Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reinventing Container Linux for the Wasm Era (a...

Andy Randall
April 22, 2024
Technology
0
45

Reinventing Container Linux for the Wasm Era (and More) with System Extensions

Presented at Open Source Summit North America 2024, 17 April 2024.
Video recording: https://www.youtube.com/watch?v=OpMik3XSCi8&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=93

Abstract:
More than 10 years ago, CoreOS introduced the concept of a "container-optimized Linux", inspired by the ChromeOS concept of an immutable, image-based desktop operating system, that was designed for just one thing: deploying containers. Since then the Linux community has evolved tools for building distributions. In particular, systemd recently introduced system extensions (or sysexts) which have been embraced by a number of distros as an elegant way to combine components at provisioning time. After reviewing this background and explaining the necessary concepts, this session will look at how sysexts can be applied in the context of a Container Linux to build an immutable but configurable operating system adapted to a range of use cases. We will look in particular at how the Flatcar project has leveraged sysexts to replace torcx for platform-specific images, custom container runtimes, and versions tailored for deploying Wasm-based applications. The concepts, however, come from the multi-vendor UAPI group, and promise to be the foundation for how many modern Linux distros manage the balance between configurability and stability at scale.

Andy Randall

April 22, 2024
Tweet

More Decks by Andy Randall

See All by Andy Randall
Now we're all Cloud Natives, what's next?
ahrkrak
2
260
56 dog years as a cloud native
ahrkrak
0
100
Hitching a ride on a flatcar: a community project update
ahrkrak
0
73
Business of Open Source: Oxymoron or Opportunity?
ahrkrak
0
25
Taking the Work out of Network Policy
ahrkrak
0
27
Beyond the buzzword: BPF's unexpected role in Kubernetes
ahrkrak
1
850
Unmask the ghouls that lurk in your cluster
ahrkrak
0
68
Software Circus Meetup: How to replace your engines mid-flight while maintaining a steady cruising altitude, or: how I learned to stop worrying and love Flatcar Container Linux
ahrkrak
0
110
CoreOS Through the Looking Glass - Software Circus 2020
ahrkrak
0
80

Other Decks in Technology

See All in Technology
個人でもIAM Identity Centerを使おう!(アクセス管理編)
ryder472
3
200
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
580
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
170
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
140
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
190
複雑なState管理からの脱却
sansantech
PRO
1
140
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
370
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
730
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
0
110
SSMRunbook作成の勘所_20241120
koichiotomo
2
130

Featured

See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Automating Front-end Workflow
addyosmani
1366
200k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
120
Statistics for Hackers
jakevdp
796
220k
Optimizing for Happiness
mojombo
376
70k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
We Have a Design System, Now What?
morganepeng
50
7.2k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k

Transcript

  1. Reinventing Container Linux for the Wasm Era (and More) with

    System Extensions Andrew Randall Principal PM Manager Azure Core Linux

  2. So you’re about to provision a new Linux server…

  3. So you’re about to provision a new Linux server…

  4. The Linux distro dichotomy Kernel + systemd Thousands of included

    packages Tens of thousands of additional optional packages Fully mutable filesystem General Purpose Linux ✅ Flexible, works for just about any application

  5. The Linux distro dichotomy Kernel + systemd Thousands of included

    packages Tens of thousands of additional optional packages Fully mutable filesystem General Purpose Linux Flexible, works for just about any application Sources: Palo Alto Neworks, Security Magazine

  6. The Linux distro dichotomy Kernel + systemd Thousands of included

    packages Tens of thousands of additional optional packages Fully mutable filesystem General Purpose Linux ✅ Flexible, works for just about any application ❌ Large attack surface area ❌ Manageability ❌ Snowflakes / config drift

  7. The Linux distro dichotomy Kernel + systemd Thousands of included

    packages Tens of thousands of additional optional packages Fully mutable filesystem General Purpose Linux Kernel + systemd Minimal (10s/100s) collection of packages Container workloads loaded at runtime Immutable filesystem Special Purpose Linux ✅ Minimal attack surface area ✅ Manageability at scale ✅ Repeatable deployments

