
Fine, I'll bite: what non-cute tool do big boys who are "great at Linux" and do know what they're doing use?

In my experience (as one of those "big boys"), it's usually more traditional virtualization, typically on top of a bare-metal hypervisor like Xen (nowadays via Amazon EC2, though there are plenty of bigger companies that run their own Xen hosts), ESXi, SmartOS, or something similar. Even more recent is the use of "operating systems" dedicated to a particular language or runtime; Ling (Erlang on Xen) is an excellent example of this.

On one hand, this tends to offer a slightly stronger assurance against Linux-level security faults while also enabling the use of non-Linux stacks (such as BSD or Solaris or - God forbid - Windows, along with just-enough-OS (or no OS whatsoever)). Proper virtualization like this offers another layer of security, and it's generally perceived to be a stronger one.

On the other hand, the security benefits provided on an OS level (since now even an OS-level compromise won't affect the security of the whole system, at least not immediately) are now shunted over to the hypervisor. Additionally, the fuller virtualization incurs a slight performance penalty in some cases, and certainly includes the overhead of running the VM.

On the third hand, bare-metal hypervisors tend to be very similar to microkernels in terms of technical simplicity and compactness, thus gaining many of the inherent security/auditing advantages of a microkernel over a monolithic kernel. Additionally, in many (arguably most) environments, the slight degradation of performance (which isn't even guaranteed, mind you) is often much more tolerable than the risk of an OS-level bug compromising whole hosts, even if the risk of hypervisor-level bugs still exists.

It depends on what you want to do, of course, but the standard tools for software packaging are deb and rpm.

The management tools are fairly decent, and the question "which CVEs are we vulnerable to in our production environment" or "where are we still using Java 6" shouldn't be more than a keypress away.

Neither deb/rpm nor containers are an excuse for not using configuration management tools however. Don't believe anyone who says so.
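The two questions in the comment above, answered from a package inventory, as an added example that is not code from the thread or from any of its commenters. The script applies the dpkg version-ordering rules (epoch, then upstream, then Debian revision; `~` sorts before anything, letters before non-letters, digit runs compared numerically) to a fleet inventory in the shape `dpkg-query -W -f='${Package} ${Version}\n'` produces, and flags every installed package older than an advisory's first fixed version. The hostnames, package versions and advisory ids are constructed placeholders, not real Debian data.

```python
"""Added example, not code from the thread: answer "which installed packages are
affected by advisory X?" and "where are we still using Java 6?" from a deb-style
inventory. Version ordering follows the dpkg rules (epoch:upstream-revision, '~'
before anything, letters before non-letters, digit runs compared numerically).
Hosts, packages, versions and advisory ids are constructed placeholders."""

# Constructed inventory, "host package version" per line, as collected from
# `dpkg-query -W -f='${Package} ${Version}\n'` on each host.
INVENTORY = """\
web-01 openssl 1.0.1e-2+deb7u17
web-01 bash 4.2+dfsg-0.1
web-02 openssl 1.0.1e-2+deb7u20
app-01 openjdk-6-jre 6b38-1.13.10-1~deb7u1
app-01 openssl 1:1.0.1t-1
app-02 openjdk-7-jre 7u79-2.5.6-1
"""

# Constructed advisories: (placeholder id, package, first fixed version).
ADVISORIES = [
    ("ADV-0001", "openssl", "1.0.1e-2+deb7u20"),
    ("ADV-0002", "bash", "4.2+dfsg-0.1+deb7u1"),
    ("ADV-0003", "openjdk-7-jre", "7u85-2.6.1-1"),
]

def _order(c: str) -> int:
    """dpkg character weight: '~' < end-of-string/digit < letters < others."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _at(s: str, i: int) -> str:
    return s[i] if i < len(s) else ""

def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream or revision fragment the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run, character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(_at(a, i)) - _order(_at(b, j))
            if d:
                return -1 if d < 0 else 1
            i, j = i + 1, j + 1
        # Digit run: skip leading zeros; longer run wins, else first differing digit.
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        first_diff = 0
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if _at(a, i).isdigit():
            return 1
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0

def parse_version(v: str) -> tuple:
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def affected(inventory: str, advisories) -> list:
    """(host, package, version, advisory) for each package older than the fix."""
    hits = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, pkg, ver = line.split()
        for adv_id, adv_pkg, fixed in advisories:
            if pkg == adv_pkg and compare_versions(ver, fixed) < 0:
                hits.append((host, pkg, ver, adv_id))
    return hits

def hosts_running(inventory: str, package_prefix: str) -> list:
    """Hosts with any installed package whose name starts with the prefix."""
    rows = [line.split() for line in inventory.splitlines() if line.strip()]
    return sorted({host for host, pkg, _ in rows if pkg.startswith(package_prefix)})

if __name__ == "__main__":
    for host, pkg, ver, adv in affected(INVENTORY, ADVISORIES):
        print(f"{host}: {pkg} {ver} is affected by {adv}")
    print("Java 6 still present on:", hosts_running(INVENTORY, "openjdk-6"))
```

The version comparison is the part worth getting right: a naive string or float comparison would rank `1.9` above `1.10` and `1.0` below `1.0~rc1`, which is exactly how an inventory tool ends up reporting patched hosts as vulnerable (or the reverse). Epoch handling matters for the same reason, since a `1:` epoch can make an older-looking upstream version the newer package.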

Docker > Chef
