Persistent storage and certificates


Maciej Piechotka

Sep 19, 2016, 12:29:34 PM
to CoreOS User
Hi,

Reading about CoreOS and fleet, I'm confused about how 2 things are supposed to work:

  • How is persistent storage supposed to work in CoreOS? For example, if I'd like to have a Postgres DB. Docker volumes are per-host AFAIK.
  • How is sharing of secure files supposed to work? For example, let's assume I'd like to use letsencrypt. I can use a reverse proxy to direct /.well-known to a standalone server, but how do I share the minted certs with other clients?

Matt

Seán C. McCord

Sep 19, 2016, 12:56:10 PM
to Maciej Piechotka, CoreOS User
An obvious solution to the key storage is to use etcd. Using kubernetes will also provide additional structure and tooling, but there are many storage solutions which are available. Torus is the volume-oriented solution which is being built, but there are many others. Ceph works well on CoreOS, and other cluster-oriented databases can use local storage sharded and replicated across the cluster.

A PostgreSQL store is not as flexible, since it is not a cluster-oriented database. There are sharding and replicating solutions which can be built on top of it, but effort would be best spent (in my opinion) setting up a cluster-oriented volume infrastructure. The progressive choice there would be kubernetes and torus. More conservatively, you can use a Ceph RBD-based volume or a service like Flocker.


--
Seán C McCord
CyCore Systems, Inc

Maciej Piechotka

Sep 22, 2016, 1:37:30 PM
to Seán C. McCord, CoreOS User
Thanks,
A few follow-up questions:

  • etcd does not have any per-client ACLs? In other words, I cannot restrict it to only some containers?
  • Am I correct in my reading that kubernetes effectively replaces fleetd?

Matt

Seán C. McCord

Sep 22, 2016, 1:46:37 PM
to Maciej Piechotka, CoreOS User

To the first, you are correct: there is access or not, and not yet any keyspace/prefix-oriented access control. However, kubernetes approaches this by generally removing direct etcd access, favoring structured access to data in the form of Secrets and similar.

To the second, I wrote up a bit about fleet vs. Kubernetes some time ago. It's a bit out of date, but it might help.
https://www.quora.com/What-is-the-difference-between-fleet-in-CoreOS-and-container-platforms-like-Docker-and-Kubernetes/answer/Se%C3%A1n-McCord?srid=JxDs&share=f90c53a8
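As an added illustration of the "structured access in the form of Secrets" point above (this is not part of the thread, and not CoreOS or Kubernetes project code): the certificate pair is stored as a TLS Secret, mounted read-only into only the pod that needs it, and an RBAC Role (a Kubernetes feature that arrived after this thread, in 1.6) narrows API-level reads to that one Secret by name. The namespace, the object names, the service account and the placeholder certificate data are all assumptions.

```yaml
# Added example, not from the thread. Values marked REPLACE_* are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: web-tls              # assumed name
  namespace: edge            # assumed namespace
type: kubernetes.io/tls
data:
  # base64-encoded PEM; Secrets are encoded, not encrypted, unless
  # encryption at rest is configured on the API server
  tls.crt: REPLACE_WITH_BASE64_PEM_CERT
  tls.key: REPLACE_WITH_BASE64_PEM_KEY
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web-frontend         # assumed: only this identity may read web-tls
  namespace: edge
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-web-tls
  namespace: edge
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["web-tls"]   # this Secret only, not the whole keyspace
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: web-frontend-reads-web-tls
  namespace: edge
subjects:
  - kind: ServiceAccount
    name: web-frontend
    namespace: edge
roleRef:
  kind: Role
  name: read-web-tls
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-frontend
  namespace: edge
spec:
  replicas: 2
  selector:
    matchLabels: { app: web-frontend }
  template:
    metadata:
      labels: { app: web-frontend }
    spec:
      serviceAccountName: web-frontend
      containers:
        - name: proxy
          image: REPLACE_WITH_REVERSE_PROXY_IMAGE
          ports:
            - containerPort: 443
          volumeMounts:
            - name: tls
              mountPath: /etc/tls        # proxy reads tls.crt and tls.key here
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: web-tls
            defaultMode: 0400            # owner read-only inside the container
```

The volume mount is what actually delivers the certificate to the container; the kubelet fetches the Secret, so the pod itself needs no API credentials for that. The Role is there for the per-client restriction asked about earlier in the thread: any other workload in the cluster that tries to read `web-tls` through the API is refused unless it is bound to a role that names that Secret. Rotation (for example when a new letsencrypt certificate is minted) means updating the single Secret; mounted copies are refreshed by the kubelet, though the proxy still has to reload its files.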
