hardcore-sushi / torvirt Goto Github PK

STEP 1/7: FROM alpine:latest
STEP 2/7: RUN apk add tor
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.17/main: temporary error (try again later)
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.17/community: temporary error (try again later)
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/community: No such file or directory
ERROR: unable to select packages:
  tor (no such package):
    required by: world[tor]
Error: building at STEP "RUN apk add tor": while running runtime: exit status 1

I am using Fedora Kinoite, Distrobox and virt-manager are already installed and used. Your solution sounds great, but the container creation process fails for some reason.

I love this project! It's portable and I was able to get it running in minutes! The only issue I had was setting up an obfs4 bridge due to censorship here. I have some changes that installs lyrebird from the alpine testing repo and configures torrc. I think there should also be some documentation for rebuilding the container.

In gateway/Containerfile

FROM alpine:latest
-RUN apk add tor
+RUN apk add tor lyrebird --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing/

In gateway/torrc

DNSPort 10.2.2.254:5353
+
+UseBridges 1
+ClientTransportPlugin obfs4 exec /usr/bin/lyrebird managed
+bridge obfs4 <bridge stuff from https://bridges.torproject.org/bridges/?transport=obfs4>

Luca, the creator of Distrobox, has created a great guide on how to use libvirt, qemu etc. in a Distrobox Container and then connect that to your client in another container using ssh

As far as I understood this has many benefits. If the containers are adapted to have the right filesystem permissions and all, they should be pretty tight. I imagine only /var/lib/libvirt and ssh, thats it. The client, for example virt-manager could be on your host OS or even also in a container. I tried this and it works great!

And the tor bridge would sit in another container, tight apart from the tor traffic, but no filesystem permissions at all.

The current guide is not hardened in that way, its simply "make this run on an immutable System without layering anything". And its great! But I think this also has greeeat potential for a really secure Qubes-like OS, but not using virtualization like crazy, but well isolated containers.

What do you think?