Distro profiles
Each distro profile maps a slug to a Docker image plus OS metadata used to make deckies look like heterogeneous machines on the LAN. Profiles control the base container image, the hostname convention, and the build base used for service-container Dockerfiles.
Source of truth: decnet/distros.py.
INI snippet
[linux-fleet]
archetype=linux-server
distros=debian,ubuntu22,rocky9,fedora
amount=6
See INI format. At deploy time each decky draws a distro from the comma-separated list (or from the archetype's preferred rotation when omitted).
Registered profiles
| Slug | Image | Display name | Hostname style | Build base |
|---|---|---|---|---|
debian |
debian:bookworm-slim |
Debian 12 (Bookworm) | generic | debian:bookworm-slim |
ubuntu22 |
ubuntu:22.04 |
Ubuntu 22.04 LTS (Jammy) | generic | ubuntu:22.04 |
ubuntu20 |
ubuntu:20.04 |
Ubuntu 20.04 LTS (Focal) | generic | ubuntu:20.04 |
rocky9 |
rockylinux:9-minimal |
Rocky Linux 9 | rhel | debian:bookworm-slim |
centos7 |
centos:7 |
CentOS 7 | rhel | debian:bookworm-slim |
alpine |
alpine:3.19 |
Alpine Linux 3.19 | minimal | debian:bookworm-slim |
fedora |
fedora:39 |
Fedora 39 | rhel | debian:bookworm-slim |
kali |
kalilinux/kali-rolling |
Kali Linux (Rolling) | rolling | kalilinux/kali-rolling |
arch |
archlinux:latest |
Arch Linux | rolling | debian:bookworm-slim |
Image vs. build base
image is the distro the decky's base (IP-holder) container runs. This is
what an attacker sees when they probe the host — package manager, /etc/os-release,
userland, and so on.
build_base is what DECNET's service containers are built FROM. Because
the service Dockerfiles use apt-get, non-Debian distros (Rocky, CentOS, Alpine,
Fedora, Arch) fall back to debian:bookworm-slim for their services. Debian,
Ubuntu, and Kali use their own image as the build base since they are apt-based.
This split keeps the attacker-facing surface diverse while keeping the service implementations maintainable as a single Debian Dockerfile per service.
/etc/os-release
DECNET does not template /etc/os-release. Each distro's file is whatever the
upstream image ships. Hostname style is set per-distro via random_hostname():
generic—SRV-WORD-NN(Debian, Ubuntu)rhel—word{10..99}.localdomain(Rocky, CentOS, Fedora)minimal—word-NN(Alpine)rolling—word-word(Kali, Arch)
Default package manager
| Distro | Package manager |
|---|---|
| debian, ubuntu22, ubuntu20, kali | apt |
| rocky9, centos7, fedora | dnf / yum |
| alpine | apk |
| arch | pacman |
Service containers built for non-Debian deckies still ship apt-built payloads
because of the shared build_base fallback noted above.
See also
DECNET
User docs
- Quick-Start
- Installation
- Requirements-and-Python-Versions
- CLI-Reference
- INI-Config-Format
- Custom-Services
- Services-Catalog
- Service-Personas
- Archetypes
- Distro-Profiles
- OS-Fingerprint-Spoofing
- Networking-MACVLAN-IPVLAN
- Deployment-Modes
- SWARM-Mode
- MazeNET
- Remote-Updates
- Environment-Variables
- Teardown-and-State
- Database-Drivers
- Systemd-Setup
- Logging-and-Syslog
- Service-Bus
- Web-Dashboard
- REST-API-Reference
- Mutation-and-Randomization
- Troubleshooting
Developer docs
DECNET — honeypot deception-network framework. Pre-1.0, active development — use with caution. See Sponsors to support the project. Contact: samuel@securejump.cl