What’s new in Linux: How we’re collaborating to help shape its future

Presented at Microsoft Ignite, November 20, 2024
Video recording: https://youtu.be/1C5YrThpaaA
Linux is a fundamental technology for the cloud, a key enabler for open-source technologies like Kubernetes and PostgreSQL, and powers over 60% of customer cores in Azure. In this session, we explore the top innovations across the Linux ecosystem and how Microsoft is collaborating with the partner and open-source communities to help shape the future of Linux. Hear customer stories and see demos of the latest Linux advancements on Azure.

Andy Randall

December 10, 2024

Transcript

  1. What’s new in Linux: How we’re collaborating to help shape its future
     Andy Randall, Principal PM Manager; Vincent Batts, Principal Software Engineering Manager
  2. Agenda
     • How we got here – Linux at Microsoft
     • Distros in Azure, Fujitsu’s Journey
     • Security, Quality & Reliability
     • Usability, Observability & Debugging
     • Evolution of Linux
  3. 15+ Years of Linux at Microsoft (timeline)
     • 1991: Linus Torvalds introduces Linux
     • 2009-2011: Hyper-V drivers in Linux kernel; Microsoft is 5th largest kernel contributor
     • 2012: Azure extended to Linux, steadily expanding range of endorsed distros
     • 2014-2016: SONiC, WSL
     • 2017: SQL Server
     • 2019: Linux >50% of Azure
     • 2020: Azure Linux 1.0
     • 2021: Azure Linux for AKS host
     • 2023: Azure Boost
  4. 100s of Microsoft services run on Linux
     AKS • Defender • PostgreSQL • HDInsight • Microsoft 365 (Office) • DNS Services • Minecraft • LinkedIn • GitHub • & more…
  5. Dozens of teams across Azure dedicated to Linux
     Kernel • 1P distro (Azure Linux) • quality and reliability • security • provisioning • upstream distro eng • cloud native/containers • & more…
  6. Two customer personas
     Anna: “I have a preferred distribution I want to use in Azure. I want to be able to run the distro of my choice.”
     Bob: “I want Linux but don’t know which distribution to use. I want to find out what options I have that work well in Azure.”
     We both want to:
     • Be able to easily find, procure and deploy Linux images in Azure
     • Know Microsoft works with the publisher to ensure quality, security and reliability
  7. What does “Endorsed” mean?
     • Contractual agreement and a deep relationship (more than just marketplace)
     • Engineering collaboration forum for alignment, escalations, etc.
     • In-Azure mirror infrastructure
     • Strong market demand
  8. Fujitsu’s Journey with Linux in Azure
     Chris Quinn, Global Vice Service Domain Owner, Fujitsu Digital Transformation Cloud and Data Center
  9. Fujitsu and Microsoft: Relationship
     • Global and Regional representation
     • Our success is supported by Microsoft
     • Platform Design consideration
     • Continuous upskilling support
  10. Fujitsu and Microsoft: Engineering support
     • Long term license support for Red Hat (Enhanced EUS)
     • Design: IaaS, PaaS and Container services
     • Network Topology
     • Security: Defender for Cloud
     • Linux Deployment Support
     Collaboration = Transformation
  11. OS Landscape: Linux 43%, Other 57%
     • Red Hat is in high demand for use in mission-critical systems
     • Red Hat, Ubuntu, SUSE OS estate: 43%
  12. What is DXP Cloud?
     Summary: Infrastructure services transformation
     • Azure platform
     • Simplification and Cloud first: "One Fujitsu"
     • Flexibility of traditional IaaS, plus PaaS and Container services
     • Global platform service
     Features: Ensure safe and secure use of new features
     • Modern, robust functionality, Azure landing zone architecture
     • Bundled security features
     • Compliance with industry-standard security guidelines (NIST)
     Scope: Corporate systems
     • Global Operations: Fujitsu and Fujitsu Group companies
     • AI for Operations, User Experience, Development
  13. Linux Deployment Fundamentals
     Problem – Common issues when migrating Linux: enable security and governance without leaks and with long lead times
     • Missing settings and diagnostics
     • Manual deployment / testing: Weeks
     Solution – Azure helped us minimize impact: automate security and governance deployment with DevOps
     • Defender for Cloud
     • Azure Policy Enforcement
     • Deployment / testing: Minutes
  14. Red Hat Strategy > Azure
     Problem – Before migration to Azure: reduce burden of license and OS patch application management
     • Large server estate: time-consuming process
     • Track deployed licenses, patching status and levels
     • Apply license renewal and patching on individual servers
     Solution – After migration to Azure
     • Aggregated license renewal process
     • Centralized management of patch application status, using Azure Update Manager
  15. Secure Future Initiative
     Principles: Secure by design • Secure by default • Secure operations
     Pillars: Security culture and governance • Protect identities and secrets • Protect tenants and isolate production systems • Protect networks • Protect engineering systems • Monitor and detect threats • Accelerate response and remediation
     Foundations: Continuous improvement • Standards • Paved path
     Link: Secure Future Initiative | Microsoft
  16. Trusting your Images: Azure Marketplace Certification
     • Validation of publishers in Marketplace
     • Certification of images on ingestion – including for vulnerabilities
     • Ongoing scanning of images in marketplace
  17. Trusting your Images: Azure Trusted Launch
     • Secure Boot ensures only signed OS images and drivers can boot
     • Virtual Trusted Platform Module (vTPM) establishes root of trust
     • Boot Integrity Monitoring via Guest Attestation
     Link: Trusted Launch for Azure VMs - Azure Virtual Machines
     * Flatcar planned Q4 2024
  18. Protecting Data in Use: Confidential Computing
     • Confidential VMs run in a trusted execution environment (TEE) (link: Azure confidential computing)
     • Guest Attestation ensures the workload really is running in a TEE with secure boot enabled (link: What is guest attestation for confidential VMs?)
     • NEW: OpenHCL, a new open source paravisor, enables older VMs to run in confidential mode (link: OpenHCL: Evolving Azure’s virtualization model)
  19. Protecting Data in Use: Confidential Computing
     NEW – Confidential Containers in Azure Red Hat OpenShift (ARO)
     • Leverages AMD SEV-SNP
     • Builds on upstream Kata CoCo collaboration
     • Public preview (link: Confidential Containers Public Preview on Azure Red Hat OpenShift)
     NEW – Confidential VMs for AI
     • Azure NCC H100 v5 VMs
     • 4th-gen AMD EPYC CPU with SEV-SNP + NVIDIA H100 Tensor Core GPUs
     • OS: Ubuntu 22.04
     • Generally available (link: General Availability: Azure confidential VMs with NVIDIA H100)
     Confidential Containers
     • Implemented by Kata-CC project, with MS as active participants
     • Supported in AKS & ACI
     • Public preview (link: Confidential Containers with Azure Kubernetes Service (AKS))
  20. NEW – Integrity Policy Enforcement (IPE)
     • Limit execution to known, signed binaries
     • Requires enforcement in the kernel
     • Eliminates attacks: linker hijacking (LD_PRELOAD, LD_AUDIT, DLL injection) • binary rewriting • malicious binary execution/loading
     • Developed by Microsoft’s Linux kernel team
     • Contributed to upstream kernel
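As an added illustration that is not part of the deck, this is a minimal policy in the upstream kernel's IPE policy language expressing the slide's idea of "only known, signed binaries execute": everything is denied unless it comes from the boot-verified initramfs or from a dm-verity volume with a trusted signature. The policy name and version are placeholders chosen here.

```text
policy_name=example_exec_policy policy_version=0.0.1
DEFAULT action=DENY

# Executables from the initramfs that the kernel verified at boot may run.
op=EXECUTE boot_verified=TRUE action=ALLOW

# Executables on a dm-verity volume whose root hash carries a trusted signature may run.
op=EXECUTE dmverity_signature=TRUE action=ALLOW
```

Per the kernel's IPE admin guide, a policy is PKCS#7-signed and loaded through securityfs rather than edited in place, and a DEFAULT DENY policy is best first trialled with `ipe.enforce=0` so denials are only audited while the image is confirmed to be fully covered.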
  21. Ensuring Security and Compliance with Azure Policy
     Azure Security Baseline for Linux
     • Defines recommended hardening options for your VMs (Azure + Arc)
     • Based on Center for Internet Security (CIS) standards
     NEW – Enhanced audit experience
     • Security baseline with Azure Policy and Machine Config
     • More accurate findings & detailed descriptions
     • Fully aligned with CIS
     NEW – Auto-remediation
     • Built on open-source (azure-osconfig)
     • No additional cost
     • Limited Public Preview
     Link: From Compliance to Auto-Remediation: Azure's Latest Linux Security Innovations
  22. A Combinatorial Challenge for Quality
     Guest: Azure Linux Fleet • 75+ Guest Extensions • Features & Kernels • 7 Endorsed Partners • 125+ 3P Publishers • 40K+ Packages • 20K Images
     Host: 1K+ VM Sizes/SKUs • Azure Host and Virtual Stack
     Workloads and Health Monitoring
  23. Our Approach to Ensuring Linux Image Quality
     LISA – Linux Integrated Services Automation
     • 400+ tests cover 40+ areas
     • Extensible, supports all flavors of Linux
     • github.com/microsoft/lisa
     Azure Certify
     • Comprehensive validation of all images submitted to marketplace
     • Includes LISA + scan for malware and vulnerabilities
     KernelCI Foundation
     • Continuous validation of upstream kernels
     • KernelCI Foundation sponsorship
     • Azure-tuned kernel (ATK)
     NEW – AITL: Azure Image Test Service for Linux
     • Self-service automation portal for image publishers
     • Secure, API-driven
     • Private Preview
  24. Updates & Snapshots
     Problem: Safe Deployment Practices aborts a roll-out if an error is encountered, leaving different machines/regions with inconsistent versions.
     Solution: Enhanced apt package manager and Azure Guest Patching Service to enable deterministic deployment of a known-good version from a point in time.
     Link: Increased security and resiliency of Canonical workloads on Azure
  25. NEW – SSH: Ed25519
     • Ed25519 is an Edwards-curve Digital Signature Algorithm (EdDSA) signature scheme using SHA-512 and Curve25519
     • Now supported for SSH keys in Azure Portal and CLI, alongside existing RSA key formats
     • Faster performance and equivalent security at smaller key length (RSA may offer greater security for larger key lengths)
     • Looking at supporting other emerging formats for greater security
     Link: Azure updates
  26. NEW – azure-vm-utils
     • New open-source project: github.com/Azure/azure-vm-utils
     • Home for small utilities; first one: azure-nvme-id
     • Addresses the problem of consistent, predictable device names for NVMe devices
     • Working with upstream communities to make this available via all the major distros
  27. NEW – azure-init
     • New open-source project: github.com/Azure/azure-init
     • Minimalist provisioning of Linux VMs from Azure metadata
     • Extremely lightweight, written in Rust; few requirements, so it can be run early in the boot process
     • For reference, or for lightweight distros without full guest config (e.g. cloud-init)
  28. Sometimes, you want to run code in the kernel…
     • debugging / performance analysis
     • application monitoring & security
     • customizable low-level networking controls
     • <insert your new idea here>
  29. eBPF enables this safely, without kernel modules
     • in-kernel restricted virtual machine sandbox + verifier
     • bytecode just-in-time compiled to native instruction set
     • event/function hooks
     • helper functions
     • maps
     “eBPF does to Linux what JavaScript does to HTML. (Sort of.)” – Brendan Gregg, Netflix
  30. Unlock the power of eBPF with Inspektor Gadget
     • Wide range of Gadgets
     • Run in Kubernetes or Linux host
     • Framework for building & deploying new gadgets
     Gadgets by category:
     • Advise: Seccomp-profile • Network-policy
     • Audit: Seccomp
     • Snapshot: Process • Socket
     • Trace: Network • Bind • Capabilities • Dns • Exec • Fsslower • Lsm • Malloc • Mount • Oomkill • Open • Signal • Sni • Ssl • Tcp • Tcpconnect • Tcpdrop • Tcpretrans
     • Top: Blockio • Ebpf • File • Tcp
     • Profile: Block-io • Cpu • Tcprtt
     • Other: Traceloop • Deadlock • Fsnotify
     Inspektor Gadget (inspektor-gadget.io) – open source, in CNCF
  31. Challenges with managing traditional package-managed Linux distributions at scale
     • Security
     • Configuration drift
     • SSH
     • Inconsistent package and OS updates
  32. Evolving Linux Distro Architecture
     • 2009: Image-based desktop OS
     • 2014, 2019: Image-based server OS, container optimized
     • 2024 & beyond: Image-based general purpose distros
  33. Linux Architecture Evolution: Industry Collaboration
     • The Linux Userspace API (UAPI) Group
     • systemd project (systemd.io - System and Service Manager)
     • CNCF TAG Runtime Special Purpose OS Working Group
     • Flatcar Container Linux project, in CNCF (flatcar.org | Flatcar Container Linux)
  34. Microsoft doesn’t just love Linux, we live Linux!
     • The primary platform for cloud workloads, including AI
     • Dozens of teams across Azure focused on enhancing quality, security, reliability, and usability of Linux
     • Close collaboration with other vendors and the upstream Linux open source community
  35. How did we do?
     Tell us your thoughts about our sessions and the overall event in the surveys.