You want automatic Fedora CoreOS updates for your Kubernetes cluster? And what do Zincati and libostree have to do with it? Get a quick overview here!
Fedora CoreOS is used as the operating system for many Kubernetes clusters. This operating system, which specializes in containers, scores points above all with its simple, automatic updates. Unlike a conventional distribution, it is not updated package by package. Fedora CoreOS first creates a new, updated image of the system and finalizes the update with a reboot. A smooth process is ensured by rpm-ostree in combination with Cincinnati and Zincati.
Before we take a closer look at the components, let’s first clarify how you can activate automatic updates for your NWS Kubernetes cluster.
How do you enable automatic updates for your NWS Kubernetes cluster?
In the NWS portal, you can easily choose between different update mechanisms. To do this, click on “Update Fedora CoreOS” in the context menu of your Kubernetes cluster and choose between immediate, periodic and lock-based.

Immediate immediately applies updates to all your Kubernetes nodes and finalizes the update with a reboot.
Periodic only updates your nodes during a freely selectable maintenance window. In addition to the days of the week, you can specify the start time and the length of the maintenance window.
Lock-based uses the FleetLock protocol to coordinate updates. Here, the finalization of updates is coordinated via a lock manager. This ensures that nodes do not finalize updates and reboot at the same time. In addition, the update process is stopped in the event of problems, so that the other nodes do not carry out an update.
Disable deactivates automatic updates.
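The lock-based behaviour described above, as an added example that is not NWS or Zincati code: an in-memory lock manager that speaks the FleetLock request shape and shows why a node that never returns from its reboot blocks the rest of the rollout. The endpoints, the fleet-lock-protocol header and the client_params body follow the FleetLock protocol; the class and function names, the 409 status, the error kind strings and the single slot are assumptions of this sketch.

```python
import json

SLOTS = 1  # assumption: one node may reboot at a time
HEADER = ("fleet-lock-protocol", "true")  # required on every FleetLock request

class LockManager:
    """In-memory stand-in for a FleetLock server (no network, no persistence)."""

    def __init__(self, slots=SLOTS):
        self.slots = slots
        self.holders = {}  # group -> set of node ids holding a reboot slot

    def handle(self, path, headers, body):
        """Process one POST and return (status, response_body)."""
        if headers.get(HEADER[0]) != HEADER[1]:
            return 400, error("missing_header", "fleet-lock-protocol header required")
        try:
            params = json.loads(body)["client_params"]
            node, group = params["id"], params["group"]
        except (ValueError, KeyError, TypeError):
            return 400, error("bad_request", "client_params.id and .group required")
        held = self.holders.setdefault(group, set())
        if path == "/v1/pre-reboot":
            # Recursive lock: a node that already holds a slot is granted again.
            if node in held or len(held) < self.slots:
                held.add(node)
                return 200, ""
            return 409, error("all_slots_taken", "held by " + ", ".join(sorted(held)))
        if path == "/v1/steady-state":
            # Unlock if held: also succeeds when the node holds nothing.
            held.discard(node)
            return 200, ""
        return 404, error("unknown_endpoint", path)

def error(kind, value):
    return json.dumps({"kind": kind, "value": value})

def request(manager, path, node, group="default"):
    """What a node's update agent sends: header plus its id and group."""
    body = json.dumps({"client_params": {"id": node, "group": group}})
    return manager.handle(path, dict([HEADER]), body)

def rollout(manager, nodes, healthy):
    """Each node asks to reboot once; unhealthy nodes never report steady state."""
    rebooted = []
    for node in nodes:
        status, _ = request(manager, "/v1/pre-reboot", node)
        if status != 200:
            continue  # denied: the node stays on its current deployment
        rebooted.append(node)
        if healthy(node):
            request(manager, "/v1/steady-state", node)
    return rebooted
```

With three nodes and a second node that never reports steady state, the third node's pre-reboot request is refused until the lock is released, which is the point at which an operator should be alerted.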
So far, so good! But what are rpm-ostree and Zincati?
Updates with a difference!
The introduction of container-based applications has also made it possible to standardize and simplify the underlying operating systems. Reliable, automatic updates and the control of these – by the operator of the application – also reduce the effort required for maintenance and coordination.
rpm-ostree creates the images
rpm-ostree is a hybrid of libostree and libdnf and thus a mixture of image and package system. libostree describes itself as git for operating system binaries, where each commit contains a bootable file tree. A new version of Fedora CoreOS thus corresponds to an rpm-ostree commit, maintained and provided by the CoreOS team. libdnf offers the familiar package management features, so users can extend the base provided by libostree.
Taints and tolerations
Nodes on which no containers can be started or which are not reachable are given a so-called taint (e.g. not-ready or unreachable) by Kubernetes. As a counterpart, pods on such nodes are provided with a toleration. This also happens with a Fedora CoreOS update. Pods are automatically marked with tolerationSeconds=300 during a reboot, which restarts your pods on other nodes after 5 minutes. You can find out more about taints and tolerations in the Kubernetes documentation.
Cincinnati and Zincati distribute the updates
To distribute the rpm-ostree commits, Cincinnati and Zincati are used. The latter is a client that regularly queries the Fedora CoreOS Cincinnati server for updates. As soon as a suitable update is available, rpm-ostree prepares a new, bootable file tree. Depending on the chosen strategy, Zincati finalizes the update by rebooting the node.
What are the advantages?
Simple rollback
With libostree it is easy to restore the old state. All you have to do is boot into the previous rpm-ostree commit. This can also be found as an entry in the GRUB bootloader menu.
Flexible configuration
Zincati offers a simple and flexible configuration with which hopefully every user will find a suitable update strategy.
Little effort
Fedora CoreOS can update itself without manual intervention. In combination with Kubernetes, the applications are also automatically moved to the currently available nodes.
Better quality
The lean image-based approach makes it easier and more accurate to test each version as a whole.
Only time will tell whether this hybrid of image and package-based operating system will prevail. Fedora CoreOS – as the basis for our NWS Managed Kubernetes – simplifies the update process considerably and still enables our customers to control it easily.