  8. The Linux distro dichotomy Kernel + systemd Thousands of included

    packages Tens of thousands of additional optional packages Fully mutable filesystem General Purpose Linux Kernel + systemd Minimal (10s/100s) collection of packages Container workloads loaded at runtime Immutable filesystem Special Purpose Linux Minimal attack surface area Manageability at scale Repeatable deployments

  9. The Linux distro dichotomy Kernel + systemd Thousands of included

    packages Tens of thousands of additional optional packages Fully mutable filesystem General Purpose Linux Kernel + systemd Minimal (10s/100s) collection of packages Container workloads loaded at runtime Immutable filesystem Special Purpose Linux ✅ Minimal attack surface area ✅ Manageability at scale ✅ Repeatable deployments ❌ Inflexible - advanced knowledge required to modify base image

  10. What if there were a better way…

  11. Composable (Image-based) Linux Kernel + systemd Thousands of included packages

    Tens of thousands of additional optional packages Fully mutable filesystem Kernel + systemd OS extension layers loaded at boot time Container, Wasm modules, etc., loaded at runtime Immutable filesystem General Purpose Linux Composable Linux ✅ Minimal attack surface area ✅ Manageability at scale ✅ Repeatable deployments ✅ Easy to create custom OS flavors from composable system extension layers Kernel + systemd Minimal (10s/100s) collection of packages Container workloads loaded at runtime Immutable filesystem Special Purpose Linux

  12. Anatomy of a System Extension (sysext) /usr /opt An overlay

    file system containing /usr & /opt Packaged as a disk image* Loaded at boot time by systemd-sysext * typically; can also be plain directory or btrfs subvolume https://www.freedesktop.org/software/systemd/man/latest/systemd-sysext.html sysext

  13. Flatcar has embraced sysext /oem Torcx Replacement / Custom Container

    Runtimes OEM Partition Cluster API

  14. Recent Applications in Flatcar Container Linux: 1) Torcx Replacement /

    Custom Container Runtimes ž torcx (from CoreOS) ž custom, tarball-based, complex, inflexible ž No behavior change for default (e.g. Docker, containerd) ž Easily add new runtimes (e.g. Podman) alongside or replacing standard ones sysext sysext sysext

  15. Recent Applications in Flatcar Container Linux: 2) OEM Partition ž

    Separate partition fixed at build time for platform- specific tools/agents ž Not upgradeable without reprovisioning entire node ž Sysext for each target platform ž In-place upgrades /oem sysext sysext sysext

  16. Recent Applications in Flatcar Container Linux: 3) Cluster API ž

    Custom worker node images combine OS + K8s control plane ž K8s + OS versions tied ž No in-place updates ž K8s control plane as sysext ž Stock distro images ž OS + K8s versions decoupled ž In-place updates sysext

  17. Creating Sysexts: the Flatcar Sysext Bakery files to bake +

    config + metadata https://github.com/flatcar/sysext-bakery/blob/main/README.md bake.sh sysext image (.raw) sysext Kind of like docker build Kind of like your dockerfile

  18. Publishing sysexts Create checksum upload sysext image + checksum +

    update conf to http endpoint (e.g. GitHub as part of build pipeline) Kind of like docker push sha256sum *.raw > SHA256SUMS CONF Create update conf file (optional)

  19. Baked Goods, Ready to Consume https://github.com/flatcar/sysext-bakery/releases/tag/latest • docker • docker-compose

    • kubernetes • wasmcloud* • wasmtime* • cri-o (PR in progress) • k3s (PR in progress) * we’ll come to these later

  20. A Brief Detour into Flatcar provisioning YAML Butane config (human

    readable) Butane transpiler JSON Ignition config (machine readable) This is where we want to specify the sysext(s) to use https://coreos.github.io/butane/

