SELKIES_AUDIO_BITRATE | '320000' | The default audio bitrate. |
| SELKIES_IS_MANUAL_RESOLUTION_MODE | False | Lock the resolution to the manual width/height values. |
| SELKIES_MANUAL_WIDTH | 0 | Lock width to a fixed value. Setting this forces manual resolution mode. |
| SELKIES_MANUAL_HEIGHT | 0 | Lock height to a fixed value. Setting this forces manual resolution mode. |
| SELKIES_SCALING_DPI | '96' | The default DPI for UI scaling. |
| SELKIES_ENABLE_BINARY_CLIPBOARD | False | Allow binary data on the clipboard. |
| SELKIES_USE_BROWSER_CURSORS | False | Use browser CSS cursors instead of rendering to canvas. |
| SELKIES_USE_CSS_SCALING | False | HiDPI when false, if true a lower resolution is sent from the client and the canvas is stretched. |
| SELKIES_PORT (or CUSTOM_WS_PORT) | 8082 | Port for the data websocket server. |
| SELKIES_DRI_NODE (or DRI_NODE) | '' | Path to the DRI render node for VA-API. |
| SELKIES_AUDIO_DEVICE_NAME | 'output.monitor' | Audio device name for pcmflux capture. |
| SELKIES_WATERMARK_PATH (or WATERMARK_PNG) | '' | Absolute path to the watermark PNG file. |
| SELKIES_WATERMARK_LOCATION (or WATERMARK_LOCATION) | -1 | Watermark location enum (0-6). |
| SELKIES_DEBUG | False | Enable debug logging. |
| SELKIES_ENABLE_SHARING | True | Master toggle for all sharing features. |
| SELKIES_ENABLE_COLLAB | True | Enable collaborative (read-write) sharing link. |
| SELKIES_ENABLE_SHARED | True | Enable view-only sharing links. |
| SELKIES_ENABLE_PLAYER2 | True | Enable sharing link for gamepad player 2. |
| SELKIES_ENABLE_PLAYER3 | True | Enable sharing link for gamepad player 3. |
| SELKIES_ENABLE_PLAYER4 | True | Enable sharing link for gamepad player 4. |

Usage

To help you get started creating a container from this image you can either use docker-compose or the docker cli.

Note

Unless a parameter is flagged as 'optional', it is mandatory and a value must be provided.

---
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    container_name: webtop
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    volumes:
      - /path/to/data:/config
    ports:
      - 3000:3000
      - 3001:3001
    shm_size: "1gb"
    restart: unless-stopped

docker cli

docker run -d \
  --name=webtop \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 3000:3000 \
  -p 3001:3001 \
  -v /path/to/data:/config \
  --shm-size="1gb" \
  --restart unless-stopped \
  lscr.io/linuxserver/webtop:latest

Parameters

Containers are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate <external>:<internal> respectively. For example, -p 8080:80 would expose port 80 from inside the container to be accessible from the host's IP on port 8080 outside the container.

| Parameter | Function |
| --- | --- |
| -p 3000:3000 | Web Desktop GUI HTTP, must be proxied |
| -p 3001:3001 | Web Desktop GUI HTTPS |
| -e PUID=1000 | for UserID - see below for explanation |
| -e PGID=1000 | for GroupID - see below for explanation |
| -e TZ=Etc/UTC | specify a timezone to use, see this list. |
| -v /config | abc user's home directory |
| --shm-size= | Recommended for all desktop images. |

Environment variables from files (Docker secrets)

You can set any environment variable from a file by using a special prepend FILE__.

As an example:

-e FILE__MYVAR=/run/secrets/mysecretvariable

Will set the environment variable MYVAR based on the contents of the /run/secrets/mysecretvariable file.

Umask for running applications

For all of our images we provide the ability to override the default umask settings for services started within the containers using the optional -e UMASK=022 setting. Keep in mind that umask is not chmod: it subtracts from permissions based on its value, it does not add. Please read up here before asking for support.

User / Group Identifiers

When using volumes (-v flags), permissions issues can arise between the host OS and the container. We avoid this issue by allowing you to specify the user PUID and group PGID.

Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.

