Rather weird pet project: https://github.com/Manawyrm/Webbrick 🧱🪟💥
-
Rather weird pet project:
https://github.com/Manawyrm/Webbrick 🧱🪟
Will take a static HTML website and bundle it up with a tiny, hardened Linux kernel and the Caddy webserver into an immutable OS image, which can be run in the cloud.
Just kernel, caddy and busybox, nothing else (~30 MByte total size).
Practical applications are probably few and far between, but it seems to work well...
Creative use-cases or exploit/weakness ideas anyone?
-
Rather weird pet project:
https://github.com/Manawyrm/Webbrick 🧱🪟 Will take a static HTML website and bundle it up with a tiny, hardened Linux kernel and the Caddy webserver into an immutable OS image, which can be run in the cloud.
Just kernel, caddy and busybox, nothing else (~30 MByte total size).
Practical applications are probably few and far between, but it seems to work well...
Creative use-cases or exploit/weakness ideas anyone?
@manawyrm Is that BusyBox really necessary?
Could you go without it entirely, or possibly use u-root and embed Caddy into it? It should work, since Caddy is written in Go, unless CGo is involved. -
Rather weird pet project:
https://github.com/Manawyrm/Webbrick 🧱🪟 Will take a static HTML website and bundle it up with a tiny, hardened Linux kernel and the Caddy webserver into an immutable OS image, which can be run in the cloud.
Just kernel, caddy and busybox, nothing else (~30 MByte total size).
Practical applications are probably few and far between, but it seems to work well...
Creative use-cases or exploit/weakness ideas anyone?
@manawyrm "We have unikernels at home"
-
@manawyrm Is that BusyBox really necessary?
Could you go without it entirely, or possibly use u-root and embed Caddy into it? It should work, since Caddy is written in Go, unless CGo is involved.It's not necessary at all.
Caddy will run completely stand-alone as is, the system just needs something to:
- setup mount points
- configure interfaces & IP addresses/routes
- configure sysctl's
- drop privileges
- run the caddy binaryThat's all definitely easily possible with a simple Go binary.
-
Rather weird pet project:
https://github.com/Manawyrm/Webbrick 🧱🪟 Will take a static HTML website and bundle it up with a tiny, hardened Linux kernel and the Caddy webserver into an immutable OS image, which can be run in the cloud.
Just kernel, caddy and busybox, nothing else (~30 MByte total size).
Practical applications are probably few and far between, but it seems to work well...
Creative use-cases or exploit/weakness ideas anyone?
@manawyrm Reading the readme… Since you mention Hetzner cloud and attestation: I've been looking into "confidential computing" stuff (AMD SEV-SNP and friends) recently and it would be neat if this ever ended up in their offering. I've only found one provider besides the big three offering something like that and they don't have an attestation story at all so it's kinda pointless.
-
Rather weird pet project:
https://github.com/Manawyrm/Webbrick 🧱🪟 Will take a static HTML website and bundle it up with a tiny, hardened Linux kernel and the Caddy webserver into an immutable OS image, which can be run in the cloud.
Just kernel, caddy and busybox, nothing else (~30 MByte total size).
Practical applications are probably few and far between, but it seems to work well...
Creative use-cases or exploit/weakness ideas anyone?
@manawyrm Fun!
-
Rather weird pet project:
https://github.com/Manawyrm/Webbrick 🧱🪟 Will take a static HTML website and bundle it up with a tiny, hardened Linux kernel and the Caddy webserver into an immutable OS image, which can be run in the cloud.
Just kernel, caddy and busybox, nothing else (~30 MByte total size).
Practical applications are probably few and far between, but it seems to work well...
Creative use-cases or exploit/weakness ideas anyone?
Would be an interesting way to publish public keys. #
-
It's not necessary at all.
Caddy will run completely stand-alone as is, the system just needs something to:
- setup mount points
- configure interfaces & IP addresses/routes
- configure sysctl's
- drop privileges
- run the caddy binaryThat's all definitely easily possible with a simple Go binary.
@manawyrm @CyReVolt I was about to say that it’s totally possible in Go, see https://gokrazy.org/
-
Rather weird pet project:
https://github.com/Manawyrm/Webbrick 🧱🪟 Will take a static HTML website and bundle it up with a tiny, hardened Linux kernel and the Caddy webserver into an immutable OS image, which can be run in the cloud.
Just kernel, caddy and busybox, nothing else (~30 MByte total size).
Practical applications are probably few and far between, but it seems to work well...
Creative use-cases or exploit/weakness ideas anyone?
Cool.
Maybe combined with Jekyll or similar tools to generate static website images in a pipeline. -
@manawyrm Reading the readme… Since you mention Hetzner cloud and attestation: I've been looking into "confidential computing" stuff (AMD SEV-SNP and friends) recently and it would be neat if this ever ended up in their offering. I've only found one provider besides the big three offering something like that and they don't have an attestation story at all so it's kinda pointless.
-
@seism0saurus @23n27 I have… feelings about the confidentiality claims
But as long as we (the industry) all agree to close our eyes and wish really hard that we‘d like it to be secure, I‘m sure that‘ll work
-
Cool.
Maybe combined with Jekyll or similar tools to generate static website images in a pipeline.@seism0saurus That‘s why the documentation already mentions Hugo
-
S skorpy@chaos.social shared this topic
