this post was submitted on 30 Aug 2024
25 points (93.1% liked)

Selfhosted

39435 readers
9 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Does anyone know of a hosting service that offers Silverblue as a possible choice for OS?

It seems to me that for a server running only docker services the greatly reduced attack surface of an immutable distro presents a definitive advantage.

all 30 comments
sorted by: hot top controversial new old
[–] [email protected] 12 points 2 months ago (2 children)

I don’t know about Silverblue, but I know you can use NixOS on pretty much any VPS using the tool nixos-infect.

Not sure how it would reduce your attack surface though. That’s not really the problem that they are trying to solve.

[–] [email protected] 2 points 2 months ago

Thank you, good to know. Not as straightforward as directly installing distro but certainly worth considering.

As to why it reduces attack surface please see answer provided to other comment.

[–] [email protected] 2 points 2 months ago

nixos-anywhere also works well for this use case.

[–] JadedBlueEyes 5 points 2 months ago (1 children)

I use https://fedoraproject.org/coreos/ for my server/website. My host doesn't offer it as an image so I have to upload it myself, but I use an ISO I made with the CLI to automatically set up everything anyway. It works pretty well, I configured auto updates and I can just forget about it.

[–] [email protected] 2 points 2 months ago (1 children)

Thank you for the tip. Unless my understanding is wrong both OS are similar, Coreos targeting more precisely Kubernetes and cluster management. Had a quick look, but definitively will read more about it.

[–] [email protected] 1 points 2 months ago

I've used coreos happily on homelab bare metal.

PXE booting it with cloudinit/ignition automation for provisioning.

It's make for an excellent VPS.

[–] [email protected] 4 points 2 months ago

If you want MAC (SELinux or Apparmor) (which I highly recommend) then use Silverblue / CoreOS or even SUSE MicroOS

otherwise I use NixOS. (But like I said, I'm possibly looking into switching because of lacking MAC)

[–] [email protected] 2 points 2 months ago (1 children)

How would describe the "reduced attack surface" of something running a container?

[–] [email protected] 1 points 2 months ago (1 children)

That phrase has practically lost all meaning.

[–] [email protected] -1 points 2 months ago (2 children)

Because even if an attacker could gain access even as root he cannot modify system files. This is why immutable OS distros are called immutable.

[–] [email protected] 9 points 2 months ago (2 children)

Because even if an attacker could gain access even as root he cannot modify system files.

They 100% can.

[–] [email protected] 1 points 2 months ago

Absitively, use case here IMO is set and forget autoupdate to stay current and SELinux (which actually reduces surface)

[–] [email protected] 0 points 2 months ago* (last edited 2 months ago) (1 children)

They 100% can.

An attacker escaping from a container can't be system root as Podman runs rootless (without some other exploit or weak password).

The filesystem itself is also read-only.

/dev/nvme0n1p4 on /sysroot type xfs (ro)
/dev/nvme0n1p4 on /usr type xfs (ro)
/dev/nvme0n1p3 on /boot type ext4 (ro)
[–] [email protected] 5 points 2 months ago* (last edited 2 months ago) (1 children)

An attacker escaping from a container can’t be system root as Podman runs rootless (without some other exploit or weak password).

That would be true of podman running anywhere, and is not unique to an immutable distribution.

The filesystem itself is also read-only.

You can change that real quick if you have root access.

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (2 children)

edit: "Immutable" means "all of them are the same", not "unchangeable".

~~You sound confident, but the fact that Fedora is using the term "immutable" makes me wonder if you actually have domain expertise here.~~

~~Immutable means immutable. It would be strange for them to call it that if it actually means "completely irrelevant from a security perspective".~~

~~Unless you provide some evidence to the contrary I'm going to assume you aren't correct.~~

[–] [email protected] 5 points 2 months ago (1 children)

The immutability isn't designed to protect against a malicious attacker with root access.
Any system is fucked if that happens.
It's designed to reduce the workload of the maintainers, because they effectively only need to test and build for one standard image.

[–] [email protected] 3 points 2 months ago

Makes sense. An "immutable" distro provides no additional security benefit, however CoreOS does have a reduced attack surface area compared to other distros, which itself is a benefit.

[–] [email protected] 1 points 2 months ago (2 children)

Someone with root can run ostree admin unlock --hotfix to make /usr writable. Someone with root can also delete all restore points.

It would be strange for them to call it that if it actually means “completely irrelevant from a security perspective”.

See the comment by superkret.

[–] [email protected] 1 points 2 months ago (1 children)

While you are correct, any system is compromised if you have root, so isn't that irrelevant at that point?

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

While you are correct, any system is compromised if you have root, so isn’t that irrelevant at that point?

The original context for the comment chain was:

Because even if an attacker could gain access even as root he cannot modify system files.

So no, it's completely relevant.

[–] [email protected] 1 points 2 months ago (1 children)

My comment in the comment chain was:

An attacker escaping from a container can't be system root as Podman runs rootless (without some other exploit or weak password).

We could give the op the benefit of the doubt and thinking that they were saying that the attacker inside the container managed to gain root inside the container.

[–] [email protected] 2 points 2 months ago (1 children)

Your comment also contained

The filesystem itself is also read-only.

Which is what led to the further discussion of root making that not so.

I don't believe that to be the intent of the OP's comment, given their second sentence, but they are welcome to state otherwise. I just don't want them thinking that an immutable distribution gives them some kind of bulletproof security that it doesn't.

[–] [email protected] 1 points 2 months ago

Very true. The discussion helped me, as I did think it meant not easily editable.

As root of course you can change the system to be any other type of system (layer packages, rebase, whatever), but I did assume it meant not easily modifiable in it's current state.

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

While what you're saying is theoretically true, don't forget that as far as I know, most attacks are perpetrated by bots. And while it is true that in a fedora based version one could run ostree admin unlock etc... this particular command would need to be included in the attack script.

Now if the script has to be modified to include all possible different immutable systems that could possibly run it would increase the complexity and most importantly the size of said script making it easier to detect.

I'm not saying that its a bulletproof method, I'm just saying that by itself it greatly minimizes the risk, at least until all servers run immutable systems. And even then it still complicates matters for potential attackers quite a bit. So therefore reducing or at least greatly minimizing the potential of the system being compromised.

[–] [email protected] 1 points 2 months ago

Because even if an attacker could gain access even as root he cannot modify system files.

Your comment was already from the position of if an attacker could gain root access. My responses were to that directly, and nothing else.

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago)

Wait, why wouldn't they? They could wipe the entire disk if they so choose

[–] [email protected] 2 points 1 month ago

I will respond even though this post is several days old because I actually do this. I have some vpses on Hetzner that run Silverblue no problem. It is not an install option available by default there, but support uploaded an iso under my account quickly when asked.

If you do it, change the active firewalld zone. The default is for a desktop, so not great for vps space.

[–] [email protected] 1 points 2 months ago

I think it is likely an option on both Linode and Digital ocean

[–] [email protected] 1 points 1 month ago

Thanks, good to know about firewall.