Home
ITmodulo edited this page 6 days ago

Isolation Project

Status

Alpha

You can use it; however, installation is not yet straightforward. Make sure you have read the issues first.

Goals and non-goals

Please read this carefully before you start.

Isolation Project is not a standalone operating system. It is a set of conventions, scripts and tools that convert your Linux or BSD distribution into an advanced graphical operating system, with the possibility to group and isolate apps in virtual environments.

Somebody could call it "QubesOS goodies without its security and hardware virtualization, being close to upstream projects"

Goals

  • More configuration options to clone, isolate and manage apps in isolated groups. (Not available in standard OS)
  • Simplified network mixing (Not available in standard OS)
  • Interesting solutions for coders.
  • Interesting solutions for hackers (Warning, do not confuse hackers with security hackers also called crackers).
  • General-purpose choice for personal computers.
  • Unique configuration and conventions that can be installed on one of the supported Linux or BSD systems.
  • Always: Non-profit, free and open source project.
  • Privacy friendly (do not confuse privacy with security)
  • Stay close to upstream

Non-goals

  • 100% absolute security ever (check QubesOS).
  • Server (or CLI) version (check SkiffOS).
  • Native OS speed (because of containers).
  • Advanced tools for crackers (penetration-tools etc. See Kali Linux and Black Arch Linux)
  • Original operating system.
  • Independent Linux/BSD distribution.
  • Commercial, for-profit, project.
  • Gaming.
  • Graphics/movie editing.

It may be

  • More secure than traditional configuration of UNIX-like operating system
  • Widely adaptable as it is close to upstream.

Who could use it

People with some experience of Unix-like OSes (more than cd and ls).

You should understand all of the following terms: kernel, bootloader, init system, container, x server/xorg, lvm, luks, loki, TOR, VPN, bridge, lxc, lxd, zfs, jails, cbsd

Who probably shouldn't use it (yet)

Normies, newbies, the inexperienced (whatever you call them).

Why bother

If you feel that a standard OS is not enough for you. If you need separated environments, e.g. for app development (so as not to install dependencies on the hostOS), or you need to "clone" apps, for instance multiple web browsers or multiple chats that do not support multi-account. Another use case is when you want groups of apps to use different exit nodes, like: home apps -> clear network, untrusted -> TOR, anonymous streaming -> LOKI

History

After controversial political changes in my country I became afraid of my government and started using QubesOS on a daily basis. Right after I saw its advantages over a traditional OS, I could never use one again. However, QubesOS is strictly concentrated on security, thus some decisions were made to keep parts of it "isolated" to eliminate the possibility of compromise. Unfortunately they are dramatically unusable and out-of-date (backported dom0 EOL Fedora). Another constraint is that only a few VM templates are available. The last problem is that there is no upgrade mechanism for dom0, so you need to re-install it on LTS upgrade.

At the same time I was working with container technologies on servers and started experimenting with Xorg (which is designed to work over a network). The solution was simple: put it all together.

Modes

Stable:

  • not yet

Work in Progress:

  • Linux LVM LXD btrfs (LLLB mode)
  • HardenedBSD Jail ZFS (HBJZ mode)

Planned:

  • Linux LVM LXD ZFS (LLLZ mode)
  • FreeBSD Jail ZFS (FBJZ mode)
  • DragonflyBSD Jail Hammer2 (DBJH2)

Not planned:

  • DragonflyBSD Jail UFS
  • DragonflyBSD Jail Hammer1
  • FreeBSD/HardenedBSD Jail UFS
  • Linux Docker

Dropped:

  • Linux podman Wayland with x11docker (reason: it was slow, also lack of init system made some apps unusable)

Technologies

Containers Management

  • Dedicated tools: GUI update tool, general management built on top of LXD and CBSD (TODO)

Network Mixing

Network mixing is a term that describes changing the exit node for a group of applications.

  • TOR (service container) TODO
  • whonix vm (optional) TODO
  • Loki (in container) TODO
  • User-defined VPNs (in containers) TODO

Comparison

QubesOS

TODO

Terminology

| QubesOS | Isolation |
|---------|-----------|
| dom0    | hostOS    |
| domUx   | guestCx   |

Features

| Term | Isolation | QubesOS |
|------|-----------|---------|
| Display protocol | Xorg | Own based on Xorg with GPU isolation |
| Share screen | System-wide | Only in VM |
| Files in clipboard | yes | no, non-goal |
| Desktop Environments | all supporting xorg | xfce4, backported kde plasma |
| Virtualization type | light, containers, one kernel | xen, type-2 hypervisor, kernel per vm |
| Arch | as hostOS | x86-64 |
| Isolates | filesystem, apps | filesystem, apps, gpu, kernel |
| Resource-hungry | a little bit more than traditional os | Huge |

Traditional Linux distro.

Features

| Term | Isolation | QubesOS | Standard OS |
|------|-----------|---------|-------------|
| Display protocol | Xorg | Own based on Xorg with GPU isolation | Xorg/Wayland |
| Resource-hungry | a little bit more than traditional os | Huge | No |
| Isolates | filesystem, apps | filesystem, apps, gpu, kernel | only apps that are snaps, flatpaks or AppImages - weak |

OS support

Linux

Author's choices:

  • openSUSE Leap (reason: recent lxd, Open Build Service community ports, easy zfs)
  • openSUSE Tumbleweed (reason: recent lxd, Open Build Service community ports, easy zfs, XanMod kernel, rolling)
  • Void Linux (reason: recent version of packages, stable but rolling, XanMod kernel available)

Author won't support

  • Any commercial (open/closed source) distribution, unless you pay me and you are not from any government.
  • Closed-source distributions. I'm an open-source fan, and working with proprietary software takes much more unnecessary effort.
  • Ugly distributions (commercial or not, closed/open) that may have issues with user privacy (like built-in aggressive telemetry or backdoors). Providing such services is unfair.
  • Suspect distributions that may be(come) ugly but nobody has time to check. Mainly data-hungry, big-tech designed ones. However, if you can truly prove their integrity, I can move one to the community section.
  • Legacy distributions - because of rare updates, you ruin security.
  • Niche distributions - due to lack of continuous security fixes or unnecessarily sophisticated solutions.
  • Pragmatic distributions - in my opinion closed code has to be separated from open. Is it hard to distinguish it by placing it in subrepos? No! So why do you create a mess?

Community

Disclaimer: For Ubuntu to appear here, the installation script must include removal of Canonical telemetry packages using APT! In all distros please remove flatpak and snapd, as those sandbox technologies are unused in Isolation Project.

Distros that someone decides to port without my help.

  • none yet

BSD

  • HardenedBSD (WIP)
  • FreeBSD (TODO)
  • DragonflyBSD (TODO)

Requirements

TODO

Linux

  • Recent LXC and LXD support

BSD

  • Jails support
  • CBSD support
  • Advanced FS like ZFS/HAMMER2 to improve I/O

Design

Chart

TODO

Description

QubesOS is based on Xen, which means that groups of apps are separated into standalone virtual machines. In Isolation Project you don't have VMs but containers. This form of virtualization is definitely lighter, as in most cases there's one kernel running (which is, by the way, less secure than full virtualization), but it gives the opportunity to clone and separate apps like in VMs.

In Qubes you have a separate VM for graphics. In Isolation the hostOS is responsible for it.

TODO

License

  • Scripts: GPL-3.0-or-later
  • Apps: GPL-3.0-or-later
  • Logo: Proprietary