So you think you know SUSE?

Editor's Notes

• #3: Story After the video in the beginning I’m sure all of you will be keen to hear more about Edge Computing. Nevertheless I want to give you a glance overview about SUSE, to understand how well we are positioned to support you to “Innovate Everywhere”. At the heart of our strategy is our leadership in the two most important technologies powering digital transformation: Linux and Kubernetes. What powers all of our solutions is our unique open, interoperable solution stack. Not only is SUSE a leader in Enterprise Linux and Kubernetes, but also offering an open, complementary approach, allowing you to choose what fits you best. That gives you back control over your IT architecture and does not enforce decisions by tech dependencies. As you can see on the lower layer we address with our Linux and Kubernetes offerings several areas from Development over Data Center, Cloud Computing, Branches to the Edge. This is the reason why you will find in the middle bar so many flavours of Linux offerings. With our most adaptable Enterprise Linux in the industry, we are able to deliver use case purpose build solutions. Beside we offer systems management with SUSE Manager, that also supports all major Linux distributions from other vendors and communities. Let’s go to the upper, blue layer: With the recent acquisition of Rancher Labs we are now also able to offer with SUSE Rancher the industries only container platform management that supports all Cloud Native Computing Foundation (CNCF) certified Kubernetes distributions. While it is common not to run just one Kubernetes cluster in a business environment, SUSE Rancher allows managing Catalog, Security, Storage and Governance in a consistent way across all your Kubernetes clusters from a central point. Of course our offerings are accompanied by Support and Services. Speaker Background Information n/a Backup Data / Comments / Questions SUSE Manager supports with current version 4.2 SUSE, openSUSE, Red Hat, CentOS, Oracle Linux, Ubuntu, Debian, Amazon Linux!
• #5: TALKING POINTS SUSE Linux Enterprise is an adaptable and easy-to-manage platform that allows developers and administrators to deploy business-critical workloads on-premises, in the cloud and at the edge. All SUSE Linux Enterprise products are optimized for performance, security and reliability in specific environments or use cases. This approach enables you to: Simplify your IT environment The SUSE Linux Enterprise “common code base” platform bridges traditional and software-defined infrastructure. Simplify workload migration, protect your traditional infrastructure, and ease the adoption of containers. Modernize your IT infrastructure Modernize your IT infrastructure with SUSE Linux Enterprise Server’s multimodal architecture. With its cloud-agnostic design, SLES can easily transition to public cloud—Alibaba, Azure, AWS, Google, IBM, Oracle. Accelerate innovation Connect to our developer community at SUSE Package Hub. Once you are ready to move to from development to production you can seamlessly transition from our community Linux distribution - openSUSE Leap - to SUSE Linux Enterprise with just a few clicks. FAQs What does ‘Adaptability’ mean in the context of SLE? SLE products include APIs and services that make it possible to write applications that can work with the widest range of architectures, servers, storage and network options available. This approach allows SLE products like SLES to adapt to any operating environment and enables smooth workload migrations between them. What about security and compliance? Why is SLE different? SUSE engineers promptly react to security incidents, and deliver premium quality security updates. The configuration, auditing and automation features of SUSE Manager make it easy to ensure compliance with internal security policies and external regulations. What about business continuity? Why should I trust SUSE over competitive products? SUSE Linux Enterprise High Availability Extension, geo-clustering, and SUSE Linux Enterprise Live Patching improves business continuity and saves costs by reducing downtime, increasing service availability and enhancing security and compliance. What about virtualization? Each SUSE Linux Enterprise subscription includes support for the leading hypervisor technologies like Vmware and cloud platforms such as AWS, Azure and Google Cloud. We maximize your flexibility and lower costs without sacrificing performance, security or reliability.
• #6: SLE lifecycle details Please note that the info covers primarily SLES, other products might differ so always consult suse.com/lifecycle for the specifics
• #9: Container runtime (podman) supports auto-generation of SELinux policies for container workloads. Secure updates - Updates are always security signed and verified. Each update is atomic and uses transactional update technology. SLE Micro leverages SLE common code base, to provide FIPS 140-2, DISA SRG/STIG, integration with CIS and Common Criteria certified configurations. Packages and repositories are security signed – Intruder cannot exchange good, new packages with old or insecure packages. Using integrated “Secure Device Onboarding (SDO)” client, MSPs (Managed Service Providers) or IHVs/ISVs can ship an appliance directly to end customer, and subsequently, while operating the device remotely, onboard it securely.
