I’m interested in using LXD to improve the security of my desktop, by compartmentalizing my development environment, work and personal files.
I’m using Crostini on a Chromebook and it’s mostly the kind of experience I want, but I’ve run into some significant drawbacks:
Crostini is currently crashing after every suspend, yet there is a bug where Crostini is not resilient to crashes.
If your Crostini gets stuck such that the VM won’t start, you can’t use LXD tools for recovery. While you may be able to export a QCOW image of the VM, it may be corrupted and there are no tools currently to import it.
Because the environment is not open, there are other problems that I can’t work around. For example, Chrome OS remaps the “Alt+Up Arrow” key event. Although they agree they shouldn’t do this any more, the Alt-arrow shortcuts are not getting fixed with any urgency and you can’t re-map it in Crostini. Also, Yubikeys are not currently supported in Crostini, although I think that’s planned to be fixed soon.
Simos described how desktop integration can be done with LXD. I’d ideally like to pair something like that with a light host OS that does little outside of the containers.
Clear Linux has a container-centric philosophy, but I don’t like that it seems to be tied to Intel processors. It’s also focused on Docker container images. Their built-in support of desktop-apps-in-containers is currently limited to Flatpak. github.com/clearlinux/distribution/issues/593
Fedora’s Silverblue project also has a similar concept for a desktop, but has some annoyances of its own. First, they don’t support Ubuntu containers out of the box. This seems like a logical way to welcome Ubuntu refugees ready to try Fedora as a host OS, but they don’t extend that courtesy. Secondly, the “toolbox” tool makes the questionable security choice of force-mounting your home directory into containers. I don’t see the point of using containers for isolation if you give them all access to your personal data. (Convenience!) The recommended workaround is to use podman manually, but at the point where you are manually managing your own containers, what’s the point of using a special distro for that?
Is there another LXD or container-centric desktop experience that you recommend?