HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ex_amazon_sde

no profile record

comments

ex_amazon_sde
·5 years ago·discuss
Why "app"? These are services.

> there shouldn't be any dogma around this

Like everything in security, it's about tradeoffs.

> Also, maybe, this means you're not running a single app per vm?

This is an argument for unikernels.

Instead, on 99.9% of your services you want to run multiple independent processes, especially in a datacenter environment: your service, web server, sshd, logging forwarder, monitoring daemon, dhcp client, NTP client, backup service.

Often some additional "bigcorp" services like HIDS, credential provider, asset management, power management, deployment tools.
ex_amazon_sde
·5 years ago·discuss
> if there's some kind of exploit in it allowing for random code to be run, said code already has access to everything it needs

On the same host there could be SSL certificates, credentials in a local MTA, credentials used to run backups and so on.

Or the application itself could be made of multiple components where the vulnerable one is sandboxed.
ex_amazon_sde
·6 years ago·discuss
Obviously not.
ex_amazon_sde
·6 years ago·discuss
This is exactly what lock-in looks like.
ex_amazon_sde
·6 years ago·discuss
> I think a lot of these anti-k8s articles are written by software developers who haven't really been exposed to the world of SRE ...

Think again. There's plenty of SREs at FAANGs that dislike the unnecessary complexity of k8s, docker and most "hip" devops stuff.