
Rocket, a new container runtime from CoreOS

CoreOS has announced that it is moving away from Docker and toward "Rocket," a new container runtime that it has developed. "Unfortunately, a simple re-usable component is not how things are playing out. Docker now is building tools for launching cloud servers, systems for clustering, and a wide range of functions: building images, running images, uploading, downloading, and eventually even overlay networking, all compiled into one monolithic binary running primarily as root on your server. The standard container manifesto was removed. We should stop talking about Docker containers, and start talking about the Docker Platform. It is not becoming the simple composable building block we had envisioned."


Rocket, a new container runtime from CoreOS

Posted Dec 2, 2014 2:14 UTC (Tue) by nathwill (guest, #69692) [Link] (1 responses)

This is terrific news. Container management as a field is wide open, and CoreOS has proven they're able to deliver. I very much look forward to watching Rocket mature towards a production-ready product.

Rocket, a new container runtime from CoreOS

Posted Dec 2, 2014 2:34 UTC (Tue) by bronson (guest, #4806) [Link]

Totally agree. I've been having the same misgivings about Docker -- it's starting to feel like a muddled, sprawling, enterprise-ready solution. Now I need to find a project that justifies taking Rocket for a spin.

Rocket, a new container runtime from CoreOS

Posted Dec 2, 2014 12:02 UTC (Tue) by ibukanov (subscriber, #3942) [Link] (6 responses)

> running primarily as root on your server.

This is even worse. There are management images that ask to pass the docker daemon socket into the container. They use that, for example, to collect logs for all containers. As a result, people get used not only to running randomly downloaded images but also to running random images that can trivially get full root access to the host.

On the other hand, Docker's apparent success implies once again that one does not need to provide any security to be popular.
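The pattern described above (a container handed the daemon socket is effectively root on the host) is easy to audit for. The following is an added example, not code from any commenter, Docker or CoreOS: it reads the JSON that `docker inspect` emits and flags containers that bind-mount the daemon socket, and also containers started with `--privileged`, which reach the host just as directly. It assumes the default socket path `/var/run/docker.sock`; the inspect output embedded here is a constructed sample, not captured from a real host.

```python
import json

# Assumption: the daemon socket is at Docker's default location.
DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample in the shape of `docker inspect <container>...` output,
# trimmed to the fields this audit reads. Not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/log-collector",
        "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro",
                                 "/var/log:/host/var/log:ro"],
                       "Privileged": False},
    },
    {
        "Name": "/web",
        "HostConfig": {"Binds": ["webdata:/data"], "Privileged": False},
    },
    {
        "Name": "/debug-box",
        "HostConfig": {"Binds": [], "Privileged": True},
    },
])


def host_source(bind):
    """Return the host-side path of a 'host:container[:opts]' bind string."""
    return bind.split(":", 1)[0]


def audit(inspect_json, socket_path=DOCKER_SOCKET):
    """Return {container_name: [findings]} for containers that can reach the
    host as root: a bind mount of the daemon socket (the :ro option on the
    bind does not block API calls over a unix socket) or --privileged."""
    findings = {}
    for container in json.loads(inspect_json):
        host_config = container.get("HostConfig", {})
        problems = []
        for bind in host_config.get("Binds") or []:
            if host_source(bind) == socket_path:
                problems.append("docker socket bind-mounted: " + bind)
        if host_config.get("Privileged"):
            problems.append("runs with --privileged")
        if problems:
            findings[container["Name"].lstrip("/")] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_INSPECT).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

On a live host, feed it `docker inspect $(docker ps -q)` instead of the sample.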

Rocket, a new container runtime from CoreOS

Posted Dec 2, 2014 18:16 UTC (Tue) by drag (guest, #31333) [Link] (3 responses)

Having something that is insecure and works now is always preferable to something that is secure and doesn't exist yet.

Rocket, a new container runtime from CoreOS

Posted Dec 2, 2014 18:21 UTC (Tue) by droundy (guest, #4559) [Link] (1 responses)

I think that depends on the item in question. In some cases, it is better to have nothing rather than something that is broken. E.g. I'd rather have no online banking than online banking that allows someone else to take all my money. I'm not sure that docker is in that category, but an insecure convenience tool doesn't sound good.

Rocket, a new container runtime from CoreOS

Posted Dec 2, 2014 19:58 UTC (Tue) by drag (guest, #31333) [Link]

Well they just don't talk about security.

I never said it's a good policy. Personally I find it counter productive to treat security as a bolt-on, but that's just how things work in my experience.

Rocket, a new container runtime from CoreOS

Posted Dec 2, 2014 19:34 UTC (Tue) by mathstuf (subscriber, #69389) [Link]

Oddly, people then get into the rut of "if it ain't broke, don't fix it" when higher-ups say "Huh? Security costs how much? It works now right and hasn't had any issues?". If you know you need security, then work towards it. Putting it on the "Nice To Have" list usually puts it into a completely different timeframe, IME.

Rocket, a new container runtime from CoreOS

Posted Dec 2, 2014 19:52 UTC (Tue) by raven667 (subscriber, #5198) [Link] (1 responses)

> On the other hand an apparent docker success implies once again that one does not need to provide any security to be popular.

[rant]

One could also point out that while the security of running random code you download from the internet is always problematic, the vast majority of the people on the internet and the code you download actually do just what they say and aren't trying to harm you, so that for the vast majority of the cases downloading Docker images isn't going to be an actual problem, only a potential one. This goes hand in hand with the fact that the vast majority of the people you meet aren't trying to kill you, so it's probably not a rational risk assessment to leave your house in the morning in a tank, unless maybe you live in a warzone.

There are real costs to security measures: they may prevent future loss, but they are always a loss now, time and money spent not making things better but instead potentially making them not worse. We should all be trying to make security technology either cheap (like signature verification) or unnecessary (only running code in the same security zone on a shared host), rather than pouring resources into more and more complicated security technology, that we then become reliant on because systems don't have more fundamental robustness.

Rocket, a new container runtime from CoreOS

Posted Dec 3, 2014 11:29 UTC (Wed) by dgm (subscriber, #49227) [Link]

> There are real costs to security measures, they may prevent future loss, but they are always a loss now

Do you run anti-virus software on your computer? Many people do. That's the real cost they have to pay for using a system that made the wrong choices regarding the security/convenience trade-off.


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds