An overview of Project Atomic

February 21, 2018

This article was contributed by J. B. Crawford

Terms like "cloud-native" and "web scale" are often used and understood as pointless buzzwords. Under the layers of marketing, though, cloud systems do work best with a new and different way of thinking about system administration. Much of the tool set used for cloud operations is free software, and Linux is the platform of choice for almost all cloud applications. While just about any distribution can be made to work, there are several projects working to create a ground-up system specifically for cloud hosts. One of the best known of these is Project Atomic from Red Hat and the Fedora Project.

The basic change in thinking from conventional to cloud-computing operations is often summed up as that of "pets versus cattle". Previously, we have looked at our individual computers as "pets", in that we think about them as individual entities that need to be protected. If a server went down, you would carefully fix that server, or in a worst case replace it with a new host by copying over a backup. In a cloud environment, we can create and destroy hosts in seconds, so we take advantage of this by treating those hosts as largely disposable "cattle". If a host encounters a problem, we just destroy it and create a new host to take over its function.

Closely coupled with this paradigm shift is a move to containerization. Container systems like Moby (formerly known as Docker) or rkt allow you to deploy software by packaging it into an image, similar to a very lightweight virtual machine, complete with all dependencies and system configuration required. Containerized, cloud-based deployments are quickly becoming the most common arrangement for web applications and other types of internet-connected software that are amenable to horizontal scaling.

With disposable servers running software that comes packaged with all its requirements, there's no longer as much need to manage the underlying servers at all. Ideally, they are set up once and never changed—even for updates. Instead of being "administered" in the conventional sense, an out-of-date cloud host is simply destroyed and replaced with a new one. This pattern is referred to as "immutable infrastructure", and it's perhaps the largest technical shift involved in modern cloud computing.

In a typical container-based cloud deployment, there are actually two levels at which a Linux distribution is involved. First, there is the operating system on the cloud hosts. Second, there is the Linux environment in the application containers running on those hosts—these share the kernel but have their own user space. The flexibility to use different distributions for different applications is one of the advantages of containerization, but in production systems the distribution installed in the container will often be a lightweight one like Alpine or a stripped down Ubuntu variant. The Linux distribution on the cloud host itself should be capable of running the containers and should provide whatever services are needed for maintenance and diagnostics.

Project Atomic produces such a distribution and, more generally, builds tools for Linux cloud hosts and containers. Project Atomic is the upstream project for many components of OpenShift Origin, which is the basis for Red Hat's commercial container-deployment platform OpenShift. The main Atomic product is Atomic Host, a Linux distribution for immutable cloud hosts running containers under Moby and Kubernetes.

Atomic Host comes in two different flavors depending on the user's risk appetite and desired update cycle: one derived from CentOS and one derived from Fedora. On top of the base distribution, Atomic Host makes a number of modifications. The most significant is the rpm-ostree update system. Rpm-ostree is a based on OSTree, which is described as "Git for operating systems", and is integrated with the familiar Red Hat package-management ecosystem but operates quite a bit differently. Conceptually, rpm-ostree manages the system software much like a container image. The entire installation is one atomic version, and updates replace it completely with a new version while keeping the previous version available for rollback. These versions are managed in a Git repository.

So, with Atomic Host, instead of installing an operating system on a server and then installing and configuring a variety of system software, you can instead create a virtual machine or cloud host from an Atomic Host image and then, in one step, install a Git-controlled system configuration. The system is ready to serve an application in just two steps that can be easily automated by a cloud orchestrator. When the image becomes outdated, whether because of updates to the kernel or just to some configuration files, you build a new image and completely replace the filesystem on the running hosts with the new image.

Atomic Host's Fedora variant updates at a strict biweekly cadence, providing new images with the patches and updates that would normally come as updates to individual packages. The CentOS option currently releases irregularly, about once per month, although one of the goals of the CentOS Atomic SIG is to establish a regular release cycle for the future. In a notable difference from a more conventional update strategy, users will have to apply these as complete system updates in order to receive security patches and bug fixes. Since per-package updates may come more quickly than every two weeks, there may be a somewhat larger window of vulnerability for Atomic Host when compared to Fedora or CentOS.

Composing with rpm-ostree

Let's take a closer look at how an rpm-ostree configuration is created. The Git repository controlling rpm-ostree contains a number of files that describe the cloud host in terms of installed package versions and their configurations. The rpm-ostree tool then "composes" the system, assembling the packages and configuration into a filesystem and storing the result as an image file. The underlying OSTree tooling actually records the state of the filesystem after the compose and then installs the resulting version by copying the entire filesystem onto a host. This is conceptually similar to a disk image but, since OSTree operates at a filesystem level, it is both more efficient and capable of using filesystem features to retain older versions for easy rollback of changes.

