undefined | Better HN

0 pointspritambaral1y ago0 comments

I run all my dev environments under LXD. Even the IDE: full graphical Emacs (or Vim) over X11 forwarding over SSH. Host is Wayland, so security concerns with X are handled. WayPipe also works, but is jankier than X, probably because X, unlike Wayland, was designed for network transparency.

LXD, unlike Docker, doesn't play fast-and-loose with security. It runs rootless by default, and I don't allow non-root access to the LXD socket on host. Each container is a full userspace, so it's much more convenient to configure and use than Dockerfiles.

SSH from a container to a remote works transparently because I forward my SSH Agent. This is secure because my agent confirms each signing request with a GUI popup (on host).

0 comments

3eb7988a16631y ago

Can you point to a write-up somewhere that details this setup?

Part of the appeals of VMs is that they were built with security as a primary objective. I probably have to do something stupid to break that isolation. A custom ad hoc configuration makes me a bit nervous that I will unknowingly punch a Docker sized hole through my firewall and have less security than if I ran a stock workflow.

cheema331y ago

For me, I don't use LXD, but use Proxmox containers. These are non-root Linux containers by default. Super lightweight compared to a VM. Proxmox makes managing LXC containers a little easier with a UI, compared to managing containers strictly using command line.

If you go this route, create a container template that has everything you want in every instance. And then spin out new containers whenever you need one.

khimaros1y ago

you might be interested in the incus webui

j / k navigate · click thread line to collapse