I’ve discovered systemd added a container utility called systemd-nspawn. It’s basically chroot on steroids. I don’t think it’s comparable with Docker. (I think Docker is an overengineered solution on the microkernel path anyway)
Well, I decided to give it a shot even they don’t consider it stable yet.
I tried to implement encryption a bit. Data normally sitting duck on bare-metal unencrypted servers (mainly because encryption seems hard or you trust your data center & country). If someone reboots the server and adds “rescue” to grub kernel line, (s)he will get a root user prompt, bye to personal/commercial sensitive info!
I’m not sure about the security aspect, yet I’m still exploring possibilities. But at least I can say it’s “good enough”.
Here is the plan;
- Install your favorite distro on the server (with systemd) (Let’s call it L0)
- Create and mount an encrypted block device large enough for you (use luks for example)
- Create a chrooted install inside this partition (L1)
- Dive in and setup your apps inside this chroot. Everything is inside; your apps, your configs, your data.
- Backup this block device in binary form (from L0). rsync’s “copy-devices” parameter can use diffs on the encrypted files.
This prevents someone with a physical touch to interfere with data. If someone reboots the server, (s)he will need to remount encrypted partition manually (needs decryption password). You can also copy the partition n times (L2, L3…) for other services (lol Docker?!).
Also moving your fully-working server will be copying one big file with this method, a.k.a. portability.
One other plus should be using cgroups-related benefits on containers (didn’t try this one) for example: resource-limiting!!
Maybe you can create more secure/easy solution with an encrypted lvm partition and even Docker/LXC but hey, we’re experimenting here!
So far, my experiment works (you can access my blog, right?).