This is a different way of installing updates from the one we've all become accustomed to. There are several major advantages, though. First, the filesystem replication process guarantees that the installed software and operating system configuration on one host will be identical to those installed on the others. The rpm-ostree mechanism also allows thorough testing (including automated integration testing) of a complete host configuration, from the operating system up, before making changes to the production environment. Second, it prevents a huge number of potential problems with software installation and update consistency, making it much easier to automatically update hosts—every update is an installation from scratch with no concerns about the starting state. Finally, it makes it far easier to replace hosts. Since all of the software on the host came from a known, version-controlled configuration, there's no need to worry that there is special configuration on a host that will be lost. In short, there's no need for backups as everything can be exactly recreated from the start.

Rpm-ostree extends the basic OSTree image approach by allowing "layering" of RPM packages on top of an OSTree configuration. If you have worked with Docker/Moby, this concept of image layering will be familiar. If an existing OSTree image meets your basic needs but you require some additional software, the RPM packages for the additional software can be added on top of the OSTree image without building an entirely new image. This eases the transition to immutable updates by allowing administrators to stick to one of their most familiar tools: making software available by installing a package.

Also included in Atomic Host is the atomic command, which wraps Moby to simplify installing and running container images that have specific expectations about the way they are run. atomic is particularly well suited for Moby containers used for system functions; an example use case is automatically placing systemd unit files to manage the Moby container as a service. Instead of pulling a Moby image and going through several steps to set up a systemd unit to run it with appropriate settings, containers with the right metadata can just be installed with atomic install.

It should be clear that Atomic Host is a significant change from traditional server-oriented Linux distributions. Atomic Host might sound difficult to use for small environments and one-off servers, but those are not in its use cases. Immutable infrastructure systems work best in at-scale environments where hosts—servers, virtual machines, or cloud instances—can be obtained and abandoned easily. Philosophically, Atomic Host focuses on providing a testable, consistent environment overall, rather than maintaining individual hosts for maximum reliability. As a result, it is not a good choice for "pet" servers that are individually important and cannot easily be replaced. To truly take advantage of Atomic Host, the applications you run should be able to tolerate individual hosts disappearing and add new hosts as they become available.

The benefit of this change is simpler and more automated maintenance of multiple servers. When your application runs on hosts that are nearly stateless and can be rebuilt in minutes, there's far less need for traditional system administration. Instead, your time can be spent on thorough design and testing of your system configuration.

Atomic Host is not the only product of Project Atomic. There is also Cockpit, which is a web application that allows for easy remote management and monitoring of hosts running Atomic Host. Cockpit is a step between manually installing and managing Atomic Host nodes and a complete configuration management system such as Puppet; Cockpit is still a tool to monitor and manage individual hosts, but allows you to do so from a central interface instead of via SSH. Because of Atomic Host's simple, low-maintenance design, this may be all that's needed for cloud environments with tens of hosts.

While it's perfectly possible to make changes to an Atomic Host installation on the fly via SSH or even Cockpit, doing so negates many of the advantages of immutable deployments by introducing inconsistent and likely poorly tested changes. As with many technologies, immutable deployments also require an element of discipline by the operators. The temptation to make a "quick fix" must be overcome in favor of a tested, controlled change to the entire deployment.

Finally, Project Atomic has also put quite a bit of work into developing the basic nuts and bolts for a well-run Linux cloud environment. A major example is their significant work on integrating Moby with SELinux. This effort, like Atomic Host and Cockpit, will help to keep Linux solidly at the front of cloud computing.

Index entries for this article
GuestArticles	Crawford, J. B.

An overview of Project Atomic

Posted Feb 21, 2018 23:37 UTC (Wed) by mskarbek (guest, #115025) [Link] (1 responses)

> running containers under Moby and Kubernetes

Atomic Host (nor Fedora/CentOS/RHEL) was never shipping Moby. You can install that using external repository. Red Hat stopped shipping official Docker/Moby releases around Docker 1.12 (later updated to 1.13 in Fedora) and simply backports bugfixes/certain functionality to their Docker package (which is also enhanced with patches not upstreamed because of hostility of Docker maintainers).

Additionally they developed Cri-o project with intention of completely replacing Docker and eventually removing Docker form base image.

An overview of Project Atomic

Posted Feb 25, 2018 0:39 UTC (Sun) by cyphar (subscriber, #110703) [Link]

More importantly, you don't run containers under "Moby" at all -- this is quite a common confusion. While the repository may be called "Moby", the long-term plan of the project is to make "Moby" be a kind of "builder" for Docker and alternative configurations of the various components that make up Docker[1]. "Moby" doesn't run containers.

