Feature #15301

Feature #5688: Tails Server: Self-hosted services behind Tails-powered onion services

Run Tails Server services in containers

Added by segfault over 1 year ago. Updated about 20 hours ago.

Status: In Progress
Priority: Low
Assignee:
Category: -
Target version: -
Start date: 02/10/2018
Due date:
% Done: 50%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool: Server

Description

Running the services in their own containers would provide better security by isolation, and ease the cleanup during service uninstallation, which will probably lead to fewer bugs.

History

#1 Updated by segfault over 1 year ago

I currently plan to do this with LXC.

#2 Updated by intrigeri over 1 year ago

> Running the services in their own containers would provide better security by isolation

FTR I'm not 100% convinced the (implementation complexity cost / security benefit) ratio is worth it compared to hardening individual services' systemd unit files (+ possibly adding AppArmor profiles): systemd's hardening features are getting very close to what containers can do nowadays, so let's not overstate the additional security we would get from containers. But perhaps your other reason to lean towards containers (robustness) is enough to make the overall cost/benefit worth it, I dunno.

#3 Updated by segfault over 1 year ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 50

LXC in combination with systemd-machined turned out to be buggy. I implemented running the services with systemd-nspawn now.

systemd-nspawn containers cannot be made as secure as LXC containers, because they are always granted a long list of capabilities, including CAP_SYS_ADMIN.

Also, I didn't configure any security features for the containers yet, but plan to do so.
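
The capability set a container's processes are limited to, which comment #3 raises, can be checked on a running system by decoding the `CapBnd` mask in `/proc/<pid>/status`. The following is an added example, not part of this ticket or of the Tails Server code; the `HIGH_RISK` set and the sample status text are assumptions constructed for illustration.

```python
import re
import sys

# Capability names indexed by bit number (order of linux/capability.h).
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore""".split()

# Assumption: capabilities this audit treats as too broad for a service container.
HIGH_RISK = {"sys_admin", "sys_module", "sys_rawio", "sys_ptrace"}

# Constructed samples in /proc/<pid>/status format (not captured from a real system).
SAMPLE_WIDE = "Name:\tnginx\nCapEff:\t00000000002404eb\nCapBnd:\t00000000002404eb\n"
SAMPLE_NARROW = "Name:\tnginx\nCapEff:\t0000000000000000\nCapBnd:\t00000000000004c0\n"


def decode_caps(mask):
    """Return the names of all capabilities whose bit is set in mask."""
    caps, bit = set(), 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits newer than this table are reported by number.
            caps.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"bit_{bit}")
        bit += 1
    return caps


def parse_status(text):
    """Extract the Cap* hex masks from /proc/<pid>/status text."""
    pattern = r"^(Cap\w+):\s*([0-9a-fA-F]+)$"
    return {m.group(1): int(m.group(2), 16) for m in re.finditer(pattern, text, re.M)}


def audit(text):
    """Return the high-risk capabilities left in the bounding set, sorted."""
    masks = parse_status(text)
    if "CapBnd" not in masks:
        raise ValueError("no CapBnd line in status text")
    return sorted(decode_caps(masks["CapBnd"]) & HIGH_RISK)


if __name__ == "__main__":
    # With PIDs as arguments, audit those processes; otherwise the samples.
    for pid in sys.argv[1:]:
        with open(f"/proc/{pid}/status") as fh:
            print(pid, audit(fh.read()))
    if len(sys.argv) == 1:
        print(audit(SAMPLE_WIDE), audit(SAMPLE_NARROW))
```

The check reads `CapBnd` rather than `CapEff` because the bounding set is the upper limit on what any process in the container can later acquire.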

#4 Updated by segfault 12 months ago

  • Target version deleted (Tails_3.9)

#5 Updated by segfault 2 days ago

  • Priority changed from Normal to Low

#6 Updated by segfault about 20 hours ago

  • Affected tool set to Server
