Skip to content

feat: add --init-image flag for specifying custom init filesystem images per VM #937

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
manuschillerdev wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add --init-image flag for specifying custom init filesystem images per VM #937

manuschillerdev wants to merge 1 commit into from

Conversation

@manuschillerdev
Copy link

@manuschillerdev manuschillerdev commented Dec 7, 2025

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Motivation and Context

I've been tinkering with ways to extend container with a primitive for interacting with the VM layer. One approach: expose the internal init filesystem as a user-configurable option via --init-image.

What this enables:

  • Custom boot-time logic before the OCI container starts
  • Running additional processes and daemons (e.g., daemons to configure eBPF network filters, logging agents) inside the VM (not the container)
  • Debugging/instrumenting the init process

In my current approach, the custom image wraps the default vminitd, so it's currently behaving like an entrypoint.
Curious if this direction aligns with the project's goals, or if there's a better abstraction for these use cases.
If there is interest, I would add proper docs and tests.

Example for a minimal entry point binary

// custom-init/wrapper.go
package main

import (
    "fmt"
    "os"
    "syscall"
)

func main() {
    kmsg, err := os.OpenFile("/dev/kmsg", os.O_WRONLY, 0)
    if err == nil {
        kmsg.WriteString("<6>custom-init: === CUSTOM INIT IMAGE RUNNING ===\n")
        kmsg.Close()
    }

    err = syscall.Exec("/sbin/vminitd.real", os.Args, os.Environ())
    if err != nil {
        fmt.Fprintf(os.Stderr, "Failed to exec vminitd.real: %v\n", err)
        os.Exit(1)
    }
}

Containerfile

# custom-init/Containerfile
FROM ghcr.io/apple/containerization/vminit:0.12.1 AS base

FROM ghcr.io/apple/containerization/vminit:0.12.1
COPY --from=base /sbin/vminitd /sbin/vminitd.real
COPY wrapper /sbin/vminitd
  • build the binary with cd custom-init && CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o wrapper wrapper.go
  • build the image with bin/container build -t local/custom-init:0.1.2 custom-init/
  • run the container with our custom init-image: bin/container run --name init-test --init-image local/custom-init:0.1.2 alpine:latest echo "hello"
  • check the logs with cat "/Users/$USER/Library/Application Support/com.apple.container/containers/init-test/vminitd.log" | head -50

Testing

  • Tested locally
  • Added/updated tests
  • Added/updated docs

@manuschillerdev manuschillerdev changed the title feat: add init-image flag for specifying custom init filesystem images per VM feat: add --init-image flag for specifying custom init filesystem images per VM Dec 7, 2025
@jglogan
Copy link
Contributor

jglogan commented Dec 7, 2025

@dcantah see also #838

jglogan
jglogan reviewed Dec 7, 2025
View reviewed changes
@manuschillerdev
Copy link
Author

manuschillerdev commented Dec 19, 2025

@dcantah @jglogan would that be of interest for the project? Would be totally open to other suggestions on how one can interact with the startup process. Exposing --init-fs seemed like a viable option here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jglogan jglogan jglogan left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@manuschillerdev @jglogan