ALP is moving to its next peak: Punta Baretti
December is here and it is time to deliver the next version of the ALP project, which we call “Punta Baretti”. For those wondering, ALP stands for ‘Adaptable Linux Platform’.
Back in September, we unveiled ALP. Before jumping into Punta Baretti, let’s recap what ALP is.
What is ALP?
ALP is the next generation of Linux, an application-centric, secure and flexible platform designed to focus on workloads while abstracting from the hardware and the application runtime layers.
Punta Baretti is one of the prototypes based on ALP in which we implemented new features, approaches and relevant changes. Other deliverable builds, all based on ALP, will follow!
The products and solutions based on ALP use containerized workloads to isolate different processes at the application layer. These are managed using K3s for Kubernetes-based workloads or Podman for non-k8s workloads. This approach adds extra flexibility while keeping the deployment and management of workloads persistent, easy and stable.
ALP’s ‘Zero-Touch’ approach makes systems management, patching, and upgrading more stable, reliable and secure.
Major Changes in Punta Baretti
D-Installer
D-Installer is a new Linux installer that comes from the YaST team. It is designed to offer re-usability, integration with third-party tools, and the possibility of building advanced user interfaces over it.
In a secure environment, D-Installer can deploy ALP on encrypted volumes using FDE (Full Disk Encryption).
A customized LUKS2, compatible with GRUB, opens the door to using TPM (Trusted Platform Module) to decrypt the boot volume, so keys stored on the TPM chip can be used instead of passwords.
This allows us to get closer to highly secure deployments with no user interaction at boot time.
Containerized YaST
Containerized YaST has been available in ALP since its inception. This allows users to run package management and other modules as first-class workloads following the ALP model.
- Many YaST clients have already adapted to run in containers: bootloader, iSCSIClient, Kdump, firewall, etc.
- Several modules have been adapted to work in transactional systems although currently some clients work only in the non-transactional variant of ALP.
- Implemented initial support for handling transactional systems when some packages need to be installed.
- Made libyui-rest-api available in the containers for openQA. This allows the containerized version of YaST to be integrated with openQA, leveraging the extensive sets of tests already available to greatly improve the quality of current and future releases.
All YaST containers are currently available through the project on the Open Build Service – https://build.opensuse.org/project/show/SUSE:ALP:Workloads.
Two types of containers are provided:
- Management Containers, to work with YaST on text, GUI and Web modes.
- Testing Containers, designed for automated testing of the YaST containerized workload, not intended for Production.
Those containerized YaST versions can run not only on ALP but also on the latest SLE, openSUSE Leap or openSUSE Tumbleweed, using Podman, Docker or any other container engine.
Cockpit
Cockpit is now containerized and available as an ALP workload. Once deployed, you can use Cockpit to manage your servers using just a web browser.
One of the key highlights in this release is Cockpit becoming the default 1:1 system management for ALP.
If you are interested in what’s new in this release or in testing the deployment and execution of Cockpit as a containerized workload, take a look here.
Full Disk Encryption (FDE)
ALP is designed to run securely on both private and public clouds, relying on features like FDE (Full Disk Encryption).
Regarding security, the Zero-Touch approach means volumes can be decrypted at boot time through the usage of encryption keys instead of a password. The use of encrypted volumes adds an additional layer of security to all ALP workloads.
To achieve this, the team decided to move on with the following additions to Punta Baretti:
- GRUB2 will be the new bootloader for ALP.
- FDE (Full Disk Encryption) is now available on bare-metal servers.
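With TPM-bound unlocking (described in the D-Installer and FDE sections above), the check an operator wants is whether the volume is actually enrolled with a TPM token and whether a fallback keyslot still exists. The following is an added example, not code from this post or from the ALP project: it parses a LUKS2 header image using the standard LUKS2 layout (magic, big-endian version and header size, JSON area after the 4096-byte binary header) and assumes the token type name "systemd-tpm2"; the header bytes are constructed for the example.

```python
"""Inspect a LUKS2 header image and report how the volume can be unlocked.

Assumptions (not from the original post): standard LUKS2 on-disk layout and
the token type name "systemd-tpm2" for a TPM-bound keyslot.  The header used
below is synthetic, built by build_header(), not read from a real volume.
"""
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"
BIN_HDR_SIZE = 4096  # the JSON metadata area starts right after the binary header
TPM_TOKEN_TYPE = "systemd-tpm2"  # assumed token type name


def parse_luks2_header(blob: bytes) -> dict:
    """Return the JSON metadata of a LUKS2 header image (first header copy)."""
    if blob[:6] != LUKS2_MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack_from(">H", blob, 6)
    if version != 2:
        raise ValueError(f"LUKS version {version}, expected 2")
    (hdr_size,) = struct.unpack_from(">Q", blob, 8)  # binary header + JSON area
    json_area = blob[BIN_HDR_SIZE:hdr_size].rstrip(b"\x00")
    return json.loads(json_area)


def unlock_summary(meta: dict) -> dict:
    """Which keyslots are TPM-bound, and which still need a passphrase."""
    tpm_slots = set()
    for token in meta.get("tokens", {}).values():
        if token.get("type") == TPM_TOKEN_TYPE:
            tpm_slots.update(token.get("keyslots", []))
    all_slots = set(meta.get("keyslots", {}))
    return {
        "tpm_unlock": bool(tpm_slots & all_slots),
        "fallback_slots": sorted(all_slots - tpm_slots),  # passphrase/recovery slots
    }


def build_header(meta: dict) -> bytes:
    """Build a synthetic LUKS2 header image for testing (constructed data)."""
    hdr_size = BIN_HDR_SIZE + 16384
    bin_hdr = bytearray(BIN_HDR_SIZE)
    bin_hdr[:6] = LUKS2_MAGIC
    struct.pack_into(">H", bin_hdr, 6, 2)
    struct.pack_into(">Q", bin_hdr, 8, hdr_size)
    body = json.dumps(meta).encode().ljust(hdr_size - BIN_HDR_SIZE, b"\x00")
    return bytes(bin_hdr) + body


# Constructed metadata: slot 0 is a passphrase slot, slot 1 is TPM-bound.
EXAMPLE_META = {
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": TPM_TOKEN_TYPE, "keyslots": ["1"]}},
}
```

A volume that reports tpm_unlock true and an empty fallback list boots unattended but cannot be recovered if the TPM state changes, so keeping at least one fallback slot is the usual practice.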
New ALP workloads
There are new workloads available in the online repositories:
Conclusion
We received a lot of feedback since September 2022 when the first prototype was released. There are now a lot of active discussions, tests, setups, and engineering involved in building the next generation of Linux!
This major release makes ALP more flexible, secure and stable. Punta Baretti has extended the FDE support to bare metal servers. By using the Trusted Platform Module we have allowed for unattended booting while keeping the systems encrypted and secured.
After some compatibility issues, SELinux has been switched to enforcing mode and Firewalld now defaults to ‘deny’.
The integration within the D-Installer increases the possibility of different deployment configurations.
The new Punta Baretti prototype is now available, go ahead and test it out!
Next Steps
ALP is driven by the workgroups; if you are interested in joining the discussion, you can find them here.
Documentation for ALP is now updated with Punta Baretti.