PodMan, the future for rootless containers
nick65go:
Hi @gadget42, thanks for the tips about https://easyos.org/
I started to read it for fun, and it seems to use some solid concepts, the same as tiny-core, and some more "modern" ones. For example:
- it uses a small boot loader, limine (the same proposal as CachyOS, which I use), which handles both BIOS and UEFI in very small files (not critical, but I think limine knows only FAT12/32, which is good enough for the UEFI ESP partition).
- for distribution, it uses a "modern" image (FAT + EXT4): just dd it and it auto-expands to the full USB size, instead of an ISO format.
- for containers, it uses a layered autofs/union = base SquashFS (read-only) + RW layer. The same idea of SquashFS + in-RAM files as TC, but over zramfs instead of tmpfs.
- protection by limiting some Linux kernel capabilities, the same as podman.
- a small desktop (jwm, instead of fltk) and a small file manager, the same as TC.
I do not know (yet) how dependency hell is solved, or about the package manager, the speed of new package releases, etc.
About security: good for a nomad USB, but not yet the degree of security I wish for on a fixed disk.
Anyway, I do not intend to describe this distro here, but it seems it may also be interesting for some TC users.
hiro:
The more "natural" jail still uses root and then the idea of dropping privileges one by one, in order to achieve separation.
So in the fight between podman (Red Hat) and docker, it will not support the argument against docker.
The most novel departure from the traditional unix "root first + privilege drops (change user, chroot)" perms is on plan9, where every user who wants to log in has to first gain privileges against the system via a trusted auth server. Without those privileges there is no access to non-world-readable data, and since there are no setuid flags there's no way to break out. chroot is not needed either, because the namespace can be minimized before the user even logs in: i.e. the daemon service listening for incoming connections is running as user "none", which has the least possible privileges.
rootless is an *insult* to this.
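The "root first + privilege drops" pattern hiro contrasts with plan9, written out as an added example in C. This is not code from the thread, from EasyOS or from podman; the helper names drop_privileges and verify_dropped, the optional jail argument and the uid/gid arguments are assumptions for illustration. It does the privileged set-up while still root (an optional chroot), clears supplementary groups, sets the gid before the uid, and then checks in /proc/self/status that real, effective, saved and filesystem ids all changed and that setuid(0) is refused. On Linux, setuid() called by root sets all of those ids at once; seteuid() would leave saved-uid 0 behind, which is the mistake the verification is there to catch.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed helper (not from the thread): classic "root first, then drop".
 * Do the privileged work while still root (here: an optional chroot into
 * jail), then give up group and user privileges in an order that cannot
 * be undone. jail == NULL skips the chroot (it needs CAP_SYS_CHROOT, so
 * an unprivileged caller could not do it anyway).
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid, const char *jail)
{
    int was_root = (geteuid() == 0);

    /* 1. chroot while we still can, and chdir("/") afterwards: a cwd that
     *    is still outside the jail is the classic way to walk back out. */
    if (jail != NULL) {
        if (chdir(jail) != 0 || chroot(jail) != 0 || chdir("/") != 0)
            return -1;
    }

    /* 2. Supplementary groups are the classic leak: clear them before the
     *    gid/uid change, since afterwards CAP_SETGID is gone. A non-root
     *    caller is not allowed to call setgroups at all, so skip it. */
    if (was_root && setgroups(0, NULL) != 0)
        return -1;

    /* 3. gid before uid: once the uid is unprivileged, setgid would fail. */
    if (setgid(gid) != 0)
        return -1;

    /* 4. setuid() from root sets real, effective AND saved uid on Linux.
     *    seteuid() alone would keep saved-uid 0, and the process could
     *    climb back with seteuid(0). */
    if (setuid(uid) != 0)
        return -1;

    return 0;
}

/* Read the "Uid:" or "Gid:" line of /proc/self/status into ids[4]:
 * real, effective, saved, filesystem. Returns 0 on success. */
static int read_ids(const char *label, unsigned ids[4])
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int found = 0;
    size_t n = strlen(label);

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, label, n) == 0 &&
            sscanf(line + n, "%u %u %u %u",
                   &ids[0], &ids[1], &ids[2], &ids[3]) == 4) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found ? 0 : -1;
}

/* Post-condition check a cautious daemon runs after dropping: all four
 * uids and gids are the target ones, and (for a non-zero target) the
 * kernel refuses setuid(0) with EPERM. Returns 0 if verified, -1 if not. */
int verify_dropped(uid_t uid, gid_t gid)
{
    unsigned u[4], g[4];

    if (read_ids("Uid:", u) != 0 || read_ids("Gid:", g) != 0)
        return -1;
    for (int i = 0; i < 4; i++) {
        if (u[i] != (unsigned)uid || g[i] != (unsigned)gid)
            return -1;
    }
    if (uid != 0) {
        errno = 0;
        if (setuid(0) == 0 || errno != EPERM)
            return -1;   /* got root back, or failed for an odd reason */
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./drop [uid gid]; as root, drop to the given service ids.
     * Without arguments it drops to its own ids, a no-op that still
     * exercises the checks. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (argc == 3) {
        uid = (uid_t)strtoul(argv[1], NULL, 10);
        gid = (gid_t)strtoul(argv[2], NULL, 10);
    }
    if (drop_privileges(uid, gid, NULL) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%u gid=%u verified=%s\n", (unsigned)uid, (unsigned)gid,
           verify_dropped(uid, gid) == 0 ? "yes" : "NO");
    return 0;
}
```

Run it as root with something like `./drop 65534 65534` to see a real drop; unprivileged and without arguments the drop is to its own ids. The order (chroot, setgroups, setgid, setuid) matters: each step needs a privilege the next step removes, which is exactly the fragility hiro's plan9 comparison is pointing at.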
hiro:
and one more warning:
Don't overdo it with the separation on a single machine, because of diminishing returns: Spectre, Meltdown, etc. are not going to go away.
nick65go:
Hi @hiro, I like your "rootless is an *insult* to this" :) referring to (RedHat) free podman (which does not use setuid, but merely sub-domain uid, kernel namespaces and sockets). Not many use plan9 (the inferno incarnation) yet.
For an OS, what matters is its collection of apps, even better if they are compiled by others (trusted big distributions like Debian, Archlinux, Fedora, Alpinelinux) to keep apps up to date against vulnerabilities.
My current / temporary "solution" is an independent laptop, with nothing private / secret on it. It is a spare machine (yes, I can afford less than $1,000 over 8 years on a laptop, cheaper than alcohol / tobacco / drugs, to indulge myself) to play / learn with. The only concern about it is not getting a firmware rootkit. Everything else can be easily erased and started again in minutes, from an external spare USB.
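The rootless mechanism nick65go refers to (user namespaces with uid mappings instead of setuid), as an added example in C that is not from the thread, from podman or from EasyOS. It forks a child that creates a user namespace and maps exactly one id, its own, to uid/gid 0, which is the only mapping an unprivileged process may write for itself (podman's wider /etc/subuid ranges go through the setuid helpers newuidmap/newgidmap). It then shows the limit of that "root": chowning its own file to uid 1, an id the namespace has no mapping for, is refused with EINVAL. The NS_* codes, rootless_probe and child_body are assumed names; on a host where unprivileged user namespaces are disabled (sysctl, AppArmor or a seccomp profile) the probe reports NS_UNSHARE_DENIED instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
/* value from <linux/sched.h>; <sched.h> only exports it under _GNU_SOURCE */
#define CLONE_NEWUSER 0x10000000
#endif

/* Probe results (assumed names, not from the thread or from podman). */
enum {
    NS_OK = 0,               /* uid 0 inside, unmapped ids refused */
    NS_UNMAPPED_ALLOWED = 1, /* "root" reached an unmapped id: should not happen */
    NS_UNSHARE_DENIED = 2,   /* unprivileged user namespaces disabled here */
    NS_SETUP_FAILED = 3      /* /proc mapping writes or temp file failed */
};

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    ssize_t n;

    if (fd < 0)
        return -1;
    n = write(fd, text, strlen(text));
    close(fd);
    return (n == (ssize_t)strlen(text)) ? 0 : -1;
}

/* Runs in the child: new user namespace, single id mapped to root. */
static int child_body(uid_t outer_uid, gid_t outer_gid)
{
    char buf[64];

    /* via syscall() so the example builds with or without _GNU_SOURCE */
    if (syscall(SYS_unshare, CLONE_NEWUSER) != 0)
        return NS_UNSHARE_DENIED;

    /* An unprivileged creator must write "deny" here before gid_map is
     * writable; it blocks using setgroups() to shed a restrictive group. */
    if (write_file("/proc/self/setgroups", "deny") != 0)
        return NS_SETUP_FAILED;
    snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)outer_uid);
    if (write_file("/proc/self/uid_map", buf) != 0)
        return NS_SETUP_FAILED;
    snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)outer_gid);
    if (write_file("/proc/self/gid_map", buf) != 0)
        return NS_SETUP_FAILED;

    /* From here on we are uid 0 inside the namespace ... */
    if (geteuid() != 0)
        return NS_SETUP_FAILED;

    /* ... but root only over the ids that are mapped. Chowning a file we
     * own to uid 1, which has no mapping in this namespace, must fail with
     * EINVAL, although a real root could do it without a second thought. */
    char tmpl[] = "/tmp/userns-probe-XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NS_SETUP_FAILED;
    errno = 0;
    int rc = fchown(fd, (uid_t)1, (gid_t)-1);
    int err = errno;
    close(fd);
    unlink(tmpl);
    if (rc == 0)
        return NS_UNMAPPED_ALLOWED;
    return (err == EINVAL) ? NS_OK : NS_SETUP_FAILED;
}

/* Fork so the caller's own namespace is untouched; returns an NS_* code. */
int rootless_probe(void)
{
    uid_t u = getuid();
    gid_t g = getgid();
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return NS_SETUP_FAILED;
    if (pid == 0)
        _exit(child_body(u, g));
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return NS_SETUP_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = {
        "OK: uid 0 inside the namespace, unmapped ids refused",
        "unexpected: an unmapped id was accepted",
        "user namespaces not permitted for this user",
        "setup failed"
    };
    int r = rootless_probe();
    printf("rootless probe: %d (%s)\n", r, names[r]);
    return r == NS_OK ? 0 : 1;
}
```

No setuid binary is involved in the block itself, which is nick65go's point; the trade-off is that the kernel's user-namespace code now sits in front of every unprivileged user, which is the attack surface hiro's reply is objecting to.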