I’ve discovered that systemd has added a container utility called systemd-nspawn. It’s basically chroot on steroids. (No, don’t think Docker.)
I decided to give it a shot even though they don’t consider it stable yet, and tried to add a bit of encryption to the setup. Data normally sits as a sitting duck on unencrypted bare-metal servers (mainly because encryption seems hard, or because you trust your data center and country). If someone reboots the server and adds “rescue” to the GRUB kernel command line, they get a root prompt, and it’s goodbye to your personal or commercial sensitive info!
I’m not sure about the security aspect yet; I’m still exploring the possibilities. But at least I can say it’s “good enough”. Here is the plan:
1. Install your favorite distro (with systemd) on the server. Let’s call it L0.
2. Create and mount an encrypted block device large enough for you (LUKS, for example).
3. Create a chrooted install inside this partition (L1).
4. Dive in and set up your apps inside this chroot. Everything is inside: your apps, your configs, your data.
5. Back up this block device in binary form (from L0). rsync’s “copy-devices” option can transfer only the changed parts of the encrypted image instead of the whole file.
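The five steps above as one script, written as an added example for this post (it is not the post’s own code). It assumes a Debian-style L0 with cryptsetup, debootstrap and systemd-container installed; the device path /dev/sdX1, the mapper name l1crypt, the mount point /mnt/l1 and the backup path /backup/l1.img are constructed placeholders to be replaced before use. Every command goes through a small run helper, so the script can print the plan (the default) for review before it ever touches a disk; set APPLY=1 to execute it as root. One caveat worth keeping in mind when judging the “good enough” claim: LUKS protects the data only while the volume is closed. While L1 is mounted and running, the key is in RAM and root on L0 can read everything, so the rescue-mode scenario is covered but a live compromise of L0 is not.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes cryptsetup, debootstrap and systemd-nspawn are installed on L0.
set -eu

DEV="${DEV:-/dev/sdX1}"            # placeholder: spare partition holding the LUKS volume
MAPPER="${MAPPER:-l1crypt}"        # name under /dev/mapper once the volume is opened
ROOT="${ROOT:-/mnt/l1}"            # mount point that becomes the container root (L1)
SUITE="${SUITE:-stable}"           # debootstrap suite to install into L1
BACKUP="${BACKUP:-/backup/l1.img}" # destination file for the raw encrypted image (on L0)
DRY_RUN="${DRY_RUN:-1}"            # 1 = print each command, 0 = execute it

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 2: create the LUKS volume (prompts for the passphrase), open it,
# put a filesystem on the mapped device and mount it.
l1_create() {
    run cryptsetup luksFormat --type luks2 "$DEV"
    run cryptsetup open "$DEV" "$MAPPER"
    run mkfs.ext4 "/dev/mapper/$MAPPER"
    run mkdir -p "$ROOT"
    run mount "/dev/mapper/$MAPPER" "$ROOT"
}

# Step 3: bootstrap a minimal distro into the encrypted filesystem.
l1_install() {
    run debootstrap "$SUITE" "$ROOT"
}

# Step 4: boot the tree as a container (-b runs its own init) and set up apps inside.
l1_boot() {
    run systemd-nspawn -b -D "$ROOT"
}

# Unmount and close the volume: the image must be closed before it is copied,
# so the backup is consistent and the key is no longer in memory.
l1_stop() {
    run umount "$ROOT"
    run cryptsetup close "$MAPPER"
}

# Step 5: copy the *encrypted* device as a plain file from L0.
# --copy-devices treats the block device as a regular file; with --inplace and an
# existing destination, rsync transfers only the changed blocks.
l1_backup() {
    run mkdir -p "$(dirname "$BACKUP")"
    run rsync --copy-devices --inplace "$DEV" "$BACKUP"
}

# The whole plan in order; returns the command list in dry-run mode.
l1_plan() {
    l1_create
    l1_install
    l1_boot
    l1_stop
    l1_backup
}

# Default is to print the plan; APPLY=1 (as root, with real paths) executes it.
if [ "${APPLY:-0}" = 1 ]; then
    DRY_RUN=0
    l1_plan
fi
```

Restoring or cloning the server (L2, L3, ...) is then the reverse of step 5: rsync the image back onto a spare partition, cryptsetup open it with the same passphrase, and point systemd-nspawn at the mount.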
This prevents someone with physical access from tampering with the data. If someone reboots the server, they will need to remount the encrypted partition manually, which requires the decryption password. You can also copy the partition n times (L2, L3, ...) for other services. Moving your fully working server also becomes a matter of copying one big file with this method, a.k.a. portability.
One other plus should be the cgroups-related benefits of containers (I didn’t try this one), for example resource limiting! Maybe you can build a more secure or easier solution with an encrypted LVM partition, or even Docker/LXC, but hey, we’re experimenting here! So far, my experiment works (you can access my blog, right?).