| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by St-Clock 4231 days ago

Security-wise, if I understand correctly, this is a very interesting offering.

1. The containers live on "your" VMs so you get the isolation of a virtual machine and do not worry about the other tenants' containers.

2. The VMs are part of a "private cloud", i.e., the internal network is not accessible by other tenants' VMs and containers.

#2 is what worried me the most in other container service offerings. It's easy to overlook protecting your internal ip when you manage VMs, it's even easier (and expected) when you deploy containers.

2 comments

joshpadnick 4230 days ago

I'm here at AWS reinvent and just saw the EC2 Container Service presentation. They specifically targeted security as part of their design.

Basically, you launch a cluster of EC2 instances that are "available" for containers to launch into. So these are your instances, running in your VPCs. It's really the same security profile as the standard VPCs plus any other security issues your particular docker containers expose.

link

kalgen 4231 days ago

These are also properties of Google Container Engine. Which other container service offerings were you thinking of?

link

dividuum 4231 days ago

Digital Ocean has something called "Private Networking" that's internal to the data center but shared with all other customers. It's not obvious from reading the website that this is the case.

link

estsauver 4231 days ago

I actually think they're almost intentionally a touch deceptive. "Private" is a really loaded term to use there.

link

inopinatus 4230 days ago

When a door is marked "Private", then the room beyond is generally a shared space for all those authorized to access.

link

SoreGums 4230 days ago

Not really, common to refer to Private IP's as "private IP address space" as per RFC 1918(IPv4)/RFC 4193(IPv6).

If a user of the service is wanting to get on board, it is their responsibility to ensure what they think is accurate or not.

link

kelleyk 4230 days ago

Linode's is the same. I agree that it's annoying and that the terminology is slightly deceptive.

Any of these "datacenter LANs", though, tend to be fast and free (in terms of bandwidth). We just use a VPN overlay and call it a day.

link