Popular Micro OSes for containers you should know
The current technological trend is to run applications in containers. In this context, it makes a lot of sense to eliminate all the packages and services of the host Operating System (OS), which are not essential for running containers. With that in mind, various vendors have come forward with specialized minimal OSes to run just containers.
Once we remove the packages that are not essential to boot the base OS and to run container-related services, we are left with specialized OSes, which are referred to as Micro OSes for containers. Some popular Micro OSes are:
Alpine Linux is an independent, non-commercial, Linux distribution designed for security, simplicity, and resource efficiency.
At about 8 MB per container, it is far more resource-efficient than typical distributions. Users control which binary packages are installed, which keeps the system small yet efficient.
Alpine Linux uses its own package manager, called apk, the OpenRC init system, and a set of set-up scripts. Users can add packages as needed, such as a PVR, iSCSI storage controllers, a mail server container, or an embedded switch.
Alpine Linux was designed with security in mind, with built-in proactive security features that prevent the exploitation of entire classes of zero-day and other vulnerabilities.
Key benefits of using Alpine Linux are:
- It is a minimal OS designed to run containerized applications as well.
- It is designed for security, simplicity, and resource efficiency.
- It requires 8 MB as a container.
- It requires 130 MB as a standalone minimal OS installation.
- It provides increased security by compiling user binaries as Position Independent Executables (PIE) with stack smashing protection.
- It can be installed as a container, on bare metal, or in VMs.
- It offers flavors optimized to support Xen and Raspberry Pi.
Find more here: https://www.alpinelinux.org/
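The PIE and stack-smashing-protection claim above is something a practitioner can verify on a binary rather than take on trust. The following dependency-free checker is an added example, not Alpine's own tooling: it reads `e_type` from the ELF header (ET_DYN marks a position-independent executable; note that shared libraries are ET_DYN too) and looks for the `__stack_chk_fail` reference that both musl and glibc emit when `-fstack-protector` is active. The `fake_elf` helper builds a constructed header so the check can be exercised offline.

```python
"""Audit an ELF binary for PIE and stack-smashing protection (SSP).

Added example for this article; constants come from the ELF specification.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
# Both musl and glibc reference this symbol from binaries built with -fstack-protector.
SSP_SYMBOL = b"__stack_chk_fail"


def elf_type(data: bytes) -> int:
    """Return the e_type field of the ELF header; raise ValueError if not ELF."""
    if data[:4] != ELF_MAGIC or len(data) < 18:
        raise ValueError("not an ELF file")
    # EI_DATA (byte 5) is 1 for little-endian, 2 for big-endian; e_type sits at offset 16.
    endian = "<" if data[5] == 1 else ">"
    return struct.unpack_from(endian + "H", data, 16)[0]


def is_pie(data: bytes) -> bool:
    """ET_DYN executables are position-independent (ASLR can relocate them)."""
    return elf_type(data) == ET_DYN


def has_stack_protector(data: bytes) -> bool:
    """Crude but self-contained: a protected binary names __stack_chk_fail in its string tables."""
    return SSP_SYMBOL in data


def audit(data: bytes) -> dict:
    return {"pie": is_pie(data), "stack_protector": has_stack_protector(data)}


def audit_file(path: str) -> dict:
    with open(path, "rb") as f:
        return audit(f.read())


def fake_elf(e_type: int, with_ssp: bool) -> bytes:
    """Constructed minimal little-endian ELF64 header for offline demonstration only."""
    hdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian, version 1
    hdr += struct.pack("<HHI", e_type, 62, 1)          # e_type, EM_X86_64, EV_CURRENT
    return hdr.ljust(64, b"\0") + (SSP_SYMBOL if with_ssp else b"")


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, audit_file(path))
```

Run it as `python3 audit.py /bin/busybox` on an Alpine container to compare the result with the claim; a hardened Alpine binary should report both flags as true.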
Atomic Host is a lightweight operating system assembled from specific RPM content. It allows us to run just containerized applications in a quick and reliable manner in private or public clouds. Atomic Host is available in three editions: Fedora Atomic Host, CentOS Atomic Host, and Red Hat Enterprise Linux (RHEL) Atomic Host.
Atomic Host is the core sub-project of Project Atomic, together with other sub-projects, such as Cockpit, and Atomic Developer Bundle. Project Atomic and its sub-projects aim to re-design the operating system around principles of immutable infrastructure, based on the LDK (Linux, Docker, Kubernetes) stack, with many components being upstream components of OpenShift Origin. The project maintains and makes use of additional open-source tools such as Buildah, Kompose, Bubblewrap, and skopeo.
Atomic Host comes out of the box with Kubernetes installed, together with several Kubernetes utilities such as etcd and flannel.
Atomic Host also comes with a command called atomic. This command provides a high-level, coherent entry point to the system, and fills in the gaps that are not filled by Linux container implementations, such as upgrading the system to the new rpm-ostree, running containers with pre-defined docker run options using labels, verifying an image, etc.
Key benefits of using Atomic Host are:
- It is an OS specifically designed to run containerized applications.
- It provides close-to-VM-like isolation with increased flexibility and efficiency.
- It enables us to perform quick updates and rollbacks.
- It provides increased security through namespaces, cgroups, and SELinux.
- It can be installed on bare metal and in VMs.
- It is available in Fedora, CentOS, and Red Hat Enterprise Linux editions.
- Containers can be deployed with Kubernetes and CRI-O.
- It integrates with Cockpit, a cross-cluster container hosts management tool.
Find more here: https://projectatomic.io/
Fedora CoreOS (FCOS) is an open-source project partnered with the Fedora Project. It was formerly known as Red Hat CoreOS and CoreOS Container Linux prior to that. It combines the best of both CoreOS Container Linux and Fedora Atomic Host (FAH) while aiming to provide the best container host to run containerized workloads securely and at scale.
Fedora CoreOS is a minimal operating system for running containerized workloads that updates automatically and is available on multiple platforms. Although it is a container-focused operating system, CoreOS is by design operable both in clusters and as standalone instances. In addition, it is optimized to work with Kubernetes, but it also works very well without the containerized workload orchestrator.
Key benefits of using Fedora CoreOS are:
- It is an OS designed to run containerized applications, both in clustered environments and as stand-alone instances.
- It enables us to perform quick updates and rollbacks.
- It provides increased security through SELinux.
- It can be installed on bare metal, virtual environments, and the cloud, or launched directly on AWS.
- It combines features of both Fedora Atomic Host and CoreOS Container Linux.
- It works well with Kubernetes.
- It uses Ignition as a provisioning tool for early boot disk partitioning, formatting, and other administrative configuration tasks.
Find more here: https://getfedora.org/en/coreos/
RancherOS is a lightweight and secure Linux distribution that is made of containers to manage other containers. It has the smallest footprint among Micro OSes because it only includes the software needed to run Docker, while all other OS features are pulled dynamically through Docker. By leveraging both Docker and Kubernetes to manage containers, RancherOS makes it simple to run containers at scale in development, test, and production environments. The containerized system services of the OS provide a very reliable and easy method to manage a container-ready environment.
RancherOS is a product provided by Rancher, a Kubernetes-as-a-Service (KaaS) provider supporting enterprise containerized workloads in multi-cluster Kubernetes environments.
Key benefits of using RancherOS are:
- It is a minimalist OS that eliminates unnecessary libraries and services.
- It decreases complexity and boot time.
- It is highly secure due to a small code base and a decreased attack surface.
- It runs directly on top of the Linux kernel.
- It isolates user-level containers from system containers by running two separate Docker daemon instances.
- It enables us to perform updates and rollbacks in a simple manner.
- We can use the Rancher platform to set up Kubernetes.
- It boots containers within seconds.
- It automates OS configuration with cloud-init.
- It can be customized to add custom system Docker containers using the cloud-init file or Docker Compose.
Find more here: https://rancher.com/docs/os/v1.x/en/
Ubuntu Core is a lightweight version of Ubuntu, predominantly designed for IoT devices but also found in large container deployments. In comparison with other container OSes, its size of around 260 MB places Ubuntu Core at the top of container OSes, besting CentOS Atomic and Fedora CoreOS. Similar to Ubuntu Server and Ubuntu Desktop, Ubuntu Core works with software packages called snaps.
Security is a top concern for the designers of Ubuntu Core, implemented by features such as:
- Hardened security with immutable packages and persistent digital signatures.
- Strict application isolation.
- Reduced attack surface by keeping a small OS, stripped down to bare essentials.
- Automatic vulnerability scanning of packages.
In addition, Ubuntu Core was designed with extreme reliability, implemented by:
- Transactional updates that increase OS and data resiliency by allowing automated rollbacks when errors are encountered.
- Automated restore points to allow returns to the last working boot in the case of an unsuccessful kernel update.
- Consistent application data snapshots.
Ubuntu Core was built for the enterprise by including secure app store management and license compliance. Developers using Core as their platform enjoy cross-platform portability of snaps from Desktop and Server to Core, together with CI/CD pipeline support and integration with Travis.
Key benefits of using Ubuntu Core are:
- It has one of the smallest footprints of all Micro OSes available.
- It supports automated updates and rollbacks.
- It is highly resilient.
- It boots the containers within seconds.
- It is highly secure and extremely reliable.
- It provides application isolation through AppArmor and Seccomp.
- It integrates with CI/CD pipelines.
Find more here: https://ubuntu.com/core
Photon OS™ is a minimal Linux container host provided by VMware, optimized for cloud-native applications. It is designed with a small footprint in order to boot extremely quickly on VMware vSphere deployments and on cloud computing platforms. Photon can be deployed on Amazon EC2 and GCE instances, while supporting a variety of container formats, such as Docker, rkt, and Cloud Foundry Garden.
Photon OS™ is available in two versions, a minimal and a full version:
- The minimal version is a lightweight container host runtime environment, including a minimum of packaging and functionality to manage containers while still remaining a fast runtime environment.
- The full version also includes packages of tools for the development, testing, and deployment of containerized applications.
Photon OS™ is optimized for VMware products and cloud platforms. It supports Docker, rkt, and the Cloud Foundry Garden container specifications. It relies on an open-source, yum-compatible package manager called Tiny DNF (tdnf), and it manages services with systemd.
Photon OS™ is a security-hardened Linux. The kernel and other aspects of Photon OS™ are built with an emphasis on the security recommendations provided by the Kernel Self-Protection Project (KSPP).
It can be easily managed, patched, and updated. It also provides support for persistent volumes to store the data of cloud-native applications on VMware vSAN™. If you want to try it out, Photon OS™ is available on Amazon EC2, GCE, Microsoft Azure, and Raspberry Pi 3.
Key benefits of using VMware Photon are:
- It is an open-source technology with a small footprint.
- It supports Docker, rkt, and Cloud Foundry Garden container runtimes.
- It includes Kubernetes in the full version, to allow for container cluster management, but it also supports Mesos.
- It boots extremely quickly on VMware platforms.
- It provides efficient lifecycle management with a yum-compatible package manager.
- Its kernel is tuned for higher performance when it is running on VMware platforms.
- It is a security-enhanced Linux as its kernel and other aspects of the operating system are configured according to the security parameter recommendations given by the Kernel Self-Protection Project.
So, these were some of the most utilized Micro OSes. I hope you enjoyed the article. 😸
Thanks, Have a great week! 🚀