A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
I don't get it. Where is the idea that "Fedora focuses on security" coming from? Fedora requires an equivalent amount of work like other distros to harden it.
I personally use Alpine because I trust busybox to have less attack surface than normal Linux utils
Alpine also has the advantage of musl, which is a safer alternative to glibc, at the cost of some performance. So, if anything, I'd expect people to consider alternatives to Alpine for that reason, as alpine is already the best choice for security.
Alpine isn't exactly fortified either. It needs some work too. Ideally you'd use a deblobbed kernel with KSPP and use MAC, harden permissions, install hardened_malloc. I don't recall if there's CIS benchmarks or STIGs for Alpine but those are very important too. These are my basic steps for hardening anything. But Alpine has the advantage of being lean from the start. Ideally you'd compile your packages with hardened flags like on Gentoo but for a regular container and VM host that might be too much (or not - depends on your appetite for this stuff).
Secure how? Containers aren't secure because of their base contents since the majority of everything in the image isn't even executed. It's not like running an OS.
A secure container by definition will be the one with the LEAST amount of contents in its base. This is the point of Distroless.
A container is going to get compromised because of its running code 9/10 times, not because the base was compromised. This of course is not including supply chain attacks.
Any podcast telling you that adding more stuff into the container image will make it secure has an inferior bridge. Come check out my much better bridge over here...
In the case of Nextcloud it is written in PHP so it is very important to get PHP security fixes. I get the argument for static binaries like Forgejo. I'm mostly looking at more complex things.
Containers get upgrades when they run. They get updates as static projects, then are built into containers. Fedora being said container will help none of this process at all though.
I have no idea why you're even mentioning Foregjo, I'm lost now.
PHP isn't complex, you just need a webserver (nginx, Apache, etc) and PHP. That's one process (webserver) that runs a few child processes (PHP scripts). When using PHP fpm, use two containers.
Each container should run one process. Each container can run whatever base you want. If you want a newer PHP on an older image, go for it! Nobody is forcing you to use the repo version of PHP, you can install it separately. More complexity should mean more containers, not more complex containers.
Yeah tell that to Nextcloud
Yeah, NextCloud doesn't follow ideal containerization style, but they do have an FPM package, so I can co figure PHP FPM separately from the web server, which is separate from my Collabora container. I don't use the AIO image so I can control each piece separately.
I use alpine for everything but my discord bot which uses python.
Shouldn't you use Redhat(or Rocky) then instead? It is more thoroughly tested than Fedora.
I run some containers based on Fedora, mainly because I know the userspace and I don't care about the size.