  21. Provisioning Flatcar with a Sysext variant: flatcar version: 1.0.0 storage:

    files: - path: /opt/extensions/wasmtime/wasmtime-17.0.1-x86-64.raw contents: source: https://github.com/flatcar/sysext-bakery/releases/download/latest/wasmtime-17.0.1-x86-64.raw links: - target: /opt/extensions/wasmtime/wasmtime-17.0.1-x86-64.raw path: /etc/extensions/wasmtime.raw hard: false YAML

  22. What about updates? OS-independent sysexts OS-dependent sysexts OS images •

    E.g. standalone go binary, no OS dependencies • systemd-sysupdate • simple semver based mechanism over https • Needs to update in lockstep with OS due to dependencies • Use OS update mechanism • Flatcar update server (Nebraska) extended to support sysexts • Sysexts part of OS image à updated as part of OS update

  23. Configuring for Updates of OS-independent Sysexts variant: flatcar version: 1.0.0

    storage: files: - path: /opt/extensions/wasmtime/wasmtime-17.0.1-x86-64.raw contents: source: https://github.com/flatcar/sysext-bakery/releases/download/latest/wasmtime-17.0.1-x86-64.raw - path: /etc/sysupdate.wasmtime.d/wasmtime.conf contents: source: https://github.com/flatcar/sysext-bakery/releases/download/latest/wasmtime.conf links: - target: /opt/extensions/wasmtime/wasmtime-17.0.1-x86-64.raw path: /etc/extensions/wasmtime.raw hard: false systemd: units: - name: systemd-sysupdate.timer enabled: true - name: systemd-sysupdate.service dropins: - name: wasmtime.conf contents: | [Service] ExecStartPre=/usr/lib/systemd/systemd-sysupdate -C wasmtime update - name: sysext.conf contents: | [Service] ExecStartPost=systemctl restart systemd-sysext YAML

  24. What if I don’t want to pull the image at

    runtime? bake_flatcar_image.sh sysext(.raw) new flatcar image including sysext https://github.com/flatcar/sysext-bakery?tab=readme-ov-file#baking-sysexts-into-flatcar-os-images // Create a qemu image (latest stable) with pre-baked wasmcloud bake_flatcar_image.sh --fetch --vendor qemu_uefi wasmcloud:wasmcloud-0.82.0-x86-64.raw

  25. Putting it all together: Wasm-Optimized Linux Wasm = Web Assembly

    By default, provably secure sandbox Most languages compile to it Runs on most OSes, architectures VERY small size, super fast start Wasm modules run in a Wasm runtime

  26. Putting it all together: Wasm-Optimized Linux Kernel + systemd Core

    wasm utils loaded during init or baked into image Wasm modules loaded at runtime Immutable filesystem Wasm-Optimized Linux No Docker sysext active – no docker binaries in OS! Worth noting that if you disable a sysext, the binaries disappear from the OS file system. Might be important for e.g. compliance.

  27. So many Wasm runtimes and tools to choose from Lunatic

    Modsurfer nerdctl runwasi SpiderLightning (slight) Spin wamr (wasm-micro- runtime) wasm3 WasmCloud WasmEdge Runtime wasmtime WaVe WaZero

  28. More Wasm Goodness in Ralph’s Bakery https://github.com/squillace/sysext-bakery This is a

    great playground for all: feel free to submit additional sysexts here or upstream Flatcar sysext-bakery for mature projects

  29. Takeaways • systemd-sysext is a promising new way to compose

    custom Linux distros • Immutable + minimal (with all the benefits that brings), but also flexible • Flatcar has already embraced as the way forward for enabling flexible deployments and customization • Great platform for production environments for Wasm and more
  30. None

  31. Get involved! CNCF Special Purpose OS Working Group tag-runtime.cncf.io/wgs/spos The

    Linux Userspace API (UAPI) Group uapi-group.org Flatcar Container Linux Project github.com/flatcar/Flatcar