mkosi VS constellation

I work with a free and open-source software community called Fedora Project. I had the opportunity to moderate the talk of one of the maintainers of the Systemd suite during the annual contributor conference, Flock To Fedora 2023 where he talked about a tool named Mkosi.

For testing i prefer systemd-nspawn containers with mkosi. A neat tool for running your other fav. distro in a terminal. Works like a charm and integrates nicely in your system. Eg. logs and systemd services or CI testing.

- https://github.com/systemd/mkosi

- man:systemd-nspawn(1)

- man:machinectl(1)

you're gonna have to build this on an x86 pc. sudo dnf install arch-install-scripts bubblewrap gdisk qemu-user-static rsync systemd-container python3 -m pip install --user git+https://github.com/systemd/mkosi.git git clone https://github.com/leifliddy/asahi-fedora-usb.git cd asahi-fedora-usb

There's also mkosi: https://github.com/systemd/mkosi. This one outputs an iso or similar image file and supports many base distributions.

[1] https://github.com/systemd/mkosi/issues/376

System's mkosi is worth checking out too: https://github.com/systemd/mkosi I don't think it generates docker/OCI images directly, but it definitely can generate a tarball of the final image contents and then crane of a similar tool could package it up into an appropriate image. For just docker usage it's probably overkill, the main advantage would be it can build other image types like adding a kernel and init to be a fully bootable iso of VM image.

Constellation ensures that all K8s nodes run on AMD-based Confidential VMs (CVMs). CVMs are strongly isolated from the host and remain encrypted in memory at runtime. Constellation also ensures that all nodes run the same minimal mkosi-based node image.

At first glance I thought your project is a frontend for mkosi but then I saw that you support non-systemd targets too. Mentioning it here because it may be relevant to other users/developers.

A lot happening in Europe, Enclaive provides encrypting containers (GitHub), Edgeless Systems provides a whole encrypted k8s with constellation (GitHub), then there are other players like scontain and secustack.

Aber schau dir bspw mal https://github.com/edgelesssys/constellation an.

Would smth. like https://github.com/edgelesssys/constellation be helpful for those cases?

Hey u/Aztreix, we've recently released an open-source Kubernetes distribution that keeps all data always encrypted and isolates your workloads from cloud infrastructure. This solves many compliance requirements, at least for European companies. Feel free to check it out: https://github.com/edgelesssys/constellation.

Maybe they should deploy it via Constellation https://github.com/edgelesssys/constellation

Easy! I recently posted about our open-source project Constellation. Constellation is the first confidential Kubernetes distribution. Think Rancher Kubernetes Engine (RKE) or RedHat OpenShift for confidential computing.

Therefore, having such verifiable infrastructure seems paramount for a zero trust architecture. Constellation (https://github.com/edgelesssys/constellation) for example leverages Confidential Computing hardware to provide a fully-verifiable Kubernetes cluster. (Disclaimer: I work on that project)

Constellation does this as well btw: https://github.com/edgelesssys/constellation Disclaimer, I work on the project.