Slide 1

How to replace your engines mid-flight while maintaining a steady cruising altitude
or: how I learned to stop worrying and love Flatcar Container Linux
Software Circus Meetup, 21 October 2020
@andrew_randall @kinvolkio @salvo_mazzy @giantswarm

Slide 2

Andy Randall, Business Development @ Kinvolk, Berlin (@andrew_randall, @kinvolkio)
Salvatore Mazzarino, Site Reliability Engineer @ Giant Swarm, Prague (@salvo_mazzy, @giantswarm)

Slide 3

Who is Kinvolk?
- Berlin HQ with a globally distributed team
- Community: All Systems Go!, Cloud-Native Rejekts, o4b, community days, …
- Independent: founded 2015, no external investors
- Open source: Linux, Kubernetes, OSS consulting

Slide 4

“Secure the Internet” (2013)

Slide 5

Why use a Container Linux?
- Automated, streamlined updates
  - operational simplicity for management at scale
  - easily apply all the latest security patches
  - rollback partition
  - co-ordinated with the k8s control plane (update operator)
- Minimal distribution, required for containers
  - reduced dependencies
  - less software to manage
  - reduced attack surface area
  - repeatable deployment without per-host scripting
- Immutable file system
  - operational simplicity for management at scale
  - removes an entire category of security threats, e.g. the runc vulnerability CVE-2019-5736*
* See kinvolk.io/blog/2019/02/runc-breakout-vulnerability-mitigated-on-flatcar-linux
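How to verify the immutability claim from inside a node, as an added example that is not from the talk or from Flatcar's own tooling: the script resolves a file path to the mount that holds it (using the same longest-prefix rule the kernel applies) and reports whether that mount carries the ro option. On Flatcar the active /usr image is mounted read-only, which is what defeats the CVE-2019-5736 runc breakout when the runc binary lives under /usr: the attack overwrites the host runc binary through /proc/self/exe, and that write fails on a read-only filesystem. The /proc/mounts excerpt below is constructed to resemble such a node; the device names, the OEM mount point and the runc path are assumptions, only the /proc/mounts line format is the real one.

```python
"""Is the filesystem that holds a given path mounted read-only?

Added example, not code from the talk or from Flatcar. The /proc/mounts
excerpt is constructed; device names, mount points and the runc path are
assumptions, only the /proc/mounts format itself is the real one.
"""
import os
from typing import List, NamedTuple, Optional, Set


class Mount(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: Set[str]


# Constructed /proc/mounts lines modelled on a Flatcar-style node: the active
# /usr image is read-only, root and the (assumed) OEM partition are writable.
# The kernel writes spaces in mount points as the octal escape \040 (last line).
SAMPLE_MOUNTS = """\
/dev/sda9 / ext4 rw,relatime 0 0
/dev/mapper/usr /usr ext4 ro,nodev,relatime 0 0
/dev/sda6 /usr/share/oem ext4 rw,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sda9 /mnt/with\\040space ext4 rw,relatime 0 0
"""


def unescape(field: str) -> str:
    """Decode the \\ooo octal escapes /proc/mounts uses for space, tab, newline and backslash."""
    out, i = [], 0
    while i < len(field):
        esc = field[i + 1:i + 4]
        if field[i] == "\\" and len(esc) == 3 and all(c in "01234567" for c in esc):
            out.append(chr(int(esc, 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text: str) -> List[Mount]:
    """Parse 'device mountpoint fstype options dump pass' lines; skip malformed ones."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[:4]
        mounts.append(Mount(device, unescape(mountpoint), fstype, set(options.split(","))))
    return mounts


def find_mount(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Longest-prefix match: the deepest mount point containing `path` wins, so a
    writable mount nested under a read-only one (here /usr/share/oem) is honoured."""
    best = None
    for m in mounts:
        prefix = m.mountpoint.rstrip("/") + "/"
        if path == m.mountpoint or path.startswith(prefix):
            if best is None or len(m.mountpoint) > len(best.mountpoint):
                best = m
    return best


def is_read_only(path: str, mounts_text: str = SAMPLE_MOUNTS) -> bool:
    """True if the mount holding `path` has the ro option; raises if no mount contains it."""
    m = find_mount(path, parse_mounts(mounts_text))
    if m is None:
        raise ValueError(f"no mount in the table contains {path}")
    return "ro" in m.options


if __name__ == "__main__":
    # On a real node read the live table; offline, fall back to the constructed sample.
    table = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else SAMPLE_MOUNTS
    for binary in ("/usr/bin/runc", "/usr/share/oem/bin/example", "/etc/passwd"):  # assumed paths
        try:
            print(binary, "read-only" if is_read_only(binary, table) else "WRITABLE")
        except ValueError as exc:
            print(binary, exc)
```

Run on a node it reads the live /proc/mounts; offline it uses the sample. The nested writable mount in the sample is the reason for longest-prefix matching: a check that only looks at whether /usr is ro would mis-classify anything below /usr/share/oem. Two caveats a practitioner should keep in mind: a read-only mount only blocks writes through that mount and does not stop a process with CAP_SYS_ADMIN on the host from remounting it read-write, and it says nothing about /etc, /var or the container images themselves, so the other two columns on the slide (fast patching, minimal package set) still carry their own weight.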

Slide 6

Gentoo → ChromeOS → CoreOS Container Linux: minimal set of packages, update mechanism

Slide 7


Slide 8


Slide 9

Gentoo → ChromeOS → CoreOS Container Linux → Flatcar Container Linux: minimal set of packages, update mechanism

Slide 10

flatcar /ˈflatkɑː/ (noun): a railway freight wagon without a roof or sides, often used to transport shipping containers as part of intermodal freight shipping

Slide 11

Taking Container Linux Forward
- Continuous updates: kernel → 5.4 (stable), 5.8 (alpha); 25 releases since the CoreOS EOL; 56 component packages updated
- Focus on security: 145 security vulnerabilities (CVEs) fixed; joined the Linux kernel security team
- Open source update server: created and open sourced the update server (previously a proprietary CoreOS offering)
- Ambitious roadmap: telemetry services, broader platform support, security/regulatory certifications, …
- NEW: Flatcar Pro for cloud, optimized for Microsoft Azure (initially) with an Azure-tuned kernel; includes enterprise support

Slide 12

Embraced by the community
- Supported wherever you deploy containers
- Fast-growing installed base
- Trusted by leading global enterprises

Slide 13

“Flatcar Container Linux imho is the best distro for k8s clusters atm” – Darren Shepherd Co-founder / CTO, Rancher Labs

Slide 14

What does Giant Swarm do?
- 200+ clusters created & lifecycle managed by us
- AWS / Azure / KVM (+ AWS China)
- Many large clusters
- Production ready (24/7 monitoring, day 2 ops, …)

Slide 15

Glossary
- Control Plane: Kubernetes cluster running Giant Swarm services
- Provider: third-party service (public cloud or on-premises) providing low-level primitives such as virtualization, networking, data storage
- Tenant Cluster: on-demand Kubernetes cluster created by Giant Swarm’s customers, running the customers’ workloads

Slide 16

Time to catch a new train
“Immutable infrastructure is an important part of making a container platform scalable and reliable. So having a really small OS was, and still is, important.”
Timo Derstappen, CTO @ Giant Swarm, https://bit.ly/3lUnlSi

Slide 17

Providers (all running CoreOS Container Linux)
- Amazon Web Services: 7 regions, 150+ clusters, 1700+ VMs
- Microsoft Azure: 2 regions, 30+ clusters, 200+ VMs
- KVM: 4 enterprise data centers, 12+ clusters, 300+ VMs

Slide 18

Platforms

Slide 19

Amazon Web Services
- AWS EC2
- AMIs provided by Kinvolk
- AWS China
- Smooth and easy*
* https://bit.ly/3kgifPN

Slide 20

Microsoft Azure
- Azure VM Scale Set
- Publisher changed
- Automation powers
- More steps involved

Slide 21

KVM
- PXE boot for control planes
- QEMU images for tenant clusters
- Kernel parameter changes

Slide 22

Ignition

{
  "ignition": { "version": "2.2.0" },
  "storage": {
    "disks": [ ... ],
    "filesystems": [ ... ]
  },
  "systemd": {
    "units": [ ... ]
  }
}
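A lint for the config shape the slide shows, added here as an example and not taken from Giant Swarm's or Flatcar's tooling. Ignition runs exactly once, on first boot, so a mistake is not corrected later: a typo in a filesystem's device combined with wipeFilesystem destroys the wrong disk, and a mount unit whose name does not match its Where= path is silently ignored by systemd. The sample config below, with its /dev/xvdb device, docker partition label and unit contents, is constructed for this page; only the field names come from the Ignition 2.2.0 spec.

```python
"""Lint an Ignition spec-2.2.0 config before a node's first boot.

Added example, not Giant Swarm's or Flatcar's tooling. The sample config with
its device names, partition label and unit contents is constructed for this
page; only the field names are from the Ignition 2.2.0 spec.
"""
from typing import Any, Dict, List, Set

UNIT_SUFFIXES = (".service", ".socket", ".device", ".mount", ".automount",
                 ".swap", ".target", ".path", ".timer", ".slice", ".scope")
FS_FORMATS = {"ext4", "btrfs", "xfs", "vfat", "swap"}   # formats spec 2.x accepts

# Constructed config: partition an assumed data disk, format it, mount it at
# /var/lib/docker with a unit, and enable the docker.service the OS ships.
SAMPLE_IGNITION: Dict[str, Any] = {
    "ignition": {"version": "2.2.0"},
    "storage": {
        "disks": [{"device": "/dev/xvdb", "wipeTable": True,
                   "partitions": [{"label": "docker", "number": 1, "size": 0, "start": 0}]}],
        "filesystems": [{"name": "docker",
                         "mount": {"device": "/dev/disk/by-partlabel/docker",
                                   "format": "ext4", "wipeFilesystem": True}}],
    },
    "systemd": {"units": [
        {"name": "var-lib-docker.mount", "enabled": True,
         "contents": "[Mount]\nWhat=/dev/disk/by-partlabel/docker\nWhere=/var/lib/docker\n"
                     "Type=ext4\n\n[Install]\nWantedBy=local-fs.target\n"},
        {"name": "docker.service", "enabled": True},
    ]},
}


def mount_unit_name(where: str) -> str:
    """The unit name systemd requires for a mount point (the subset of the
    systemd-escape --path rules that plain paths need): drop the leading '/',
    escape '-' as \\x2d, turn '/' into '-', append '.mount'."""
    stripped = where.strip("/")
    if not stripped:
        return "-.mount"
    return stripped.replace("-", "\\x2d").replace("/", "-") + ".mount"


def _declared_devices(storage: Dict[str, Any], findings: List[str]) -> Set[str]:
    """Devices this config itself creates: whole disks and labelled partitions."""
    declared: Set[str] = set()
    for disk in storage.get("disks", []):
        device = disk.get("device")
        if not device:
            findings.append("storage.disks entry without a device")
            continue
        declared.add(device)
        for part in disk.get("partitions", []):
            if part.get("label"):
                declared.add(f"/dev/disk/by-partlabel/{part['label']}")
    return declared


def lint_ignition(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the config passed."""
    findings: List[str] = []
    version = str(cfg.get("ignition", {}).get("version", ""))
    if not version.startswith("2."):
        findings.append(f"ignition.version {version!r} is not a spec-2.x version")

    storage = cfg.get("storage", {})
    declared = _declared_devices(storage, findings)
    for fs in storage.get("filesystems", []):
        mount = fs.get("mount")
        if mount is None:            # "path" filesystems refer to something already mounted
            continue
        device = mount.get("device", "")
        if device not in declared:   # a typo here plus wipeFilesystem means data loss
            findings.append(f"filesystem {fs.get('name')!r} mounts {device!r}, which this "
                            "config does not create; confirm it exists on the target")
        if mount.get("format") not in FS_FORMATS:
            findings.append(f"filesystem {fs.get('name')!r} has unsupported format "
                            f"{mount.get('format')!r}")

    for unit in cfg.get("systemd", {}).get("units", []):
        name = unit.get("name", "")
        if not name.endswith(UNIT_SUFFIXES):
            findings.append(f"unit {name!r} lacks a systemd unit-type suffix")
        if not any(key in unit for key in ("contents", "dropins", "mask", "enabled", "enable")):
            findings.append(f"unit {name!r} neither defines, enables nor masks anything")
        if name.endswith(".mount") and unit.get("contents"):
            where = next((line.split("=", 1)[1].strip() for line in unit["contents"].splitlines()
                          if line.startswith("Where=")), None)
            if where is not None and mount_unit_name(where) != name:
                findings.append(f"mount unit {name!r} must be named "
                                f"{mount_unit_name(where)!r} for Where={where}")
    return findings


if __name__ == "__main__":
    import json, sys
    config = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_IGNITION
    for finding in lint_ignition(config) or ["ok: no findings"]:
        print(finding)
```

Pass a config file as the first argument to lint it; without one the constructed sample is checked. The "does not create" finding is a warning rather than an error, because a filesystem may legitimately target a device the platform provides (a cloud data disk, for instance); its job is to make a human confirm the device before wipeFilesystem runs against it. The mount-unit escaping implemented here covers the characters plain paths contain; for anything more exotic, compare against systemd-escape --path on a node.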

Slide 23

Customers
- Same OS
- Security
- Release process

Slide 24

Today

Slide 25

Today

Slide 26

Sponsorship

Slide 27

What’s next?
- Releases: conformance tests
- New hypervisor testing (Firecracker)
- Virtualization improvements (kernel 5.4+)
- Built-in WireGuard support

Slide 28

Questions?