• 0 Posts
  • 21 Comments
Joined 2 years ago
Cake day: October 28th, 2024

  • Nobody believes virtualization is perfect, it’s just the best we got because:

    • smaller attack surface
    • security is the priority over adding new features (the opposite of most other development cycles)
    • in practice we have seen how secure it is relative to other systems like the kernel

    And anyways, even a separate physical computer can be hacked. If it has networking, there could be a vulnerability in the networking stack. Just making an outbound tcp connection can be enough to be pwned.

    I think the closest thing we have to an “invincible” system is seL4, but I rarely hear about anybody using it.


  • copy fail allows VMs to infect the host system? I thought it was a kernel vulnerability, not a hypervisor vulnerability. Containers and LXCs share the kernel with the host, full VMs do not. So a kernel exploit allows container escape but not VM escape.

    Kernel exploits happen a few times a year. Hypervisor exploits and VM escapes are VERY rare.

    Using SSH for clustering is optional. You can just use normal VMs. You don’t have to install SSH into the VM, you can view it through proxmox. The only difference between a VM and a separate physical machine is the hypervisor, so the only security difference is the security of the hypervisor. And as I mentioned, hypervisor exploits are very rare.

    Edit: for a sense of perspective, think about this. Almost every major tech company in the world relies on hypervisors for security. Qubes OS, known in the privacy/security world as one of, if not the, most secure OSes, relies on the hypervisor for security. An easily exploitable hypervisor escape would be a vulnerability on the scale of the xz-utils backdoor (which was unsuccessful). I have not seen a vulnerability of that scale since Heartbleed.

    Edit2: a word




  • Even if you have a password for your SSH key, malware on your system can just wait until you enter the password.

    My point is that SSH access is very powerful, and effectively means that the security of the SSH server is reduced to the security of the SSH client. If your SSH client is pwned, so is your server. If you have 10 devices, each with SSH access to each other, then if any one device is pwned, all devices are pwned as well.

    This is not the case for systems designed for file sharing only. For example, with Syncthing, if one device gets pwned, all it can do is send files to the other devices.

  • OK, first off, this community is about self-hosting; there just happens to be a lot of overlap between people who self-host and people who care about privacy.

    And if you thought privacy was about distrust, that is a very unhealthy view. Privacy-minded folk simply have different principles than the mainstream. But if somebody comes along that shares those principles, then trust can be earned.

    OP’s product is open-source and self-hostable. This is aligned with the community. I’m not saying to throw money at the product before it’s released, but it’s worth keeping an eye on, and showing support for.
  • These comments are why privacy products will always be behind. Why open-source is full of dead projects. These people are just trying to make a living off making privacy-focused products. And all the comments are like “They’re a for-profit company? They had marketing material prepped to reply to people’s comments?!”.

    The code is open-source, self-hostable, built using commodity hardware (Raspberry Pi), and they’re just trying to make it sustainable by providing an optional paid service. This is not the enemy.