Thank you for the extensive replies and the links to further resources
It is great to read all the ongoing discussions about Security (AppArmor) and transactional systems (MicroOS).
Yesterday I played a bit around and tried to install Rockstor on a plain openSUSE MircoOS. Although I eventually got stuck I got some insights.
During installation of openSUSE MircoOS I selected the System Role: MicroOS (there are other System Roles as well, with either a podman container runtime or with a desktop environment)
NetworkManager is enabled by default (as opposed to wicked for Leap I assume)
- The default Security Module is SELinux - AppArmor can be selected instead during installation, but the required packages must also be selected manually
After installation the manual installation must be done via
transactional-update shell - which will open a new shell for persistent changes:
zypper --non-interactive addrepo --refresh -p105 https://download.opensuse.org/repositories/home:/rockstor/openSUSE_Tumbleweed/ home_rockstor
zypper --non-interactive addrepo --refresh -p97 https://download.opensuse.org/repositories/home:/rockstor:/branches:/Base:/System/openSUSE_Tumbleweed/ home_rockstor_branches_Base_System
rpm --import https://raw.githubusercontent.com/rockstor/rockstor-core/master/conf/ROCKSTOR-GPG-KEY
zypper addrepo -f http://updates.rockstor.com:8999/rockstor-testing/tumbleweed/ Rockstor-Testing
zypper --non-interactive --gpg-auto-import-keys refresh
zypper install docker rockstor
I changed the repos from this guide to the tumbleweed repos.
During installation there was one conflict regarding the installed package
busybox-which - but the suggested solution (deinstallation of busybox-which) resolved without further issues.
As transactional-updates need a reboot to be visible, a reboot is required before the systemd-services can be enabled:
systemctl enable --now docker
systemctl enable --now rockstor-bootstrap
I also put SELinux (which I left unchanged during installation) into permissive mode, but unfortunately the rockstor-pre service did not start with an
Permission denied error …
I did a quick google search for this Permission denied error but did not find something similar.
As I am not that familiar with Linux that I can resolve the issue on my own I eventually stopped this experiment and installed Rockstor openSUSE Leap 15.4 again - which I will use now.
In the beginning I read a bit about AppArmor and SELinux (both the openSUSE documentation and the discussions here). As I was not able to get Rockstor running without them on MicroOS, I did not try anything further regarding AppArmor or SELinux.
I also noticed that these things are much more complicated than my limited knowledge of Linux.
A few more remarks regarding MicroOS:
AppArmor is an option during installation and I assume it will stay fully supported as @Hooverdan pointed out. From the way the documentation is written and the installer is built, I assume that SELinux is nevertheless the advocated Security Model.
(I don’t want to discourage the use of AppArmor, as I have no idea how complicated it would be to support SELinux in comparison to AppArmor)
- I am also looking forward what ALP will bring to openSUSE. I assume that openSUSE MicroOS will stay around as rolling-release version with transactional-updates. But I am also looking forward to see what will replace openSUSE Leap … let’s wait for an announcement.