How to run graphics (X11) applications in the Kali LXD container

LXD gives you system containers and virtual machines, usable from the same user interface. You would rather use system containers as they are more lightweight than VMs.

Previously we have seen how to use the Kali LXD containers (includes how to use a USB network adapter). There is documentation on using graphics applications (X11) in the Kali LXD containers at the Kali website. In this post we see again how to use graphics applications (X11) in the Kali LXD containers. The aim is to simplify and make the instructions more robust.

The following assume that you have configured LXD on your system.

Overview of the Kali LXD containers

Let’s have a look at the available Kali images. Currently, there are only container images (no VM images), for the x86_64, armel, arm64, armhf and i386 architectures. They all follow Kali current which is very fresh. There are plain and cloud images. The latter support cloud-init and are more user-friendly. The cloud images create a non-root account for us (username is debian)

$ lxc image list images:kali
|           ALIAS           |             DESCRIPTION             |
| kali (5 more)             | Kali current amd64 (20201112_17:14) |
| kali/arm64 (2 more)       | Kali current arm64 (20201112_17:14) |
| kali/armel (2 more)       | Kali current armel (20201112_17:14) |
| kali/armhf (2 more)       | Kali current armhf (20201112_17:14) |
| kali/cloud (3 more)       | Kali current amd64 (20201112_17:14) |
| kali/cloud/arm64 (1 more) | Kali current arm64 (20201112_17:14) |
| kali/cloud/armel (1 more) | Kali current armel (20201112_17:14) |
| kali/cloud/armhf (1 more) | Kali current armhf (20201112_17:14) |
| kali/cloud/i386 (1 more)  | Kali current i386 (20201112_17:14)  |
| kali/i386 (2 more)        | Kali current i386 (20201112_17:14)  |

From the above list, you would install either kali or kali/cloud. Since these are container images, your LXD will automatically consider your host’s architecture and install the appropriate one. In our case, we are interested in the cloud variant because we want to configure the container while it gets started so that it gets X11 support in an easy way.

LXD profile for Kali containers, X11/graphics support

We are using the following LXD profile to add X11 (graphics) support for applications running in the Kali containers. Download the file and save as x11kali.txt. Then, import the profile into your LXD installation.

$ wget
$ lxc profile create x11kali
$ cat x11kali.txt | lxc profile edit x11kali
$ lxc profile show x11kali

Launching a Kali container with X11 support

We have the LXD profile and we are ready to launch a Kali container with X11 support. We select the Kali container image with cloud-init support. We name the container xkali. We apply first the default profile, then the x11kali profile. Then, we run the cloud-init status --wait command in the container so that it shows the progress until the container is fully ready to be used. It should take a bit because it is updating the package list and installs a few X11 support packages.

$ lxc launch images:kali/cloud xkali --profile default --profile x11kali
Creating xkali
Starting xkali
$ lxc exec xkali -- cloud-init status --wait
status: done

Here is the container.

$ lxc list xkali
| NAME  |  STATE  |        IPV4        |   TYPE    |
| xkali | RUNNING | (eth0) | CONTAINER |

Using the Kali LXD container with X11 support

There are several ways to get a shell into a container. We are using a particular one here, and create a LXD alias for it. Use the following commands that create a kalishell alias to give you a shell (non-root) to the Kali container.

$ lxc alias add kalishell 'exec @ARGS@ --user 1000 --group 1000 --env HOME=/home/debian -- /bin/bash --login'
$ lxc alias list
| ALIAS     | TARGET     |
| kalishell | exec @ARGS@ --user 1000 --group 1000 --env HOME=/home/debian -- /bin/bash --login |

We get a shell into the Kali container and run a few commands to test X11 applications, OpenGL applications and finally play audio. Note that you can also run CUDA applications (not shown below).

$ lxc kalishell xkali
debian@xkali:~$ xclock
debian@xkali:~$ glxgears 
Running synchronized to the vertical refresh.  The framerate should be
approximately the same as the monitor refresh rate.
debian@xkali:~$ sudo apt install -y wget
debian@xkali:~$ wget
debian@xkali:~$ paplay Demo_chorus.ogg

You can now install all sort of packages. Note that to get the whole lot of Kali packages, you can install the kali-linux-default metapackage. If you are only interested in a specific package, you can install just that one instead.

debian@xkali:~$ sudo apt install -y kali-linux-default


You managed to get a Kali LXD container work with X11 applications, so that they will appear on the host. As if you are running Kali on the host but you have properly separated the filesystem and the networking from the host. Still, in the situation described in this post, the X server is that of the host. There is no separation here, and you should not use this setup if you are dealing with malicious code samples, or malicious hosts. You would need a separate X server for a proper separation between the container and the host.

In this post we did not mention any networking configuration, and we have been using the default private bridge that LXD provides to us. Depending on your requirements, you would use something else. Such as setting up a USB network adapter to be used exclusively by the Kali container, or using a bridge, macvlan, ipvlan or routed networking.

Permanent link to this article:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: