Does anyone know of a hosting service that offers Silverblue as a possible choice for OS?
It seems to me that for a server running only docker services the greatly reduced attack surface of an immutable distro presents a definitive advantage.
You must log in or register to comment.
Thanks, good to know about firewall.
I don’t know about Silverblue, but I know you can use NixOS on pretty much any VPS using the tool nixos-infect.
Not sure how it would reduce your attack surface though. That’s not really the problem that they are trying to solve.
I will respond even though this post is several days old because I actually do this. I have some vpses on Hetzner that run Silverblue no problem. It is not an install option available by default there, but support uploaded an iso under my account quickly when asked.
If you do it, change the active firewalld zone. The default is for a desktop, so not great for vps space.
How would describe the “reduced attack surface” of something running a container?
That phrase has practically lost all meaning.
Because even if an attacker could gain access even as root he cannot modify system files. This is why immutable OS distros are called immutable.
Because even if an attacker could gain access even as root he cannot modify system files.
They 100% can.
They 100% can.
An attacker escaping from a container can’t be system root as Podman runs rootless (without some other exploit or weak password).
The filesystem itself is also read-only.
/dev/nvme0n1p4 on /sysroot type xfs (ro) /dev/nvme0n1p4 on /usr type xfs (ro) /dev/nvme0n1p3 on /boot type ext4 (ro)An attacker escaping from a container can’t be system root as Podman runs rootless (without some other exploit or weak password).
That would be true of podman running anywhere, and is not unique to an immutable distribution.
The filesystem itself is also read-only.
You can change that real quick if you have root access.
