https://lwn.net/Articles/645013/ This is a special feed containing comments posted to the individual LWN article titled "New projects from day two of CoreOS Fest". en-us Sun, 02 Nov 2025 16:02:04 +0000 Sun, 02 Nov 2025 16:02:04 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net https://lwn.net/Articles/647130/ https://lwn.net/Articles/647130/ philipsbd <div class="FormattedComment"> I don't follow your concern; storing users/roles in etcd keys makes it very similar to how SQL databases work. The keys that hold the users/roles aren't exposed via the normal keys API if that is your concern?<br> </div> Wed, 03 Jun 2015 18:10:32 +0000 https://lwn.net/Articles/647035/ https://lwn.net/Articles/647035/ jberkus <div class="FormattedComment"> Am I reading this correctly that users and roles are stored in etcd itself? There's a bit of a security catch-22 with that; how does etcd prevent attackers from exploiting the authentication method?<br> </div> Tue, 02 Jun 2015 23:35:26 +0000 https://lwn.net/Articles/647017/ https://lwn.net/Articles/647017/ kleptog <div class="FormattedComment"> <font class="QuotedText">&gt; And in the upcoming version of etcd you can pair transport security with authz using users and roles. </font><br> <p> Now that is excellent news, thanks for pointing it out. That definitely puts etcd back in the running for me (not that there were many competitors...). The API described in that page looks easily sufficient for the most important requirements, namely making configuration read-only for most users and preventing key enumeration.<br> </div> Tue, 02 Jun 2015 20:11:51 +0000 https://lwn.net/Articles/647012/ https://lwn.net/Articles/647012/ philipsbd etcd supports <a href="https://github.com/coreos/etcd/blob/master/Documentation/security.md">TLS client certificates for authentication</a> to the service and has supported this from very early on in the project. And in the upcoming version of etcd you can pair transport security with <a href="https://github.com/coreos/etcd/blob/master/Documentation/security_api.md">authz using users and roles</a>. Tue, 02 Jun 2015 19:36:37 +0000 https://lwn.net/Articles/646754/ https://lwn.net/Articles/646754/ kleptog <div class="FormattedComment"> Project Calico looks interesting, but it says it uses etcd and last time I checked they have no kind of security against a rogue agent. So an attacker in a container would just need to fiddle the settings in etcd and then wait for the firewall to open up.<br> <p> Seems a strange thing to overlook, but the whole containerisation craze recently has shown little interest in security.<br> </div> Sun, 31 May 2015 12:51:58 +0000 https://lwn.net/Articles/645662/ https://lwn.net/Articles/645662/ sjj <div class="FormattedComment"> As someone more on the Ops side, static binaries FTW! Not having to worry about different versions of interpreters and supporting libraries on different machines is a bigger reason for me to really learn Go. Plus simple cross-compilation.<br> </div> Fri, 22 May 2015 20:55:24 +0000 https://lwn.net/Articles/645648/ https://lwn.net/Articles/645648/ sciurus <div class="FormattedComment"> Sysdig gives you insight into more system activity than just network traffic; see <a href="http://www.sysdig.org/wiki/sysdig-examples/">http://www.sysdig.org/wiki/sysdig-examples/</a> for examples.<br> </div> Fri, 22 May 2015 17:59:25 +0000 https://lwn.net/Articles/645646/ https://lwn.net/Articles/645646/ jberkus <div class="FormattedComment"> Yes, I think that's the case a lot of places. At least, I know of more than a few Python/Go shops, although I know about even more Ruby/Go shops, for which the same argument would hold.<br> </div> Fri, 22 May 2015 17:07:03 +0000 https://lwn.net/Articles/645642/ https://lwn.net/Articles/645642/ ncm <div class="FormattedComment"> I guess we should see this use of Go as an example of its displacing Python in places where performance sort of matters.<br> </div> Fri, 22 May 2015 16:36:32 +0000