Does anyone else miss the golden age of stack exchange?
this post was submitted on 16 Feb 2024
18 points (100.0% liked)
Selfhosted
37442 readers
43 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 1 year ago
MODERATORS
I would check enabling it from cloud-init and/or during an initial provisioning step using ansible
I will probably have to run cloud-init/ansible on the PVE host for this to work. I'd probably go with Ansible, but I would have liked for this to be possible directly through Terraform. I don't know if it's the developer of the provider who didn't include this.
With that said, we do have AppArmour support for VMs, which is a secure enclave too (if I understand correctly). Don't quite know if switching on and using both SGX and AppArmour would be a good choice - would you happen to know about this?
I would have liked for this to be possible directly through Terraform
Is it this proxmox provider? It does allow specifying cloud-init settings: https://registry.terraform.io/providers/Telmate/proxmox/latest/docs/resources/cloud_init_disk. So you can use runcmd or similar to do whatever is needed inside the host to enable Intel SGX, during the terraform provisioning step.
AppArmour support for VMs, which is a secure enclave too (if I understand correctly).
Nope, Apparmor is a Mandatory Access Control (MAC)) framework [1], similar to SELinux. It complements traditional Linux permissions (DAC, Discretionary Access Control). Apparmor is already enabled by default on Debian derivatives/Ubuntu.
I was under the impression that cloud-init could only really be used to run commands inside the guest? Well, I could technically use Ansible and edit the file every time I provision something - this was just an example of however much the community tries, there might be something missing in the provider because proxmox doesn't take this on directly.
I should have worded that better. In using MAC, AppArmor effectively reduces access to files that would be essential for the VM to run. That is the sense in which I mentioned "security enclave" but I can see now that that isn't quite correct.
Either way, that is my philosophical reasoning for complaining this much. Ansible is pretty decent and has decent Proxmox integration, but Terraform is, in my opinion, superior when it comes to deploying infrastructure. That might be a bias from my side, of course. For now, I'm also going through the OpenStack documentation to see if the things I want to achieve can be done there, because they have an official Ansible project alongside their version of Cloudformation - Heat.
Thanks
I was under the impression that cloud-init could only really be used to run commands inside the guest?
Yes that's correct, I didn't realize you had something to do outside the guest to enable it. What exactly? How do you solve it manually for now?
Intel SGX requires for me to set a CPU flag in the .conf file. For now, it's a shell script and I can do it with Ansible, but I'd like to not have to do such half-baked measures
I see, agree with you that it should be supported by the terraform provider if it is at the VM .conf level... maybe a new attribute in https://registry.terraform.io/providers/Telmate/proxmox/latest/docs/resources/vm_qemu#smbios-block? I would start by requesting this feature in https://github.com/Telmate/terraform-provider-proxmox/issues, and maybe try to add it yourself? Scratch your own itch, fix it for everyone in the process). Good luck
I don't have much actual experience with it but you can run arbitrary shell commands in at least cloud-init, the others should be able to do the same. Maybe that could work? Definitely better than manually running scripts, at least.
Can't cloud-init only really run scripts in the guest and not on the host?
Yeah, you're probably right. I didn't connect the dots that's what you'd need here, my bad.
New Lemmy Post: How would I automate (VM/LXC)-agnostic templates in Proxmox without creating golden images? (https://lemmy.world/post/12016911)
Tagging: #SelfHosted
(Replying in the OP of this thread (NOT THIS BOT!) will appear as a comment in the lemmy discussion.)
I am a FOSS bot. Check my README: https://github.com/db0/lemmy-tagginator/blob/main/README.md