
Why we started CoreOS - philips
https://coreos.com/blog/why-we-started-coreos
======
bogomipz
If Equifax were running a vulnerable version of Apache Struts on CoreOS the
hack would have still happened.

That the CoreOS CEO has chosen to use the Equifax hack as a marketing
opportunity is equally distasteful and disingenuous.

Also invoking the founding fathers, the Bill of Rights and the great Dr Martin
Luther King as part of that marketing pitch is the height of bombast and
absurdity.

This blog post could have been written by Gavin Belson.

~~~
StefanKarpinski
One of the features of their stack is live single-click or even auto-update of
your technology stack while your application keeps running. While that doesn't
necessarily mean that you will keep your stack up-to-date, it makes patching
security issues considerably easier and less painful, which means it's far
less likely that you will be running a known-vulnerable version. So it's not
entirely BS, even though _why_ CoreOS helps security isn't spelled out here. I
happen to have watched a talk where Alex Polvi did spell this out just last
night, which is the only reason I know this. But yes, the rhetoric is a bit
heavy-handed.

~~~
oso2k
This is built-in functionality of Kubernetes (& OpenShift) called Rolling
Update [0]/Rolling Deployments [1] and Image Triggers [2].

[0] https://kubernetes.io/docs/tasks/run-application/rolling-update-replication-controller/

[1] https://docs.openshift.com/container-platform/3.6/dev_guide/deployments/deployment_strategies.html#rolling-strategy

[2] https://docs.openshift.com/container-platform/3.6/dev_guide/builds/triggering_builds.html#image-change-triggers
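
A minimal Kubernetes Deployment manifest, added here as an illustration (it is not from the thread or from the linked docs), showing the RollingUpdate strategy referred to above; `registry.example.com/web` and the digest are placeholders:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0   # never take a serving pod down before its replacement is Ready
      maxSurge: 1         # bring up one extra pod at a time
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          # placeholder image; pinning to a digest makes the rollout deploy exactly
          # the image that was scanned, not whatever a mutable tag points at today
          image: registry.example.com/web@sha256:PLACEHOLDER_DIGEST
          ports:
            - containerPort: 8080
          readinessProbe:   # the rollout only advances once the new pod passes this
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
```

Changing `image` (for example with `kubectl set image deployment/web web=...`) starts the rollout; `kubectl rollout status deployment/web` reports progress and `kubectl rollout undo deployment/web` reverts to the previous ReplicaSet if the new pods never become Ready.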

------
hedora
"Install kubernetes in 15 minutes or less -> bare metal" leads to this:

https://coreos.com/tectonic/docs/latest/install/bare-metal/requirements.html

There are over 15 non-trivial subtasks there (counting "foo and bar" under one
bullet as two subtasks). Worse, this is just prerequisites for before the
actual installation!

I really want something like what CoreOS claims to be to exist, but always
feel like the victim of some inside joke when I actually try to install it.

Does anyone know of any alternatives that can be set up in a matter of hours
and not days?

~~~
kcmastrpc
docker swarm. it really is as simple as installing the docker daemon on a
cluster of machines and issuing a command to link them together.

~~~
fapjacks
I have to agree. Swarm is probably the easiest thing to get going besides the
Docker engine itself. Honestly I felt like I might have been missing some step
or component when I set up a swarm, because it was just really easy. Then I
could start swarm services by making some slight modifications to my
pre-existing Docker Compose files. It is very very easy.

~~~
jazoom
And it also runs very stably. It's not perfect, but I've certainly run into
fewer bugs than when I was trying to get Kubernetes set up.

------
arianvanp
I disagree with this article. CoreOS wouldn't have helped at all in this
particular case. First of all, Struts is not a system dependency. So it
wouldn't be auto updated.

Well okay, how about Clair, the vulnerability scanner? It scans container
layers, aka system dependencies. They don't scan your Maven dependencies
(maybe I'm wrong here). So your entire security relies on someone not
updating dependencies for a project often. Which was already the case. What
did we gain? In this particular case, nothing.

Of course kubernetes makes rolling out updates a lot easier. And thus a team
might patch often. But that is not the OS.

Of course for system level security vulns, CoreOS is great and on the right
track. But saying they would have caught Equifax is a big stretch. Equifax was
not a big hack with multiple zero days. It was a team who didn't update their
application.

------
pm90
While admirable, I don't really see how CoreOS automatically makes the
internet more secure as they claim. I'm assuming this blog is targeted at
other tech folks so definitely expected a little more detail than a small
blurb.

I say this as a fan of CoreOS and really appreciate their open source work.

~~~
philips
In a few words: with CoreOS Tectonic we are reducing the toil teams endure to
update both application infrastructure and applications. We believe that
security begins with simple, regular processes for getting updates to
software out the door and that our tools and products remove toil from these
processes.

Two sides of the problem:

Infra: CoreOS Tectonic[1] provides one-click updates of the entire app infra
stack from the VM/bare-metal Linux instances[2] through the Tectonic control
plane including Kubernetes, identity services, monitoring tooling, etc[3]. We
call this automated operations.

App: By leveraging Kubernetes APIs application teams can roll. Further,
container scanning tools enable app teams to scan in-use containers for CVEs.

[1] https://coreos.com/tectonic

[2] https://coreos.com/blog/introducing-container-linux-update-operator

[3] https://coreos.com/blog/announcing-tectonic-1.7.1

~~~
3D5AE1F1
A few years ago I worked at a big company that desperately needed something
like this. Without it we more than did our part to make the internet less
secure.

Without containers, software releases and infrastructure upgrades were highly
interdependent. The result was that the software never released and the
infrastructure never got upgraded.

Being able to upgrade individual services, independently of the
infrastructure, is a bigger enabler than you would think in a large company.
When you enable this, teams are suddenly able to release more often. Features
ship faster and the lifetime of application vulnerabilities shortens.

Meanwhile, if Tectonic works as advertised, your infrastructure can
auto-update but continue to provide a stable API to the services it supports.
Again, the lifetime of vulnerabilities shortens, potentially by a lot.

------
DCKing
I like CoreOS, and I know this is some post that is meant for marketing
purposes. But it's a shame they're propagating a myth that good security is
the result of good tools.

It's a common fallacy to think that these security problems have a technical
solution first. They don't. CoreOS makes tools that help security aware
companies/organizations implement security, but being sufficiently security
aware is the _first step_. Buying and using CoreOS products and support does
not help you at all if you don't know how to use them well, or if your
organization doesn't allow the engineers to use them effectively. It's become
abundantly clear that mismanagement is the root cause of the Equifax hack, and
that the vulnerable Struts server is just a symptom of it. A fool with a tool
is still a fool.

It's attractive to think CoreOS's products, or some other vendor's product,
would have avoided this. But given the mismanagement it seems unlikely, and at
best it would have just plugged a hole until another one popped up at some
later time. Who knows whether they already plugged some earlier, worse holes
with some other security products. Making the tools to make the internet more
secure is the _easy part_. The hard part is getting everyone to use them in
the right way. If tools, and only buying things, were the answer, the internet
would have been a much more secure place already.

So keep doing you, CoreOS, keep making those tools. But please don't oversell
yourself.

------
flashdance
> I believe in freedom. Founding fathers, Martin Luther King, Jr. – that kind
> of freedom. It’s the same kind of freedom that motivates my passion for free
> software.

Oh boy, this CEO is laying it on pretty thick here... I'm a pretty steadfast
advocate for free software--and I think open software does make a better
society--but even then, I think it's a bit strange to use a comparison to MLK
for something that seems an order of magnitude less important.

It's giving me serious flashbacks to Silicon Valley.

[https://www.youtube.com/watch?v=J-GVd_HLlps](https://www.youtube.com/watch?v=J-GVd_HLlps)

------
the_common_man
This looks like some epic PR talk for marketing purposes. Maybe they want to
sell it to Equifax like companies?

~~~
1_2__4
And likely not letting a crisis go to waste.

------
siliconc0w
An auto-updating OS doesn't really help you with web application
vulnerabilities. Even something like Clair would be unlikely to help - they
likely knew about the numerous Struts vulnerabilities they faced and simply
chose not to care (and prioritized other more exciting business prospects -
like selling identity theft protection).

------
alphabettsy
I like their product, but evoking the founding fathers of the US and MLK in
talking about a more secure OS seems a bit much.

~~~
vacri
Especially since it took another 80 years for the country that the
'freedom-loving' Founding Fathers created to actually get rid of slavery.
Buggered if I know why some people get so religiose about the Founding Fathers
when they missed such simple things like "hey, freedom for all means no
slaves. And women get the vote as well."

~~~
bicubic
They enacted tremendous social change for their time, but they weren't
dictators. Even if they wanted to abolish slavery or enable women to vote, it
would have never happened because those were very unpopular views at the time.
Only a (benevolent?) dictatorial regime can act against the popular will of
the people to enact changes faster than the people can accept them.

Societal change has a hull speed, and attempting to exceed that hull speed
will result in massive push-back and ultimately failure even if the change in
question is viewed as 'obvious' in historical hindsight.

We can see the exact same thing happening today with the legalization of gay
marriage or drugs. Both will be viewed as obvious a generation from now, but
today they face tremendous pushback. That's not the fault of governance,
that's just governance imposing changes that approach the societal hull speed
on those issues.

~~~
SomeStupidPoint
Also, it took a war to get rid of slavery.

I can understand why a new nation battling off a major world power for
independence didn't have a civil war at the same time.

Sometimes, you have to pick your battles.

------
sargun
Usually blog posts like this come at pivotal times in a company's lifetime.

There doesn't seem to be anything yet. Interesting.

~~~
throwaway7645
My guess is it's easier to get attention for selling cloud security after
something like the Equifax breach happens.

------
devonkim
For everyone criticizing this because there's not much actual substance, I'm
fairly certain this piece wasn't aimed at you - it was aimed at people that
get taken by this kind of rhetoric over actual technology. If it comes down to
the usual players in enterprise software or CoreOS / Tectonic, I'd be
perfectly happy to see that stack as an option in the F500. I'm sure there's a
lot of reservations we all have about the tone and content, but as long as the
fundamental goal isn't just selling I can let it slide.

------
stevefan1999
As far as I know, if a malicious user compromised the CoreOS update central
and pushed a new rolling update, then everyone using CoreOS who (presumably
automatically) received the rolling update would also be hacked, the end. This
is an even bigger evil. It's no different from a botnet. I don't know if
CoreOS has some kind of update signing/verification or what, but based on my
assertion I wouldn't suggest using it.

------
peatfreak
"At CoreOS, our aim is to arm these companies with the tools to build their
cloud services – and run our digital lives – correctly. We’re also dedicated
to making it so easy to run these highly complex systems that they take care
of themselves. What if they’ll never miss an update again. They’ll have all
the security features turned on by default and new versions of applications
will ship quickly and safely." What a load of absolute dreck this article is.

------
kodablah
Off-topic minor note to site owner: You have two shortcut icon references in
your head, and one of them references the relative ico/favicon.png which
404s. Chrome falls back but many others do not and you get no favicon.

------
mankash666
Why do people lie about founding stories? Most of them boil down to two
things:

1> We like making money
2> We enjoy working in the domain the company operates in.

Everything else is usually made-up crap for branding, PR and to feed tech
journalists.

------
bashcoder
It was my understanding that CoreOS was started as a minimal Linux distro
tooled for hosting and orchestrating Docker containers. IMHO, Docker still has
a long way to go to impress the security community.