In this instance PUID=1000 and PGID=1000. To find yours, use id your_user as below:

id your_user

Example output:

uid=1000(your_user) gid=1000(your_user) groups=1000(your_user)

Docker Mods

Docker Mods Docker Universal Mods

We publish various Docker Mods to enable additional functionality within the containers. The list of Mods available for this image (if any) as well as universal mods that can be applied to any one of our images can be accessed via the dynamic badges above.

Support Info

  • Shell access whilst the container is running:

    docker exec -it webtop /bin/bash
    
  • To monitor the logs of the container in realtime:

    docker logs -f webtop
    
  • Container version number:

    docker inspect -f '{{ index .Config.Labels "build_version" }}' webtop
    
  • Image version number:

    docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/webtop:latest
    

Updating Info

Most of our images are static, versioned, and require an image update and container recreation to update the app inside. With some exceptions (noted in the relevant readme.md), we do not recommend or support updating apps inside the container. Please consult the Application Setup section above to see if it is recommended for the image.

Below are the instructions for updating containers:

Via Docker Compose

  • Update images:

    • All images:

      docker-compose pull
      
    • Single image:

      docker-compose pull webtop
      
  • Update containers:

    • All containers:

      docker-compose up -d
      
    • Single container:

      docker-compose up -d webtop
      
  • You can also remove the old dangling images:

    docker image prune
    

Via Docker Run

  • Update the image:

    docker pull lscr.io/linuxserver/webtop:latest
    
  • Stop the running container:

    docker stop webtop
    
  • Delete the container:

    docker rm webtop
    
  • Recreate a new container with the same docker run parameters as instructed above (if mapped correctly to a host folder, your /config folder and settings will be preserved)

  • You can also remove the old dangling images:

    docker image prune
    

Image Update Notifications - Diun (Docker Image Update Notifier)

Tip

We recommend Diun for update notifications. Other tools that automatically update containers unattended are not recommended or supported.

Building locally

If you want to make local modifications to these images for development purposes or just to customize the logic:

git clone https://github.com/linuxserver/docker-webtop.git
cd docker-webtop
docker build \
  --no-cache \
  --pull \
  -t lscr.io/linuxserver/webtop:latest .

The ARM variants can be built on x86_64 hardware and vice versa using lscr.io/linuxserver/qemu-static:

docker run --rm --privileged lscr.io/linuxserver/qemu-static --reset

Once registered you can define the dockerfile to use with -f Dockerfile.aarch64.

Versions

  • 07.05.26: - Deprecate Enterprise Linux tags.
  • 07.04.26: - Rebase Ubuntu images to Resolute.
  • 26.03.26: - Rebase Fedora images to 44.
  • 24.03.26: - Update tags that support Wayland to pass ozone platform for chromium.
  • 27.12.25: - Rebase Alpine images to 3.23.
  • 17.11.25: - Rebase Fedora images to 43.
  • 24.07.25: - Rebase Debian images to Trixie.
  • 17.06.25: - Rebase all images to Selkies, drop openbox and icewm, bump Alpine to 3.22, bump Fedora to 42.
  • 10.01.25: - Rebase Fedora to 41.
  • 06.12.24: - Rebase Alpine to 3.21.
  • 26.09.24: - Swap from firefox to chromium on Alpine images.
  • 23.05.24: - Rebase Alpine to 3.20, document Nvidia support.
  • 22.04.24: - Rebase Ubuntu to Noble.
  • 16.04.24: - Add docs on PRoot Apps.
  • 14.04.24: - Rebase Fedora to 40.
  • 11.02.24: - Add PWA icons and title variants properly.
  • 06.02.24: - Update Readme about native language support.
  • 29.12.23: - Rebase Alpine to 3.19 and swap back to Firefox.
  • 07.11.23: - Rebase Fedora to 39.
  • 14.06.23: - Rebase to Debian Bookworm.
  • 13.05.23: - Rebase to Alpine 3.18 and Fedora 38.
  • 23.03.23: - Rebase all Webtops to KasmVNC base image.
  • 21.10.22: - Rebase xfce to Alpine 3.16, migrate to s6v3.
  • 12.03.22: - Add documentation for mounting in a GPU.
  • 05.02.22: - Rebase KDE Ubuntu to Jammy, add new documentation for updated gclient, stop recommending priv mode.
  • 21.09.21: - Add Fedora and Arch images, show seccomp settings in readme.
  • 26.09.21: - Rebase to Alpine versions to 3.14.
  • 20.04.21: - Initial release.