I'm not on Arch, but the explanation is still valuable: https://wiki.archlinux.org/title/Systemd-nspawn
There are systemd-nspawn containers; you could install Debian, or whatever you fancy, inside. They provide similar isolation to Docker containers, and you can even integrate them with a GUI.
Containerized apps will then only see the container folder.
You could spawn their processes in an isolated network namespace, connected to a proxy via a tun interface. You can then set up firewall rules on that interface to block all traffic except the proxy and maybe your own DNS; that should all be out of the users' "reach".
GhostBSD is based on FreeBSD as far as I know, so most of it should be the same, but I have not used it yet.
Since I forgot to answer the identity part: to get single sign-on for the services, you can use something like Keycloak, but not all services support OIDC sign-in. If you need FreeIPA or AD, you can always use a bhyve VM.
https://vermaden.wordpress.com/2024/03/10/keycloak-on-freebsd/
I think this might be worth a watch: https://www.youtube.com/watch?v=S3u8OtjfGFE
FreeBSD ships with jails in the base system; those offer a nice way to isolate services. It's also really easy to create one:
bsdinstall jail <empty folder>
This will guide you through the interactive system install for a jail. Have a look in jail.conf, and maybe grab a sample config from the handbook. If that is a little involved, you could also install a jail manager like iocage or ezjail. (TrueNAS was a nice web UI but won't get updates much longer.) Combined with ZFS datasets for the different services, you can even get different snapshot and backup options for the different jails and services.
Hope this answers some questions.
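An added example (not from the post above or the FreeBSD handbook) of a minimal /etc/jail.conf for a jail installed with bsdinstall as described, with the host-side defaults locked down and one service stanza. It assumes the jail was installed into /usr/local/jails/web, that lo1 is a cloned loopback interface for jail addresses (cloned_interfaces="lo1" in rc.conf), and that /usr/local/sbin/jail-snapshot is a hypothetical helper script that snapshots the jail's ZFS dataset.

```conf
# /etc/jail.conf (added example; paths, interface and helper names are assumptions)

# Defaults inherited by every jail declared below
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;                        # clean environment, nothing leaks in from the host shell
mount.devfs;                       # jail needs a /dev
devfs_ruleset = 4;                 # restrictive default devfs ruleset for jails
path = "/usr/local/jails/$name";   # the <empty folder> handed to "bsdinstall jail"
host.hostname = "$name.jail.example";
enforce_statfs = 2;                # jail only sees its own mount point, not the host's
securelevel = 2;                   # immutable flags and raw disk devices stay off-limits inside
allow.sysvipc = 0;                 # no shared SysV IPC with the host or other jails
allow.raw_sockets = 0;             # no raw sockets (ping/traceroute disabled inside)

# One stanza per service: separate address, separate ZFS dataset, separate snapshots
web {
    ip4.addr = "lo1|10.0.0.10/32";  # interface|address form binds it to the lo1 clone
    # Hypothetical helper: snapshots zroot/jails/web on the host before each start,
    # giving the per-jail rollback and backup point mentioned above
    exec.prestart = "/usr/local/sbin/jail-snapshot $name";
}
```

Start it with `service jail onestart web` and confirm isolation with `jls -v`; traffic for the jail can then be filtered on lo1 with pf in the same way as for any other interface.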
I have never had to do this, but I think the way you would go about this is to pass the card to a Linux VM. https://xyinn.org/md/freebsd/wifibox
True enough, video acceleration is a bit harder / more expensive with an extra GPU; that's why I shied away from suggesting VMs.