benjamin gilbert ben breard - blog.openshift.com · fedora coreos •new fedora edition...

Post on 05-Sep-2019


Benjamin Gilbert, Fedora CoreOS Technical Lead
Ben Breard, Product Manager
OpenShift Commons Briefing - July 25, 2019
Creative Commons BY-SA 4.0

Fedora CoreOS
• New Fedora edition
• Purpose-built OS for running containerized workloads at scale
• Philosophy of CoreOS Container Linux
• Technology from Fedora Atomic Host

Mission
“An automatically updating, minimal, monolithic, container-focused operating system, designed for clusters but also operable standalone, optimized for Kubernetes but also great without it.”

RHEL CoreOS?
• RHEL CoreOS is not intended as a standalone OS
  • Component of OpenShift
  • Updates along with OpenShift
  • Based on RHEL package set
• Fedora CoreOS
  • Shares some components and tooling with RHEL CoreOS
  • Standalone OS
  • Based on Fedora package set

Philosophy
• Immutable infrastructure
  • Customizations entirely in provisioning config
  • No configuration management: re-provision the node
• User software does not run directly in the host
  • No interpreters
  • We will freely update libraries
• OS versions are an implementation detail
  • Fedora releases are regular updates

What is Fedora CoreOS?
• Server and cloud distro
  • Available in wide variety of clouds
  • Workloads run in containers
• Reasonably minimal host OS
• Image-based distro using rpm-ostree
  • "Git for the OS"
  • OS mounted read-only
  • Offline atomic updates
• Automatic updates

Cloud/virt support
• Targets: AWS, Azure, DigitalOcean, GCP, OpenStack, Packet, QEMU, VirtualBox, VMware
• Fedora CoreOS will avoid shipping platform agents where possible
• Afterburn: generic cloud agent providing minimum required functionality

Bare metal support
• Install to disk
  • Cloud images do not have an installer
  • Bare metal shouldn’t either
  • Install script is basically dd
• Live PXE

What’s in the OS?
• Latest Fedora base components
• Hardware support
• Basic administration tools
• Container engines: podman, moby
• TBD: Kubernetes integration with kubelet, cri-o

Ignition: provisioning
• Ignition configs: declarative JSON documents provided via user data
• Runs exactly once
• Can write files and systemd units, create users and groups, partition disks, create RAID arrays, format filesystems
• If provisioning fails, so does boot

Writing Ignition configs
• Ignition configs are unsugared and JSON is not pretty
• Fedora CoreOS Config Language
  • YAML
  • Ignition config, plus sugar for common operations
• Converted to Ignition config by Fedora CoreOS Config Transpiler
• Transpiler catches common errors at build time
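
A review check for the file entries an Ignition config can write, as an added example that is not from the slides or the Fedora CoreOS project. It assumes the Ignition spec 3.0.0 JSON layout (`storage.files[]` with `mode`, `contents.source` and `contents.verification.hash`); the sample config, its host names and the `audit` function are constructed for illustration. Since JSON has no octal literals and the config is applied exactly once, a mistyped mode or an unverified remote source is worth catching before first boot.

```python
import json
from urllib.parse import urlsplit

# Constructed sample config (Ignition spec 3.0.0 layout); not from the slides.
SAMPLE = json.loads("""
{
  "ignition": {"version": "3.0.0"},
  "storage": {"files": [
    {"path": "/etc/hostname", "mode": 420,
     "contents": {"source": "data:,node1"}},
    {"path": "/etc/app/token", "mode": 644,
     "contents": {"source": "data:,constructed-secret"}},
    {"path": "/usr/local/bin/agent", "mode": 493,
     "contents": {"source": "http://mirror.example/agent"}},
    {"path": "/etc/app/conf.json", "mode": 438,
     "contents": {"source": "https://mirror.example/conf.json",
                  "verification": {"hash": "sha512-<placeholder>"}}}
  ]}
}
""")

def audit(config):
    """Return (path, finding) pairs for risky storage.files entries."""
    findings = []
    for entry in config.get("storage", {}).get("files", []):
        path = entry.get("path", "?")
        mode = entry.get("mode")
        if mode is not None:
            if mode & ~0o777:
                # e.g. 644 typed as decimal is really octal 1204
                findings.append((path, f"mode {mode} is octal {mode:o}: special or "
                                       "out-of-range bits, check for octal typed as decimal"))
            elif mode & 0o022:
                findings.append((path, f"mode {mode:o} is group- or world-writable"))
        contents = entry.get("contents", {})
        scheme = urlsplit(contents.get("source", "")).scheme
        if scheme and scheme != "data":  # remote fetch at provisioning time
            if scheme == "http":
                findings.append((path, "fetched over plaintext http"))
            if not contents.get("verification", {}).get("hash"):
                findings.append((path, "remote source has no verification.hash"))
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```
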

Automatic updates
• Users shouldn’t have to think about updates
• They must be reliable
• No breaking changes w/o long deprecation period
• How we achieve reliability:
  • Automated CI
  • Managed update rollout
  • Multiple release streams
  • Automatic rollback if update doesn’t boot
    • With user-specified health checks

Update management
• New installs
  • Public metadata points to the recommended install images
  • Per-cloud and per-region basis
  • We can point to a previous release if a regression is found
• Updates
  • rpm-ostree is driven by a service, Zincati, that requests permission to update
  • Updates are rolled out gradually, and can be stopped if regressions are reported

Release streams
• testing: snapshot of Fedora N plus updates
• stable: testing after it bakes for two weeks
• next: extra baking time for Fedora N+1 and new kernels
• Goal: report problems before they promote to stable
• Users should run all three in production
• Security fixes and bug fixes will be backported to all streams

Update coordination
• Nodes can request update permission from a cluster service
• Useful for ensuring an entire cluster doesn't update simultaneously

Telemetry
• Fedora CoreOS will report some machine info to the Fedora project by default
• Default set: non-identifying info
  • Platform, instance type, OS version
• Enhanced set is opt-in
  • Hardware and network summary, etc.
• Possible to opt-out entirely
• Data used only in aggregate; no unique IDs

Fedora CoreOS preview
• Preview release is available now
  • Don’t run in production!
  • Incompatible changes may occur
  • Please test and report bugs
• Stable release in ~6 months
  • Please run in production!

Coming soon
• next and stable streams
• Full set of cloud and virtualization platforms
• Multi-arch support
• Live PXE and Live CD
• Improved network configuration
• More FCCT sugar
• Functioning telemetry
• More docs
• OKD integration & design

OKD on Fedora CoreOS
• Need openshift-installer and MCO changes
• kubelet and cri-o are not yet shipped in the OS
• OS components, versioned with the cluster
• Cluster control of OS version?
• Short term: branch OS, add missing pieces
• Medium term: support OKD directly in Fedora CoreOS

Get involved!
• Web: getfedora.org/coreos
• Issues: github.com/coreos/fedora-coreos-tracker/issues
• Forum: discussion.fedoraproject.org/c/server/coreos
• Dev list: coreos@lists.fedoraproject.org
• IRC: freenode #fedora-coreos

Next Commons Briefing on Ignition Deep Dive
https://commons.openshift.org/events.html#event|7885|995

Thank you!