Security: Difference between revisions

imported>Nix
Core features: add data integrity and authenticity
imported>Nix
m Isolation: fix placement
Line 52: Line 52:


NixOS includes support for [https://en.wikipedia.org/wiki/LXC Linux Containers (LXC)]. Containers, by default, do not provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). The root user in a container would also be root on the whole system though. To avoid this, you must use ''unprivileged containers''. There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.
NixOS includes support for [https://en.wikipedia.org/wiki/LXC Linux Containers (LXC)]. Containers, by default, do not provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). The root user in a container would also be root on the whole system though. To avoid this, you must use ''unprivileged containers''. There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.
====== References ======
* [https://nixos.org/manual/nixos/unstable/index.html#ch-containers NixOS Manual - Administration: Containers Chapter].
** The manual — notably — currently has no mention of using unprivileged containers.
* [https://stgraber.org/2014/01/01/lxc-1-0-security-features/ LXC 1.0 Release, Security Features Coverage (user namespaces, unprivileged containers)]
* [https://www.youtube.com/watch?v=J17rXQ5XkDE Youtube - Red Hat: How containers use PID namespaces to provide process isolation]


===== Virtual machines =====
===== Virtual machines =====
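Review bot: the sub-bullet under the first reference ("currently has no mention of using unprivileged containers") is a time-sensitive claim attached to a link into the unstable manual. Now that the list sits directly under the paragraph telling readers they must use unprivileged containers, it can go stale without anyone noticing. Add the date or NixOS release it was checked against. Two smaller points while the list is being moved: only the first entry ends with a period, and "Youtube" should be "YouTube".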
Line 62: Line 69:


NixOS integrates support for building [[NixOS:nixos-rebuild_build-vm|test VMs]] to test configuration changes to your system.
NixOS integrates support for building [[NixOS:nixos-rebuild_build-vm|test VMs]] to test configuration changes to your system.
====== References ======
* [https://nixos.org/manual/nixos/unstable/index.html#ch-containers NixOS Manual - Administration: Containers Chapter].
** The manual — notably — currently has no mention of using unprivileged containers.
* [https://stgraber.org/2014/01/01/lxc-1-0-security-features/ LXC 1.0 Release, Security Features Coverage (user namespaces, unprivileged containers)]
* [https://www.youtube.com/watch?v=J17rXQ5XkDE Youtube - Red Hat: How containers use PID namespaces to provide process isolation]


== Nix official references ==
== Nix official references ==
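Review bot: with the container references taken out from under the test VMs sentence, the Virtual machines subsection is left, as far as the visible lines show, with one sentence about testing configuration changes and no sources. It also says nothing about isolation, which is the section named in the edit summary. The removal itself is correct, since all three entries are about containers. Consider a follow-up that adds a VM-specific reference or a sentence on what boundary a VM gives compared with the containers paragraph.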