SUSE recently unveiled the launch of the third prototype of the ALP «Piz Bernina» (Adaptable Linux Platform), positioned as a continuation of the development of the SUSE Linux Enterprise distribution.
The key difference of ALP is the division of the core framework of the distribution into two parts: a "host operating system" reduced to what is needed to run on top of the hardware, and an application support layer focused on running workloads in containers and virtual machines.
ALP is initially developed using an open development process, where intermediate builds and test results are publicly available to everyone.
The third prototype includes two separate branches which, in their present form, are close in content, but in the future will develop towards different application areas and will differ in the services provided. For testing, the Bedrock branch is available, which focuses on use in server systems, and the Micro branch, designed for building cloud-native systems and running microservices.
The ALP architecture is built around a "host OS" environment that is the minimum necessary to support and control the hardware. All userland applications and components are intended to run not in a mixed environment, but in separate containers or virtual machines that run on top of the "host operating system" and are isolated from each other. This organization lets users focus on the applications and abstracts the workflows away from the hardware and the low-level system environment.
The product SLE Micro, based on the developments of the MicroOS project, is used as the basis for the “host operating system”. For centralized management, the Salt (pre-installed) and Ansible (optional) configuration management systems are offered. The Podman and K3s (Kubernetes) toolkits are available for running isolated containers. Containerized system components include yast2, podman, k3s, cockpit, GDM (GNOME Display Manager), and KVM.
Among the features of the system environment, the default use of Full Disk Encryption (FDE) with the ability to store keys in the TPM is mentioned. The root partition is mounted read-only and does not change during operation. The environment uses an atomic update installation mechanism. Unlike the ostree- and snap-based atomic updates used in Fedora and Ubuntu, ALP does not create separate atomic images or implement an additional delivery infrastructure; instead, a normal package manager and the in-system snapshot mechanism of the Btrfs file system are used.
In addition, live patches are supported to update the Linux kernel without rebooting or suspending operation. To maintain system survivability (self-recovery), the last stable state is preserved in Btrfs snapshots: if anomalies are detected after applying updates or changing settings, the system is automatically returned to the previous state.
Of the main changes in the third prototype of ALP «Piz Bernina», the following stand out:
- Provide a Trusted Execution Environment for confidential computing, allowing you to securely process data using isolation, encryption, and virtual machines.
- Application of hardware and runtime attestation to verify the integrity of running tasks.
- Foundation for Confidential Virtual Machine (CVM) support.
- Integrated support for the NeuVector platform to verify container security, determine the presence of vulnerable components, and detect malicious activity.
- Support for s390x architecture in addition to x86_64 and aarch64.
- Ability to enable Full Disk Encryption (FDE) at the installation stage with key storage in TPMv2 and without the need to enter a passphrase during first boot. Equivalent support for both normal partition encryption and LVM (Logical Volume Manager) partitions.
Finally, for those interested in learning more about it, the details can be checked at the following link.
Those interested in testing the system should know that builds are ready for the x86_64 architecture (Bedrock, Micro). Build scripts are also available (Bedrock, Micro) for the AArch64, PPC64le and s390x architectures.