I also use alpine as the main/root environment. But I rarely use any applications from alpine. For that I have Arch, Fedora and Debian rootfs dirs into which I pivot_root with the help of bubblewrap (bwrap) in shell scripts. There is no overhead and the GPU can be easily attached. You can also dynamically attach ro/rw CWD and target paths (`for arg in "$@"`).
Everything that I care about just works and I get a separation of concerns. Use of network namespaces allows further flexibility. For example, I have a netns that is forced through a Tor gateway such that any traffic originating in it can only go through Tor.
This type of setup is not hardened against kernel vulnerabilities: the kernel treats applications running in namespaces as if they are isolated from other namespaces, but those applications can still interact with broad surfaces of the kernel and therefore potentially exploit it.
For kernel safety, applications must be denied direct access to the host kernel; this is usually achieved with virtual machines.
coppsilgold|2 years ago
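As an added illustration of the setup described above (this is not the commenter's script, just an example written for this thread), the POSIX sh wrapper below builds a bubblewrap command line that binds a separate rootfs at `/` and translates caller-supplied `ro:/path` / `rw:/path` arguments into `--ro-bind` / `--bind` flags using the `for arg in "$@"` pattern. The rootfs location, the `ro:`/`rw:` prefix convention, the `TOR_NETNS` variable and the assumption that such a netns already exists and is already routed through Tor are all assumptions of this example; the bwrap flags themselves are real bwrap options.

```shell
#!/bin/sh
# Added example: sandbox wrapper around bubblewrap (bwrap).
# Assumptions (not from the original comment): rootfs lives under $ROOTFS,
# mount specs are given as "ro:/path" or "rw:/path", and an optional
# pre-configured network namespace name is passed in $TOR_NETNS.

ROOTFS="${ROOTFS:-/srv/rootfs/arch}"   # assumed path of the guest rootfs

# bind_args: turn "ro:/path" / "rw:/path" into bwrap flags, one word per line,
# so the caller can re-split them into positional parameters.
# Anything without a recognised prefix is rejected rather than silently mounted.
bind_args() {
    for arg in "$@"; do
        case "$arg" in
            ro:*) p=${arg#ro:}; printf '%s\n' '--ro-bind' "$p" "$p" ;;
            rw:*) p=${arg#rw:}; printf '%s\n' '--bind'    "$p" "$p" ;;
            *)    printf 'unknown mount spec: %s\n' "$arg" >&2; return 1 ;;
        esac
    done
}

# run_sandbox: exec bwrap with the rootfs at /, fresh /dev, /proc and /tmp,
# the GPU device nodes passed through, all namespaces unshared, plus the
# caller's extra ro/rw binds.  If TOR_NETNS is set, bwrap is started inside
# that (assumed, already Tor-routed) netns and keeps it via --share-net.
run_sandbox() {
    mounts=$(bind_args "$@") || return 1

    # Re-split the newline-separated flag list into "$@" (paths with spaces
    # survive; paths containing newlines would not, which is acceptable here).
    oldifs=$IFS
    IFS='
'
    # shellcheck disable=SC2086  # word splitting on newlines is intended
    set -- $mounts
    IFS=$oldifs

    prefix=''
    net_flag=''
    if [ -n "${TOR_NETNS:-}" ]; then
        prefix="ip netns exec $TOR_NETNS"   # assumed netns name, no spaces
        net_flag='--share-net'              # retain that netns instead of a new one
    fi

    # shellcheck disable=SC2086  # $prefix / $net_flag are intentionally unquoted
    exec $prefix bwrap \
        --unshare-all $net_flag \
        --die-with-parent --new-session \
        --bind "$ROOTFS" / \
        --dev /dev --proc /proc --tmpfs /tmp \
        --dev-bind /dev/dri /dev/dri \
        "$@" \
        /bin/sh -l
}

# Only launch when invoked as "sandbox.sh run ro:/path rw:/path ..."; sourcing
# the file just defines the functions.
case "${1:-}" in
    run) shift; run_sandbox "$@" ;;
esac
```

Usage: `./sandbox.sh run ro:"$HOME/src" rw:"$PWD"` drops into a shell in the Arch rootfs with the source tree read-only and the current directory writable; `TOR_NETNS=torns ./sandbox.sh run rw:"$PWD"` does the same inside the named network namespace. As the comment above points out, none of this reduces the kernel attack surface: every process in the sandbox still talks to the host kernel directly.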
palata|2 years ago
And that is what QubesOS does, if I understand correctly?
yard2010|2 years ago