CoreOS brings end-to-end trusted computing to containers - CrankyBear
http://www.zdnet.com/article/coreos-brings-end-to-end-trusted-computing-to-containers/
======
jdoliner
> Every Google application, even search, runs on Kubernetes-managed
> containers.

I don't think this is true at all. They run on Borg, which is Kubernetes'
spiritual predecessor, but a distinctly different, and much more mature, piece
of software.

~~~
jzelinskie
Google is mainly using Borg, but will gladly talk about the few internal
services that they do run on top of Kubernetes, in addition to everything that
runs on GKE (their hosted Kubernetes solution).

------
creshal
> Everyone in IT loves containers.

Do we? I'm using them, but so far I'm not that impressed.

~~~
bkeroack
Containers have a rather narrow use case: efficient, decoupled deployment of
Linux-hosted applications, particularly as part of a CI/CD pipeline. I would
not expect most in "IT" to care too much about it; it's more of a
"DevOps"/developer/SRE thing.

~~~
area51org
There are lots of companies doing a lot more with containers than just using
them in a pipeline. Google, for instance, runs all of its apps (including
search) in containers (using Google's own container framework, LMCTFY),
managed by Kubernetes.

------
irickt
This is a news release. Here are some technical details:
[https://tectonic.com/blog/announcing-distributed-trusted-computing/](https://tectonic.com/blog/announcing-distributed-trusted-computing/)
[https://tectonic.com/assets/pdf/TectonicTrustedComputing.pdf](https://tectonic.com/assets/pdf/TectonicTrustedComputing.pdf)

------
lsllc
Would love to see CoreOS support ARM (32-bit) for IoT devices such as the
BBB/RPi.

~~~
evandev
That would be great. It's surprising to me that every Docker startup is
focused on running large clusters, instead of a few focusing on running very
few images on small embedded devices. I could see a really nice continuous
integration pipeline for the devices, and it would speed up deployment for new
users wanting to explore IoT.

~~~
alexandros
Sorry for the self-plug, but we're doing exactly that at resin.io.

~~~
evandev
Awesome! I really like how it is "git push to deploy". This is pretty perfect
for a couple of ideas our company is planning.

------
ilurk
Could anyone comment on the Linux kernel's limitations that make containers
insecure as compared to BSD jails or Solaris/IllumOS zones?

Is there anything on the Linux roadmap that will change this?

------
mgrennan
Trusted computing is good. But TNO (Trust No One) is the only way to really be
safe. Think of the Dell cert fiasco and how that sort of thing would break this.

------
charisma123
In a trusted environment, I have found managing software updates, and verifying
that the updates are safe, challenging. I'll be curious to know how regular
Linux kernel/OS updates and runtime updates are managed by CoreOS. Will
there be someone verifying that the OS and runtime updates are safe and not
compromising?

This is definitely a step in the right direction in the adoption of trusted
computing.

~~~
robszumski
This is a split responsibility between the OS vendor and the customer, just as
with a trusted environment that's not backed by crypto/TPM.

The normal benefits of frequently releasing code are at play here, just at the
OS/kernel level instead of a webapp. Testing can be completed against the
different channels of CoreOS in staging environments as well. It's recommended
to run some beta machines mixed into a fleet of stable machines to catch any
issues specific to your environment.

A unique feature of CoreOS is that it ships an upstream kernel that doesn't
have tons of backports and bugfixes. This means the upstream
testing/performance infrastructure is leveraged for more visibility into the
release.

(CoreOS employee)
