Slide 2

What’s new in Linux: How we’re collaborating to help shape its future
Andy Randall, Principal PM Manager
Vincent Batts, Principal Software Engineering Manager

Slide 3

Agenda
• How we got here – Linux at Microsoft
• Distros in Azure; Fujitsu’s Journey
• Security, Quality & Reliability
• Usability, Observability & Debugging
• Evolution of Linux

Slide 4

Microsoft Linux

Slide 5

15+ Years of Linux at Microsoft
• 1991 – Linus Torvalds introduces Linux
• 2009–2011 – Hyper-V drivers in the Linux kernel; Microsoft is the 5th largest kernel contributor
• 2012 – Azure extended to Linux, steadily expanding the range of endorsed distros
• 2014–2016 – SONiC, WSL
• 2017 – SQL Server
• 2019 – Linux >50% of Azure
• 2020 – Azure Linux 1.0
• 2021 – Azure Linux for AKS host
• 2023 – Azure Boost

Slide 6

>65% of Azure customer workloads run on Linux, as measured by virtual CPU cores

Slide 7

100s of Microsoft services run on Linux
• AKS
• Defender
• PostgreSQL
• HDInsight
• Microsoft 365 (Office)
• DNS Services
• Minecraft
• LinkedIn
• GitHub
• & more…

Slide 8

AI Runs on Linux … and Azure is the world’s AI supercomputer

Slide 9

Dozens of teams across Azure dedicated to Linux
• Kernel
• 1P distro (Azure Linux)
• Quality and reliability
• Security
• Provisioning
• Upstream distro engineering
• Cloud native / containers
• & more…

Slide 10

Linux distros in Azure

Slide 11

Anna: “I have a preferred distribution I want to use in Azure. I want to be able to run the distro of my choice.”
Bob: “I want Linux but don’t know which distribution to use. I want to find out what options I have that work well in Azure.”
We both want to:
• Be able to easily find, procure and deploy Linux images in Azure
• Know Microsoft works with the publisher to ensure quality, security and reliability

Slide 12

Azure Marketplace: The place to find Linux images (Microsoft Azure Marketplace)

Slide 13

Endorsed Distributions (NEW)
Linux distributions endorsed on Azure

Slide 14

What does “Endorsed” mean?
• Contractual agreement and a deep relationship (more than just marketplace)
• Engineering collaboration forum for alignment, escalations, etc.
• In-Azure mirror infrastructure
• Strong market demand

Slide 15

Community Image Gallery and Fedora Collaboration (NEW)
Community images in Azure – a new way to share images on Azure

Slide 16

Fujitsu’s Journey with Linux in Azure
Chris Quinn, Global Vice Service Domain Owner, Fujitsu Digital Transformation – Cloud and Data Center

Slide 17

Global IT, Cloud and Application Services – Integration and Consulting
Principal Industries: Manufacturing, Retail, Public Sector

Slide 18

Fujitsu and Microsoft – Relationship
• Global and regional representation
• Our success is supported by Microsoft
• Platform design consideration
• Continuous upskilling support

Slide 19

Fujitsu and Microsoft – Engineering support
• Long term license support for Red Hat (Enhanced EUS)
• Design: IaaS, PaaS and Container services
• Network topology
• Security: Defender for Cloud
• Linux deployment support
Collaboration = Transformation

Slide 20

OS Landscape
Chart: Linux 43%, Other 57%
• Red Hat is in high demand for use in mission-critical systems
• Red Hat, Ubuntu, SUSE OS estate: 43%

Slide 21

What is DXP Cloud?
Summary – Infrastructure services transformation
• Azure platform
• Simplification and Cloud first: "One Fujitsu"
• Flexibility of traditional IaaS, plus PaaS and Container services
• Global platform service
Features – Ensure safe and secure use of new features
• Modern, robust functionality, Azure landing zone architecture
• Bundled security features
• Compliance with industry-standard security guidelines (NIST)
Scope – Corporate systems
• Global operations: Fujitsu and Fujitsu Group companies
• AI for Operations, User Experience, Development

Slide 22

Activity
• VMs: 2,000+
• Subscriptions: 400+
• PaaS: 400+
• Containers: 25+ ※
※ Applications

Slide 23

Linux Deployment Fundamentals
Problem – Common issues when migrating Linux: enabling security and governance without leaks, and with long lead times
• Missing settings and diagnostics
• Manual deployment / testing: weeks
Solution – Azure helped us minimize impact: automate security and governance deployment with DevOps
• Defender for Cloud
• Azure Policy enforcement
• Deployment / testing: minutes

Slide 24

Red Hat Strategy > Azure
Problem – Before migration to Azure: reduce the burden of license and OS patch application management
• Large server estate: time-consuming process
• Track deployed licenses, patching status and levels
• Apply license renewal and patching on individual servers
Solution – After migration to Azure
• Aggregated license renewal process
• Centralized management of patch application status, using Azure Update Manager

Slide 25

Security

Slide 26

Security is top of mind for the Linux community

Slide 27

Secure Future Initiative
Principles: Secure by design • Secure by default • Secure operations
Security culture and governance
Engineering pillars:
• Protect identities and secrets
• Protect tenants and isolate production systems
• Protect networks
• Protect engineering systems
• Monitor and detect threats
• Accelerate response and remediation
Continuous improvement • Standards • Paved path
Secure Future Initiative | Microsoft

Slide 28

Trusting your Images: Azure Marketplace Certification
• Validation of publishers in Marketplace
• Certification of images on ingestion – including for vulnerabilities
• Ongoing scanning of images in marketplace

Slide 29

Trusting your Images: Azure Trusted Launch
• Secure Boot ensures only signed OS images and drivers can boot
• Virtual Trusted Platform Module (vTPM) establishes the root of trust
• Boot Integrity Monitoring via Guest Attestation
Trusted Launch for Azure VMs – Azure Virtual Machines
* Flatcar planned Q4 2024

Slide 30

Protecting Data in Use: Confidential Computing
• Confidential VMs run in a trusted execution environment (TEE) – Azure confidential computing
• Guest Attestation ensures the workload really is running in a TEE with secure boot enabled – What is guest attestation for confidential VMs?
• NEW: OpenHCL, a new open source paravisor, enables older VMs to run in confidential mode – OpenHCL: Evolving Azure’s virtualization model

Slide 31

Protecting Data in Use: Confidential Computing
Confidential Containers in Azure Red Hat OpenShift (ARO) (NEW)
• Leverages AMD SEV-SNP
• Builds on upstream Kata CoCo collaboration
• Public preview – Confidential Containers Public Preview on Azure Red Hat OpenShift
Confidential VMs for AI (NEW)
• Azure NCC H100 v5 VMs
• 4th-gen AMD EPYC CPU with SEV-SNP + NVIDIA H100 Tensor Core GPUs
• OS: Ubuntu 22.04
• Generally available – General Availability: Azure confidential VMs with NVIDIA H100
Confidential Containers
• Implemented by the Kata-CC project, with MS as active participants
• Supported in AKS & ACI
• Public preview – Confidential Containers with Azure Kubernetes Service (AKS)

Slide 32

Integrity Policy Enforcement (IPE) (NEW)
• Limit execution to known, signed binaries
• Requires enforcement in the kernel
• Eliminates attacks: linker hijacking (LD_PRELOAD, LD_AUDIT, DLL injection), binary rewriting, malicious binary execution/loading
• Developed by Microsoft’s Linux kernel team
• Contributed to the upstream kernel

Slide 33

Ensuring Security and Compliance with Azure Policy
Azure Security Baseline for Linux
• Defines recommended hardening options for your VMs (Azure + Arc)
• Based on Center for Internet Security (CIS) standards
NEW: Enhanced audit experience – Security baseline with Azure Policy and Machine Config
• More accurate findings & detailed descriptions
• Fully aligned with CIS
NEW: Auto-remediation
• Built on open source (azure-osconfig)
• No additional cost
• Limited Public Preview
From Compliance to Auto-Remediation: Azure’s Latest Linux Security Innovations

Slide 34

Demo: Security Baseline

Slide 36

Sign-up form for auto-remediation

Slide 37

Quality and Reliability

Slide 38

A Combinatorial Challenge for Quality
Guest
• Azure Linux Fleet
• 75+ Guest Extensions
• Features & Kernels
• 7 Endorsed Partners
• 125+ 3P Publishers
• 40K+ Packages
• 20K Images
Host
• 1K+ VM Sizes / SKUs
• Azure Host and Virtual Stack
Workloads and Health Monitoring

Slide 39

Our Approach to Ensuring Linux Image Quality
LISA – Linux Integrated Services Automation
• 400+ tests cover 40+ areas
• Extensible, supports all flavors of Linux
• github.com/microsoft/lisa
Azure Certify
• Comprehensive validation of all images submitted to marketplace
• Includes LISA + scan for malware and vulnerabilities
KernelCI Foundation
• Continuous validation of upstream kernels
• KernelCI foundation sponsorship
• Azure-tuned kernel (ATK)
AITL – Azure Image Test Service for Linux (NEW)
• Self-service automation portal for image publishers
• Secure, API-driven
• Private Preview

Slide 40

Updates & Snapshots
Problem: Safe Deployment Practices aborts a roll-out if an error is encountered, leaving different machines/regions with inconsistent versions.
Solution: Enhanced apt package manager and Azure Guest Patching Service to enable deterministic deployment of a known-good version from a point in time.
Increased security and resiliency of Canonical workloads on Azure

Slide 41

Usability, Observability and Troubleshooting

Slide 42

SSH – Ed25519 (NEW)
• Ed25519 is an Edwards-curve Digital Signature Algorithm (EdDSA) signature scheme using SHA-512 and Curve25519
• Now supported for SSH keys in the Azure Portal and CLI, alongside existing RSA key formats
• Faster performance and equivalent security at a smaller key length (RSA may offer greater security at larger key lengths)
• Looking at supporting other emerging formats for greater security
Azure updates
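The key-length comparison on this slide, as an added example that is not part of the presentation: a small Python parser for OpenSSH public-key lines (the format the Azure Portal and CLI accept) that checks the blob's structure and reports the key size, putting the 32-byte Ed25519 key next to a 2048-bit RSA modulus. The sample keys are constructed inside the code, not real key material, and the checks are structural (RFC 4251 wire format, matching type prefix, field lengths), not curve-point or primality validation.

```python
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(blob: bytes, off: int) -> tuple[bytes, int]:
    """Decode one RFC 4251 'string' at offset off; return (bytes, offset after it)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string field")
    return blob[off:off + n], off + n

def make_authorized_key(key_type: str, fields: list[bytes], comment: str) -> str:
    """Build an authorized_keys line '<type> <base64(blob)> <comment>' from wire fields."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def inspect_authorized_key(line: str) -> dict:
    """Parse an authorized_keys line; check the blob's structure and report the key length."""
    key_type, b64 = line.split(None, 2)[:2]      # ValueError if the line has fewer than 2 fields
    blob = base64.b64decode(b64, validate=True)
    inner_type, off = _read_string(blob, 0)
    if inner_type != key_type.encode():          # prefix and blob must agree on the algorithm
        raise ValueError(f"type prefix {key_type!r} does not match blob type {inner_type!r}")
    if key_type == "ssh-ed25519":
        pub, off = _read_string(blob, off)       # a single 32-byte encoded Curve25519 point
        if len(pub) != 32:
            raise ValueError(f"Ed25519 public key must be 32 bytes, got {len(pub)}")
        bits = 256
    elif key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)        # public exponent e (mpint)
        n, off = _read_string(blob, off)         # modulus n (mpint); its bit length is the key size
        bits = int.from_bytes(n, "big").bit_length()
    else:
        raise ValueError(f"unsupported key type {key_type!r}")
    if off != len(blob):                         # reject trailing data after the key fields
        raise ValueError("trailing bytes after key fields")
    return {"type": key_type, "bits": bits, "blob_bytes": len(blob)}

# Constructed sample inputs (not real keys): 32 arbitrary bytes for Ed25519, and an RSA
# blob with e = 65537 and a 2048-bit modulus whose top bit is set (hence the leading 0x00).
ED25519_LINE = make_authorized_key("ssh-ed25519", [bytes(range(32))], "anna@example")
RSA_LINE = make_authorized_key("ssh-rsa", [b"\x01\x00\x01", b"\x00\xc3" + b"\x5a" * 255], "bob@example")
```

Running `inspect_authorized_key` on both lines shows the Ed25519 blob at 51 bytes against 279 bytes for RSA-2048, and a tampered line whose `ssh-rsa` prefix does not match the Ed25519 blob inside is rejected.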

Slide 43

Azure-vm-utils (NEW)
• New open-source project: github.com/Azure/azure-vm-utils
• Home for small utilities
• First one: azure-nvme-id – addresses the problem of consistent, predictable device names for NVMe devices
• Working with upstream communities to make this available via all the major distros

Slide 44

Azure-init (NEW)
• New open-source project: github.com/Azure/azure-init
• Minimalist provisioning of Linux VMs from Azure metadata
• Extremely lightweight, written in Rust; few requirements, so it can run early in the boot process
• For reference, or for lightweight distros without full guest config (e.g. cloud-init)

Slide 45

Sometimes, you want to run code in the kernel…
• Debugging / performance analysis
• Application monitoring & security
• Customizable low-level networking controls

Slide 46

eBPF enables this safely, without kernel modules
• In-kernel restricted virtual machine: sandbox + verifier
• Bytecode just-in-time compiled to the native instruction set
• Event/function hooks
• Helper functions
• Maps
“eBPF does to Linux what JavaScript does to HTML. (Sort of.)” – Brendan Gregg, Netflix

Slide 47

Unlock the power of eBPF with Inspektor Gadget
• Wide range of Gadgets
• Run in Kubernetes or on a Linux host
• Framework for building & deploying new gadgets
Advise: Seccomp-profile • Network-policy
Audit: Seccomp
Snapshot: Process • Socket
Trace: Network • Bind • Capabilities • Dns • Exec • Fsslower • Lsm • Malloc • Mount • Oomkill • Open • Signal • Sni • Ssl • Tcp • Tcpconnect • Tcpdrop • Tcpretrans
Top: Blockio • Ebpf • File • Tcp
Profile: Block-io • Cpu • Tcprtt
Other: Traceloop • Deadlock • Fsnotify
Inspektor Gadget (inspektor-gadget.io) – Open source, in CNCF

Slide 48

Demo: Inspektor Gadget

Slide 51

Evolving Linux distro architecture

Slide 52

Challenges with managing traditional package-managed Linux distributions at scale
• Security
• Configuration drift
• SSH
• Inconsistent package and OS updates

Slide 53

Evolving Linux Distro Architecture
• 2009 – Image-based desktop OS
• 2014, 2019 – Image-based server OS, container optimized
• 2024 & beyond – Image-based general purpose distros

Slide 54

Linux Architecture Evolution: Industry Collaboration
• The Linux Userspace API (UAPI) Group
• systemd project – systemd.io – System and Service Manager
• CNCF TAG Runtime Special Purpose OS Working Group
• Flatcar Container Linux project (in CNCF) – flatcar.org | Flatcar Container Linux

Slide 55

Wrapping up…

Slide 56

Microsoft doesn’t just love Linux, we live Linux!
• The primary platform for cloud workloads, including AI
• Dozens of teams across Azure focused on enhancing quality, security, reliability, and usability of Linux
• Close collaboration with other vendors and the upstream Linux open source community

Slide 57

Linux and Open Source @ Microsoft – aka.ms/linux-blog

Slide 58

How did we do? Tell us your thoughts about our sessions and the overall event in the surveys.