Posted to dev@cloudstack.apache.org by Pearl d'Silva <pe...@shapeblue.com> on 2021/01/28 13:02:07 UTC

[DISCUSS] SystemVM template for CKS

Hi All,

As we all know, CoreOS reached EOL on May 26th, 2020, and with this arose the need to find a suitable replacement that meets the need of resilience, popularity, and security. Keeping these aspects in mind, we looked at some viable options like Alpine Linux, FlatCar Linux, and Debian. Doing some basic PoCs on each of them and understanding how they fare in the community, we based our decision on the following metrics/parameters:

| | FlatCar Linux | Alpine Linux | Debian |
|---|---|---|---|
| Brief Description | Drop-in replacement for CoreOS | Alpine Linux is a Linux distribution based on musl and BusyBox, designed for security, simplicity, and resource efficiency | Debian is one of the oldest operating systems based on the Linux kernel. New distributions are updated regularly, and the next candidate is released after a time-based freeze. |
| Size | ~ 500MB – 600MB | Small image of approx. 5MB – Because of its small size, it is commonly used in containers providing quick boot-up times | ~ 500MB – 600MB |
| Security | Quite secure as it mitigates security vulnerabilities by means of delivering the OS as an immutable filesystem | All userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities. | Debian is on a par with most other Linux distributions. |
| Release Management | Frequent releases – almost bi-weekly or monthly | There are several releases of Alpine Linux available at the same time. There is no fixed release cycle but typically every 6 months | Debian announces its new stable release on a regular basis. 3 years of full support for each release and 2 years of extra LTS support. |
| Maintenance | It is maintained by Kinvolk – a Berlin based consulting firm known for their work around rkt, Kubernetes, etc. | Alpine Linux is backed by a pretty large community base with mailer lists, etc. to find support | Unparalleled support – claim to provide you with answers for queries on mailing lists within minutes! |
| Main Reason for Choosing / Not Choosing | NOT CHOSEN: A small community, not a popular choice and chances of meeting the same fate as CoreOS i.e., EOL | NOT CHOSEN: Init system used by Alpine Linux is openrc – and up until recently k8s did not support openrc systems https://github.com/kubernetes/kubeadm/issues/1295 | CHOSEN: Huge community support, and most importantly – we can modify the existing systemVM templates! |


With the above, we propose using the Debian-based systemVM template, for apart from the fact that it has huge community support, we already have it registered in our CloudStack environments, thus making it readily available for consumption by CKS for deploying Kubernetes clusters, with no requirement of registering a new template. To enable the systemVM to be consumed by CKS, a few packages like docker and containerd are installed on the systemVM template; however, these services are disabled by default in the systemVM template and are only enabled and started for CKS nodes. We've proposed a PR here: https://github.com/apache/cloudstack/pull/4329.


Thanks & Regards,
Pearl Dsilva

pearl.dsilva@shapeblue.com 
www.shapeblue.com
3 London Bridge Street, 3rd floor, News Building, London SE1 9SG UK
@shapeblue
  
 


Re: [DISCUSS] SystemVM template for CKS

Posted by Pearl d'Silva <pe...@shapeblue.com>.
Hi All,

Apologies for the previous mail, seems like the table got mangled. So, re-sending the mail with the reformatted table content.

So, as we all know, CoreOS reached EOL on May 26th, 2020, and with this arose the need to find a suitable replacement that meets the need of resilience, popularity, and security. Keeping these aspects in mind, we looked at some viable options like Alpine Linux, FlatCar Linux, and Debian. Doing some basic PoCs on each of them and understanding how they fare in the community, we based our decision on the following metrics/parameters:

FlatCar Linux:

  *   Drop-in replacement for CoreOS
  *   Size: ~ 500-600MB
  *   Security: Quite secure as it mitigates security vulnerabilities by means of delivering the OS as an immutable filesystem
  *   Release Management: Frequent releases – almost bi-weekly or monthly
  *   Maintenance: It is maintained by Kinvolk – a Berlin-based consulting firm known for their work around rkt, Kubernetes, etc.
  *   Reason for NOT choosing: A small community, not a popular choice and chances of meeting the same fate as CoreOS i.e., EOL

Alpine Linux:

  *   Alpine Linux is a Linux distribution based on musl and BusyBox, designed for security, simplicity, and resource efficiency
  *   Size: Small image of approx. 5MB – Because of its small size, it is commonly used in containers providing quick boot-up times
  *   Security: All userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities.
  *   Release Management: There are several releases of Alpine Linux available at the same time. There is no fixed release cycle but typically every 6 months
  *   Maintenance: Alpine Linux is backed by a pretty large community base with mailer lists, etc. to find support
  *   Reason for NOT choosing: Init system used by Alpine Linux is openrc – and up until recently k8s did not support openrc systems https://github.com/kubernetes/kubeadm/issues/1295

Debian:

  *   Debian is one of the oldest operating systems based on the Linux kernel. New distributions are updated regularly, and the next candidate is released after a time-based freeze.
  *   Size: ~500-600MB
  *   Security: Debian is on a par with most other Linux distributions.
  *   Release Management: Debian announces its new stable release on a regular basis. 3 years of full support for each release and 2 years of extra LTS support.
  *   Maintenance: Unparalleled support – claim to provide you with answers for queries on mailing lists within minutes!
  *   Reason for choosing: Huge community support, and most importantly – we can modify the existing systemVM templates!

Considering the above, we propose using the Debian-based systemVM template, for apart from the fact that it has huge community support, we already have it registered in our CloudStack environments, thus making it readily available for consumption by CKS for deploying Kubernetes clusters, with no requirement of registering a new template. To enable the systemVM to be consumed by CKS, a few packages like docker and containerd are installed on the systemVM template; however, these services are disabled by default in the systemVM template and are only enabled and started for CKS nodes. We've proposed a PR here: https://github.com/apache/cloudstack/pull/4329.


Thanks & Regards,
Pearl Dsilva
