• tilde idea, everyone gets a container

    From b0b@b0b@cosmic.voyage to tilde.projects on Sat Dec 18 03:10:33 2021
    I have an idea that is quite possibly stupid and dangerous but I think
    it'd be interesting. Set up a tilde and give everyone access to a
    container of their own.

    I've tested it with lxd and I can make everyone have their own container
    that they can ssh to with a public key.

    You can access containers by their hostname via dns from inside the host
    (or other containers)

    The idea is that people could spin up any weird nonsense they want on
    their container and the host machine could have a webserver only
    accessible from inside that will have a list of containers and an nmap
    scan (to let people find new services)

    Perhaps the host machine could have a web page letting you type in a url
    and it would fetch that for you, so the outside world could peek at
    people's web pages.

    The worry is that if I let people be root on the containers they may end
    up being able to become root and giving people that much freedom could
    lead to them doing something illegal that gets me into trouble since it
    would be hosted on a VPS in my name.

    Anyone have any thoughts on this?
    --- Synchronet 3.19a-Linux NewsLink 1.113
  • From Luna@anahata@bsd.tilde.team to tilde.projects on Sat Dec 18 14:08:03 2021
    On 2021-12-18, b0b <b0b@cosmic.voyage> wrote:
    I have an idea that is quite possibly stupid and dangerous but I think
    it'd be interesting. Set up a tilde and give everyone access to a
    container of their own.
    [...]
    Anyone have any thoughts on this?

    This is a bad idea for a number of reasons.

    First, containers encourage isolation and siloing. The entire point of
    the tildeverse is to encourage people to socialize and do things
    together. Containers encourage the modern view of Unix as more of a
    service host than a socialization hub. I didn't have any interest in the
    tildeverse as a computing platform until I realized the social
    possibilities (and then realized how stupid I was); putting everyone in
    their own container doesn't help bring them together.

    Beyond this, the resource usage would be a problem. Why give people
    containers when we can just run what we need outside of them? The
    resource overhead of containers may be small (especially compared to a
    VM), but it's still nonzero. tildeverse machines are typically small
    Unix machines that can do a lot with a little because textmode
    applications don't require much RAM or disk space or CPU; containers
    just add another layer on top of that which makes the system less useful
    for everyone.

    You call out another problem in your own post, the security problem. The
    safest way to do this would be to set up resource limitations,
    firewalls, and perhaps even network virtualization, limited syscall
    access, and filesystem paths for the container processes. I assume you'd
    run this on Linux and Linux doesn't have support for the latter features
    I've mentioned, so you'd be out of luck there.

    In sum, I don't think this is a good fit for a tildeverse system. The
    most important problem I see with it is the social one, but the
    technical one is what's likely to get you in the most serious trouble.
    The goal is admirable, but I don't think it's really necessary here. The
    point of a tildeverse pubnix is that you can talk with your sysadmins
    and build whatever weird things you want with their support instead of
    putting it in a container, which to me has a quintessential connotation
    of a lack of trust. That's not why I'm on a tildeverse machine.
    --
    Luna
  • From P2P@p2p@peer.peer to tilde.projects on Sat Dec 18 12:46:27 2021
    On 12/18/21 8:08 AM, Luna wrote:
    On 2021-12-18, b0b <b0b@cosmic.voyage> wrote:
    I have an idea that is quite possibly stupid and dangerous but I think
    it'd be interesting. Set up a tilde and give everyone access to a
    container of their own.
    [...]
    Anyone have any thoughts on this?

    This is a bad idea for a number of reasons.

    First, containers encourage isolation and siloing. The entire point of
    the tildeverse is to encourage people to socialize and do things
    together. Containers encourage the modern view of Unix as more of a
    service host than a socialization hub. I didn't have any interest in the
    tildeverse as a computing platform until I realized the social
    possibilities (and then realized how stupid I was); putting everyone in
    their own container doesn't help bring them together.

    Beyond this, the resource usage would be a problem. Why give people
    containers when we can just run what we need outside of them? The
    resource overhead of containers may be small (especially compared to a
    VM), but it's still nonzero. tildeverse machines are typically small
    Unix machines that can do a lot with a little because textmode
    applications don't require much RAM or disk space or CPU; containers
    just add another layer on top of that which makes the system less useful
    for everyone.

    You call out another problem in your own post, the security problem. The
    safest way to do this would be to set up resource limitations,
    firewalls, and perhaps even network virtualization, limited syscall
    access, and filesystem paths for the container processes. I assume you'd
    run this on Linux and Linux doesn't have support for the latter features
    I've mentioned, so you'd be out of luck there.

    In sum, I don't think this is a good fit for a tildeverse system. The
    most important problem I see with it is the social one, but the
    technical one is what's likely to get you in the most serious trouble.
    The goal is admirable, but I don't think it's really necessary here. The
    point of a tildeverse pubnix is that you can talk with your sysadmins
    and build whatever weird things you want with their support instead of
    putting it in a container, which to me has a quintessential connotation
    of a lack of trust. That's not why I'm on a tildeverse machine.


    Rather than containers you can just assign each user a private directory
    and a limited shell in the passwd file. Then wrap each allowed command
    in a firejail profile in /etc/passwd that guarantees sandboxing to their
    directory. Then you point their ssh login toward the limited shell and
    you are good to go.

    In this way they can't get root and can't install software as root, so
    any scripts they run can't get SUID. And this is far less overhead than
    LXC, since the overhead for firejail only occurs while a command is
    running until it exits then is automatically freed up. Whereas
    containers and hypervisors have a constant overhead, using jails like
    this only has an overhead during execution of a script or command.

    Using firejail this way, with about 324 KB overhead per command
    execution, 3236 simultaneous command executions would consume 1GB of
    memory, and each 324 KB is freed up when the command exits. So a machine
    with 8GB would support 25890 simultaneous firejail executions leaving
    4GB of memory for the scripts and services.

    A properly setup passwd profile for users with a custom limited shell,
    and firejail wrappers, cannot be escalated or broken out of. It is very,
    very secure.

    When you want to make a new command available to all users you just
    create a firejail profile for it then add that to the passwd profile.

    You could combine this with fail2ban rules that detect attempts at
    malicious usage, such as port scanning, spinning up bot clusters and the
    like, to shut that nonsense down right away.
  • From b0b@b0b@cosmic.voyage to tilde.projects on Sat Dec 18 12:32:34 2021
    On 12/18/21 10:46 AM, P2P wrote:

    When you want to make a new command available to all users you just
    create a firejail profile for it then add that to the passwd profile.

    You could combine this with fail2ban rules that detect attempts at
    malicious usage, such as port scanning, spinning up bot clusters and the
    like, to shut that nonsense down right away.


    The point behind giving people a container was to build a tiny LAN
    within the host. I don't think firejail would do that.

    Like I'm thinking the machine that runs all the containers could have
    whatever tools or commands people want.

    I just want to build a tiny network inside of a machine and let people
    have a machine on it and see what happens
  • From Deepend to b0b on Sat Dec 18 21:05:44 2021

    On 12/18/21 10:46 AM, P2P wrote:

    The point behind giving people a container was to build a tiny LAN
    within the host. I don't think firejail would do that.

    Like I'm thinking the machine that runs all the containers could have
    whatever tools or commands people want.

    I just want to build a tiny network inside of a machine and let people
    have a machine on it and see what happens

    I kinda see what you're getting at .. But maybe calling it a tilde
    wouldn't really work, since the working together/social aspect is very
    much a part of what makes a tilde these days.
  • From b0b@b0b@cosmic.voyage to tilde.projects on Sat Dec 18 23:19:57 2021
    On 12/18/21 8:05 PM, Deepend wrote:
    To: b0b

    On 12/18/21 10:46 AM, P2P wrote:

    The point behind giving people a container was to build a tiny LAN
    within the host. I don't think firejail would do that.

    Like I'm thinking the machine that runs all the containers could have
    whatever tools or commands people want.

    I just want to build a tiny network inside of a machine and let people
    have a machine on it and see what happens

    I kinda see what you're getting at .. But maybe calling it a tilde
    wouldn't really work, since the working together/social aspect is very
    much a part of what makes a tilde these days.

    True, I guess I don't really know what to call it. But I was thinking you
    could set up a mail server and an irc server and such for the social
    aspect as well.
  • From yeti@yeti@tilde.institute to tilde.projects on Tue Dec 21 01:01:22 2021
    b0b <b0b@cosmic.voyage> writes:

    I have an idea that is quite possibly stupid and dangerous but I think
    it'd be interesting. Set up a tilde and give everyone access to a
    container of their own.

    Better everyone has a Pi (or similar) at home and we mesh those "really existing fake containers".

    Everyone would have all data at home and be responsible for it and all
    the traffic.
    --
    Take Back Control! — Mesh The Planet!
    smtp/tor: yeti@anetphabw4n7gheupc7d2gla4m4yuec622f6qadfypd6lgnhipodbyqd.onion finger yeti@tilde.institute
  • From P2P@p2p@peer.peer to tilde.projects on Wed Dec 22 20:03:05 2021
    On 12/18/21 2:32 PM, b0b wrote:
    On 12/18/21 10:46 AM, P2P wrote:

    When you want to make a new command available to all users you just
    create a firejail profile for it then add that to the passwd profile.

    You could combine this with fail2ban rules that detect attempts at
    malicious usage, such as port scanning, spinning up bot clusters and the
    like, to shut that nonsense down right away.


    The point behind giving people a container was to build a tiny LAN
    within the host. I don't think firejail would do that.

    Firejail will let you do that. It has a whole bunch of network shaping
    options. You can tell the jail to assign a local subnet IP to any
    process that is started in the jail.

    Like I'm thinking the machine that runs all the containers could have
    whatever tools or commands people want.

    I get it. But can you afford to pay for all that compute? If 5000 people
    sign up, you'll have to pay for all that hardware power and bandwidth.

    I just want to build a tiny network inside of a machine and let people
    have a machine on it and see what happens

    You can emulate the machine and availability of binaries with a
    custom-made shell. With things like servers you can just automate a root
    directory for each user to access instead of spinning up a separate
    instance of the servers for each user.

    If you have the money to lay out for all the compute I say go for it.
    Otherwise jails is a better option.

    If you're not particular to Linux you can also offer virtual machines
    natively with FreeBSD with BSD jails, capsicum, bastille, etc.

    Maybe check out what FreeBSD offers to reduce compute expense and still
    get a lot of what you want.

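    As an added example (not code from any poster in this thread), here is a hypothetical limited login shell in POSIX sh that implements the passwd-plus-firejail scheme P2P describes in the first reply, and P2P's later point that firejail can give each jailed process its own address on an internal subnet. The `jailsh` name, the command allow-list, the user/IP table, the bridge `br0` and the profile paths under /etc/firejail are all assumptions; `--profile`, `--private`, `--net`, `--ip`, `--noroot` and `--quiet` are real firejail options.

```shell
#!/bin/sh
# Hypothetical limited login shell ("jailsh"). sshd invokes the user's shell
# as  jailsh -c "<command>", so the shell field in /etc/passwd points here.
# Only allow-listed commands run, each wrapped in firejail with the user's
# home as the sandbox root and, when the user has an address in the table,
# a per-user IP on an internal bridge so jails can talk to each other.

# Constructed allow-list of command names; one firejail profile per command.
ALLOWED_CMDS="ls cat nano python3 ircii mutt"

# Constructed per-user address table for the internal LAN: "user ip".
USER_IPS="alice 10.10.0.11
bob 10.10.0.12"

# Return 0 when $1 is an allow-listed command name, 1 otherwise.
allowed_cmd() {
    for c in $ALLOWED_CMDS; do
        if [ "$c" = "$1" ]; then return 0; fi
    done
    return 1
}

# Print the bridge address assigned to user $1 (empty if none); always 0.
user_ip() {
    printf '%s\n' "$USER_IPS" | while read -r u ip; do
        if [ "$u" = "$1" ]; then printf '%s' "$ip"; fi
    done
    return 0
}

# Print the firejail invocation for user $1 running command line $2.
# Prints nothing and returns 1 when the first word is not allow-listed.
# The line is never passed through eval, so "ls; rm notes" yields the
# command name "ls;", which is simply not on the list.
build_jail_cmd() {
    user=$1; cmdline=$2
    set -f; set -- $cmdline; set +f      # word-split without globbing
    allowed_cmd "$1" || return 1
    ip=$(user_ip "$user")
    net=""
    if [ -n "$ip" ]; then net="--net=br0 --ip=$ip "; fi
    printf 'firejail --quiet --noroot --profile=/etc/firejail/%s.profile --private=/home/%s %s%s\n' \
        "$1" "$user" "$net" "$cmdline"
}

# Entry point when sshd runs this as the login shell: jailsh -c "cmd".
if [ "$1" = "-c" ] && [ -n "$2" ]; then
    jail=$(build_jail_cmd "$(id -un)" "$2") || { echo "command not permitted" >&2; exit 127; }
    exec $jail
fi
```

    Each allow-listed command still needs its own firejail profile on the host; a missing profile makes firejail refuse to start, which is the safe direction for the failure.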