TNS
SUBSCRIBE
Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.
REQUIRED
 
It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.
Welcome and thank you for joining The New Stack community!
Please answer a few simple questions to help us deliver the news and resources you are interested in.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Great to meet you!
Tell us a bit about your job so we can cover the topics you find most relevant.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
 
Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

PREV
of
NEXT
VOXPOP
As a JavaScript developer, what non-React tools do you use most often?
Angular
0%
Astro
0%
Svelte
0%
Vue.js
0%
Other
0%
I only use React
0%
I don't use JavaScript
0%
 
NEW! Try Stackie AI
Cloud Native Ecosystem Containers Databases Edge Computing Infrastructure as Code Linux Microservices Open Source Networking Storage
Agentic development hinges on verification. For cloud-native software, that is a runtime problem.
Jun 11th 2026 10:00am, by Arjun Iyer
Vendor neutrality isn’t magic: A hard look at the OpenTelemetry ecosystem
May 29th 2026 10:00am, by Adriana Villela and Josh Lee
How Jaeger hit 8.6Ă— compression on 10 million spans with ClickHouse
May 24th 2026 11:00am, by Mahad Zaryab
After becoming cloud computing’s telemetry standard, OpenTelemetry graduates into the AI infrastructure era
May 21st 2026 10:00am, by Paul Sawers
Why agent harnesses fail inside cloud-native systems
May 13th 2026 9:00am, by Arjun Iyer
AWS can now mathematically prove your VMs are isolated
Jun 10th 2026 12:46pm, by Frederic Lardinois
Microsoft wants to make service mesh invisible
Apr 8th 2026 1:11pm, by Frederic Lardinois
Edera spent years calling KVM less secure. Here's why it changed its mind.
Mar 25th 2026 2:22pm, by Steven J. Vaughan-Nichols
Minimus aims to solve one of open-source's long-festering problems
Mar 24th 2026 3:00am, by Adrian Bridgwater
How to deploy Pi-Hole with Docker and stop ads on every device on your LAN
Mar 23rd 2026 7:44am, by Jack Wallen
Why AI retrieval and ranking need more than vector search
Jun 13th 2026 2:00pm, by Bonnie Chase
When your data model is the bottleneck: lessons from Medium’s feature store
Jun 9th 2026 10:40am, by Cynthia Dunlop
For years, Apache Cassandra handed this work to your team — 6.0 takes it back
Jun 8th 2026 10:00am, by Anil Inamdar
Autonomous agents have met their biggest challenge yet: The database.
Jun 4th 2026 2:53pm, by Chris J. Preimesberger
Why the need for humans won't disappear in the age of autonomous databases
Jun 4th 2026 1:18pm, by Chris J. Preimesberger
Google Gemma 4 12B nearly matches 26B benchmarks — and runs on your laptop
Jun 4th 2026 3:30pm, by Meredith Shubel
How to get operational data off the factory floor without creating an IT breach
Jun 3rd 2026 3:55pm, by Alex Wilhelm
Edge-forward: Akamai eyes sweet spot between centralized & decentralized AI inference
Apr 1st 2026 7:00am, by Adrian Bridgwater
Developers are coding to a moving target, and nobody knows where AI lands next
Mar 3rd 2026 7:33am, by Adrian Bridgwater
Cloudflare’s new Markdown support shows how the web is evolving for AI agents
Mar 2nd 2026 4:30am, by David Eastman
Why Terraform is green when your cloud is broken
Apr 28th 2026 9:00am, by Joe Karlsson
The one Slack message that proved our elite engineering team was flying blind
Apr 26th 2026 11:00am, by Joe Karlsson
The operational gap is real, and it's getting wider
Mar 26th 2026 8:00am, by Yevgeny Pats
Why "automated" infrastructure might cost more than you think
Feb 24th 2026 4:00am, by Justyn Roberts
Why 40% of AI projects will be canceled by 2027 (and how to stay in the other 60%)
Feb 13th 2026 6:00am, by Alex Drag
Why Linux creator Linus Torvalds gets angry hearing "99% of code is AI"
May 29th 2026 10:34am, by B. Cameron Gain
Sparky Linux 9 brings a rolling release to Debian
Mar 30th 2026 8:00am, by Jack Wallen
Edera spent years calling KVM less secure. Here's why it changed its mind.
