Toolship: A more secure workstation

68 points, by yapret, over 1 year ago

22 comments

zoomzoom, over 1 year ago
The best answer to keeping your workstation clean & secure is, in my view, a thin client paired with ephemeral remote environments:

Immutable or chain-of-trust based host OS (e.g. nix or iOS)

Minimal software installed (including docker, which itself is heavy and full of vulns or opens the door to them)

Do everything on ephemeral remote environments where the configuration is stored in reviewable tools (e.g. GitHub) and the state can be wiped at will. This means you reduce your surface area for persistent malware to supply chain and network attacks, which require careful practices to avoid but which are well understood.

Remote envs are preferred to local virtualization (e.g. Qubes) because they lend themselves to team use and sharing more, and so are more likely to be widely adopted and collectively improved. Also easier to create different hardware configurations as needed (when you need a bigger GPU temporarily), as well as different environment types - e.g. always-on previews for QA testing. Also eliminates persistent paths in the local OS for malware storage.
lijok, over 1 year ago
Your workstation will never be secure. Ever. It's not possible. Give up and work to implement zero trust. Ephemeral environments like CI/CD are not inherently secure because they're ephemeral either.
mr-karan, over 1 year ago
Interesting approach to maintaining a clean dev environment using containers. This approach reminds me of Fedora Silverblue[1] that I've been wanting to try. It leverages OSTree for atomic upgrades and rollbacks. Users can run containers for CLI utils using toolbox[2]. This way, the base OS remains pristine, and there's less risk of "dependency hell" or inadvertent "package upgrades gone wrong".

[1]: https://fedoraproject.org/silverblue/

[2]: https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/
imiric, over 1 year ago
Docker seems a bit unwieldy for this use case. Given it runs in a Linux VM on macOS, wouldn't all these commands have considerable overhead?

On Linux, the pledge utility[1] seems like a better fit for this. I'm not aware of what the macOS alternative would be, but considering this functionality stems from OpenBSD, maybe it can be ported to Darwin?

[1]: https://justine.lol/pledge/
DavyJone, over 1 year ago
You might enjoy https://github.com/jessfraz/dotfiles/blob/master/.dockerfunc - I think she had an article about this as well.
screamingninja, over 1 year ago
I would also recommend looking into NixOS reproducible builds, which allow declaratively specifying the entire system configuration and precisely defining which packages are installed, their versions, and dependencies. The OS remains immutable and consistent. A quite powerful tool for creating a secure and minimalistic workstation environment.

https://nixos.org/
LocalPCGuy, over 1 year ago
A more extreme version of this would be to install something like Proxmox on a machine (doesn't have to be the actual machine you're using, but probably could be) instead of the standard OS, and then create virtualized containers for each "use case" (and then use good security practices on each containerized OS as well, of course).

Set up correctly, if any one container were to get compromised, it shouldn't leak out to any of the other ones. It would be super inconvenient; I'm guessing that to actually have a semblance of efficiency there would still likely be a "main" container and you'd SSH into others in order to do tasks associated with that container. Not too different from the "clean OS" described here; probably the helper scripts could be similarly adapted to utilize the individual containers instead of docker containers.

I personally would be hard pressed to consider something like that, but it seems like the logical continuation of this type of machine configuration/setup.
skywhopper, over 1 year ago
I was nodding along until it became clear the Docker containers were being run as root...
ssfrr, over 1 year ago
I think if I were going to the trouble of dockerizing and isolating all my tools, I wouldn't want to rely on someone else's registry of dockerfiles.

This reminds me a lot of the cycle of sandboxing:

https://xkcd.com/2044/
zokier, over 1 year ago
I dream of a situation where I'd be developing software on plain Debian Stable with nothing else needed. It is already an immense platform, so it does feel a bit ridiculous that I'd truly need much more than that.
efrecon, over 1 year ago
I have written dew (https://github.com/efrecon/dew) for more or less the same purpose. I hardly keep any binary (and dependency) in my installation; they are all inside containers that I can easily dispose of at any time. The default in dew is to run them as your user. At the command prompt, instead of running, for example, kubectl xxx, I run dew kubectl xxx. It's a bit slower but provides an increased level of security.
ritchiey, over 1 year ago
I have the same concern. Something that might be worth looking into is replacing docker with Podman, because it runs as the authenticated user rather than using a daemon running as root. Also, I believe Podman Desktop allows for multiple VMs.

Also consider QubesOS, where everything runs in a VM (if you can find appropriate hardware on which to run it).

Less flexible but easier to install is ChromeOS Flex (or a high-end Chromebook). Like QubesOS, ChromeOS lets you run Linux in a VM but with the ability to open native windows.
kjok, over 1 year ago
I understand the benefits of VM/Docker based isolation. But how do you efficiently share data across boundaries and still stay protected? How can a development VM protect against malicious NPM packages that steal sensitive data (e.g., secrets/keys/confidential code needed for development and present inside the VM)? Am I missing something here?
omani, over 1 year ago
I have been doing this for years, but instead of docker I use LXD (even for GUI stuff). My base system is always clean and idempotent (chezmoi). All my clients look the same: laptop, desktop workstation, etc.

I even have a portable LXD environment which always looks the same, on a USB flash drive. Wherever I go, I have the same environment.
Ancapistani, over 1 year ago
Anyone see a reason this couldn't work for a fully "remote" dev environment, if the Docker daemon were running somewhere else?
mongol, over 1 year ago
I have been thinking about how to work with multiple users in a convenient way. The problem is that file permissions cause problems when you want to switch between users. I have not found a really ideal way of working using different users, but I think it needs some approach; I just haven't found it yet.
coreyh14444, over 1 year ago
WSL is quite good for this type of thing.
mnahkies, over 1 year ago
Firejail can also be a useful option, though no good if you're on Mac: https://firejail.wordpress.com/

It uses the same Linux primitives as docker etc., but can be a bit more ergonomic for this use case.
sneak, over 1 year ago
Reminder: Docker Hub image tags are not cryptographically secure. They can be replaced by DockerHub or their colo or government at any time.

You need something like org/image@sha256:<hash> instead.
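The digest-pinning point above, as an added example that is not part of the thread: a POSIX sh/awk audit that reports the FROM lines of a Dockerfile which resolve an image by mutable tag instead of by content digest. The sample Dockerfile embedded in the block is constructed for the demonstration, and the digest in it is a placeholder of 64 zeros, not a real image.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project it mentions.
# Report FROM lines in a Dockerfile whose base image is not pinned to a
# content digest (org/image@sha256:<64 hex chars>). Assumes the Dockerfile
# path is passed as $1.

# Print each unpinned image reference, one per line. Returns 1 when at
# least one is found, 0 otherwise, so it can gate a build or a pre-commit hook.
unpinned_images() {
    awk '
    toupper($1) == "FROM" {
        i = 2
        # skip instruction flags such as --platform=linux/amd64
        while (i <= NF && substr($i, 1, 2) == "--") i++
        ref = $i
        # pinned means "@sha256:" followed by exactly 64 hex digits at the end
        # (length arithmetic avoids {64} interval regexes, which some awks lack)
        pinned = 0
        if (ref ~ /@sha256:[0-9a-f]+$/ && length(ref) - index(ref, "@sha256:") - 7 == 64) pinned = 1
        # "scratch" and references to earlier build stages need no digest
        if (ref != "scratch" && !(ref in stages) && !pinned) { print ref; found = 1 }
        # remember stage names declared with "AS <name>"
        if (toupper($(i + 1)) == "AS") stages[$(i + 2)] = 1
    }
    END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample input for this example; not a real project file.
sample_dockerfile() {
    cat <<'EOF'
# constructed sample for the audit example
FROM golang:1.21-alpine AS builder
FROM --platform=linux/amd64 docker.io/library/alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS runtime
FROM builder
FROM scratch
COPY --from=builder /app /app
EOF
}

# usage:
#   sample_dockerfile > /tmp/Dockerfile.sample
#   unpinned_images /tmp/Dockerfile.sample   # prints "golang:1.21-alpine", exits 1
```

Pinning by digest only freezes which bytes you run; it does not tell you whether those bytes were what the publisher intended, so the digest still has to come from a source you trust (a signed release note, a lockfile you reviewed) rather than from whatever the registry happened to serve when you first pulled.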
tedajax, over 1 year ago
Workstation security is definitely in the category of things I'll only vaguely pretend to care about if you're paying me.
jan_Sate, over 1 year ago
The favicon of the site looks familiar.
surfer7837, over 1 year ago
Docker is not a trust boundary. CMV