Termux environment for Docker/Podman.

A Termux environment packaged into Docker image. Environment doesn't have Android runtime components, so certain things will not be available (DalvikVM, OpenSLES, etc...).

How to use

Requirements

You should have a properly configured and running Docker or Podman container systems. Further instructions will provide examples only for Docker.

Basic usage

This will start interactive login shell. Everything will look like in a normal Termux installation.

docker run -it termux/termux-docker

When using no tag, or the tag latest, the container will automatically match the device architecture.

Other architectures can be installed using different tags. Available tags:

• aarch64
• arm
• i686
• x86_64
• latest (multiplatform)

The other package manager for Termux, pacman, is available in a separate image:

docker run -it termux/termux-docker-pacman

If architecture is not compatible with host, the additional setup will be needed. Read this document further to learn how you can run containers of incompatible CPU architecture.

Running ARM containers

In order to run AArch64 container on x86(64) host, you need to setup QEMU emulator through binfmt_misc. This can be easily done by one command:

docker run --rm --privileged aptman/qus -s -- -p aarch64 arm

Note that AArch64 and ARM containers (and in certain rare situations, some x86 containers) sometimes work properly only in privileged mode, even on some real ARM devices. If you want your containers to have standard privileges, a custom seccomp profile or a custom build of Docker might be required. The custom build of Docker limits the customizations to purely what is necessary for the personality() system call, leaving the security settings of all other system calls untouched.

Variant with privileged container:

docker run -it --privileged termux/termux-docker:aarch64

Variant with seccomp unconfined profile:

docker run -it --security-opt seccomp:unconfined termux/termux-docker:aarch64

Variant with custom build of Docker:

sudo apt build-dep docker.io
apt source docker.io
cp /path/to/termux-docker/custom-docker-with-unrestricted-personality.patch docker.io-*/debian/patches/
echo 'custom-docker-with-unrestricted-personality.patch' >> docker.io-*/debian/patches/series 
cd docker.io-*/
DEB_BUILD_OPTIONS=nocheck debuild -b -uc -us
rm ../golang*
sudo apt install ../*.deb
docker run -it termux/termux-docker

You might then want to temporarily use sudo apt-mark hold docker.io to ensure the package is not automatically upgraded, causing termux-docker to stop working on the device in the future, but not upgrading can be a security risk. If using the patch, it is recommended to patch and recompile the Docker daemon after every upgrade.

Non-interactive execution of commands

You can run commands in non-interactive mode. Just append them to Docker command line.

Example:

docker run -it --rm termux/termux-docker bash -c "apt update && apt install -yq clang"

Root shell

By default root shell is disabled in container as Termux doesn't really support usage of package manager under root account. In cases where you really need shell with root privileges, entrypoint should be overridden.

The provided images have 2 entry points:

• /entrypoint.sh - the standard one which drops privileges to system user.
• /entrypoint_root.sh - alternate entrypoint that does not drop privileges.

Usage example:

docker run -it --entrypoint /entrypoint_root.sh termux/termux-docker

Building image

Docker:

./generate.sh

Podman:

./generate.sh --podman

Pacman:

export TERMUX_PACKAGE_MANAGER=pacman
./generate.sh

Known issues

There a number of known issues which may not be resolved:

• ARM containers (and in certain rare situations, some x86 containers) might require a custom seccomp profile or custom build of Docker to remove restrictions from the personality() system call.

• When running certain multi threaded program in 32bit containers, the PIDs can balloon and easily exceed libc's limit. The only way to fix this is to set /proc/sys/kernel/pid_max to 65535. See termux-docker#40.