openSUSE MicroOS - the OS that does "just one job"

Transcript

1. MicroOS
   The OS that does “just one job”
   openSUSE contributor
   Richard Brown
   [email protected]
   sysrich on Freenode.net
   @sysrich
   

   View Slide

2. About Me
   ●
   ~15 years with openSUSE & other FOSS
   communities
   ●
   >5 years with SUSE
   ●
   Future Technologies Team Member
   ●
   openSUSE MicroOS & Kubic
   

   View Slide

3. Agenda
   ●
   What MicroOS isn’t
   ●
   What MicroOS is
   ●
   What MicroOS could be next
   

   View Slide

4. View Slide

5. Not a Container OS
   ●
   MicroOS is not designed to be used as the
   base OS inside containers
   

   View Slide

6. Tumbleweed is our Container OS
   registry.opensuse.org/opensuse/tumbleweed
   latest 73ef0c72c385 2 days ago 90.4 MB
   registry.opensuse.org/opensuse/busybox
   latest 188f8aaa3c14 2 days ago 9.4 MB
   ●
   Use these images for all of your container
   building with podman build, docker
   build, buildah and kiwi
   

   View Slide

7. Not ‘tiny at all costs’
   ●
   Size matters
   – Easier to Deploy
   – Fewer Updates, Less Risk
   ●
   MicroOS is designed to be as small as
   possible, while fulfilling it’s job without
   compromises.
   

   View Slide

8. Still Pretty Small
   ●
   619MB Bare Metal Install
   – 165 MB kernel-default
   – 152 MB kernel-firmware
   – 68 MB grub2
   ●
   382MB VM Image
   – 68 MB grub2
   – 35 MB kernel-default-base
   – 10 MB systemd
   – 288 RPMs, 210 Source Packages
   

   View Slide

9. Not the same as ‘JeOS’ or ‘Transactional Server’
   ●
   JeOS – regular openSUSE, deployed from a
   very small image, expected to grow as a
   typical multi-purpose system.
   ●
   Transactional Server – regular openSUSE
   with a read only root-filesystem, with
   atomic updates, expected to be used as a
   typical multi-purpose system.
   

   View Slide

10. What is MicroOS?
    

    View Slide

11. Why is MicroOS?
    

    View Slide

12. Why is MicroOS?
    ●
    Computer’s are not just laptops, desktops,
    and servers any more.
    ●
    People don’t even use laptops, desktops
    and servers the same way any more.
    

    View Slide

13. 100101010101000101010101111000
    0101010101110101010001010101010
    01010101110101010101001010101010
    01010000101010101010101110101010
    00100101010101010101010001010101
    00101010101011110101010101010101
    11101010101010101010101010101010
    

    View Slide

14. IP Webcam
    Do you have an IP Webcam
    or similar IoT Device?
    Ever updated it?
    

    View Slide

15. IP Webcam
    There are millions of these devices
    ●
    78% of total detected malware activity
    is due to IoT botnets (2018)
    ●
    Failed update → Many, many unhappy
    customers
    

    View Slide

16. O2 UK Network Outage 2019
    ●
    Reliable Updates
    ●
    Automatic Recovery
    ●
    Outage can be very expensive
    ●
    Repair can be very time consuming
    

    View Slide

17. View Slide

18. The New World
    Virtualisation
    More Services = More VMs,
    not more physical
    hardware
    Containers
    Limits incompatibilities,
    isolates service problems
    Cloud
    More Hardware is always
    just a Credit Card away
    IoT
    Single-purpose devices
    are increasingly prolific
    eg. Raspberry Pis
    

    View Slide

19. Regular Linux Isn’t Good Enough
    ●
    Regular Distros are all like Swiss Army
    Knives
    ●
    Lots of Services & Features
    – Increased chance of incompatibilities
    between services
    – A problem with service A can impact B, C, D,
    etc
    

    View Slide

20. Single Purpose Systems
    ●
    VM/Cloud Instance/IoT device
    deployed to do “just one job”
    ●
    Installation contains a minimal
    number of services
    ●
    Patching often ignored (Rip n’
    replace)
    ●
    More services to use? Just add more
    VM/Cloud/IoT Devices
    

    View Slide

21. Hand Crafted isn’t Good Enough
    ●
    Building custom Single Purpose systems
    by hand is a lot of work
    ●
    Still often have issues with Configuration
    Management
    ●
    Still need effort to keep patched
    ●
    Optimising for RAM/CPU/Disk is HARD
    

    View Slide

22. Nobody is perfect
    ●
    Even the best designed & maintained systems
    have flaws
    ●
    Those flaws need to be prevented from
    getting in the way of what the system is
    meant to do
    ●
    Anything worth doing, is worth being able to
    undo
    

    View Slide

23. “I NEVER want to touch a running system”
    - Every SysAdmin, ever
    

    View Slide

24. Transactional Updates
    ●
    Any change to a system should be applied
    reliably, reproducably, and reversibly
    ●
    Transactional Updates are:
    – Atomic
    – Either fully applied, or not at all
    – Applied without impacting the running
    system
    