And this point is the same regardless of the version. Right now, openSUSE ships Docker-CE 17.09.1, but that doesn't mean that we ship "Moby" -- you can't ship "Moby" because the project that they are describing when they talk about "Moby" simply doesn't exist yet.

[1]: https://github.com/moby/moby/projects/6

An overview of Project Atomic

Posted Feb 22, 2018 13:52 UTC (Thu) by walters (subscriber, #7396) [Link] (7 responses)

It looks like this article was sourced from website material mostly; unfortunately our website hasn't been updated as much as it should have been, and we have an entirely new one in progress.

There's a lot more up-to-date material to be found on the mailing lists.

In particular I want to highlight this post with Devconf.cz 2018 talks.

Now:

Project Atomic produces such a distribution

No; Project Atomic is not itself a distribution; rather there's e.g. Fedora Atomic Host, and Red Hat Enterprise Linux Atomic Host variants of our existing distributions. A key point here is that Atomic Host is 99% just a "list of packages" - we reuse the same RPMs from upstream.

Project Atomic is also the upstream (in the github sense) for various bits of container technology like libpod and buildah as well as the rpm-ostree project mentioned.

On to ostree/rpm-ostree (to clarify, I am one of the main upstream developers for both). Very briefly: it's simplest to think of OSTree (now "libostree") as just an image system. The git thing is useful to understand the internals, but in day-to-day practice we really don't want admins to think they're "... install[ing] a Git-controlled system configuration" - it's simpler to pretend it's somewhat like an "A/B" partition style system, even if in fact it's not at all implemented that way.

And finally the point with which I disagree most:

Philosophically, Atomic Host focuses on providing a testable, consistent environment overall, rather than maintaining individual hosts for maximum reliability. As a result, it is not a good choice for "pet" servers that are individually important and cannot easily be replaced.

You could certainly say that was the original starting point. We haven't made a huge amount of noise about this, but since rpm-ostree gained package layering we now (in my opinion) excel at "pet" machines too. In fact, it's "pet" machines for which you most want transactional updates, right?

I now describe rpm-ostree as a hybrid image/package system. Anywhere you can use a package system or an image system, you could use rpm-ostree. This is quite a bold claim I know - I wouldn't say we are better in every way; we're still working through improving our client-side package layering support, and that will likely continue for years to come. But I believe it's in fact the "pet" server (or desktop/IoT) cases where we are most compelling - it's worth trying it out.

There's more in my devconf.cz talk linked above. For example, it became a lot more practical for me to use Fedora Atomic Host on my home "pet" server (not part of e.g. a Kube cluster, though I do use oc cluster up) once I could just rpm-ostree install libvirt ntfs-3g ... etc. (libvirt is too useful, and I had an old NTFS drive I wanted to read). I do actually run a lot of software in containers (e.g. my backup agent which bind mounts the host), but package layering meant I didn't have to containerize everything, and I can tap the whole existing RPM ecosystem as necessary, making an incremental transition a lot easier.

An overview of Project Atomic

Posted Feb 22, 2018 19:31 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]

>There's more in my devconf.cz talk linked above

Did you mean this URL?

https://www.youtube.com/watch?v=4A_xl5dC210

An overview of Project Atomic

Posted Feb 22, 2018 21:16 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

So I'm thinking about making a home automation server that should last for 10 years without hands-on maintenance. I want to include Asterisk, Home Assistant and some other tools.

So it needs transactional updates with automated rollbacks if the server fails to boot or if a service fails to start.

Is Project Atomic suitable for that? I'm currently looking at Ubuntu Core with snaps.

An overview of Project Atomic

Posted Feb 22, 2018 23:24 UTC (Thu) by walters (subscriber, #7396) [Link] (1 responses)

My view is definitely that we're making general purpose technology. So the short answer is yes, I think we're worth considering!

The longer answer is more complex. Actually it's been a while since I've played with Ubuntu Core and snaps (still surprises me Ubuntu doesn't have vagrant-libvirt boxes, and running through the ISO is sooo many "answer question" wait a bit, "answer question"...).

Anyways I think the basic way I'd summarize this is that snap is very focused on a container-like system for the "single machine" case which covers desktops, single node servers as well as some types of IoT. Our closest equivalent is "atomic install --system", which definitely works, but receives a lot less promotion/effort. We have not made a large scale effort to "system containerize" Fedora content for example. Also, the system container approach doesn't make sense for desktop apps, which is where flatpak is. So our story is messier.

