A new open source utility leverages Docker's container technology, using highly granular app permissions to distribute desktop applications Credit: Elena Roussakis Distributing desktop applications for Linux has long been a headache, in large part because apps have to be repackaged for each Linux distribution. And while an app-containerization technology like Docker makes it easier to bundle and distribute apps, it wasn’t really designed for distributing desktop applications. Subuser is a new application-packaging system that allows Dockerized desktop apps to be run as if they were regular Linux applications. It provides just enough permissions to allow the Dockerized app to interact with the local system — for instance, to work with the X11 display server — while still keeping it locked down. Creating a Subuser app essentially involves building a Dockerized app, but with one extra ingredient: a permissions.json file that describes what the app in question can and can’t do. For common defaults used in most cases, users can set one flag, basic-common-permissions, and leave it at that. Users can also set more granular permissions if needed — e.g., if the app doesn’t need access to X11 for the sake of a GUI, that can be restricted. Network, keyboard, clipboard, and privileged operations can all be freed up or locked down if required. Flatpak, another recent project for easy distribution of Linux desktop applications, has gained attention for the way it splits an application off from the dependencies it needs. Subuser focuses more on selectively exposing a Dockerized app to system resources so the user can interact with it. Subuser and Flatpak also have different dependencies for the end user. Both require the user to install some software on the system running the packaged apps. In Subuser’s case, it’s Docker; in Flatpak’s case, it’s systemd. Some Linux distributions are still leery of using systemd, but most modern distros can run Docker — meaning Subuser can theoretically be deployed on a broader swath of Linux systems. Containerization technology came into use as a way to deploy end-user apps in specific Linux distributions. Red Hat’s Fedora distribution now uses containers built with its Project Atomic technology to manage how software’s installed on the system. The Snappy technology for Canonical’s Ubuntu works in roughly the same way. The problem with both of these approaches is that they’re tied to their specific distributions; Subuser intends to be more distro-agnostic. Most of the focus with Docker has been on building distributed applications or enabling consistent workflow for an app through its entire lifecycle. There’s been relatively little discussion of how Docker can also be used to deliver and manage desktop applications. Subuser hints at a lot of untapped potential. Software DevelopmentOpen Source