    View Slide

25. Health Check
    ●
    Checks for errors during boot phase
    – Error with new snapshot:
    ●
    Rollback to last known working snapshot
    – Error with already successful booted snapshot:
    ●
    Try reboot
    ●
    Shutdown services, inform admin
    ●
    Needs access to harddisk
    

    View Slide

26. openSUSE MicroOS
    openSUSE MicroOS
    The perfect single-service
    Linux-based Operating System
    Salt & Read-Only Root
    Filesystem
    Fully automated
    Transactional Updates
    Optimised footprint
    

    View Slide

27. MicroOS Architecture
    openSUSE MicroOS is a rolling release
    based on openSUSE Tumbleweed.
    MicroOS is wholly built, developed, and
    tested as part of the Tumbleweed release
    process.
    Any test failure detected before the release
    of either Tumbleweed & MicroOS can
    prevent the release of both distributions.
    

    View Slide

28. Hardware Requirements
    ARM:
    – EFI, either firmware or u-boot
    X86-64:
    – UEFI (secure boot)
    – Legacy Bios
    Memory (Virtualised):
    – 512 MB + Workload
    – 4 GB + Workload
    

    View Slide

29. Deployment Options
    DVD/NET ISO w. YaST
    Customisable,
    streamlined, installer
    VM/Vagrant/Cloud/Pi
    Images
    Preconfigured, ready to
    use disk images
    Yomi
    Installing directly
    using Saltstack
    Ignition
    For use to configure
    images/systems on first
    boot
    

    View Slide

30. More about Yomi?
    YouTube
    openSUSE Conference 2019
    Alberto Planas
    Installing openSUSE only
    with SaltStack
    

    View Slide

31. Automatic initial configuration: Ignition
    ●
    https://github.com/coreos/ignition
    ●
    Partly replacement of cloud-init
    – Features:
    ●
    Partitioning disks
    ●
    Formatting partitions
    ●
    Writing files, enable systemd services
    ●
    Configure users
    – Runs out of initramfs during first boot
    – Does not touch sub-systems not mentioned in user supplied config
    

    View Slide

32. Example Use Cases
    IoT Single-Service VM Container Host Cluster Node Appliances
    

    View Slide

33. MicroOS – The Perfect Container Host OS
    Containers make it very easy to separate the
    Service/Application from the operating system.
    Users care about the Service, they shouldn’t care about the
    OS.
    MicroOS with it’s ‘self caring’ rolling OS means users just
    need to worry about picking and updating the containers
    they choose.
    

    View Slide

34. We ❤️ Podman
    Alternative to for standalone container
    hosts/developer machines
    No Daemon
    Supports OCI-containers & Pods
    Familiar commands eg.
    – podman pull
    – podman run
    

    View Slide

35. registry.opensuse.org
    We have our own container registry!
    Built direct from packages in OBS
    Rebuilt automatically – Always Fresh
    Signed/Notorised Images
    ●
    podman pull registry.opensuse.org/opensuse/tumbleweed
    ●
    podman pull registry.opensuse.org/opensuse/leap
    

    View Slide

36. My MicroOS Life
    

    View Slide

37. Debugging - Toolbox
    Read-only root filesystem:
    – Reboot needed to install additional tools
    – Situation after reboot is different then before
    Toolbox:
    – Launches small, privileged container
    – Root filesystem available below /media/root
    – zypper to install the necessary tools
    – Persistent between usages
    

    View Slide

38. Bye bye Leap..
    

    View Slide

39. openSUSE Kubic
    openSUSE Kubic is now a MicroOS
    Derivative, focused specifically on
    Containers and Kubernetes.
    Like MicroOS, it is wholly built,
    developed, and tested as part of the
    Tumbleweed release process.
    

    View Slide

40. Kubernetes is special
    Lots of Moving Parts
    Containers, Kubernetes,
    Container Runtime, and
    base Operating System
    all need to be updated
    regularly
    Containers at Scale
    Kubernetes is designed
    to run 100s-1000s of
    containers at once
    Large Clusters
    Kubernetes clusters can
    span dozens or
    hundreds of physical
    machines or VMs
    

    View Slide

41. Kubic – The perfect Kubernetes OS
    Inheriting all the usual benefits of
    openSUSE MicroOS, with optimisations
    for Containers and Kubernetes, including
    – Fully Integrated kubeadm
    – CRI-O Container Runtime
    – Kured for automating reboots across
    the cluster
    – Kubic-Control – alternative cluster
    bootstrapping tool
    

    View Slide

42. MicroOS Desktop
    ●
    All of this makes perfect sense for ‘servers’,
    why not desktops?
    ●
    Auto updated base OS plus Desktop
    Environment
    ●
    Apps from Flatpak
    ●
    Currently in [ALPHA]
    

    View Slide

43. View Slide

44. MicroOS Leap 15.2
    ●
    All the benefits of MicrOS but based on the
    Leap 15.2 codebase
    ●
    COMING SOON
    

    View Slide

45. View Slide