polymorphic OCI OS images with Kairos #1875
j-landru
started this conversation in
Show and tell
Replies: 3 comments 5 replies
-
Thanks for sharing @j-landru this is super cool! I wonder if we could link it from https://github.com/kairos-io/community |
Beta Was this translation helpful? Give feedback.
2 replies
-
Also, getting a preview at one of our meetings would be super nice |
Beta Was this translation helpful? Give feedback.
2 replies
-
2 things I get from this.
|
Beta Was this translation helpful? Give feedback.
1 reply
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
abcd : Alpine Based Cos Derivative
Keywords : Kairos derivative; polymorphic OS images; immutability; instal-lless OS image; execution context agnostic; "rootless" Containerized OS (sandboxing).
I share here some personal notes about Kairos derivatives (sorry maybe a bit long), hoping it can be useful for others or maybe receive some feedbacks or guidelines from the Kairos community.
_
polymorphic OCI OS image with Kairos
Context
Orphan of K3OS as a base system for CIRRUS (Cloud Iac Reservoir de Resources pour Sessions de tp) a pedagogical lab cluster. I successively turned to C3OS, then elemental-toolkit and finally naturally Kairos to build base system ISO images for lab environments. For the fourth version of VIMINAL (VIrtual Model for Ip Network Architecture Lab), initially used as autonomous installless all in one LiveDVD network lab plateform, now essentially played as live ISO on HVM Hypervisor, I plan to switch from Gentoo catalyst live iso generator to the lighter Kairos/Aurora iso builder. I'll switch from Gentoo to Alpine distribution, which was the one used on K3OS, for its neat lightness and as a more than 20 years Gentoo user I'm more familar with its openrc init process. Prefix name of these images is ABCD which means Alpine Based Cos Derivative (Cos stands for "Containerized Opernating System"). But all that's describe in this post can, with no doubt, be translated to more common systemd like Linux distributions as Kairos is "Meta-Distribution, distro agnostic".
Essential properties for that goal :
_
Polymorphic OS image running on all major common execution contexts
In that context of networked lab execution, the pure performance of lab system nodes is less important than the flexibility of execution environments that typically run nested. The nodes on which the students carry out manipulations are generally virtualized in the form of an appliance (all in one VM), as the first virtualization level, and the entire laboratory platform (VIMINAL, but also the dominant GNS3 system image in the context of teaching network infrastructure) is itself executed in virtualized mode (second virtualization level aka nested). At MOOCs (Massive Open On line Courses) scale, that laboratory platform must be able to be run for the entire subscriber population. It needs to be distributed as a simple VM image with the minimum of runtime dependencies, to be run on common HVM hypervisors such Virtualbox (available on the 3 dominant systems, i.e. GNU/Linux, Windows and IOS), VMWare or Hyper-V, as well as libvirt/KVM (but for the latter only for Linux subscribers).
As OSaC (Operating System as Code) environment, basically based on Dockerfile format, Kairos use standard OCI system image as its immutable rootfs packaging for baremetal or HVM-VM install. Several years ago, VIMINAL network lab model environment, as its third version, switched from nested HVM (libvirt/KVM) execution context to an LXD (lightvisor) execution context. So idea arose, why not try running Kairos system image on the common LXD container runtime as well as dominant Docker or Podman. In that way the same single base system image could be run on, not all but, almost all major common execution contexts : baremetal (liveUSB ISO), HVM hypervisor (KVM/libivrt, VirtualBox, VMWare, Hyper-V, XVisor,... in liveISO mode) and container runtime (LXD, Docker, Podman, ...) paving the way for VDI (Virtual Desktop Infrastrucure) scaling up to today's dominant cloud envrionment i.e. K8S.
_
inheritance and abcd lineage
OCI container images stack several storage layers at build time, one layer per step of the dockerfile. Multiple stacking levels can be aggregated when importing a previously built image. So one system image can share some common genes of ancestor system. The system image can thus be managed by inheritance, as in the OOP programming language. The polymorphic image adds an upper layer to a common functional image, whose elements are adapted to the target execution context. The aim is to ensure that, whatever the target execution context, the same functionalities, user interface and user experience are preserved.
So, for a basic ABCD image, these directives for the upper layer are set inside dedicated dockerfiles :
abcdic : abcd Inside Container to build container runtime conformant system image ;
abcdik : abcd with Initrd and Kernel : add initrd and kernel elements which will be used by Aurora to build iso full system image bootable on bare metal or on full virtalization hypervisors (HVM).
abcdib : (just a crazy idea not yet implemented) abcd Inside Browser : Another lab platform called L.I.B.E.R.A.L. (Linux Inside Browser to Experiment Remotely Activities and Labs) is an in browser remote lab use case based on Fabrice Bellard JSLinux javascript CPU emulator. LIBERAL was conceived at IMT Nord Europe during that unusual COVID19 pandemic period where containment forced to play some labs remotely at student's home. Based on a javascript hardware emulator like jor1k or JSLinux, this kind of platform aimed at playing basic Linux system lab directly inside the browser with no system dependencies nor hypervisor install. On such Javascript emulator performance of the virtualized system is modest, but sufficient for shell cli manipulations. JSLinux emulates X86 or RISC-V architecture, so abcdib dockerfile would be the recipe for building LIBERAL lab images, but need to investigate Kairos on RISC-V, which would undoubtedly be another exciting story...
abcd family tree
Nota : On abcd4desktop line subtree, graphical display is managed by classical X11 X server on physical or paravirtualized (such spice/qxl) graphic card drivers for abcdik descendants and xpra/Xdummy for abcdic descendants. On that latter, remote desktop is displayed through xpra HTML5 web rest interface with dynamic resolution auto-adjustment to browser window size. See illustration below and SDDM/KDE/PLASMA remote desktop with xpra for config details.
About rootless container
In this context of running academic labs, without privileged rights on the lab workstation (sandbox), it is necessary to run the containers in unprivileged mode (and more generally, it is a good practice to run with less privileges). So the environment settings to run the container abcd in rootless mode is the good way, (Another argument was to get around a window manager startup issue inside container see : "unbearable delay at sddm login/logout starting kde Plasma desktop when running inside container" for more details).
TODO - What else next ?!
Illustration
Does it work ? 1st try
On a Gentoo host, 4 simultaneous abcd4desktop instances on 4 execution contexts : from left to right and top down
abcdik4desktop liveiso HVM (kvm/libvirt spice/qxl paravirtualized graphic) ; abcdic4desktop rootless docker container (html5 remote display on firefox) ; abcdic4desktop rootless podman container (html5 remote display on firefox) ; abcdic4desktop lxd rootless container (html5 remote display on firefox).
automatic resolution adjustment to browser tab size on KDE/Plasma destop
More details, howtos, dockerfiles, container runtime configs ...
abcd is published on an alternate associative sovereign gitlab portal, available at https://framagit.org/j-landru/abcd >>>
Beta Was this translation helpful? Give feedback.
All reactions