OCI entrypoint not treated as PID1

k4my4b · March 3, 2026, 5:14pm

When launching an OCI container image, the configured entrypoint is not executed as process PID 1 inside the container namespace.
This causes failures when images require PID1 semantics, such as images using BusyBoxinit, which performs PID1 validation and refuses to start if not executed as PID 1.
Are there any workarounds for this at the moment? I’ve tried lxc.init.cmd = <init>with no luck, it seems incusd becomes PID 1 regardless.

stgraber · March 3, 2026, 8:45pm

What’s your current entrypoint?

github.com/lxc/incus

internal/server/instance/drivers/driver_lxc.go

main


      
          			}
          		}
          
          		// Compute the entrypoint string.
          		initCmd := shellquote.Join(entrypoint...)
          
          		// As we feed this to execve and not to a real shell, un-escape some sequences.
          		initCmd = strings.ReplaceAll(initCmd, "\\(", "(")
          		initCmd = strings.ReplaceAll(initCmd, "\\)", ")")
          
          		if len(entrypoint) > 0 && slices.Contains([]string{"/init", "/sbin/init", "/s6-init"}, entrypoint[0]) {
          			// For regular init systems, call them directly as PID1.
          			err = lxcSetConfigItem(cc, "lxc.init.cmd", initCmd)
          			if err != nil {
          				return "", nil, err
          			}
          		} else {
          			// For anything else, run them under our own PID1.
          			err = lxcSetConfigItem(cc, "lxc.execute.cmd", initCmd)
          			if err != nil {
          				return "", nil, err

k4my4b · March 3, 2026, 9:05pm

/usr/bin/init (busybox)

in the case of busybox init I can get around it by invoking linuxrc instead of init and that will skip PID 1 enforcement (unsure of side effects):

/* Expect to be invoked as init with PID=1 or be invoked as linuxrc */
if (getpid() != 1
 && (!ENABLE_LINUXRC || applet_name[0] != 'l') /* not linuxrc? */
) {
        bb_simple_error_msg_and_die("must be run as PID 1");
}

stgraber · March 3, 2026, 9:30pm