Hello,
Would it be possible to explore the idea of having CoreOS and SilverBlue templates? These distros
are designed for containerization and would increase security and flexibility of the current template scene.
They’re rather designed to provide the functionality of transactional updates to a system that runs predominantly containerised user software. I’m curious how you see this as being any more flexible and whether people more knowledgeable about Qubes see containerisation as bringing anything meaningful security-wise to an already compartmentalised operating system.
You can create your own templates. It won’t be easy but here are some links:
Why would creating a qube with Fedora Silverblue require so many steps — can’t an iso file be installed on a qube more simply such as in VirtualBox?
Having an immutable OS makes it more difficult for an adversary to escalate privileges within the OS and could help to prevent them from escaping the virtual machine.
I think immutable OSes are one of the changes @demi (from the Qubes team) noted as important as well in her talk from the 2023 Qubes summit (on YouTube). But I can imagine there are some implementation challenges that make it hard to implement.
Feel free to watch Demi’s talk. I can recommend.
Thanks for sharing! Is this the video? There are several 8 hour 2023 summit videos.
This is it https://www.youtube.com/watch?v=_UxndcxIngw (I think it’s the same)
It starts at 2h22m.
It’s actually really interesting! I’m going to go through the whole presentation
(Sorry for the necro)
qubes_builder now has a complete revision in qubes_builder v2, so I don’t think the instructions of that last link work anymore.
I wouldn’t completely assume so, but to install Fedora Silverblue in Qubes, do you just have to change the builder.yml config file from fedora:latest to fedora-silverblue:latest? The last link you included sort of had that type of logic.
Also, the instructions in this PrivSec guide to make a template seem way simpler compared to @unman's guide. Would all I need to do differently from the PrivSec guide be to copy the vmlinuz and initramfs files from Silverblue releases? If so, where would I find these files?
If this simplicity still applies when using Qubes builder v2, then making a Silverblue template sounds promising!
Immutable Linux desktop distributions don’t provide any security benefit over typical ones. Secureblue is a security hardened, atomic, Fedora based Linux distro, but its atomicity/immutability is not what makes it more secure than Fedora Workstation.