Third prototype of ALP, the platform set to replace SUSE Linux Enterprise

SUSE has published the third prototype of ALP "Piz Bernina" (Adaptable Linux Platform), positioned as the next step in the development of the SUSE Linux Enterprise distribution. The key difference in ALP is the split of the distribution's core into two parts: a stripped-down "host OS" that runs on the hardware, and an application layer built around running workloads in containers and virtual machines. ALP is being developed in the open from the start: intermediate builds and test results are publicly available to everyone.

The third prototype comes in two separate branches. In their current form they are close in content, but they will evolve towards different areas of application and will differ in the services they provide. Available for testing are the Bedrock branch, aimed at server systems, and the Micro branch, intended for building cloud-native systems and running microservices. Ready-made builds are provided for x86_64 (Bedrock, Micro); build scripts (Bedrock, Micro) are additionally available for the AArch64, PPC64LE and s390x architectures.

Architecturally, ALP keeps in the "host OS" only the environment needed to support and manage the hardware. All applications and user-space components are meant to run not in one shared environment but in separate containers or virtual machines on top of the "host OS", isolated from each other. This lets users concentrate on their applications and decouples workloads from the low-level system environment and the hardware.

The basis of the "host OS" is SLE Micro, which in turn builds on the MicroOS project. For centralized management, the Salt (preinstalled) and Ansible (optional) configuration-management systems are offered. Podman and K3s (Kubernetes) are available for running isolated containers. System components shipped as containers include yast2, podman, k3s, cockpit, GDM (GNOME Display Manager) and KVM.

Among the features of the system environment: full disk encryption (FDE) is used by default, with the option of storing the keys in a TPM. The root partition is mounted read-only and does not change at run time. Updates are installed atomically. Unlike the ostree- and snap-based atomic updates used in Fedora and Ubuntu, ALP relies on the regular package manager together with Btrfs snapshots, rather than building separate atomic images and deploying additional delivery infrastructure.

Automatic installation of updates is configurable (for example, only fixes for critical vulnerabilities can be installed automatically, or manual confirmation of every update can be required). Live patching allows the Linux kernel to be updated without a reboot or interruption of work. For self-healing, the last known-good state is recorded in a Btrfs snapshot; if anomalies are detected after an update or a configuration change, the system is automatically returned to the previous state.
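The update flow described in the two paragraphs above (snapshot, change the snapshot rather than the running root, switch atomically, roll back if the booted system fails a health check) is modelled by the following Python, added here as an example; it is not ALP's own tooling, which on MicroOS-based systems is transactional-update working on Btrfs subvolumes. Directories stand in for Btrfs snapshots, a symlink swapped with an atomic rename stands in for the default subvolume, and the health check and both "updates" are constructed for the example.

```python
"""Model of snapshot-based transactional updates with rollback on a failed health check.
Added example; directories and a symlink stand in for Btrfs snapshots and the default subvolume."""
import os
import shutil
import tempfile


def good_update(root: str) -> None:
    """Constructed update: adds a package entry and leaves sshd working."""
    with open(os.path.join(root, "etc", "services"), "a") as f:
        f.write("nginx=ok\n")


def bad_update(root: str) -> None:
    """Constructed update: breaks the service the health check depends on."""
    with open(os.path.join(root, "etc", "services"), "w") as f:
        f.write("sshd=broken\n")


class TransactionalRoot:
    """<base>/snapshots/<n> are the snapshots; <base>/current points at the one to boot."""

    def __init__(self, base: str):
        self.snap_dir = os.path.join(base, "snapshots")
        self.current_link = os.path.join(base, "current")
        self.previous = None  # snapshot to fall back to after the most recent update
        os.makedirs(os.path.join(self.snap_dir, "1", "etc"))
        with open(os.path.join(self.snap_dir, "1", "etc", "services"), "w") as f:
            f.write("sshd=ok\n")  # constructed initial system state
        os.symlink(os.path.join("snapshots", "1"), self.current_link)

    def current(self) -> str:
        return os.path.basename(os.readlink(self.current_link))

    def _path(self, snap: str) -> str:
        return os.path.join(self.snap_dir, snap)

    def _set_default(self, snap: str) -> None:
        """Atomic pointer switch: rename(2) replaces the link in one step, so a crash
        here leaves either the old or the new pointer, never a missing one."""
        tmp = self.current_link + ".tmp"
        os.symlink(os.path.join("snapshots", snap), tmp)
        os.replace(tmp, self.current_link)

    def health_check(self, root: str) -> bool:
        """Constructed check: the system is healthy if sshd reports ok."""
        with open(os.path.join(root, "etc", "services")) as f:
            return "sshd=ok" in f.read().splitlines()

    def update(self, apply) -> str:
        """Apply a change inside a fresh snapshot and make it the default for the next boot.
        The running root is never modified; the change only becomes visible after a reboot."""
        old = self.current()
        new = str(max(int(n) for n in os.listdir(self.snap_dir)) + 1)
        shutil.copytree(self._path(old), self._path(new))  # copy stands in for a CoW snapshot
        apply(self._path(new))
        self._set_default(new)
        self.previous = old
        return new

    def reboot(self) -> str:
        """Boot the default snapshot; if the health check fails, switch back to the previous
        snapshot and discard the broken one. Returns the snapshot the system is running after boot."""
        booted = self.current()
        if self.health_check(self._path(booted)):
            return booted
        if self.previous is None:
            raise RuntimeError("health check failed and there is no earlier snapshot")
        self._set_default(self.previous)
        shutil.rmtree(self._path(booted))
        self.previous = None
        return self.current()


def demo() -> list:
    """Good update is kept; bad update is rolled back and its snapshot removed."""
    root = TransactionalRoot(tempfile.mkdtemp(prefix="alp-model-"))
    root.update(good_update)
    after_good = root.reboot()
    root.update(bad_update)
    after_bad = root.reboot()
    return [after_good, after_bad, sorted(os.listdir(root.snap_dir))]


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the rollback costs nothing beyond a pointer change, because the previous state still exists as a complete tree; a real implementation additionally keeps the running root read-only so that nothing can drift outside the snapshot being updated.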

The platform uses a multi-version software stack: different versions of tools and applications can be used at the same time by running them in containers. For example, applications that depend on different versions of Python, Java and Node.js can run side by side, with their incompatible dependencies kept apart. Base dependencies are delivered as sets of BCI (Base Container Images). Users can create, update and remove software stacks without affecting other environments.

Installation uses D-Installer, in which the user interface is separated from the internal YaST components, so that different frontends can be used, including one for driving the installation through a web interface. YaST clients (bootloader, iSCSIClient, Kdump, firewall, etc.) can run in separate containers.

Main changes in the third ALP prototype:

  • A trusted execution environment (TEE) for confidential computing, allowing data to be processed securely by means of isolation, encryption and virtual machines.
  • Hardware and runtime attestation to verify the integrity of running workloads.
  • Groundwork for supporting confidential virtual machines (CVM).
  • Integration of the NeuVector platform for checking container security, detecting vulnerable components and spotting malicious activity.
  • Support for the s390x architecture, in addition to x86_64 and AArch64.
  • Full disk encryption (FDE) can be enabled at installation time, with the key stored in a TPM 2.0 so that no passphrase has to be entered on first boot. Encryption of plain partitions and of LVM (Logical Volume Manager) volumes is supported equally.

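Two of the items above, attestation of the running environment and storing the FDE key in a TPM 2.0 so that no passphrase is needed at boot, rest on the same mechanism: firmware extends PCRs with measurements of what it boots, and the TPM releases a sealed secret only while the PCRs match a policy recorded at enrolment. The Python below is an added example written for this page, not ALP or SUSE code, and the page does not say which tool ALP uses for enrolment. PCR extension, the TPM_CC_PolicyPCR command code and the TPML_PCR_SELECTION marshalling follow the TPM 2.0 specification; the TPM, the boot measurements and the volume key are constructed stand-ins, and the "sealing" is a toy HMAC-based wrap rather than a real TPM object. The scenario seals to PCR 7 only (the Secure Boot policy PCR, which is also what systemd-cryptenroll binds to by default) and shows what that does and does not catch.

```python
"""Model of sealing a disk-unlock key to measured-boot state with a toy TPM 2.0.
Added example: PCR extend and the PolicyPCR digest follow the TPM 2.0 spec; everything else is a stand-in."""
import hashlib
import hmac
import os

TPM_CC_POLICY_PCR = 0x0000017F  # TPM 2.0 Part 2: command code of TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B         # TPM 2.0 Part 2: TPM_ALG_ID for SHA-256
NUM_PCRS = 24
PCR_SELECT_LEN = 3              # 24 PCRs fit in a 3-byte select mask


def pcr_selection(pcrs) -> bytes:
    """Marshal a TPML_PCR_SELECTION with one SHA-256 bank: count, alg, sizeofSelect, mask."""
    mask = bytearray(PCR_SELECT_LEN)
    for i in pcrs:
        mask[i // 8] |= 1 << (i % 8)
    return (1).to_bytes(4, "big") + TPM_ALG_SHA256.to_bytes(2, "big") + bytes([PCR_SELECT_LEN]) + bytes(mask)


def selection_to_indices(sel: bytes) -> list:
    """Inverse of pcr_selection for the single-bank layout used here."""
    mask = sel[7:7 + PCR_SELECT_LEN]
    return [i for i in range(NUM_PCRS) if mask[i // 8] & (1 << (i % 8))]


def policy_pcr_digest(pcr_values: dict, pcrs) -> bytes:
    """policyDigest after TPM2_PolicyPCR on a fresh session (TPM 2.0 Part 3, PolicyPCR):
    H(zeros || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values, ascending))."""
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in sorted(pcrs))).digest()
    return hashlib.sha256(
        bytes(32) + TPM_CC_POLICY_PCR.to_bytes(4, "big") + pcr_selection(pcrs) + pcr_digest
    ).digest()


class ModelTpm:
    """Just enough of a TPM to show the sealing property; the object wrapping is a toy."""

    def __init__(self):
        self._seed = os.urandom(32)  # stands in for the storage hierarchy seed; never leaves the TPM
        self.reset_pcrs()

    def reset_pcrs(self) -> None:
        """Power-on: PCRs start at zero, the seed persists across reboots."""
        self.pcrs = {i: bytes(32) for i in range(NUM_PCRS)}

    def extend(self, index: int, event: bytes) -> None:
        """PCR[i] = H(PCR[i] || H(event)): firmware hashes the event, then extends."""
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + hashlib.sha256(event).digest()).digest()

    def _kek(self, policy: bytes) -> bytes:
        return hmac.new(self._seed, b"seal" + policy, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcrs) -> bytes:
        """Bind a 32-byte secret to the current values of the selected PCRs."""
        assert len(secret) == 32
        policy = policy_pcr_digest(self.pcrs, pcrs)
        wrapped = bytes(a ^ b for a, b in zip(secret, self._kek(policy)))  # toy wrap, not a TPM2B_PRIVATE
        tag = hmac.new(self._seed, b"tag" + policy + wrapped, hashlib.sha256).digest()
        return pcr_selection(pcrs) + wrapped + tag

    def unseal(self, blob: bytes) -> bytes:
        """Release the secret only if the policy recomputed from the live PCRs matches."""
        sel, wrapped, tag = blob[:10], blob[10:42], blob[42:]
        policy = policy_pcr_digest(self.pcrs, selection_to_indices(sel))
        expected = hmac.new(self._seed, b"tag" + policy + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("TPM_RC_POLICY_FAIL: PCR state differs from enrolment")
        return bytes(a ^ b for a, b in zip(wrapped, self._kek(policy)))


def boot_events(secure_boot: bool, bootloader: bytes) -> list:
    """Constructed measured-boot log: PCR 7 gets the Secure Boot policy, PCR 4 the boot code."""
    return [
        (7, b"SecureBoot=" + (b"1" if secure_boot else b"0")),
        (7, b"db=constructed-signing-CA"),
        (4, bootloader),
    ]


def boot(tpm: ModelTpm, events) -> None:
    tpm.reset_pcrs()
    for index, event in events:
        tpm.extend(index, event)


def unseals(tpm: ModelTpm, blob: bytes) -> bool:
    try:
        tpm.unseal(blob)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    tpm = ModelTpm()
    volume_key = os.urandom(32)                 # constructed stand-in for the LUKS volume key
    boot(tpm, boot_events(True, b"grub2-signed-v1"))
    blob = tpm.seal(volume_key, pcrs=[7])       # install-time enrolment, bound to PCR 7 only
    boot(tpm, boot_events(True, b"grub2-signed-v1"))
    same_boot = tpm.unseal(blob) == volume_key  # identical boot: key released, no passphrase
    boot(tpm, boot_events(False, b"grub2-signed-v1"))
    secure_boot_off = unseals(tpm, blob)        # PCR 7 changed: refused
    boot(tpm, boot_events(True, b"evil-bootloader"))
    bootloader_swapped = unseals(tpm, blob)     # only PCR 4 changed, which the policy does not cover
    return {"same_boot": same_boot, "secure_boot_off": secure_boot_off, "bootloader_swapped": bootloader_swapped}


if __name__ == "__main__":
    print(demo())
```

The last result is the caveat a practitioner should keep in mind: a policy over PCR 7 alone catches Secure Boot being switched off or the signing databases changing, but a different bootloader that is still accepted by Secure Boot leaves PCR 7 untouched. Binding to PCR 4 as well closes that gap, at the cost of re-enrolling the key whenever the boot chain is updated.
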
Source: opennet.ru
