
Subuser turns Docker containers into normal Linux programs, limiting privileges - bpierre
http://subuser.org/
======
heavenlyhash
This is really cool! The first time I tried to run a GUI app in a container, I
discovered there's a LOT of practical gaps between "okay I have containers"
and "I want to run a graphical application". Subuser bridges those gaps
nicely.

My favorite part of reading the docs for subuser is how completely direct and
honest they are about security of various features. E.g., if you enable some
features of X bridging, you're accepting security risks, because that's how X
works. (And if you don't need those features, don't enable them; it looks like
subuser has it down to a one-word config flag, which is _amazing_.) By
comparison, if you start out on your own... there's lots of brief tutorials on
the internet about using xephyr, or xpra, or doing something really wildly
unsafe like just plain mounting the X sockets in. But not only are all these
things rough to get started on by yourself, the brief explanations thrown
around are often not clear on the security implications. Subuser seems like a
great way to do the right things... out of the box. And with excellent truth
in packaging.

I've accumulated a lot of scripts in my personal `~/bin` over the last couple
years that do stuff like "mount cwd and interesting dir $x, make sure image
with $prog is here or fetch it, now pass args and invoke $prog with $HOME=..."
-- and while these have been really useful to _me_, they've been ad-hoc and
almost impossible to usefully share with others. Subuser's format for making
valuable configuration like this _sharable_ is extremely interesting.

------
raesene4
FWIW I think this is pretty cool. The main docker use-case is not desktop
software, and some of its choices are unlikely to suit that use-case well.

So, good to see a project look at that aspect. I would quite like to be able
to run all my apps which access untrusted services (e.g. all browsers) in a
container which I can easily wipe/reset.

~~~
timthelion
You are correct that Docker has some server centric designs. But luckily, the
Docker project has split off runc (Docker's container runtime) and since images
are just bare directory trees, there is really no claustrophobia about Docker
being a bad choice...

------
sandGorgon
Spectacular. Now build a package repo, and give me "sbu-get install
postgresql-9.5" which runs on both fedora and debian... and we are golden.

I wonder how it compares with zeroinstall or nix

~~~
txutxu
Are you used to downloading a zip or tar.gz from upstream full of bundled
dependencies?

I don't like that.

As this is open source and I get the source, I will download a full OS image or
containerized binaries from third parties. Mmmm so spectacular.

Apps running on chroots? We've had that since the 90s; the relaxed security model
of Xorg and its client/server architecture was there already, and it was the
reason to leave Windows 3.11/95 behind.

But marketing campaigns are spectacular in effect in the current money-surrounded
culture. Yes. Their network effect is spectacular. I would say so.

Edited: missing question mark

~~~
timthelion
Subuser is not a revolutionary piece of software. You are right that it is a
LOT like a zip file or tar.gz file full of bundled dependencies. It is,
however, a big improvement on just that. Subuser contains the subusers, so
they cannot mess with the rest of your system, making it a lot easier to trust
those bundled dependencies. It also provides some rather primitive update
mechanisms for those bundled dependencies. But its main advantage is the
containment and the "blank slate".

In the future, I would like to expand on the vision, to include the ability to
do deduplication, so that all those zip files with bundled dependencies take
up less space. And deduplication done right will save bandwidth too. Indeed,
when you have these "deduplicated zip files", with deduplication done
algorithmically, you'll save even MORE space and MORE bandwidth than with a
traditional dependency resolving file manager. Take for example Debian. Debian
uses packages. These packages have dependencies. The dependencies are shared.
This saves space over a case where you have a bunch of zip files with unshared
dependencies. But when you update a dependency, even if only one line of one
file has changed, that dependency must be downloaded completely anew. But with
algorithmic de-duplication, updating one line of one file means you only have
to download one line of one file anew.

Space savings are there for a similar reason.
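The "algorithmic de-duplication" argued for above, as an added example that is not from the thread or from subuser: content-defined chunking with a constructed 200-line stand-in for a dependency, showing that a one-line update only re-downloads the chunk(s) around the change rather than the whole file.

```python
import hashlib
import random

WINDOW = 16      # bytes hashed at each candidate cut point
MASK = 0x3F      # cut where the low 6 bits are zero: about one cut per 64 bytes
MIN_CHUNK = 16   # never cut inside the first MIN_CHUNK bytes of a chunk

def chunk(data: bytes) -> list:
    """Content-defined chunking: a cut depends only on the WINDOW bytes before
    it, so after an edit the cuts re-synchronise with the old ones instead of
    all shifting. Tools like rsync and casync use a cheap rolling hash here;
    blake2b over the window gives the same kind of cuts, just slower."""
    chunks, start = [], 0
    for i in range(len(data)):
        if i - start < MIN_CHUNK:
            continue
        window = data[max(0, i - WINDOW + 1):i + 1]
        h = int.from_bytes(hashlib.blake2b(window, digest_size=4).digest(), "big")
        if h & MASK == 0:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks

def chunk_id(c: bytes) -> str:
    return hashlib.sha256(c).hexdigest()

def bytes_to_fetch(have: bytes, want: bytes) -> int:
    """Bytes a client already holding `have` must download to rebuild `want`
    from a server that serves chunks addressed by their content hash."""
    known = {chunk_id(c) for c in chunk(have)}
    return sum(len(c) for c in chunk(want) if chunk_id(c) not in known)

def demo_package(seed: int = 1, lines: int = 200) -> list:
    """Constructed stand-in for a dependency: lines of pseudo-random words."""
    rng = random.Random(seed)
    words = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf"]
    return [" ".join(rng.choice(words) for _ in range(5)) for _ in range(lines)]

def one_line_update() -> tuple:
    """Old and new versions of the dependency differ in one line.
    Returns (size of the new version, bytes the client really needs)."""
    old_lines = demo_package()
    new_lines = list(old_lines)
    new_lines[100] = "this single line was patched"
    old, new = "\n".join(old_lines).encode(), "\n".join(new_lines).encode()
    return len(new), bytes_to_fetch(old, new)
```

Calling `one_line_update()` returns the full size of the new version next to the few hundred bytes actually needed; an unshared zip would re-download the full size.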

~~~
sandGorgon
It is revolutionary - if you manage to build the ecosystem. Remember that
Docker itself was not considered revolutionary ("yawn.. Use lxc").

I would really recommend you look at nix, zeroinstall, click packages and
[http://0pointer.net/blog/revisiting-how-we-put-together-linux-systems.html](http://0pointer.net/blog/revisiting-how-we-put-together-linux-systems.html)

~~~
timthelion
zeroinstall and click are interesting. But zeroinstall doesn't do anything on
the security front. Click is rather confusing, I haven't found a webpage for
it yet, or any information about how to like install and use a click package
on Debian (I think that this is because it's not possible/supported). However,
I don't see nix or Red Hat's various efforts (they have announced a new universal
package format every year or two for a decade now) to be very serious. The
problem with these efforts is that they always want to impose some opinion on
HOW things should be packaged. And I don't think that is useful as a global
standard.

~~~
sandGorgon
you should really kickstarter this project if you are really serious. I think
this can really be something if pushed hard. For all its hate, systemd is a
one man effort that changed Linux. And so was git.

There are people out there who would love to financially support this if you
ask and have a good sense of what you want to do. IMHO your post above (about
zeroinstall and click) is jumping the gun.

Would love to see what you come up with.. once the excitement has died down ;)

~~~
digi_owl
I keep wondering how much traction systemd would have gotten without having a
long standing project like udev latched onto it (never mind the consolekit
replacement logind).

I'm just waiting for some project to be wholly dependent on the existence of
networkd or some such...

------
ilovefood
Awesome! Now that I know this I can finally get to learn docker. The
functionality provided by this tool is exactly what I was doing with several
shitty Python scripts. Thanks mate!

~~~
timthelion
I hope you find it useful. Please file a bug report if you have any problems!

------
shiftoutbox
Great so you made Capsicum with docker.

[https://www.cl.cam.ac.uk/research/security/capsicum/](https://www.cl.cam.ac.uk/research/security/capsicum/)

Docker docker docker docker

~~~
timthelion
How does Capsicum solve X11 insecurity? Subuser uses XPRA...

~~~
Sanddancer
The X11 part would be solved by xpra. Capsicum, however, feels like the better
tool for the job of privilege isolation here. One of the more important things
is that you're able to lock down access much more finely than you can with
docker. You can use this to ensure that the locked down application can only
communicate with xpra and put files only in certain folders, for example,
without being able to see or interact with other processes.

Your approach has the problem of needing the inherent insecurities of docker.
Because everything within docker has to be managed either by root or someone
within the docker group, you have a greater surface area exposed where if a
malicious app is able to get hold of the docker socket file, it now owns your
system. A capability-based security system, on the other hand, wouldn't be
able to touch the docker socket, even if it was run as root.
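A defender-side check for the docker-socket risk raised above, as an added example that is not from the thread or from subuser: it reads the JSON that `docker inspect` prints (a constructed, trimmed sample here) and lists the containers that were handed root-equivalent access to the host, the socket bind-mount first among them.

```python
import json

def _cap(name: str) -> str:
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name

def audit_container(container: dict) -> list:
    """Findings for one element of `docker inspect` output: anything that
    gives the workload root-equivalent access to the host."""
    findings = []
    host = container.get("HostConfig") or {}
    for m in container.get("Mounts") or []:
        src, dst = m.get("Source", ""), m.get("Destination", "")
        if src.endswith("docker.sock"):
            findings.append(f"docker socket bind-mounted at {dst}")
        elif m.get("Type") == "bind" and src == "/":
            findings.append("host root filesystem bind-mounted")
    if host.get("Privileged"):
        findings.append("--privileged")
    if host.get("PidMode") == "host":
        findings.append("--pid=host")
    caps = {_cap(c) for c in host.get("CapAdd") or []}
    risky = caps & {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}
    if risky:
        findings.append("capabilities added: " + ", ".join(sorted(risky)))
    return findings

def audit_inspect_output(inspect_json: str) -> dict:
    """Container name -> findings for `docker inspect $(docker ps -q)`;
    containers with nothing to report are omitted."""
    result = {}
    for c in json.loads(inspect_json):
        findings = audit_container(c)
        if findings:
            result[(c.get("Name") or c.get("Id", "?")).lstrip("/")] = findings
    return result

# Constructed sample, trimmed to the fields the audit reads; real output of
# `docker inspect` has the same shape with many more keys.
SAMPLE = json.dumps([
    {"Id": "aaa", "Name": "/browser",
     "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None},
     "Mounts": [{"Type": "bind", "Source": "/home/user/Downloads",
                 "Destination": "/root/Downloads"}]},
    {"Id": "bbb", "Name": "/ci-agent",
     "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": ["SYS_ADMIN"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])
```

`audit_inspect_output(SAMPLE)` reports only `ci-agent`; a desktop app run the subuser way, with just a directory bind-mounted, comes back clean.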

------
geggam
but wouldn't it be easier to chroot / limit a program with a pre / post hook
script and leverage existing package managers?

~~~
bencollier49
Of course not! The existing package managers don't have a cute logo and an
unrealistic valuation.

~~~
timthelion
Unrealistic valuation? Is that what you call a couple hundred "stars" on
github? If you ask me, stars aren't hardly worth squat. Perhaps a pull request
every month or two... But I'm glad to see subuser getting some attention on HN
now. Perhaps the PRs will start rolling in :D

~~~
bencollier49
I guess it would only be fair for Docker to cut you a couple of million,
seeing as they're swimming in cash (apparently?)

~~~
timthelion
Unfortunately for me, I was asked to leave the Docker project after I got
upset about SUSE wanting to add EULAs to Docker images:
[https://github.com/docker/docker/issues/7153](https://github.com/docker/docker/issues/7153)

So I guess I don't get any millions. :(

------
api
Like I said: Docker wants to be a linker and a binary format:

[http://adamierymenko.com/docker-not-even-a-linker/](http://adamierymenko.com/docker-not-even-a-linker/)

If everything (mysql, pgsql, etc.) were a library you could achieve much of
what it does with -static and privilege dropping on launch.

------
nyan4
How is Docker + Subuser different than just using firejail?

~~~
timthelion
firejail is security centered. It allows you to secure the apps you already
have on your system.

Zeroinstall is distribution centered. It allows you to easily distribute
software across distros.

Subuser is like zeroinstall + firejail.

------
anc84
I was always taught that Docker is not suitable for securely separating stuff,
just for compartmentalisation. Something about running as root iirc?

~~~
lojack
> Something about running as root iirc?

The daemon runs as root, so your containers are only as secure as the daemon
itself.

~~~
cyphar
> > Something about running as root iirc?

> The daemon runs as root, so your containers are only as secure as the daemon
> itself.

This is not correct. The daemon only starts and monitors processes in this
case. You can start a process as a different user. You can also use user
namespaces to make "root in the container" not root on the host.
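To make the user-namespace point above concrete, here is an added example (not part of the thread) that parses a process's `/proc/<pid>/uid_map` and reports whether uid 0 inside that namespace is uid 0 on the host; the two map strings are constructed, the second in the shape dockerd writes for a container when it runs with `--userns-remap`.

```python
def parse_uid_map(text: str) -> list:
    """Parse /proc/<pid>/uid_map: one "<inside> <outside> <length>" triple per
    line (see user_namespaces(7)). Returns a list of int triples."""
    mappings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        mappings.append(tuple(int(f) for f in fields))
    return mappings

def host_uid(uid_map_text: str, inside_uid: int):
    """Translate a uid as seen inside the namespace to the host's uid.
    Returns None when the uid has no mapping at all."""
    for inside, outside, length in parse_uid_map(uid_map_text):
        if inside <= inside_uid < inside + length:
            return outside + (inside_uid - inside)
    return None

def root_is_host_root(uid_map_text: str) -> bool:
    """True when uid 0 inside the namespace is uid 0 on the host, i.e. the
    process did not get its own user namespace (Docker's default unless the
    daemon runs with --userns-remap)."""
    return host_uid(uid_map_text, 0) == 0

def check_pid(pid="self") -> bool:
    """Read the real mapping of a running process (Linux only)."""
    with open(f"/proc/{pid}/uid_map") as f:
        return root_is_host_root(f.read())

# Constructed samples: the first is what the initial namespace shows, the
# second is the shape dockerd writes for a container under --userns-remap.
NO_USERNS = "         0          0 4294967295\n"
REMAPPED = "         0     100000      65536\n"
```

Run `check_pid(<container pid>)` from the host: `True` means "root in the container" really is host root, which is the case lojack was describing.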

------
256TiB
What I would very much like is a program that allows me to run a Windows
program like Photoshop on Linux through something like Docker. I know I can
run PS for instance with Wine and CS2, but due to professional needs I need CC.
Gimp won't cut it. This would free me up to a great extent from Microsoft and
Apple.

I understand this is solely for Linux programs?

~~~
m12k
[http://askubuntu.com/questions/530110/how-can-i-install-photoshop-cs6-on-ubuntu-14-04](http://askubuntu.com/questions/530110/how-can-i-install-photoshop-cs6-on-ubuntu-14-04)

~~~
heavenlyhash
So wine can do it? That's pretty sweet.

It seems like it would make sense to combine this with subuser to make sure
you keep a known-good version of wine and its configuration. I've known wine
compatibility to drift unpleasantly from time to time, or accidentally lost
obscure config changes I made once...

(I have fond memories of a time when I could play Supreme Commander on linux
in wine... but I've since lost that machine, and I haven't been able to
reproduce the dang setup again since :( If subuser had existed back then, I'd
probably have a snapshot and I'd be happily playing right now...)

~~~
zzzcpan
> So wine can do it? That's pretty sweet.

Probably not. Technically, wine was able to run various versions of Photoshop
for years. But it was never stable nor complete enough to use it
professionally, with wacom tablets and such.

------
sscarduzio
I still can't understand why this can't work in docker-machine in osx. Or can
it?

~~~
timthelion
There is not any really strong reason why it cannot work. I just haven't got
an OSX machine, and no PRs have come in yet.

------
jdoliner
Very cool stuff. How compatible is this with docker-machine?

~~~
Gys
Only for Linux:
[http://subuser.org/installation.html](http://subuser.org/installation.html)

~~~
alexlarsson
From that page:

Warning: Being a member of the docker group is equivalent to having root
access.

Not a great way to limit privileges.

~~~
Filligree
The user using this has to be in that group, the programs being run do not.

For a single-user machine, it may be okay. But I don't trust Docker's security
very much.

~~~
raesene4
any particular reasons you don't trust Docker security?

~~~
cyphar
The daemon has had many security issues. They also only recently grew support
for ACLs (which are only available as plugins), so any user that can write to
the Docker socket is essentially equivalent to root.