On the other hand, the fact that they're saying ".debs" are just one way to build snaps - or in other words they're trying to use snap for everything is a pretty massive contrast with rpm-ostree, which supports a whole lot of our existing RPM ecosystem - proving that a true transactional system can be brought to traditional package management too.

Were you to choose a Project Atomic system you have multiple options for the extra software; package as RPM, build container images and learn about system containers, or actually go the full route of baking everything into a single "image" or ostree commit; for that last bit, see: https://mail.gnome.org/archives/ostree-list/2017-October/...

The biggest weakness in my view of Ubuntu Core and Snaps in general is that it's not benefiting from the massive industry investment in Kubernetes for the scale-out server case, which is where a whole lot of our container investment is going. But your case doesn't sound scale-out, so the comparisons get more interesting.

An overview of Project Atomic

Posted Feb 23, 2018 0:04 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

So with Ubuntu Core it's quite simple - the core itself is an immutable image that can be atomically upgraded and it hosts snaps which really are almost full-blown containers. The update story is fairly straightforward - the core itself is maintained by Ubuntu and can be atomically upgraded, as it's just another snap (it's snaps all the way down).

However, snaps are versioned individually and it's possible for the core upgrade to break a user snap. Each snap can also has its own package set.

Looks like OSTree allows to bake everything into one single image, but it looks like it doesn't allow to have multiple versions of a single package?

It's all very confusing. It'd be nice to have a single large chart describing all the features of Atomic, Core and other initiatives like ResinOS and RancherOS.

An overview of Project Atomic

Posted Feb 23, 2018 11:04 UTC (Fri) by ms (subscriber, #41272) [Link] (2 responses)

I've watched a couple of the videos now... it's interesting. I'm curious how you see it contrasting with Nix. To my mind (and I fully expect I may have missed all sorts of important details) Nix is still massively ahead in terms of describing packages and understanding dependencies between packages accurately. And they have all the same atomic properties too - it's all just links. But, last I checked, Nix certainly doesn't have the same investment in containers. I'm just curious as to how you see the systems contrasting?

An overview of Project Atomic

Posted Feb 23, 2018 13:18 UTC (Fri) by walters (subscriber, #7396) [Link] (1 responses)

For ostree upstream, we maintain a related projects list: here's the Nix entry. Specifically, I believe the "rebuild the world when glibc changes" part is not practical for a lot of use cases; I basically can't imagine doing something like Red Hat Enterprise Linux that operated that way.

However, that's just comparing libostree to Nix; rpm-ostree is a distinct thing layered on top. libostree is quite "policy free" - it's just an image system, you bring your own build system. Here's a simple way to look at it; it'd make sense to do a Nix build on a server, and commit that whole thing to libostree. In this model, libostree replaces NAR archives etc.; all the dependency resolution etc. is done on the server, and one can use libostree's static deltas, etc. (Doing this would entail unwinding some of the overlap between the nix store and libostree though).

And in fact it's important to look at the bigger picture: the intention for rpm-ostree is to maintain minimal host systems and for people to do as much in containers as possible (generally). See this thread - as a developer I spend most of my time using classic yum, but in containers (and I also use cargo, sudo pip install etc. too). And I also use oc cluster up directly on my workstation to have a full Kubernetes environment, so I can test things locally. A comparison with Nix would then start to entail how one builds and manages these containers, which is a totally distinct thing from the host.

Another point is that Nix really wants to "own" a declarative way to describe systems, whereas with rpm-ostree (and obviously yum/dnf) we are not trying to do that; you use whatever config management system you want.

As far as multiple versions of packages; that's where the Fedora Modularity effort comes in. Currently we haven't discussed doing modules for rpm-ostree on the host - you'd use modules in containers (or VMs).

An overview of Project Atomic

Posted Feb 23, 2018 13:41 UTC (Fri) by ms (subscriber, #41272) [Link]

Thank you for your detailed reply. Sorry I hadn't found the comparison entry before.

The "rebuild the world" comment I feel is a fraction unfair. Firstly, it is the only way to be sure (in lieu of some other source of trust), but also most of the time with Nix, you're pulling from binary caches anyway, so for most people there is no huge amount of recompilation. OTOH, I totally accept that even if most people aren't recompiling, nevertheless there would be a lot of rebuilt packages that need to be installed.

I guess the reason I asked is in one of your talks you mentioned the difficulty of meaningful version numbers in particular versioning a system installation, and the fact that ostree provides a solution to that problem. To me, this problem is inextricably linked to the whole question of dependency management, both compile-time and run-time, of every package you have installed, and then of course you get into questions of reproducible builds and so on. It's this side that I feel Nix addresses so elegantly and consistently. You also mentioned no one likes writing spec files, which again made me think of Nix and it's rather lovely lazy expression language. :)