Subuser 0.3 - Xpra X11 bridge + New update system¶
It has been almost a year since the 0.2 release. I haven’t been increasing the version number because subuser is so young and has been changing so quickly that making releases hardly seemed meaningful. Today I am happy to announce the 0.3 release.
The 0.3 release marks a stabilization of the code base and the completion of the basic subuser security features.
The Xpra X11 bridge¶
Since the start of application containerization, X11 has been a sore point for security enthusiasts. There is a general feeling that everyone is waiting for Wayland to solve this problem. Recently, a new project OZ came out and demonstrated that Xpra may be used as a secure bridge between a containers X server and the host. Of course Wayland is still cool, but we have Xpra now.
With the 0.3 release, subuser follows OZ’s lead and uses Xpra to create a secure X11 bridge.
Each graphical application running in subuser gets its own container. This container shares an X11 unix socket with an Xpra server which in turn runs in its own container. The Xpra client runs in yet another container. This allows Xpra to transmit the graphical session on to the host without requiring the container to have Xpra installed. This ensures that subuser images are simple.
It is hard to tell when I am running iceweasel in subuser and when I’m running it on the host. For the most part, everything just works, including full screen video. The only thing that is obviously different is the file system access. When iceweasel is running in subuser it can only see my Downloads directory and not my full home dir.
Future of the X11 bridge¶
The fact that Xpra runs outside the application container also future-proofs subuser. Subuser images can be used with any type of X11 bridge, not just Xpra. This will allow subuser users to seamlessly migrate to Wayland or Mir. Subuser images do not need to change for this transition, only the bridge needs to change.
Another future possibility is running subuser on Windows or Mac. Xpra can carry graphics across virtual machine boundaries.
The Update system¶
Another sore spot for container security is image up-dating. It is estimated that as of May 2015, 30% of official Docker images contained a known security vulnerability due to being out of date. Subuser allows the user to automatically check if their subuser images are out of date and rebuild them if necessary. The system is very simple.
Each subuser image may contain a
/subuser/check-for-updates script. This script is run when the
subuser update all command is issued. If that script returns a non-zero exit code the image is rebuilt. This is a somewhat slow process when you have a large number of subuser images, however it is effective at keeping your images up-to-date.