TL;DR On writes RocksDB is first, then PerconaFT, then WiredTiger.
Interesting results. In the last months I saw production use of MongoDB with the RocksDB engine only once. Do you use engines other than WiredTiger (or mmapv1), and what were your reasons for doing so?
We have been working on a general-purpose resharding for over 3 years, but have yet to release it to the open source community: it's very hard to do it well.
But our customers get a sharding scheme that best suits their business needs, including fully automatic shard management and data re-balancing. I submitted a talk about the technology and know-how behind this to Percona Live 2017: https://www.percona.com/live/17/sessions/best-practices-appl...
This can be seen as a kind of response to concerns about the survival of other open source databases raised after closing RethinkDB and its recent postmortem https://hackernews.hn/item?id=13421608
BTW, can you confirm that SELinux in enforcing mode really prevents exploitation of this runC vulnerability? Therefore, the argument over the post's correctness concerns only Red Hat's marketing war.
Because if the answer is "No", and there's some other way to bypass SELinux and exploit this bug, it raises a more grave accusation against Red Hat - a false statement about the vulnerability workaround.
Thank you for the clarification of your point. It really shows a perfect example of the Red Hat marketing.
Can you please give a link to the announcement from Red Hat or someone else urging their users that they don't need to upgrade? It would be the last thing closing the question.
The blog post being discussed here is the latest example. NOTE: the blog post has since been updated without acknowledging the inaccuracies in the earlier version.
$ wdiff -n -3 first latest
======================================================================
[-Docker 0-Day Stopped Cold by-] SELinux
======================================================================
SELinux {+Mitigates docker exec Vulnerability+}
======================================================================
Fixed packages [-have been-] {+are being+} prepared and shipped for RHEL
======================================================================
[-Centos.-] {+CentOS.+}
======================================================================
[-Stopping 0-Days with-] SELinux
======================================================================
SELinux {+Reduces Vulnerability+}
======================================================================
[-How about a more visually enticing demo? Check out this animation:-]
======================================================================
we were glad to see that our customers were [-safe-] {+safer+} if running containers with setenforce 1
======================================================================
{+Even with SELinux in enforcement, select information could be leaked, so it is recommended that users patch to fully remediate the issue.+}
{++}
{+This post has been updated to better reflect SELinux’s impact on the Docker exec vulnerability and the changing threat landscape facing Linux containers.+}
======================================================================
I'm not sure that the first post's version can be considered a recommendation not to upgrade. It just shows how happy the Red Hat people were to see that the bug was prevented by another subsystem. I, as a sysadmin, would be happy to know that I'm not obligated to urgently upgrade everything I have. For most sysadmins it can be considered a workaround that is already engaged.
You as a Docker developer see the post as an attack on your project. But most sysadmins and kernel developers see it as a nice example of the fruits of long, invisible work - when a well-cared-for system with accurately configured security restrictions saves you from some vulnerabilities.
Anyway, it does not mean underestimation of Docker and your great job. Sorry you got stressed by all this noise.