
Open Source DC/OS - hkernbach
https://mesosphere.com/blog/2016/04/19/open-source-dcos/
======
ifcologne
This is big news.

Great move and necessary to compete in the fast growing market of data-center
automation. I hope that DC/OS gets as much attention in the open-source
community as Kubernetes already does.

------
manishjhawar
TL;DR: [https://dcos.io/](https://dcos.io/)

~~~
manishjhawar
There's a separate thread for it:
[https://news.ycombinator.com/item?id=11525612](https://news.ycombinator.com/item?id=11525612)

------
Annatar
Nobody does containers better than illumos / SmartOS with Solaris zones.
Battle tested, enterprise proven technology since 2006, and SmartOS just took
it to the next level, and the level beyond next with Manta, and then a level
beyond that with Triton.

~~~
bogomipz
That's your opinion and not at all fact. Solaris really? What year is it 1999?
I know nobody that uses "illumos / SmartOS with Solaris zones" nor do I ever
recall seeing it as a skill that either established companies or start ups are
looking for.

~~~
Annatar
ZFS, kdb, mdb, FireEngine, isaexec, Crossbow, vmadm, imgadm, SMF, and FMA make
it a fact, not an opinion.

~~~
nickpsecurity
Oracle being a lock-in and lawsuit heavy company makes any solution
depending on them a high-risk one. That they tried to make it illegal to do a
clean-slate implementation of an API means they want to lock you in even more.
It's best to just avoid using any I.P. from a company like that unless the
licensing terms protect you in present and future.

Feel free to get your hands tied to a company like that. Whereas, there's
alternatives for rest of us that are both capable and extortion-free.

~~~
Annatar
illumos code base, on which SmartOS is based, is free, open source software.
It has nothing to do with Oracle and it runs best on intel hardware.

~~~
nickpsecurity
You mean the tech that has nothing to do with Oracle that's built on this
foundation:

[http://www.infoworld.com/article/2617566/open-source-softwar...](http://www.infoworld.com/article/2617566/open-source-software/after-oracle--opensolaris-rises-again.html)

So, it was started by a devious company. They tried to kill it off. It's being
maintained and extended by a small pool of talented labor. Many of its
features are migrating over to BSD and Linux. They have lots more work going
into them. Also less risk of copyright and patent lawsuits in the future.

All in all, it seems that it's a dead-end, Oracle project that's probably
going to stay behind the others in various ways with unknown risk from its
parent company. And should still be avoided.

~~~
melloc
Your biggest concern seems to be that a litigious Oracle could come after
someone using an illumos-based system:

> It's best to just avoid using any I.P. from a company like that unless the
> licensing terms protect you in present and future.

But this is _exactly_ what the CDDL does as a copyleft license with a patent
grant. There's a good reason why Oracle hasn't gone after anyone for using
illumos or OpenZFS: they can't, because these people are protected by the
license the software is developed under. The most Oracle was capable of doing
was changing the license under which they develop internally.

The rest of your concern seems to be about development effort and the number
of contributors. While illumos-developer is not as busy as the LKML, there is
definitely a lot of work going into continuing development of illumos, and
regular improvements.

~~~
nickpsecurity
I appreciate you actually addressing the concerns with some evidence. :) The
CDDL would then knock out the patent side of the issue far as that licensed
material goes. That Oracle keeps doing things like trying to copyright the
APIs and such might still be a risk. Not to mention it's hard to defend
against a company like that whether they have a case or not. So, some residual
risk there.

Good that there's significant work going into it. Although my comments don't
seem this way, I'm actually a fan of multiple codebases being developed for
UNIX for diversity purposes. Especially preventing one-bug-hits-all
situations. I also wanted IRIX and other defunct UNIX code open-sourced for
that reason. I'll give OpenSolaris bunch as doing better than anything else
based on a legacy, commercial UNIX. ;)

~~~
Annatar
> I appreciate you actually addressing the concerns with some evidence. :)

After all the comments and the tone, I seriously doubt that. It is common
knowledge that illumos is licensed under the CDDL, and besides had you
researched it instead of dinging me personally, you would have easily found
that out.

Also illumos is very actively developed, and considering it has features like
DTrace, ZFS, zones, and FMA, it is anything but legacy. Linux has yet to get
those features, and will likely never get them. Not only that, but its
mainline filesystems are from the '80's of the last century. Talk about
legacy.

For someone who bills themselves as a researcher, you did not research
anything I wrote about: not ZFS, not kdb, not mdb, not the FireEngine, you
didn't research about isaexec, nor Crossbow, nor vmadm, nor imgadm, nor SMF,
nor FMA. Not only did you not do the homework, but went off on a "Snoracle"
tangent, which has nothing whatsoever to do with anything I wrote about.

The biggest irony is, for someone who claims interest in, and I quote,
"systems with rigorous design and assurance argument to ensure the failures
stay rare plus recoverable", you dissed an operating environment which is
paranoid about data integrity and correctness of operation. illumos and
SmartOS are all about being paranoid, functioning correctly in the face of
failure (hence FMA and SMF), and protecting one's data (hence ZFS with meta-
and data block checksums). FMA and SMF are big parts of self healing
technology SmartOS is built on, the very things you claim to be interested in.
In yet another twist of irony, all those features are sorely needed
ingredients for massive cloud and container deployments. I for one do not want
any more Linux-caused priority one incidents at 02:03 in the morning, because
I actually like sleeping through my nights, thank-you-very-much!

