HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ex_amazon_sde

no profile record

comments

ex_amazon_sde
·5 lat temu·discuss
Why "app"? These are services.

> there shouldn't be any dogma around this

Like everything in security, it's about tradeoffs.

> Also, maybe, this means you're not running a single app per vm?

This is an argument for unikernels.

Instead, on 99.9% of your services you want to run multiple independent processes, especially in a datacenter environment: your service, web server, sshd, logging forwarder, monitoring daemon, dhcp client, NTP client, backup service.

Often some additional "bigcorp" services like HIDS, credential provider, asset management, power management, deployment tools.
ex_amazon_sde
·5 lat temu·discuss
> if there's some kind of exploit in it allowing for random code to be run, said code already has access to everything it needs

On the same host there could be SSL certificates, credentials in a local MTA, credentials used to run backups and so on.

Or the application itself could be made of multiple components where the vulnerable one is sandboxed.
ex_amazon_sde
·6 lat temu·discuss
Obviously not.
ex_amazon_sde
·6 lat temu·discuss
This is exactly what lock-in looks like.
ex_amazon_sde
·6 lat temu·discuss
> I think a lot of these anti-k8s articles are written by software developers who haven't really been exposed to the world of SRE ...

Think again. There's plenty of SREs at FAANGs that dislike the unnecessary complexity of k8s, docker and most "hip" devops stuff.