Does anyone know of a hosting service that offers Silverblue as a possible choice for OS?
It seems to me that for a server running only docker services the greatly reduced attack surface of an immutable distro presents a definitive advantage.
Does anyone know of a hosting service that offers Silverblue as a possible choice for OS?
It seems to me that for a server running only docker services the greatly reduced attack surface of an immutable distro presents a definitive advantage.
An attacker escaping from a container can’t be system root as Podman runs rootless (without some other exploit or weak password).
The filesystem itself is also read-only.
/dev/nvme0n1p4 on /sysroot type xfs (ro) /dev/nvme0n1p4 on /usr type xfs (ro) /dev/nvme0n1p3 on /boot type ext4 (ro)That would be true of podman running anywhere, and is not unique to an immutable distribution.
You can change that real quick if you have root access.
edit: “Immutable” means “all of them are the same”, not “unchangeable”.
You sound confident, but the fact that Fedora is using the term “immutable” makes me wonder if you actually have domain expertise here.Immutable means immutable. It would be strange for them to call it that if it actually means “completely irrelevant from a security perspective”.Unless you provide some evidence to the contrary I’m going to assume you aren’t correct.The immutability isn’t designed to protect against a malicious attacker with root access.
Any system is fucked if that happens.
It’s designed to reduce the workload of the maintainers, because they effectively only need to test and build for one standard image.