Rust at CoreOS

Luca Bruno

March 24, 2018
Transcript

  1. Rust at CoreOS: Why, what and how
     Luca BRUNO @lucabruno | [email protected] | github.com/lucab
     Slides at https://speakerdeck.com/lucab
  2. $ whoami
     “Computer Engineer, Debian Developer and enthusiast FLOSS supporter”
     • OS Software Engineer
     • CoreOS/RedHat, Berlin office
     • PoliTo graduate
     • Previously: security researcher/engineer
  3. CoreOS Inc.
     “Infrastructure with autopilot: improve reliability and security regarding critical updates, machine failures, networking outages”
     • YC’13 startup
     • FLOSS-centric company
     • Offices in SF, NYC, Berlin
     • Recently acquired by RedHat Inc.
  4. ContainerLinux
     GNU/Linux distribution for containerized workloads
     • Targeted at cloud and bare-metal servers
     • Single OS image, no package management
     • Cross-building SDK for development
     • Based on ChromeOS (Gentoo)
  5. Why

  6. Why
     Our goals:
     • Improve system security and reliability → memory safety, data ownership
     • Minimize surface for human mistakes → static typing, inference
     • Avoid code bloating → generics, cargo, crates.io
  7. How
     First-class SDK integration of Rust projects within OS scope, build machinery based on cargo and portage.
     cargo (Rust project builder):
     • dependencies management (source resolution)
     • rustc + linking
     coreos-cargo (based on cargo.eclass):
     • dependencies setup (source fetching + unpacking)
     • cross-compilation setup
  8. How
     Cross-compilation via SDK-specific target tuples

         # Compile for the built-in target, using SDK cross-tools.
         export RUST_TARGET=$(rust_builtin_target "${CHOST}")
         cat <<- EOF >> "${ECARGO_HOME}/config"
         [build]
         target = "${RUST_TARGET}"
         [target.${RUST_TARGET}]
         ar = "${TARGET_AR}"
         linker = "${TARGET_CC}"
         EOF
  9. What
     Several system-level projects, major categories:
     • personal experiments
     • internal machinery
     • native libraries and bindings
     • host components
     Open-source projects on GitHub with Apache-2 licenses.
  10. What - libraries
      Rust libraries (crates)
      • caps ◦ Native Linux capabilities(7) library
      • yubihsm ◦ Bindings for Yubico HSM
      • rust-uefi ◦ UEFI runtime environment, no-std
      • pretty-good ◦ Parsers and structures for OpenPGP packets
      • openssh-keys ◦ Parsers and structures for OpenSSH pubkeys
  11. What - experiments
      CLI applications (standalone binaries)
      • rkt-volo ◦ Chroot-based stage1 for rkt
      • pazi ◦ Directory jumper
      • kubox ◦ Debug helper for kubernetes
  12. What - host components
      Part of ContainerLinux stable releases
      • coreos-metadata ◦ Cloud-introspection for systemd services
      • update-ssh-keys ◦ SSH pubkeys consumer for cloud nodes
  13. What - internal machinery
      Used for internal processes/chores at CoreOS
      • marker ◦ Markdown linter
      • tailor ◦ Bot for PRs/commits style validation
      • coreos-pages-sync ¹ ◦ Builder for doc-pages on coreos.com
      • picker ² ◦ UEFI boot selector w/ tries and rollbacks
      • fero ² ◦ Signing server for OS artifacts
      ¹ currently on a private infra repo, not yet open-sourced
      ² on-going internship project, not yet open-sourced
  14. marker
      Markdown linter, wired into CI pipelines
      • Validate CommonMark flavour
      • Mostly used for checking references in docs

      Input (example.md):
          This is a [broken reference].
          This [won't load](http://www.acrawford.com/404).
          [A subtle URL typo](http:://example.com)
          [This file](not_here.md) doesn't exist.
          This is an [absolute path](/root.md).

      Output:
          Found broken url (404 -> http://www.acrawford.com/404) in ./example.md: 404 Not Found
          Found malformed URL (malformed url -> http:://example.com) in ./example.md: empty host
          Found broken path (bad path -> not_here.md) in ./example.md
          Found absolute path (absolute path -> /root.md) in ./example.md
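An added example, not marker's own code: a minimal Rust reference checker that reproduces the four classifications in the output above (absolute path, malformed URL with empty host, missing local file, broken URL). The sample markdown from the slide is embedded as a constant; the HTTP request and filesystem lookup that a real checker would perform are replaced by constructed stub closures, so the check runs offline. Only hierarchical `scheme://host` URLs are accepted, and a bare `[text]` with no `(target)` is left alone as a reference-style link.

```rust
// Added example: classify markdown link targets the way marker's output does.
use std::fmt;

/// Sample from the slide, embedded so the checker runs without any files.
pub const EXAMPLE_MD: &str = "\
This is a [broken reference].
This [won't load](http://www.acrawford.com/404).
[A subtle URL typo](http:://example.com)
[This file](not_here.md) doesn't exist.
This is an [absolute path](/root.md).
";
const EXAMPLE_FILE: &str = "./example.md";

#[derive(Debug, PartialEq)]
pub enum Finding {
    AbsolutePath(String),
    MalformedUrl(String, &'static str),
    BrokenPath(String),
    BrokenUrl(String, u16),
}

impl fmt::Display for Finding {
    // Same wording as the marker output on the slide.
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        match self {
            Finding::AbsolutePath(t) => write!(f, "Found absolute path (absolute path -> {}) in {}", t, EXAMPLE_FILE),
            Finding::MalformedUrl(t, why) => write!(f, "Found malformed URL (malformed url -> {}) in {}: {}", t, EXAMPLE_FILE, why),
            Finding::BrokenPath(t) => write!(f, "Found broken path (bad path -> {}) in {}", t, EXAMPLE_FILE),
            Finding::BrokenUrl(t, code) => write!(f, "Found broken url ({} -> {}) in {}", code, t, EXAMPLE_FILE),
        }
    }
}

/// Collect the `target` of every `[text](target)` inline link, in order.
pub fn extract_links(markdown: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut rest = markdown;
    while let Some(start) = rest.find('[') {
        rest = &rest[start + 1..];
        let close = match rest.find(']') {
            Some(c) => c,
            None => break,
        };
        rest = &rest[close + 1..];
        if let Some(tail) = rest.strip_prefix('(') {
            if let Some(end) = tail.find(')') {
                out.push(tail[..end].to_string());
                rest = &tail[end + 1..];
            }
        }
    }
    out
}

/// Return the problem with an absolute URL, or None if `scheme://host...` is well formed.
fn url_problem(target: &str) -> Option<&'static str> {
    let (scheme, rest) = match target.split_once(':') {
        Some(parts) => parts,
        None => return Some("no scheme"),
    };
    if scheme.is_empty() || !scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c)) {
        return Some("invalid scheme");
    }
    // "http:://example.com" splits into "http" and "://example.com": no "//" follows
    // the colon, so the authority (and therefore the host) is empty.
    let authority = match rest.strip_prefix("//") {
        Some(a) => a,
        None => return Some("empty host"),
    };
    let host = authority.split(|c: char| "/?#".contains(c)).next().unwrap_or("");
    if host.is_empty() { Some("empty host") } else { None }
}

/// Classify every link; `file_exists` and `http_status` are injected so the
/// caller decides how (or whether) to touch the filesystem and the network.
pub fn check_links(
    markdown: &str,
    file_exists: &dyn Fn(&str) -> bool,
    http_status: &dyn Fn(&str) -> u16,
) -> Vec<Finding> {
    let mut findings = Vec::new();
    for target in extract_links(markdown) {
        if target.starts_with('/') {
            findings.push(Finding::AbsolutePath(target));
        } else if target.contains(':') {
            match url_problem(&target) {
                Some(why) => findings.push(Finding::MalformedUrl(target, why)),
                None => {
                    let status = http_status(&target);
                    if status >= 400 {
                        findings.push(Finding::BrokenUrl(target, status));
                    }
                }
            }
        } else {
            let path = target.split('#').next().unwrap_or("");
            if !file_exists(path) {
                findings.push(Finding::BrokenPath(target));
            }
        }
    }
    findings
}

/// Run on the slide's sample with constructed stand-ins: only README.md
/// "exists", and only a URL ending in /404 answers 404.
pub fn check_example() -> Vec<Finding> {
    let file_exists = |path: &str| path == "README.md";
    let http_status = |url: &str| -> u16 { if url.ends_with("/404") { 404 } else { 200 } };
    check_links(EXAMPLE_MD, &file_exists, &http_status)
}

fn main() {
    for finding in check_example() {
        println!("{}", finding);
    }
}
```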
  15. rkt-volo
      A stage1 for rkt, akin to stage1-fly
      • single-app pod
      • chroot only
      [Diagram: invoking process (bash/systemd/kubelet...) → rkt (stage0) → pod (stage1) → app1 (stage2), app2 (stage2)]