Difference between revisions of "Talk:Packaging/Binaries"

From NixOS Wiki
(Silverblue mostly working with Flatpaks)
(add comment, remove indents)

Latest revision as of 10:27, 8 October 2021

untrusted binaries

Packaging and running untrusted binaries on NixOS?

For example, JDownloader is closed source, so I want to limit access to files, clipboard, etc.

--Milahu (talk) 16:47, 1 October 2021 (UTC)

A virtual machine is most robust. X11docker is a good combo; x11docker supports Kata Containers (https://katacontainers.io/), which aims to combine the security of VMs with the speed of containers. The Security wiki page is good for this too. Spectrum OS (https://spectrum-os.org/design.html) is a Nix-based design with similar aims; they were looking at crosvm with virtio_wl. — Nix (talk) 09:24, 2 October 2021 (UTC)

There is a demo here: https://alyssa.is/using-virtio-wl/#demo — Nix (talk) 09:28, 2 October 2021 (UTC)

Another relevant approach is Microsoft's development of VAIL with RDP (https://xdc2020.x.org/event/9/contributions/611/attachments/702/1298/XDC2020_-_X11_and_Wayland_applications_in_WSL.pdf), extending the RDP support of Wayland's Weston compositing manager, in order to support low-latency, zero-copy, GPU-accelerated X11/Wayland graphical Linux virtual machines on Windows. The same technology could be deployed very similarly with a Linux-guest-on-Linux-host approach for the sake of security. — Nix (talk) 23:59, 7 October 2021 (UTC)

I did some looking into OSTree (https://ostreedev.github.io/ostree/introduction/#introduction) today. They bill themselves as "git for operating system binaries," and were largely inspired by NixOS (https://ostree.readthedocs.io/en/stable/manual/related-projects/#nixos-nix). Fedora is building CoreOS (https://getfedora.org/coreos) for the containerized cloud and Silverblue (https://docs.fedoraproject.org/en-US/fedora-silverblue/) as an immutable containerized workstation OS. There are also projects like Toolbox (https://github.com/containers/toolbox) built around OSTree which look inspired by nix-shell but add containerization. Particularly interesting for this discussion is the model of Silverblue. They seem mostly to lean on Flatpaks though, which isn't very sound as is (https://flatkill.org). — Nix (talk) 00:47, 8 October 2021 (UTC)

Complex stuff! Assuming that containers are too insecure, probably the simplest solution for running (and packaging) UNTRUSTED binaries is a microVM like firecracker (https://github.com/firecracker-microvm/firecracker), managed with ignite (https://github.com/weaveworks/ignite). Both packages are in nixpkgs. We can also use firecracker directly as in microvm.nix (https://github.com/astro/microvm.nix). No need to install a new OS. No need for Wayland. No need for sudo. It just takes some hours to compile a custom guest kernel, but sooner or later, the firecracker-kernel will be on cache.nixos.org. --Milahu (talk) 10:27, 8 October 2021 (UTC)
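The "use firecracker directly" route from the last post, as an added example that is not part of the wiki thread and not code from the Firecracker, ignite or microvm.nix projects: a POSIX shell script that builds a Firecracker configuration giving an untrusted program a throwaway microVM with a read-only root image, no network device and a small fixed cpu/memory budget, then hands the terminal to firecracker. The kernel path, rootfs path, socket path and resource sizes are placeholders supplied by the caller; the script assumes the firecracker binary is on PATH and that the current user may open /dev/kvm (on NixOS, membership in the "kvm" group), so no sudo is involved. The JSON keys follow Firecracker's REST API and its --config-file format.

```shell
#!/usr/bin/env sh
# Added example, not code from the wiki thread or the Firecracker project.
# Builds a Firecracker configuration that gives an untrusted program a throwaway
# microVM: read-only root image, no network device, small fixed cpu/memory.
# Placeholders/assumptions: kernel and rootfs paths passed by the caller,
# firecracker on PATH, and the current user allowed to open /dev/kvm
# (on NixOS: membership in the "kvm" group), so no sudo is involved.

FC_SOCK="${FC_SOCK:-/tmp/firecracker-untrusted.sock}"

# "machine-config": a hard cap on what the guest may consume from the host.
machine_config_json() {
    printf '{"vcpu_count":%s,"mem_size_mib":%s}' "$1" "$2"
}

# "boot-source": the guest kernel; the boot args keep the guest on a serial
# console with no PCI bus, so there is nothing extra for the guest to probe.
boot_source_json() {
    printf '{"kernel_image_path":"%s","boot_args":"console=ttyS0 reboot=k panic=1 pci=off"}' "$1"
}

# One entry of "drives". is_read_only=true: whatever the untrusted binary
# writes is lost with the VM, and the image stays pristine for the next run.
drive_json() {
    printf '{"drive_id":"%s","path_on_host":"%s","is_root_device":%s,"is_read_only":%s}' \
        "$1" "$2" "$3" "$4"
}

# Whole --config-file document. The top-level keys mirror the REST API paths
# (/machine-config, /boot-source, /drives, /network-interfaces).
# "network-interfaces" is left empty on purpose: the guest gets no NIC at all.
microvm_config_json() {
    kernel="$1"; rootfs="$2"; vcpus="${3:-1}"; mem="${4:-256}"
    printf '{"machine-config":%s,"boot-source":%s,"drives":[%s],"network-interfaces":[]}' \
        "$(machine_config_json "$vcpus" "$mem")" \
        "$(boot_source_json "$kernel")" \
        "$(drive_json rootfs "$rootfs" true true)"
}

# Write the config and hand the terminal to Firecracker; the guest's serial
# console appears here and the script ends when the VM halts.
launch_microvm() {
    cfg="$(mktemp)"
    microvm_config_json "$1" "$2" > "$cfg"
    rm -f "$FC_SOCK"
    exec firecracker --api-sock "$FC_SOCK" --config-file "$cfg"
}

# usage: sh untrusted-microvm.sh run /path/to/vmlinux /path/to/rootfs.ext4
if [ "${1:-}" = "run" ]; then
    launch_microvm "$2" "$3"
fi
```

Run it as `sh untrusted-microvm.sh run /path/to/vmlinux /path/to/rootfs.ext4`. The file and clipboard concerns from the original question are answered by what is absent from the configuration rather than by policy inside the guest: no shared directory, no network interface and no vsock means the binary can only touch the image it booted from, and because that drive is read-only every run starts from the same known-clean state (the guest init must therefore tolerate a read-only root, for example with a tmpfs for scratch space). Resource limits in "machine-config" bound what a misbehaving program can consume on the host.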