Mar 25th 2026 2:22pm, by Steven J. Vaughan-Nichols
Your Kubernetes isn't ready for AI workloads, and drift is the reason
Mar 25th 2026 8:43am, by TNS Staff
Linux kernel scale is swamping an already-flawed CVE system
Mar 20th 2026 4:30am, by Jed Salazar
Tetrate launches open source marketplace to simplify Envoy adoption
Mar 11th 2026 10:52am, by Adrian Bridgwater
OpenTelemetry roadmap: Sampling rates and collector improvements ahead
Feb 24th 2026 11:00am, by B. Cameron Gain
Merging To Test Is Killing Your Microservices Velocity
Dec 16th 2025 7:00am, by Arjun Iyer
IBM’s Confluent Acquisition Is About Event-Driven AI
Dec 11th 2025 6:00am, by Joab Jackson
Deploy Agentic AI Workflows With Kubernetes and Terraform
Nov 26th 2025 9:00am, by Oladimeji Sowole
Microsoft pulled 73 GitHub repos after malware attack — but still won’t say who’s compromised
Jun 10th 2026 12:40pm, by Meredith Shubel
Databricks wants to kill the "email me a file" problem for AI agent skills
Jun 10th 2026 10:00am, by Frederic Lardinois
For years, Apache Cassandra handed this work to your team — 6.0 takes it back
Jun 8th 2026 10:00am, by Anil Inamdar
Microsoft just made the agent runtime free — and kept everything around it
Jun 7th 2026 11:00am, by Janakiram MSV
Cloudflare aqui-hires VoidZero: Did a piece of the open web just stabilize, or become more brittle?
Jun 5th 2026 3:01pm, by Adrian Bridgwater
From system of record to system of control: How NetBox Labs is making network engineers “masters of intent.”
Apr 28th 2026 11:00am, by Doug Sillars
Beyond the VPN: Cloudflare Mesh builds a private network for the age of AI agents
Apr 14th 2026 11:04am, by Adrian Bridgwater
Model Flop Utilization is the metric Aria Networks says will define the AI infrastructure era
Apr 7th 2026 9:00am, by Adrian Bridgwater
How to deploy Pi-Hole with Docker and stop ads on every device on your LAN
Mar 23rd 2026 7:44am, by Jack Wallen
Why flat Kubernetes networks fail at scale
Mar 20th 2026 7:00am, by Reza Ramezanpour
Why Postgres wants NVMe on the hot path, and S3 everywhere else
Apr 17th 2026 9:00am, by Alasdair Brown
Scaling Btrfs to petabytes in production: a 74% cost reduction story
Mar 18th 2026 5:00am, by Motiejus Jakštys
What is KubeVirt and why it’s growing
Mar 17th 2026 9:00am, by Tiago Castro
S3 is the new network: Rethinking data architecture for the cloud era
Feb 2nd 2026 4:00am, by Max Liu
Agoda’s secret to 50x scale: Getting the database basics right
Jan 28th 2026 7:00am, by Cynthia Dunlop
AI AI Engineering API Management Backend development Data Frontend Development Large Language Models Security Software Development WebAssembly
The Anthropic Fable mess, explained
Jun 15th 2026 2:24pm, by
Cohere sold sovereign AI to enterprises, now it's targeting developers with its first coding model
Jun 15th 2026 10:54am, by
Your AI-generated app runs on their cloud, and that's the problem
Jun 15th 2026 9:50am, by
Fable 5 and Mythos 5 remain suspended: "The ball is in Anthropic’s court"
Jun 13th 2026 5:09pm, by
Can JetBrains close the IDE skills gap before AI widens it further?
Jun 13th 2026 1:00pm, by
Cohere sold sovereign AI to enterprises, now it's targeting developers with its first coding model
Jun 15th 2026 10:54am, by
Code is a message to the future
Jun 15th 2026 8:00am, by
Xiaomi's MiMo Code claims it beats Claude Code past 200 steps
Jun 14th 2026 1:00pm, by
Why AI retrieval and ranking need more than vector search
Jun 13th 2026 2:00pm, by
Loops are replacing prompts. Verification is about to be your biggest problem.
Jun 13th 2026 12:00pm, by
Anthropic's $300M Stainless deal lands hardest on OpenAI and Google
May 23rd 2026 10:00am, by
The API portal is the clearest signal of whether your company can handle AI agents
May 12th 2026 1:23pm, by
AI teams are spending months on web scrapers that SerpApi replaces with one API call
May 12th 2026 10:00am, by
Why JSON Schema matters more than ever in the age of generative AI
Apr 28th 2026 1:00pm, by
SmartBear's Swagger update targets the API drift problem AI coding tools created
Apr 19th 2026 10:00am, by
Why PHP performance keeps getting bumped from the roadmap
May 6th 2026 10:00am, by
Why Postgres wants NVMe on the hot path, and S3 everywhere else
Apr 17th 2026 9:00am, by
Expo bets big on React Native’s agentic future
Apr 16th 2026 11:37am, by
From clobbered drafts to real-time sync
Apr 14th 2026 10:00am, by
Moving beyond the “magic scaling sauce” myth
Apr 2nd 2026 9:30am, by
"The manual model breaks": What happens when agents write to production data
Jun 11th 2026 1:35pm, by
Databricks wants to kill the "email me a file" problem for AI agent skills
Jun 10th 2026 10:00am, by
When your data model is the bottleneck: lessons from Medium’s feature store
Jun 9th 2026 10:40am, by
For years, Apache Cassandra handed this work to your team — 6.0 takes it back
Jun 8th 2026 10:00am, by
Rayfin: Microsoft's answer to the gap between vibe coding and enterprise production
Jun 2nd 2026 3:46pm, by
Google wants to make the web agent-ready
May 19th 2026 1:45pm, by
Expo bets big on React Native’s agentic future
Apr 16th 2026 11:37am, by
Digital Experience Monitoring belongs in the modern developer workflow
Apr 3rd 2026 10:00am, by
WebMCP turns any Chrome web page into an MCP server for AI agents
Mar 17th 2026 11:50am, by
Confluent adds A2A support, anomaly detection, and Queues for Kafka in major platform update
Mar 3rd 2026 10:21am, by
We’ve been measuring AI wrong; why economically valuable work is the new benchmark
Jun 15th 2026 9:42am, by
Fable 5 vs Opus 4.8: The real stakes, not the spec sheet
Jun 13th 2026 11:00am, by
Cleaner AI training data, fewer bugs: Sonar's SonarSweep explained
Jun 11th 2026 8:00am, by
Google's DiffusionGemma is 4x faster than its other Gemma models
Jun 10th 2026 1:18pm, by
Fable 5: Guardrails and burn rate are annoying users, who say it's still better than Opus 4.8
Jun 10th 2026 1:11pm, by
What your logs can't tell you when an AI agent acts alone
Jun 14th 2026 12:00pm, by
"Don't just grab random stuff off the internet": What Chainguard found in 52,000 open-source packages
Jun 11th 2026 4:38pm, by
Cleaner AI training data, fewer bugs: Sonar's SonarSweep explained
Jun 11th 2026 8:00am, by
Microsoft pulled 73 GitHub repos after malware attack — but still won’t say who’s compromised
Jun 10th 2026 12:40pm, by
Spring is 23 years old. AI just made it a security emergency.
