
No SSH? What Is Talos, This Linux Distro for Kubernetes?

Talos Linux, developed by Sidero Labs, is a Linux distro built for Kubernetes with SSH access disabled and built-in security.
Jun 12th, 2025 8:00am by

The rise of container-based Linux distros is real, especially now with the demand for deploying to edge environments that require lightweight operating systems.

Talos Linux, developed by Sidero Labs, is a Linux distro built for Kubernetes. It has SSH access disabled, and security comes built-in.

Founder and CTO Andrew Rynhard joined Justin Garrison, head of product, for a demonstration to discuss the idea behind Talos and how it works.

A bit of background: Sidero Labs CEO Steve Francis authored a post in The New Stack about Talos Linux, describing it as an operating system with a fully immutable file system and a comprehensive API for management. Talos runs where Kubernetes runs, including cloud providers, bare metal, virtualized systems, within Docker and on SBCs like Raspberry Pis. He further adds that “Talos Linux also requires kernel modules to be signed with the same key used to build the kernel — and because this key is ephemeral, it makes the kernel completely static and immutable.”

Rynhard said that earlier in his career, he managed Kubernetes clusters. He was a hardcore CoreOS user. CoreOS introduced these new ideas circa 2013 about an OS that is immutable, secure, minimal in scope, designed to run containers and updated automatically. At the time, CoreOS pioneered a new generation of container-based lightweight OS environments. Talos, like other lightweight Linux distributions, is well-suited to the increasing demand to work in edge environments.

The OS is built without systemd. There is no Bash, or any shell, and it uses a custom process manager, machineD, written in Go.

Garrison said that designing an API that works at the OS level is what strikes him as most interesting. When integrating with Stripe, for example, he would not use SSH. He uses an API. Developers are familiar with how APIs work and understand how they scale. Someone declares something they want to happen with an API, and it happens. Talos does that at the OS layer, specifically for Kubernetes.

“Sidero is the Greek word for iron,” Garrison said. “Sideros is intentionally Kubernetes and bare metal related.”

“It can be big iron, small iron, whatever it is, you get an API,” Garrison said. “The API is portable anywhere, wherever you’re running it.”

Rynhard said he managed Kubernetes clusters for a company where he was a hardcore CoreOS user.

“I had this really idealized way of how we were going to manage Kubernetes clusters,” Rynhard said. “I would tell people, ‘Don’t SSH onto them.’ And of course they would, and of course I would, and we’d have to change things.

“And next thing you know, you have a 20-node cluster, and five different machines are all different from each other, and now nobody wants to touch anything.”

Talos is minimal in size and built to be secure. It can boot anywhere. There is no need for a hypervisor; routing can be achieved through a virtual private cluster.

“We do everything inside the operating system,” Rynhard said.

All of the certificates, security, and connectivity functions occur within the OS. In the case of Omni, Sidero Labs’ Software as a Service (SaaS) for Kubernetes deployments on bare metal and edge, the node is connected back to Omni via WireGuard. A WireGuard VPN connects back to the node.

TNS owner Insight Partners is an investor in: Docker.