Comment by Havoc
13 hours ago
I just throw it into an unprivileged LXC and call it a day.
Threat model for me is more "whoops it deleted my home directory" rather than some elaborate malicious exploit.
I am considering this in the context of proxmox - what is your workflow for LXC, may I ask?
Tried various routes. Currently using bash scripts straight against the proxmox host. So lots of this:
pct exec $CTID -- sh -c "mkdir test"
I've got a script that makes an arch lxc and turns it into a template.
And then bash scripts that deploy it with whatever custom stuff is needed (volume mounts, podman, files pushed into container etc).
Also a pacoloco server (arch/pacman cache) so that all the building and updating for everything is fast & not hitting the upstreams unnecessarily.
Terraform or Ansible also works for this but decided bash is ultimately less moving parts
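
Added example, not part of the thread or any commenter's scripts: a POSIX shell check that reads `pct config` output and flags what undermines the "it deleted my home directory" threat model, namely a container that is not unprivileged or a host path mounted writable into it. The function name, sample config and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Proxmox container config before using the
# container as a sandbox. Reads `pct config <CTID>` text on stdin.
# Typical use on the Proxmox host:  pct config "$CTID" | audit_ct_config

# Constructed sample of `pct config` output (hypothetical paths and IDs).
SAMPLE_CONFIG='arch: amd64
hostname: sandbox
mp0: /home/user/project,mp=/work
mp1: /srv/shared-cache,mp=/var/cache/shared,ro=1
rootfs: local-lvm:vm-101-disk-0,size=8G
unprivileged: 1'

# Prints one finding per line. Exit status 0 = nothing flagged, 1 = at
# least one WARN. The body is a subshell so its variables do not leak.
audit_ct_config() (
    unpriv=0
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%:*}     # text before the first colon
        val=${line#*: }     # text after the first ": "
        case $key in
            unprivileged)
                if [ "$val" = "1" ]; then unpriv=1; fi ;;
            mp[0-9]*)
                # A volume starting with "/" is a host path (bind or
                # device mount), not a storage-backed volume such as
                # local-lvm:vm-101-disk-1.
                case $val in
                    /*)
                        case ",$val," in
                            *,ro=1,*)
                                echo "INFO $key: read-only host mount ${val%%,*}" ;;
                            *)
                                echo "WARN $key: writable host mount ${val%%,*}"
                                rc=1 ;;
                        esac ;;
                esac ;;
        esac
    done
    if [ "$unpriv" -ne 1 ]; then
        echo "WARN container is not unprivileged"
        rc=1
    fi
    exit "$rc"
)
```

A writable bind mount of a host directory is still deletable from inside an unprivileged container when the mapped IDs have write access to it, which is why it is reported even when `unprivileged: 1` is set.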