Does anyone know of a hosting service that offers Silverblue as a possible choice for OS?

It seems to me that for a server running only docker services the greatly reduced attack surface of an immutable distro presents a definitive advantage.

  • @[email protected]
    link
    fedilink
    English
    123 months ago

    I don’t know about Silverblue, but I know you can use NixOS on pretty much any VPS using the tool nixos-infect.

    Not sure how it would reduce your attack surface though. That’s not really the problem that they are trying to solve.

    • @aordogvanOP
      link
      English
      23 months ago

      Thank you, good to know. Not as straightforward as directly installing distro but certainly worth considering.

      As to why it reduces attack surface please see answer provided to other comment.

  • Jade
    link
    fedilink
    English
    53 months ago

    I use https://fedoraproject.org/coreos/ for my server/website. My host doesn’t offer it as an image so I have to upload it myself, but I use an ISO I made with the CLI to automatically set up everything anyway. It works pretty well, I configured auto updates and I can just forget about it.

    • @aordogvanOP
      link
      English
      23 months ago

      Thank you for the tip. Unless my understanding is wrong both OS are similar, Coreos targeting more precisely Kubernetes and cluster management. Had a quick look, but definitively will read more about it.

      • @[email protected]
        link
        fedilink
        English
        13 months ago

        I’ve used coreos happily on homelab bare metal.

        PXE booting it with cloudinit/ignition automation for provisioning.

        It’s make for an excellent VPS.

  • @[email protected]
    link
    fedilink
    English
    23 months ago

    I will respond even though this post is several days old because I actually do this. I have some vpses on Hetzner that run Silverblue no problem. It is not an install option available by default there, but support uploaded an iso under my account quickly when asked.

    If you do it, change the active firewalld zone. The default is for a desktop, so not great for vps space.

  • @just_another_person
    link
    English
    23 months ago

    How would describe the “reduced attack surface” of something running a container?

      • @aordogvanOP
        link
        English
        -13 months ago

        Because even if an attacker could gain access even as root he cannot modify system files. This is why immutable OS distros are called immutable.

        • @[email protected]
          link
          fedilink
          English
          93 months ago

          Because even if an attacker could gain access even as root he cannot modify system files.

          They 100% can.

          • @[email protected]
            link
            fedilink
            English
            13 months ago

            Absitively, use case here IMO is set and forget autoupdate to stay current and SELinux (which actually reduces surface)

          • @asap
            link
            English
            0
            edit-2
            3 months ago

            They 100% can.

            An attacker escaping from a container can’t be system root as Podman runs rootless (without some other exploit or weak password).

            The filesystem itself is also read-only.

            /dev/nvme0n1p4 on /sysroot type xfs (ro)
            /dev/nvme0n1p4 on /usr type xfs (ro)
            /dev/nvme0n1p3 on /boot type ext4 (ro)
            
            • @[email protected]
              link
              fedilink
              English
              5
              edit-2
              3 months ago

              An attacker escaping from a container can’t be system root as Podman runs rootless (without some other exploit or weak password).

              That would be true of podman running anywhere, and is not unique to an immutable distribution.

              The filesystem itself is also read-only.

              You can change that real quick if you have root access.

              • @asap
                link
                English
                1
                edit-2
                3 months ago

                edit: “Immutable” means “all of them are the same”, not “unchangeable”.

                You sound confident, but the fact that Fedora is using the term “immutable” makes me wonder if you actually have domain expertise here.

                Immutable means immutable. It would be strange for them to call it that if it actually means “completely irrelevant from a security perspective”.

                Unless you provide some evidence to the contrary I’m going to assume you aren’t correct.

                • @[email protected]
                  link
                  fedilink
                  English
                  63 months ago

                  The immutability isn’t designed to protect against a malicious attacker with root access.
                  Any system is fucked if that happens.
                  It’s designed to reduce the workload of the maintainers, because they effectively only need to test and build for one standard image.

                • @[email protected]
                  link
                  fedilink
                  English
                  23 months ago

                  Someone with root can run ostree admin unlock --hotfix to make /usr writable. Someone with root can also delete all restore points.

                  It would be strange for them to call it that if it actually means “completely irrelevant from a security perspective”.

                  See the comment by superkret.

        • Possibly linux
          link
          fedilink
          English
          2
          edit-2
          3 months ago

          Wait, why wouldn’t they? They could wipe the entire disk if they so choose

  • @aordogvanOP
    link
    English
    13 months ago

    Thanks, good to know about firewall.