Does anyone know of a hosting service that offers Silverblue as a possible choice for OS?
It seems to me that for a server running only docker services the greatly reduced attack surface of an immutable distro presents a definitive advantage.
I use https://fedoraproject.org/coreos/ for my server/website. My host doesn’t offer it as an image so I have to upload it myself, but I use an ISO I made with the CLI to automatically set up everything anyway. It works pretty well, I configured auto updates and I can just forget about it.
Thank you for the tip. Unless my understanding is wrong both OS are similar, Coreos targeting more precisely Kubernetes and cluster management. Had a quick look, but definitively will read more about it.
The immutability isn’t designed to protect against a malicious attacker with root access.
Any system is fucked if that happens.
It’s designed to reduce the workload of the maintainers, because they effectively only need to test and build for one standard image.
I’m using NixOS in Azure - Azure allows creating a VM out of a disk image, and NixOS has tools to create preconfigured disk images. You inject your SSH keys and stuff straight into the image, then upload and create a VM. A bit fiddly, but I got it to work.
I will respond even though this post is several days old because I actually do this. I have some vpses on Hetzner that run Silverblue no problem. It is not an install option available by default there, but support uploaded an iso under my account quickly when asked.
If you do it, change the active firewalld zone. The default is for a desktop, so not great for vps space.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
selfh.st Newsletter and index of selfhosted software and apps
Thanks, good to know about firewall.
I think it is likely an option on both Linode and Digital ocean
I don’t know about Silverblue, but I know you can use NixOS on pretty much any VPS using the tool nixos-infect.
Not sure how it would reduce your attack surface though. That’s not really the problem that they are trying to solve.
Thank you, good to know. Not as straightforward as directly installing distro but certainly worth considering.
As to why it reduces attack surface please see answer provided to other comment.
nixos-anywhere also works well for this use case.
I use https://fedoraproject.org/coreos/ for my server/website. My host doesn’t offer it as an image so I have to upload it myself, but I use an ISO I made with the CLI to automatically set up everything anyway. It works pretty well, I configured auto updates and I can just forget about it.
Thank you for the tip. Unless my understanding is wrong both OS are similar, Coreos targeting more precisely Kubernetes and cluster management. Had a quick look, but definitively will read more about it.
I’ve used coreos happily on homelab bare metal.
PXE booting it with cloudinit/ignition automation for provisioning.
It’s make for an excellent VPS.
How would describe the “reduced attack surface” of something running a container?
That phrase has practically lost all meaning.
Because even if an attacker could gain access even as root he cannot modify system files. This is why immutable OS distros are called immutable.
They 100% can.
Absitively, use case here IMO is set and forget autoupdate to stay current and SELinux (which actually reduces surface)
An attacker escaping from a container can’t be system root as Podman runs rootless (without some other exploit or weak password).
The filesystem itself is also read-only.
That would be true of podman running anywhere, and is not unique to an immutable distribution.
You can change that real quick if you have root access.
edit: “Immutable” means “all of them are the same”, not “unchangeable”.
You sound confident, but the fact that Fedora is using the term “immutable” makes me wonder if you actually have domain expertise here.Immutable means immutable. It would be strange for them to call it that if it actually means “completely irrelevant from a security perspective”.Unless you provide some evidence to the contrary I’m going to assume you aren’t correct.Someone with root can run ostree admin unlock --hotfix to make /usr writable. Someone with root can also delete all restore points.
See the comment by superkret.
The immutability isn’t designed to protect against a malicious attacker with root access.
Any system is fucked if that happens.
It’s designed to reduce the workload of the maintainers, because they effectively only need to test and build for one standard image.
Wait, why wouldn’t they? They could wipe the entire disk if they so choose
I’m using NixOS in Azure - Azure allows creating a VM out of a disk image, and NixOS has tools to create preconfigured disk images. You inject your SSH keys and stuff straight into the image, then upload and create a VM. A bit fiddly, but I got it to work.
If you want MAC (SELinux or Apparmor) (which I highly recommend) then use Silverblue / CoreOS or even SUSE MicroOS
otherwise I use NixOS. (But like I said, I’m possibly looking into switching because of lacking MAC)
I will respond even though this post is several days old because I actually do this. I have some vpses on Hetzner that run Silverblue no problem. It is not an install option available by default there, but support uploaded an iso under my account quickly when asked.
If you do it, change the active firewalld zone. The default is for a desktop, so not great for vps space.