Do you mean the differences to the way I was setting up servers before CoreOS? Well, this is subjective, of course, but I feel that it's easier & faster to isolate everything now. I still have to add iptables rules (I also use AWS port restrictions) and add SSH keys, but that's all I have to do. Auto updates with scheduled reboots and safe rollback work out of the box; I have only a few attack vectors in terms of services exposed to the public network. When I have everything in 1 data center, "internal" tools (etcd, fleet, confd, locksmithd) are open only in the private network and just ports 22, 80 & 443 have to be exposed. Containers are also "linked" in the private network, so I can easily and securely connect services/applications in containers running on different machines without much overhead.
Often the easiest attack vectors are security vulnerabilities in applications exposed to the public network. Containers are great here, because when an application is compromised, just 1 particular container is dead (and probably other containers running that app). I can just run docker kill app && docker rm app and the rest of my containers are (probably) ok. The problem is that an attacker can gain access to data in etcd, since it's not encrypted by default and has no per-user permissions (but you can use HTTPS in the etcd cluster, which is good); however, as of now you can use something like crypt: https://github.com/xordataexchange/crypt to use gpg in etcd (with a natural API).
Docker gives you root for everything in the container, which may not be the best option. Also, only lately does Docker have the option to verify downloaded images. rkt already has this feature, and it's just 0.5.5. (see also: https://github.com/coreos/etcd/blob/master/Documentation/sec...). Docker is great, don't get me wrong, I think it's very good software and I'm glad I can use it. The CoreOS team just has a better vision and priorities, IMO.
I'm considering a blog post about CoreOS/Docker/rkt and similar tools, not sure if there's interest?
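As an added example (not part of the comment above, and not CoreOS project code), here is the exposure model the comment describes expressed as iptables rules: 22, 80 and 443 open to the public, etcd reachable only from the private network, everything else logged and dropped. The etcd client/peer ports (2379/2380) and the 10.0.0.0/16 private CIDR are assumptions, not values from the comment; run it as `sh firewall.sh apply` on the host, or shadow `iptables` with a shell function to dry-run.

```shell
#!/bin/sh
# Added example: host firewall for a CoreOS node that only exposes SSH/HTTP/HTTPS
# publicly and keeps cluster tooling (etcd) on the private network.
# Assumptions: etcd listens on 2379 (client) / 2380 (peer); the VPC private
# range is 10.0.0.0/16. Both are placeholders, adjust for your environment.
set -eu

IPT="${IPT:-iptables}"
PRIVATE_NET="${PRIVATE_NET:-10.0.0.0/16}"  # placeholder private CIDR
PUBLIC_PORTS="22 80 443"                   # the only ports exposed to the internet
PRIVATE_PORTS="2379 2380"                  # etcd client/peer (assumed port numbers)

apply_rules() {
    # Rebuild INPUT from scratch. Rules are added before the DROP policy is set
    # so an existing SSH session is never cut off while the chain is empty.
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Public services: reachable from any source.
    for p in $PUBLIC_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Internal tooling: only from the private network, never from the internet.
    for p in $PRIVATE_PORTS; do
        $IPT -A INPUT -p tcp -s "$PRIVATE_NET" --dport "$p" \
             -m conntrack --ctstate NEW -j ACCEPT
    done

    # Log (rate-limited) and drop the rest, so probes of internal ports are visible.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
    $IPT -A INPUT -j DROP
    $IPT -P INPUT DROP
    # FORWARD is left to Docker, which manages container traffic in that chain.
}

# Only touch the live firewall when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```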