For data science, it depends on what GPU you plan to use. If it’s an Nvidia brand GPU, go with Ubuntu or Fedora. I say from personal experience that it is easier to get Nvidia drivers working on Ubuntu or Fedora than on most other distros I have tried. If it is a Radeon GPU, it will work fine on pretty much any distro at all since Radeon does a good job following Linux standard APIs for graphics card drivers, so for Radeon products I would also recommend Debian or Mint (alongside Fedora and Ubuntu).
Isolate them from your main network. If possible have them on a different public IP, either using a VLAN or better yet with an entire physical network just for that - this avoids VLAN hopping attacks and DDoS attacks on the server that would also take your internet down;
If you’re using VLANs then configure your switch properly. Decent switches allow you to restrict the WebUI to a certain VLAN / physical port - this will make sure that if your server is hacked they won’t be able to access the switch’s UI and reconfigure their own port to access the entire network. Note that cheap TP-Link switches usually don’t have a way to specify this;
Only expose required services (nginx, game server, program x) to the Internet. Everything else such as SSH, configuration interfaces and whatnot can be moved to another private network and/or a WireGuard VPN you can connect to when you want to manage the server;
Use custom ports with 5 digits for everything - something like 23901 (up to 65535) to make your service(s) harder to find;
Disable IPv6? Might be easier than dealing with a dual stack firewall and/or other complexities;
Use nftables / iptables / another firewall and set it to drop everything but those ports you need for services and management VPN access to work - 10 minute guide;
Use your firewall to restrict what countries are allowed to access your server. If you’re just doing it for a few friends only allow incoming connection from your country (wiki.nftables.org/wiki-nftables/…/GeoIP_matching)
Realistically speaking, if you’re doing this just for a few friends why not require them to access the server through a WireGuard VPN? This will reduce the risk a LOT and probably won’t impact the performance. This is a decent setup guide digitalocean.com/…/how-to-set-up-wireguard-on-deb… and you might use this GUI to add/remove clients easily github.com/ngoduykhanh/wireguard-ui
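The "drop everything but the service ports and the management VPN" step above, written out as an nftables ruleset. This is an added example and not part of the original comment or its linked guides. It assumes the public interface is eth0, WireGuard listens on UDP 51820 and creates wg0, the game server uses port 25565, and SSH plus a web UI on 8443 are the management services that should only be reachable through the tunnel; all of those are placeholders to adjust.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumptions: WAN is eth0,
# WireGuard on UDP 51820 / interface wg0, game server on 25565, management
# on 22 and 8443. Change the defines to match your own setup.
flush ruleset

define WAN = "eth0"
define WG_PORT = 51820
define GAME_PORTS = { 25565 }
define MGMT_PORTS = { 22, 8443 }

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections the server itself opened
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP / ICMPv6 are needed for path MTU discovery and IPv6 neighbour
        # discovery; blocking them causes hard-to-debug stalls
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # Public services: only the VPN endpoint and the game server.
        # New game TCP connections are rate-limited to blunt connection floods.
        iifname $WAN udp dport $WG_PORT accept
        iifname $WAN tcp dport $GAME_PORTS ct state new limit rate 30/second accept
        iifname $WAN udp dport $GAME_PORTS accept

        # Management only over the WireGuard tunnel, never on the WAN interface
        iifname "wg0" tcp dport $MGMT_PORTS accept

        # Everything else falls through to policy drop; log a sample for debugging
        limit rate 5/minute log prefix "nft-drop: "
    }

    chain forward {
        # This host is not a router; nothing is forwarded
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Syntax-check it with `nft -c -f /etc/nftables.conf` before loading it with `nft -f /etc/nftables.conf` and enabling `nftables.service`. Because SSH is only accepted on wg0, bring the WireGuard tunnel up and confirm you can log in through it before activating the ruleset, otherwise the next reboot locks you out. The per-country GeoIP matching from the wiki link is not included here; it needs the external address sets the wiki describes and would be added as extra matches on the WAN rules.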
I have a Microsoft Surface tablet and Fedora with GNOME works pretty well on it. I usually use a stylus or the magnetic keyboard with it but when I do use the touch screen I don’t encounter issues. I use PaperWM on top of GNOME and it makes it all so easy to use.
We use EL (specifically Rocky, a rebuild of Red Hat) for this, but I strongly suspect that any of the main distros will be absolutely fine provided they have modern enough versions of the software you need.
Both Docker and Podman pretty much handle all of those so I think you’re good. The last aspect about networking can easily be fixed with a few iptables/nftables/firewalld rules. One final addition could be NGINX in front of web services or something dedicated to handling web requests on the open Internet to reduce potential exploits in the embedded web servers in your apps. But other than that, you’ve got it all covered yourself.
There are all the options needed to limit CPU usage, memory usage or generally prevent using up all the system’s resources in docker/podman-compose files as well.
If you want an additional layer of security, you could also run it all in a VM, so a container escape leads to a VM that does nothing else but run containers. So another major layer to break.