~~~
nickpsecurity
Oh wow, this is a treat. Your post is an impressive attempt to demolish my
own. It resembles mine here on certain topics albeit without the linked
references I usually have. It certainly earned a reply. Let me do a tad of
introspection to see where one or both of us went wrong here.

re CDDL. Not common knowledge for someone that doesn't use illumos. A quick
look at the homepage people linked to in the past wasn't very enlightening:

[https://www.illumos.org/home](https://www.illumos.org/home)
[https://www.illumos.org/projects](https://www.illumos.org/projects)

Would you seriously have studied a random project more if you saw that vs
what's typical of BSD, Linux, or proprietary pages? That looks like hobbyists
throwing stuff together. The few posts here about it on front page are full of
buzzwords and zeal common with fads that disappear after a few years. Doesn't
prove it is one but I hope you understand the mental filter being applied
given I have to look at dozens of pages & claims made online.

"ZFS, kdb, mdb, FireEngine, isaexec, Crossbow, vmadm, imgadm, SMF, and FMA
make it a fact, not an opinion." "For someone who bills themselves as a
researcher, you did not research anything I wrote about"

This is what started the style of my comments. I thought you were a zealot or
trying to troll me with a reply like that. You're right that I didn't Google
most of them after recognizing a filesystem and some networking/VM tools. Your
post was written as if similar tools, including ZFS itself, weren't available
for Linux and/or BSD's. You might be shocked to find what OS's that market
leaders in cloud segment and SaaS have been running on. Hint: not Solaris.
That you named off those as if nobody could do something similar or good
enough on Linux/BSD... on top of their ecosystem benefits... led to the style
of my reply.

"you dissed an operating environment which is paranoid about data integrity
and correctness of operation"

You read my profile but clearly have no experience in my field where nobody
would make that claim about any UNIX, including Solaris. Let's start with
Solaris's reliability issues going back to the conception of it. It was much
like other UNIX's: focus on features, cost, and performance instead of
quality. Lots of lost work and crashes before it (or any UNIX) started being
reliable. Even so, all of them in a cloud or business critical deployment are
too unreliable to trust by themselves: usually in clustered configurations
optionally with clustered filesystems, backups, and standby's that don't even
trust ZFS due to single point of failure. Far as uptime, AIX wins over it in
proprietary sector per surveys and OpenBSD probably in open sector. That's
reliability part.

Now, let's talk my end: security. The strongest version of Solaris, either
Trusted Solaris 8 or the 10 variant of it, was designed against B1 standard
for Compartmented Mode Workstations plus equivalents under Common Criteria.
That means it had _features_ of highly-secure systems but not _assurance of
correctness or security_. They did not have their code pentested or try to
meet requirements like covert channel suppression important for shared
resources like cloud deployments. Many versions and years where neither Sun
nor Oracle would submit for strong pentesting despite smaller companies (eg
Secure Computing Corporation, Sentinel) with custom or BSD-like OS's
submitting theirs. Sun didn't even volunteer for free ones like SPOCK.
Further, the features were even behind those like Argus Pitbull which is why
said company is still in business.

Meanwhile, UCLA Secure UNIX and Trusted Xenix did aim for assurance
requirements and stronger pentesting requirements. Security assessment showed
inherent design weaknesses in UNIX and coding problems in commercial codes. No
retrofits possible. So, they clean-slated the kernels and certain software
with high privileges. Many improvements but still had lots of critiques in
evaluation vs high-assurance stuff. Non-UNIX's with UNIX/Linux app layers like
XTS-400's STOP did much better during multiple pentests with source. Over two
decades, Solaris codebase produced avoidable vulnerability after vulnerability
often with kernel mode takedown while software like Boeing SNS, XTS-400, and
OpenBSD just kept going without any major breaches detected. None for SNS &
maybe XTS. So, the security of UNIX and Solaris were as shitty as the
reliability with vulnerability metrics and lack of pentesting (despite
opportunities) to show it.

"I for one do not want any more Linux-caused priority one incidents at 02:03
in the morning"

My company has same perspective. That's why they wouldn't get off their
AS/400's at various offices that never crash. OpenVMS is another option. I
know they both can crash but have never seen either go down and nobody I know
admining them has either. That's despite us using the hell out of them for 5-8
years between upgrades. VMS clusters have gone 17 years with IBM mainframes
doing something like 30. I hear UNIX's are catching up slowly.

Now, all that said, a number of people here indicate that Solaris and its
cloud technology have gotten a lot better in past 5 years or so. They think
it's highly reliable and manageable. I was impressed by ZFS, DTrace, and some
self-healing parts of Solaris 10 that reminded me of NUMA and mainframe
advantages. I'll at least give it another shot for non-security applications
in the near future since I now know it's unencumbered and people in other
threads (plus this one) testified to reliability. Curious, though, do you have
some links on OS, installs, and common deployment better than the crap I have
above?

~~~
Annatar
SmartOS does not require installation, as it is a type 1 hypervisor running in
read-only mode from random access memory. All of the stable storage in a
system is used for /zones, which store the actual containers.

Set up a pxegrub, TFTP and DHCP server, and boot it straight from the network
on a node. Console on ttya or ttyb recommended but not required.

SmartOS can also be booted from a USB stick. All of the above is available on
[http://smartos.org/](http://smartos.org/)

~~~
nickpsecurity
Thanks for the tips and link. :)