• #10: Run container workloads with performance & security SLE Micro is built from ground up to support containers and microservices. All applications/workloads are run as containers and separated into dedicated containers. So, new installation of workloads can be done without reboot, atomic updates are easier to support, and it is easy to rollback when an update goes wrong. Workloads are isolated from the core filesystem to guard against malicious applications compromising the system. Container runtime (podman) is adjusted to support auto generation of SELinux policies for container workloads.
• #12: SUSE Manager is an Open Source Infrastructure Management solution. While reducing costs and complexity it will ensure that your environment is compliance with your internal security policies. One of the big differences between Satellite 5 and SUSE Manager is that we also focus on the cloud. We understand that you have to manage on-premise but also workloads in to cloud. That’s also a reason why it is possible that SUSE Manager can run in the cloud so that you don’t need local hardware to run SUSE Manager.
• #21: TALKING POINTS There are two key pillar of a successful ‘Kubernetes Everywhere’ strategy Certified Kubernetes Distributions To enable compute everywhere, you need to deploy certified Kubernetes distributions everywhere you need compute – in the datacenter, in the cloud, across desktop, branch, and edge locations Centralized Management You need to deploy a centralized management control plane, that delivers three key capabilities Consistent cluster operations – enabling ITOps teams to manage all of your certified Kubernetes distribution with a consistent interface, regardless of who developed the distribution or where it runs Security, Policy, and User Management – enabling ITOps teams to automate processes and applying a consistent set of user access and security policies for all of your clusters no matter where they are running. Shared Tools & Services – any Kubernetes management platform need to provide seamless access to DevOps tools and services including app packaging, CI/CD, logging, monitoring, and service mesh
• #27: Would like to have “builds” that show the technical details happening at each step.
• #28: Would like to have “builds” that show the technical details happening at each step.
• #34: Harvester is an open-source hyper converged infrastructure software. Built and designed with cloud-native environments in mind. Virtualizes the entire stack: the compute, the storage, and the network. 100% Open-Source, same as Rancher. No additional capabilities from subscription. Subscription entitles to support. Main HCI players (VMWare, Nutanix) are proprietary. Production ready turn-key experience. Higher level of completeness over niche open source HCI solutions (Portworx, KubeVirt). Different components very well integrated. Easy to use. Same experience as enterprise grade conventional HCI experience. Designed to run on bare-metal servers. - On-premise, Edge. On cloud: On-demand bare metal servers (e.g. Equinix Metal). No nested virtualization. Not supported in production. Performance penalty. Not intended for Main Public Cloud Providers. Already HCI. Edge: - Small clusters with relatively powerful servers with decent specifications. Remote branch locations. Restaurants. Factories. Remote branch offices. Not for Raspberry Pis. Harvester is: Lightweight: Lowest resource consumption of any HCI in market. Software-driven. Hardware agnostic. No specialized Hardware (e.g. external SANs). Unify and consolidate heterogeneous hardware. Integrates very well with Rancher. Rancher single pane of glass. Kubernetes use cases. HCI concerns. Unify management of VMs and containers from a single console. Role-based access control. Enterprise authentication. Observability tools. CI/CD tools.
• #35: Unique approach: Built on a foundation of cloud native technologies. Single unified API to deploy VMs. Great user experience. Kubernetes: Mature and stable orchestration layer. RKE2. Bootstrapped with RancherD. Single binary. Kubernetes cluster bundled with Rancher. KVM - Virtualization platform. KubeVirt: Virtualization management layer. Orchestrates running VMs inside of pods.   Longhorn - Distributed and highly available persistent storage. Multus: Meta-CNI. Allows for multiple software defined networks. KubeVIP: - Provides virtual IP support. - For bare-metal Harvester cluster (installation, accessing UI, node registration). - For Kubernetes clusters provisioned through Rancher. - Provides Load balancing functionality. Proven, powerful technologies for today’s infrastructure needs. SUSE Linux: Derivative of OpenSUSE 15.3. Name TBD (Elemmental for Open SUSE, RancherOS v2, …). Backed by SUSE. Binary-compatible with SLES. (not yet available) In 2022, transition to SLES for users with Harvester subscription.
