March 05, 2019
The Debian project has started the freezing process to prepare to release Debian 10 (codename Buster) in the coming months. During the development-cycle time of this release the Debian Cloud team has made progress in many fronts: formalizing the team inside the project, improving our tooling, investing in QA, optimizing the generated images and increasing the number of supported architectures.
Last October, the Debian Project Leader (DPL) officially announced the creation of the Debian Cloud Team and appointed some Debian Developers as Delegates: Lucas Filipozzi (lfilipoz), Steve McIntyre (93sam) and Tomasz Rybak (serpent). The delegates are responsible for the policies, procedures, and services that are necessary for the production and maintenance of the official Debian images for use on cloud providers. The team chose those developers as Delegates because they have no direct involvement with cloud providers (many people in the team provide consultancy or work for cloud providers), avoiding any bias in the decisions made by the team. Moreover, the delegates with the support of Software in the Public Interest (SPI) have been working with some cloud providers (Microsoft Azure, Amazon AWS and Google Cloud) to create official Debian accounts in each of them, which will allow us to perform tests and publish Debian community images to their users.
In order to take advantage of these agreements with different cloud providers, our tooling has been improved to support publishing images to each of them. The team has designed and implemented, using Python, a framework to facilitate the specification of the different publishing processes among providers. As of now, Azure, AWS and GCE are supported but it is easily extendable. For some time, the team has been using FAI (Fully Automatic Installation) to build cloud images instead of bootstrap-vz. All the FAI configuration, the framework to publish images to cloud providers and further documentation can be found in debian-cloud-images git repository on salsa.debian.org.
Due to the recent migration to salsa.debian.org (Debian's GitLab instance) many nice features are at our disposal and one of them is the GitLab CI. The Debian Cloud team has taken advantage of that and defined some pipelines to build all variants of cloud images. Additionally, an implementation of an initial version of a testing infrastructure has been started, it is available in debian-cloud-tests repository on salsa. With that we aim to run some smoke test (for example checking the boot process and networking) in all our images, probably using qemu, and also be able to execute specific tests in VMs launched in cloud providers infrastructure. In the future, when our smoke tests are more stable and reliable, we intend to run them in the GitLab CI pipeline mentioned, not only ensuring that images built, but that the basic features also work.
Leaving the Debian images production and QA processes aside and looking at their content, some interesting modifications for optimization and better configuration of the images were made. For instance, many improvements regarding networking, partitioning and UEFI support were made to the scripts and configurations used by FAI. But also some new packages were introduced to the Debian archive in order to better support cloud images. A cloud-specific Linux package (linux-image-cloud) allowed us to disable features that are not relevant in cloud environments and enable what is really important. For example, features related to bluetooth and sound support are disabled and some drivers needed by the cloud providers are enabled. To illustrate that, Amazon EC2 uses Elastic Network Adapter (ENA) support and Intel Corporation 82599 Ethernet Controller Virtual Function, and Microsoft Azure uses Mellanox Technologies MT27500/MT27520 Family [ConnectX-3/ConnectX-3 Pro Virtual Function], all of them are enabled by default in linux-image-cloud package (and are not needed at all by regular Debian users). Furthermore, the grub-cloud package was created to provide some specific cloud setup on top of regular grub packages, it installs grub for the PC/BIOS and the EFI-AMD64 architecture.
Another cloud-related package introduced to the Debian archive that will allow the creation of official Debian images for GCE was google-compute-image-packages. GCE images depend on a guest agent developed by Google to provide a better user experience to their users, and it was not available in the Debian archive. Due to the absence of this agent, Debian was not able to build official GCE images since one of the requirements to be considered as an official image is to use only packages available in the main archive. Other cloud providers that Debian Cloud team is working with at the moment (Azure and AWS) already have all their agents packaged and available in the Debian archive, allowing the production of official Debian images.
An important feature we are pushing forward within the entire Debian community is the Secure Boot support. It is a great feature for all users but it is especially desirable in cloud environments. By default Secure Boot prevents changes in your bootloader and kernel by attackers. In the context of virtual machines, this feature is even more important since we do not have physical access to them to modify the trusted key set (only the hypervisor admin could do it). Therefore, Debian signs all the packages involved in your boot process using a key widely used in the market, and the cloud providers can use that to guarantee the security of the boot process in Debian machines. Fortunately, this feature will be available in the next Debian release and we hope to keep going further in this front.
People using Debian in the cloud are Debian users, and from the social contract "Our priorities are our users and free software", and we want them to have the best experience enabling features supported by the cloud providers. Some cloud providers, such as AWS and IBM Cloud, are moving towards non-amd64 architectures (arm64 and ppc64el respectively), and to support our users in this scenario the cloud team has also moved in this direction. For now, arm64 and ppc64el images can be built using the configuration available in debian-cloud-images repository.
Due to this growth of the number of cloud images variants and trying to make the user's life easier, the team has discussed the implementation of a cloud image finder application. It would be a web app where users can provide some image's attributes and find what they are looking for. Some other distributions provide this kind of service in a nice manner, such as Ubuntu. Since the Debian Cloud team is small and we do not have the necessary human power to get that done, we are proposing a GSoC project, trying to find an intern willing to join the team and help us on that. If you are or know someone that would be interested in this project do not hesitate to reach out to us.
The Debian Cloud team should have more news soon! Let's release Buster!
With virtme, you can run a custom built kernel on top of our running root filesystem. In this post, we explore another example of virtme…
Introducing cmtp-responder - a permissively licensed Media Transfer Protocol (MTP) responder implementation which allows embedded devices…
Up until now, talking in-depth about userspace tracing was deliberately avoided because it merits special treatment, hence this part devoted…
After a successful team effort, the patch enabling the Chromium Embedded Framework (CEF) Ozone builds to run with different platform backends,…
Now that we've studied the mainstream way of developing and using eBPF programs on top of the low-level VM mechanisms, we'll look at projects…
A previous post introduced the SPURV Android compatibility layer for Wayland based Linux environment. In this post, we're going to dig into…