Presented by Talos - “a modern Linux distribution for Kubernetes”

A few days ago, American engineer Andrew Rynhard presented an interesting project: a compact Linux distribution kit, designed specifically for launching Kubernetes clusters. It got its name from ancient Greek mythology - Talos .

The project appeared under the inspiration from Kelsey Hightower's tweet as far back as 2015, in which he said that we had only to wait for the appearance of a conditional KubeOS (after which the life of cloud environments would become absolutely wonderful):



By the way, with the advent of Talos, this story continued : someone answered the historical tweet that such a system had already appeared, and the author Talos said that he would be happy if Kelsey looked at the project. The reaction of the latter, however, (yet) was not followed.

Apparently, the development of Talos involved one person (representing himself in the framework of the whole company - Autonomy ) - it took him more than a year. And now, when the status of minimum readiness is reached, the author expects that other representatives of Kubernetes / cloud native-community will join him. So what is the essence of the project?

Talos principles and features

Talos is positioned as a modern Linux distribution, specially created (and exclusively!) For Kubernetes. To achieve this goal in its implementation follow the following approaches:

Minimalism

Ubiquitous minimalism is one of the cornerstones of Talos architecture. One of the clearest examples here is the initialization service used, which (contrary to current trends in this area) follows the UNIX philosophy that “every program does one thing but well”:

We wanted to make init focused on a single task — launch Kubernetes. It simply has no mechanisms for any other actions.

The developers went further and deprived their operating system of the usual system administrators of user access to the host: in Talos there are no command shells, no SSH daemon, or even the ability to run their own processes on the host. And really: why all this if you need to run Kubernetes and only? Virtually all processes in Talos operate within containers.

However, since the world is not so perfect (for the OS to fully function "itself"), there are still tools for operating the OS:

• The osd daemon, implemented according to the principle of providing the minimum necessary privileges (Principle of Least Privilege) and offering an API (based on gRPC) for managing nodes;
• An osctl CLI utility that allows you to communicate with the osd service that runs on each node.

This is how a set of basic operating capabilities is implemented: rebooting services and cluster nodes, getting kernel logs (dmesg) from containers, inserting data into node configuration files, etc.

All the listed components (init, osd, osctl ...), like some others in the distribution, are written in the Go language . By the way, all the source code is distributed under the terms of the Open Source-license Mozilla Public License 2.0.

Security

The minimalist approach described above (all necessary only for launching Kubernetes) + the principle of issuing only minimal privileges by themselves reduces the potential attack surface. In addition, in Talos:

• The included kernel is configured in accordance with the recommendations of the KSSP (Kernel Self Protection Project) project, which focuses on the ability of the kernel to protect itself against potential bugs and vulnerabilities (instead of using userspace utilities for the same purposes);
• the root file system is mounted in read-only, which - combined with the absence of shells / SSH - makes the system immutable;
• uses two-way TLS (mTLS) to interact with the API;
• Kubernetes settings and configurations are applied in accordance with CIS guidelines (Center for Internet Security).

An additional plus, resulting from minimalism and focusing on immutable, is the predictability of the system in its behavior (since the number of factors affecting the environment is reduced).

Relevance

The authors promise to base Talos on the penultimate upstream release of Kubernetes (however, K8s 1.13.3 is supported right now) and the latest available LTS release of the Linux kernel (4.19.10 is currently used).

System components

The main components of the distribution (in addition to the kernel and "proprietary" utilities) are:

• musl-libc - as standard C library;
• golang - for init and its other tools;
• gRPC - for API;
• containerd - to run system services in containers (used with the CRI plugin for Kubernetes);
• kubeadm - for deploying clusters.

Work with Talos

Examples of Talos deployments for AWS, KVM and Xen use cases are provided in the project documentation . To quickly illustrate how this looks, here is an installation algorithm with Linux KVM virtual machines:

1. Installing the master node on the host:

 docker run --rm --privileged --volume /dev:/dev \ autonomy/talos:latest image -b /dev/sdb -f -p bare-metal \ -u http://${IP}:8080/master.yaml 

2. Create VM:

 virt-install -n master --description "Kubernetes master node." \ --os-type=Linux --os-variant=generic --virt-type=kvm --cpu=host \ --vcpus=2 --ram=4096 --disk path=/dev/sdb \ --network bridge=br0,model=e1000,mac=52:54:00:A8:4C:E1 \ --graphics none --boot hd --rng /dev/random 

3. Similar steps to create a work node:

 docker run --rm --privileged --volume /dev:/dev \ autonomy/talos:latest image -b /dev/sdc -f -p bare-metal \ -u http://${IP}:8080/worker.yaml virt-install -n master --description "Kubernetes worker node." \ --os-type=Linux --os-variant=generic --virt-type=kvm --cpu=host \ --vcpus=2 --ram=4096 --disk path=/dev/sdc \ --network bridge=br0,model=e1000,mac=52:54:00:B9:5D:F2 \ --graphics none --boot hd --rng /dev/random 

Configuring the interaction between osd and osctl by and large comes down to generating keys for their authentication (already mentioned mTLS) and is described here .

Further work with them comes down to commands like osctl reboot , osctl stats and osctl logs . Demonstration of container output in the k8s.io namespace:

 $ osctl ps -k NAMESPACE ID IMAGE PID STATUS k8s.io 0ca1… sha256:da86… 2341 RUNNING k8s.io 356f… sha256:da86… 2342 RUNNING … k8s.io e42e… sha256:4ff8… 2508 RUNNING k8s.io kubelet k8s.gcr.io/… 2068 RUNNING 

The process of configuring a Kubernetes cluster with Talos is available here (mater nodes) and here (workers).

Status and prospects

The project is in the alpha version stage (the latest release is v0.1.0-alpha.18 ) and, of course, at this stage it looks more like an amusing experiment than anything really close to production.

However, a surge of interest in Talos after its recent announcement (already 600+ stars on GitHub) and the call of the only author to work together can serve as an excellent incentive for its development.


Activity on issues of the Talos project in recent days

At least, the distribution kit contains ideas relevant for the world of cloud native, the qualitative implementation of which is a matter of time.

PS

Read also in our blog:

• “ Firecracker introduced microvirtualization for Linux at AWS ”;
• “The Past, Present, and Future of Docker and Other Container Executables in Kubernetes ”;
• " Red Hat replaces Docker with Podman ";
• “The Linux distribution from scratch for building Docker images is our experience with dappdeps .”