Does anyone know of a hosting service that offers Silverblue as a possible choice for OS?

It seems to me that for a server running only docker services the greatly reduced attack surface of an immutable distro presents a definitive advantage.

  • 908musdf@lemmy.one
    link
    fedilink
    English
    arrow-up
    2
    ·
    4 months ago

    I will respond even though this post is several days old because I actually do this. I have some vpses on Hetzner that run Silverblue no problem. It is not an install option available by default there, but support uploaded an iso under my account quickly when asked.

    If you do it, change the active firewalld zone. The default is for a desktop, so not great for vps space.

  • StrawberryPigtails@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    I don’t know about Silverblue, but I know you can use NixOS on pretty much any VPS using the tool nixos-infect.

    Not sure how it would reduce your attack surface though. That’s not really the problem that they are trying to solve.

      • aordogvan@lemmy.worldOP
        link
        fedilink
        English
        arrow-up
        0
        ·
        4 months ago

        Because even if an attacker could gain access even as root he cannot modify system files. This is why immutable OS distros are called immutable.

          • asap@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            4 months ago

            They 100% can.

            An attacker escaping from a container can’t be system root as Podman runs rootless (without some other exploit or weak password).

            The filesystem itself is also read-only.

            /dev/nvme0n1p4 on /sysroot type xfs (ro)
            /dev/nvme0n1p4 on /usr type xfs (ro)
            /dev/nvme0n1p3 on /boot type ext4 (ro)
            
            • myersguy@lemmy.simpl.website
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              4 months ago

              An attacker escaping from a container can’t be system root as Podman runs rootless (without some other exploit or weak password).

              That would be true of podman running anywhere, and is not unique to an immutable distribution.

              The filesystem itself is also read-only.

              You can change that real quick if you have root access.