Security: Difference between revisions

Line 46:

NixOS includes support for [https://en.wikipedia.org/wiki/LXC Linux Containers (LXC)]. Containers, by default, do not provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). The root user in a container would also be root on the whole system though. To avoid this, you must use ''unprivileged containers''. There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.

===== Virtual machines =====

[https://en.wikipedia.org/wiki/Virtual_machine Virtual machines] are generally one of the most robust tools available for process isolation. They come with [https://www.brendangregg.com/blog/2017-11-29/aws-ec2-virtualization-2017.html performance penalties] and resource overheads.

NixOS includes support for hosting virtual machines. One of the most accessible is the integrated [https://nixos.org/manual/nixos/unstable/index.html#sec-profile-qemu-guest QEMU guest system profile].

====== Test machines ======

NixOS integrates support for building [[NixOS:nixos-rebuild_build-vm|test VMs]] to test configuration changes to your system.

====== References ======

@@ Line 46: / Line 46: @@
 NixOS includes support for [https://en.wikipedia.org/wiki/LXC Linux Containers (LXC)]. Containers, by default, do not provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). The root user in a container would also be root on the whole system though. To avoid this, you must use ''unprivileged containers''. There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.
+===== Virtual machines =====
+[https://en.wikipedia.org/wiki/Virtual_machine Virtual machines] are generally one of the most robust tools available for process isolation. They come with [https://www.brendangregg.com/blog/2017-11-29/aws-ec2-virtualization-2017.html performance penalties] and resource overheads.
+NixOS includes support for hosting virtual machines. One of the most accessible is the integrated [https://nixos.org/manual/nixos/unstable/index.html#sec-profile-qemu-guest QEMU guest system profile].
+====== Test machines ======
+NixOS integrates support for building [[NixOS:nixos-rebuild_build-vm|test VMs]] to test configuration changes to your system.
 ====== References ======