CoreOS CEO: Security is fundamental

In an interview, CEO Alex Polvi claims his company invented the cloud-native OS category and discusses how CoreOS's update strategy differs from the likes of Red Hat

CoreOS CEO and founder Alex Polvi
Credit: Alex Polvi

Called a game changer in the data center and cloud and an existential threat to conventional Linux distros, CoreOS provides a container-oriented distribution of Linux that leverages Docker to manage applications and services. CoreOS also recently launched Tectonic, combining CoreOS with the Kubernetes container management tool, geared to enterprises, and the company has shipped its own Docker alternative, dubbed Rocket.

InfoWorld Editor at Large Paul Krill met with Alex Polvi, CoreOS CEO, at the O'Reilly Open Source Convention in Portland last week, where Polvi emphasized CoreOS's security benefits.

InfoWorld: Would you call yourself the inventor of CoreOS?

Polvi: Creator of CoreOS? Sure, yes. We see CoreOS as a fundamental building block for securing the Internet. That's what drove us to start the project.

InfoWorld: Securing it in what way?

Polvi: What happens today is some zero day gets disclosed, then all the IT guys around the world scramble to patch their servers, and we think there's a better model. There's always different ways people get hacked, but the most common way that people get hacked is with out-of-date software, like you have an old version of something and an attacker notices it and they hack you because there's a known exploit against the out-of-date software.

InfoWorld: How does CoreOS address that?

Polvi: The way CoreOS Linux works is it has this painless update model where it's a continuous stream of patches. It's not like how Red Hat works where every four or five years you get these monster releases and everybody has to migrate to the major new version. Ours is much more like software as a service where you're always using the latest version. You're continuously getting little patches and updates that tweak things.

You might say -- what happens when one of the updates breaks your server, because inevitably we'll push something bad? That's why we invest in all these distributed systems technologies like Kubernetes, because at some point you will break something and your system should be able to handle it. It won't just be our update, it will be you deploying some bad software or something, and if you can build an infrastructure that braces failure correctly, then you've really truly solved the problem. That's what all the Kubernetes work is about.

Our Linux OS does this continuous streaming of patches. All the cluster management would be on top [and] allows our users to build environments that they're confident won't break, even in the event of a bad patch.

InfoWorld: How does CoreOS challenge the virtualization space?

Polvi: Virtualization is really about taking a big server and carving it up into lots of little servers. Containers and Kubernetes are really about taking a pool of servers and making them appear as one big computer, so it's kind of the opposite of virtualization.

Virtualization is about carving it up into smaller servers. This is about aggregating all the servers into one giant pool that you can put workload against. They're different in that way. They're opposite in that way. They get compared a lot because once you have a lot of servers, you have to start managing them this way.

That's why Google, Facebook, and everybody runs their servers in this way already today, is because it's the only way you can really manage it at true scale, but that scaling pattern works with smaller sizes too. It's just the software is really hard to build, so only the big guys have it. Now, because of things like Kubernetes 1.0 and components that we've been building, any company can run their infrastructure that way.

InfoWorld: We had a quote from a writer a while ago that says -- "Indeed, by changing the very definition of the Linux distribution, CoreOS is an existential threat to Red Hat, Canonical, and Suse, according to some suggestions." How would you respond to that?

Polvi: We are a disruptive change to the Linux distro, and all those organizations recognize it, and they've built their own versions of CoreOS that are trying to replicate what we do. I would say the incumbents feel threatened by it, and they should because it's a different model, and it's the way it should be done in 2015.

InfoWorld: There have been a lot of forks of CoreOS?

Polvi: They're building their own versions.

InfoWorld: When you say they, who is they?

Polvi: Red Hat, Ubuntu, and VMware even released a Linux distribution called Photon. Red Hat has Atomic, Ubuntu is Ubuntu Core, VMware has Photon, and these are all CoreOS-like things. They're not forks directly, but they're in the same space. They're trying to be lightweight container OSes like CoreOS.

InfoWorld: What does that mean as far as CoreOS's business? Does that water it down if you have all these other companies doing the same thing?

Polvi: As an entrepreneur, as long as we're leading the pack, it's OK if there's a lot of competition. CoreOS is definitely leading the pack. It's the most widely used OS for all these container deployments.

InfoWorld: InfoWorld wrote that CoreOS is the first cloud-native OS to emerge. Would you agree with that or disagree?

Polvi: Yes, that's right. We invented the category. CoreOS was the first to ship one and created the category and now, since then, we've seen Red Hat, Ubuntu, and everyone else do it.

InfoWorld: What would a cloud-native OS be? How would it be classified as cloud-native OS?

Polvi: It means we strip out everything we possibly can except for the pieces for running your application. We focus on only [running] containers. It's all based around container-based deployment, and it's well-tuned for all these different cloud providers, so we deeply integrate with the services from the cloud providers as well. It's the next iteration of what a Linux distro should be.

InfoWorld: What's been the adoption rate for CoreOS?

Polvi: It's hard to tell with open source software. I would estimate it's thousands of companies, just from our users of our commercial products we can say that. On the open source side, tens of thousands, I guess. We haven't quantified it somehow, but it's used all over the place.

InfoWorld: What's next for CoreOS and Tectonic?

Polvi: Tectonic is our business-ready bundle of all of the software and we again, with our mission to secure the Internet, we believe that this model of computing is the way to do it, so we want to put out open source for companies that want to do it themselves and we think we can build a big business around helping companies adopt and leverage this technology. We'll continue to go down that path.

This week was an important week because now all the pieces are in place and now we'll use that foundation to build products that help companies take advantage of this stuff. We released Tectonic and also Kubernetes 1.0 [arrived].

InfoWorld: As far as CoreOS, are there any features you're going to add in the near future?

Polvi: Yes, there's always more. I don't know if there's anything I'm ready to talk about quite yet. Some of the work that came out recently that was pretty cool was around Rocket. Our container runtime is getting some great security features in it, some really strong, differentiated security features, allowing companies to balance the best of both worlds between virtualization and containers, the lightweight-ness of containers with the isolation of virtual machines and things like that. That's pretty neat.
