It costs 25$/month for 2TB, 5TB will cost about 50$/month I guess. 600$/year it costs more then my current setup and still requires a good throughput in the hotel, that is not real.
How much it will cost for me as for the end user to upload and store a one 100MB video using this storage? Looks like 50 video will be for free, then I need a subscription.
It doesn't look as a web-friendly solution, end user has to install a python, but I will check it out, probably it could be improved in the way I can share just a link.
It isolates just "one application" inside "one domain". What I am looking, is lightweight OS with systemd, network stack, etc, docker and other service running inside.
Hi there!
Remote work in Tech is everywhere! To simplify digital nomad life I tried to use one laptop for work and personal tasks. And it becomes tricky. Different employers require to install some proprietary software for communication, work, and security audit. I don't like to do that on a personal laptop. Some proprietary software running as root is a bad idea. On another side, it is not so convenient to travel with a lot of hardware. I tried virtual machines, but they are slow and drain the battery quickly. I tried docker but without systemd support, it doesn't allow us to run a lot of software. Then I discovered LXD, wrote helper scripts, and configured profiles to pass X.org, Pulse Audio, Video devices, etc. It solved the issue, but it is not so user-friendly as it should be. I like the QubesOS approach and UX, but I don't use it because the same reasons VM doesn't work for me.
What do you think about domain-based applications environments Linux distribution with UX similar to QubesOS but based on LXD? For instance, I need the following isolated domains: "work" with Ubuntu 20.04, "personal" with Archlinux, "secops" with KaliLinux for another employer, "media" with Ubuntu Studio. And my host OS just list applications inside domains in applications menu. For me it looks like Firefox Containers (https://addons.mozilla.org/en-US/firefox/addon/multi-account...) but for the applications.
> some proprietary software running as root is a bad idea.
LXD does not provide security for that case.
(unprivileged containers do have some sort of security measure related to this by mapping the uid 0 inside the container to one that is not privileged outside the container. Tools that need root but make no privileged system calls can work inside an unprivileged container. Example: an installation script that wants to call a package manager to install shared libraries as dependencies might require root, but only for filesystem changes inside the container, so that works. Tools that require privileged access to the kernel will not work in unprivileged containers. - this is very simplified - containerization is process isolation and fine tuned privileges can reduce attack surface, but it should not be seen as a "one size fits all" solution for this particular case)
> pass X.org, Pulse Audio, Video devices, etc.
or that one
(this is harder to explain. Basically: X is not designed with security in mind: if you give a keylogger access to your X session it can log your keys. pulse audio means you are doing a deep dive, because if you map the isolated uid to the uid the pulseaudio server, containment is broken. It is possible by assuming the container is "on the network" but nontrivial and lets not talk about microphones or selective access. Finally passing through pcie devices that have direct memory access is the containment equivalent of paying for the bus and asking the process to be home for dinner.)
> LXD does not provide security for that case.
> (unprivileged containers do have some sort of security measure related to this by mapping the uid 0 inside the container to one that is not privileged outside the container)
it is what at least I need, it works with SW I was required to install
> X is not designed with security in mind
I considered risk, I understand that there are still vulnerabilities like some software can read keyboard input from other windows, but I take this risk. BTW, for full isolation I have seen that people start a new X.org session as well.
If you are open to Windows at all, Windows Subsystem 2 handles scenarios like this well for me. The VMs are extremely fast, light-weight and integrated well. The VMs start in under 2 seconds and compile times are virtually identical to running on the host. I use the host Windows system as my "personal" computing space and all work is isolated on the WSL2 VM. I simply run a windows X server for GUI apps (X410 is my goto) and it works flawlessly. Multiple WSL2 instances can be run with different flavors of Linux in each including Arch and Kali as would be the case in your scenario.
I realize having a closed-source Windows host can be a complete non-starter for many.
Heh, I started to learn Computer Science on Windows, then tried Linux and no way to be back to Windows if it is not required by a job or some tasks, like video editing.
I've been looking for something like this. So far I've looked into x11docker (https://github.com/mviereck/x11docker) and dx11 (https://gitlab.com/brickpop/dx11-nim#dx11) but dx11 looks unmaintained and the whole solution feels incomplete. Yes, I know it's not LXD, but I was willing to accept docker as an alternative.
The solution I'm currently checking is ContainerBox (https://github.com/AlexandreDey/ContainerBox). I'm building a container for KDE and I'll get back with results.
My main goals is not to achieve the same security like QubesOS, but to have multiple isolated environments within the same window manager (something like KDE Activities but for separate users).
Presumably, (1) he wants the software to run as within-container root and (2) since this is work-related, he has a limited degree of trust that it at least won't actively try malicious activity like trying to break out of the container
Have you tried completely disconnecting the environments? Large external drive with separate partition / OS per employer? I assume you don't want to share data between them anyway.
External storage per domain is not so conviniet. Time to reboot + USB3 cable doesn't work good to me. Probably, I can consider SD storage. BTW, if we talk about multiboot, I am ok with a few encrypted partitions on internal storage.