• #36: Harvester is a cluster of nodes, Each of which is running: SUSE Linux, RKE2 (Secure and stable base). Longhorn (Storage) and KubeVirt (Virtualization). Not swappable for other storage or virtualization solutions. Tight integration. Key elements of the entire HCI solution. Tied to certain functionalities (e.g. Hot Plug). Harvester seen as a single entity rather than pick and choose. Run VMs on top of Harvester. Networking: Each VM connects into management network (Kubernetes overlay network). Management network accesses any VM in the cluster. Can create multiple VLANs. Only VLANs. Support for other network types, e.g. VXLAN, in roadmap priority. VM can connect to multiple networks at the same time (Isolate traffic across VMs).  Provided by Multus and Harvester's network CNI plugin (allows VM to connect to multiple network interfaces).  Clustering multiple Harvester hosts together. Create a shared compute platform across them.  Manage all these servers as one pool of resource. Allocated to VMs. Kubernetes on top of VMs. When add more nodes to the cluster Harvester reconfigures itself (Kubernetes cluster).   Heterogenous machines are supported. Good networking is very important. Additional considerations: RKE2 and KubeVirt don’t currently support Arm, so Harvester does not support Arm. Can’t upgrade from Harvester v0.3 to v1.0 (work in progress).
• #37: (Only for the ones with additional info) Can create similar VMs based on templates. Live migration with storage is powered by Longhorn. Similar to vMotion in the VMWare world. It allows to migrate VM from one node to another without downtime. Possible within the same Harvester cluster. Can not move guest VMs between different clusters. Exporting images from existing VMs. Can use a VM, modify it and then export it. The exported VM can be used for future deployments. Harvester supports Terraform and is a Terraform provider. Monitoring Dashboard. Situation and resource consumption at: Cluster level. VM level (similar to node status in Rancher) . Storage. Only block storage, no object storage. High performance: In tests, Longhorn is the fastest software defined storage solution on SSD/NVMe. Faster than Ceph and Portworx for raw disk operations. A critical part of the storage involves storing the Virtual Machine Base Images, It needs to be high performant. Efficiency: Longhorn is able to store the base image used to spin many virtual machines. These images are shared and reused across the virtual machines. Longhorn also stores the deltas for whatever each VM is using. You don’t need to duplicate the base image on disk for each VM. It is a very efficient way to store the data for all VMs. VM backup and restore to NFS and S3. Currently limited to the same Harvester cluster. In future, allow to backup Harvester VMs and restore on another location (For Failover and Disaster Recovery). Hot plug disk support. Harvester contributed the enhancements to the upstream KubeVirt project. Hot plug disk is used if you have a Kubernetes cluster spin up from a Harvester VM to obtain a better performance for the disk. When the CSI driver in the guest cluster asks for a hot volume, it is actually a real hot plug disk to the VM. Network: Virtual IP support: One virtual IP for the cluster. One virtual IP for any Kubernetes cluster provisioned through Rancher. Kube-vip can also get a load balancer service. Can bond NICs. Custom SSL certificate. - Can bring SSL certificates for a specific domain into Harvester.
• #41: The use of containers and Kubernetes is exploding because of the scalability and efficiency that they help with. Unfortunately, traditional security tools don’t work inside of these environments. To make matters worse, K8s deliberately obfuscates the network traffic as a trade-off for that efficiency. This is what our founders found a way to solve, to operate in these ephemeral environments the same way traditional security tools do.
• #43: For our vulnerability management, we are full lifecycle, we start when a developer builds an image We have plugins for Jenkins, CircleCI and others We can pass/fail builds as part of the pipeline, and we can scan registries as you might expect, and we do plug into admission control so you can create pod security policies in our product for deploying containers. we want to make sure we’re continuously scanning in production to find new CVEs as they’re published. Important to mention here that we built our scanner in house, so no use of existing open-source technologies. We’ve been told by our customers that it is the fastest, most flexible and accurate scanner on the market. And, since we’re cloud native, it can scale quickly and easily to large repositories (we have a customer who has 100s of thousands of images that get scanned regularly without issue).