After my recent complaint about AppImage, I thought I’d describe how I solved my problem. I needed a small patch to Digikam, which was already in Debian’s 5.9.0 package, and the thought of rebuilding the AppImage was… unpleasant.
I thought – why not just run it inside Buster in Docker? There are various sources on the Internet for X11 apps in Docker. It took a little twiddling to make it work, but I did.
My Dockerfile was pretty simple:
FROM debian:buster
MAINTAINER John Goerzen

# Upgrade the base and install Digikam plus the tools it calls out to
RUN apt-get update && \
    apt-get -yu dist-upgrade && \
    apt-get --install-recommends -y install firefox-esr digikam digikam-doc \
        ffmpegthumbs imagemagick minidlna hugin enblend enfuse pulseaudio \
        strace xterm less breeze && \
    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Same account and uid as on the host; drop the skeleton dotfiles so the
# bind-mounted home directory is used as-is
RUN adduser --disabled-password --uid 1000 --gecos "John Goerzen" jgoerzen && \
    rm -r /home/jgoerzen/.[a-z]*

# The host's /etc/machine-id is bind-mounted in at run time instead
RUN rm /etc/machine-id

# Default command; the wrapper script passes /usr/bin/digikam explicitly anyway
CMD /usr/bin/digikam

# Mount points for the picture tree and the XDG runtime dir
RUN mkdir -p /nfs/personalmedia /run/user/1000 && chown -R jgoerzen:jgoerzen /nfs /run/user/1000
I basically create the container and my account in it.
Then this script starts up Digikam:
#!/bin/bash
set -e

# --privileged is only here so statx() stops returning EPERM under the default
# seccomp profile; theoretically unnecessary with Docker 18.04 or later. See
# https://stackoverflow.com/questions/48995826/which-capabilities-are-needed-for-statx-to-stop-giving-eperm
# and https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250

# Extra arguments to this script are passed on to digikam itself
docker run -ti \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    -v "/run/user/1000/pulse:/run/user/1000/pulse" \
    -v /etc/machine-id:/etc/machine-id \
    -v /etc/localtime:/etc/localtime \
    -v /dev/shm:/dev/shm \
    -v /var/lib/dbus:/var/lib/dbus \
    -v /var/run/dbus:/var/run/dbus \
    -v /run/user/1000/bus:/run/user/1000/bus \
    -v "$HOME:$HOME" \
    -v "/nfs/personalmedia/Pictures:/nfs/personalmedia/Pictures" \
    -e DISPLAY="$DISPLAY" \
    -e XDG_RUNTIME_DIR="$XDG_RUNTIME_DIR" \
    -e DBUS_SESSION_BUS_ADDRESS="$DBUS_SESSION_BUS_ADDRESS" \
    -e LANG="$LANG" \
    --user "$USER" \
    --hostname=digikam \
    --name=digikam \
    --privileged \
    --rm \
    jgoerzen/digikam /usr/bin/digikam "$@"
The goal here was not total security isolation; if it had been, then all the dbus mounting and $HOME mounting would have been a poor idea. But as an alternative to AppImage — well, it worked perfectly. I could even get security updates if I wanted.
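For the case where some isolation is wanted, here is a tighter launcher for the same jgoerzen/digikam image. This is an added example, not a script from the original post: it drops --privileged (assuming a Docker release whose default seccomp profile already permits statx, which is what the post needed --privileged for; on an older Docker, a custom --security-opt seccomp profile that adds statx is the narrower alternative), drops all capabilities, blocks setuid escalation, and mounts only the picture tree, the X authority cookie, and a dedicated per-app config directory instead of the whole $HOME and the D-Bus and PulseAudio sockets. The config directory name, the --network=none and --pids-limit choices, and the X cookie location are assumptions. One caveat stands regardless: sharing /tmp/.X11-unix gives the container a full X11 client connection, and X11 does not isolate clients from each other, so this contains the app's filesystem and kernel surface, not its view of the desktop.

```shell
#!/bin/sh
# Added example, not from the original post. Launches the post's
# jgoerzen/digikam image without --privileged, without the D-Bus/Pulse
# mounts, and without exposing the whole home directory.

IMAGE=jgoerzen/digikam                                        # image name from the post
PICS=/nfs/personalmedia/Pictures                              # picture tree from the post
CFG_DIR="${DIGIKAM_CFG_DIR:-$HOME/.config/digikam-docker}"    # hypothetical per-app home
XAUTH="${XAUTHORITY:-$HOME/.Xauthority}"                      # host X cookie file (assumed location)

# Emit the "docker run" argument vector, one argument per line, so it can be
# reviewed or tested without Docker installed. The post's Dockerfile fixes
# jgoerzen at uid 1000, so the mounted directories must be writable by that uid.
digikam_run_args() {
    printf '%s\n' \
        --rm -ti \
        --name=digikam --hostname=digikam \
        --user=jgoerzen \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --network=none \
        --pids-limit=512 \
        -v /tmp/.X11-unix:/tmp/.X11-unix \
        -v "$XAUTH:/home/jgoerzen/.Xauthority:ro" \
        -v "$CFG_DIR:/home/jgoerzen" \
        -v "$PICS:$PICS" \
        -v /etc/localtime:/etc/localtime:ro \
        -e "DISPLAY=${DISPLAY:-:0}" \
        -e XAUTHORITY=/home/jgoerzen/.Xauthority \
        -e "LANG=${LANG:-C.UTF-8}" \
        "$IMAGE" /usr/bin/digikam
}

# Rebuild the vector from the emitted lines and exec docker with it
# (paths containing newlines are not supported).
run_digikam() {
    mkdir -p "$CFG_DIR"
    set --
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done <<EOF
$(digikam_run_args)
EOF
    exec docker run "$@"
}

case "${1:-}" in
    --print) digikam_run_args ;;   # show what would be run
    --run)   run_digikam ;;        # actually start Digikam
esac
```

Run it with --print first to review the mounts and flags, then with --run. --network=none also cuts off the firefox-esr the post installs into the image and any Digikam online features; drop that flag if those are wanted.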
Beware of running sid/buster’s Qt on old kernels; you need at least 3.17, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895718
Adding a patch to a Nix package is usually a matter of adding the patch to the `patches = […];` attribute of the package’s Nix expression, trying the install again and watching as it fetches all the build-time requirements and builds the new package for you.