Jun 9th 2026 2:48pm, by
Your AI-generated app runs on their cloud, and that's the problem
Jun 15th 2026 9:50am, by
Code is a message to the future
Jun 15th 2026 8:00am, by
"AI is disrupting everything": Where do entry-level tech jobs go now?
Jun 11th 2026 2:34pm, by
Beyond the stack trace: why AI requires a new debugging paradigm
Jun 11th 2026 1:00pm, by
How to delegate 40% of tickets to AI
Jun 11th 2026 10:30am, by
Edge-forward: Akamai eyes sweet spot between centralized & decentralized AI inference
Apr 1st 2026 7:00am, by
WebAssembly is now outperforming containers at the edge
Mar 29th 2026 9:00am, by
WebAssembly could solve AI agents' most dangerous security gap
Mar 24th 2026 9:01am, by
How WebAssembly plugins simplify Kubernetes extensibility
Mar 3rd 2026 2:00pm, by
WebAssembly is everywhere. Here's how it works
Feb 25th 2026 11:00am, by
AI Operations CI/CD Cloud Services DevOps Kubernetes Observability Operations Platform Engineering
PagerDuty's CAIO says most AI incident tools are missing a critical layer
Jun 14th 2026 11:00am, by JoĂŁo Freitas
Observability overload is drowning engineers
Jun 10th 2026 1:27pm, by Alex Wilhelm
The tokenmaxxing party is over, and Revenium is mopping up
Jun 9th 2026 6:00am, by Chris J. Preimesberger
Why Anthropic just doubled Claude Cowork limits at no charge
Jun 8th 2026 1:35pm, by Adrian Bridgwater
From Jupyter Notebook to production: How to ship AI systems that actually work
Jun 6th 2026 7:00am, by Zziwa Raymond Ian
AI teams now deploy 1,000 times a month. Your pipeline wasn't built for that.
Jun 7th 2026 12:30pm, by Paul Stovell
GitLab 19.0 trades its string section for a full DevSecOps orchestra
May 25th 2026 12:00pm, by Adrian Bridgwater
CI wasn't built for coding agents. Here's what comes next.
May 21st 2026 10:30am, by Anirudh Ramanathan
As agentic dev tools boom, workflow auditability becomes the constraint
May 12th 2026 8:00am, by Brian Wald
The agent code explosion is here. We need to rethink our pipelines, fast.
May 4th 2026 10:00am, by Arjun Iyer
AI agents need infrastructure: Why Europe’s regional cloud strategy matters
Jun 11th 2026 10:00am, by Kevin Cochrane
Why CPUs still matter in the age of AI agents
Jun 3rd 2026 2:54pm, by Frederic Lardinois
Why AWS scrapped OpenSearch's architecture to chase agent workloads
May 28th 2026 2:30pm, by Frederic Lardinois
AI agents need to spend money — Stripe and iWallet are building the rails
May 5th 2026 7:43am, by John Biggs
AWS lands OpenAI on Bedrock, but Trainium is the real story
Apr 29th 2026 10:54am, by Janakiram MSV
From Jupyter Notebook to production: How to ship AI systems that actually work
Jun 6th 2026 7:00am, by Zziwa Raymond Ian
The DIY platform trap that's burning out engineering teams
May 31st 2026 11:00am, by Darin Zook
GitLab 19.0 trades its string section for a full DevSecOps orchestra
May 25th 2026 12:00pm, by Adrian Bridgwater
How MCP and synthetic data are reshaping compliance in the agentic era
May 23rd 2026 9:00am, by Brian Muskoff
"Morally repugnant shortsightedness": Why open source security leaders say companies must stop freeloading on maintainers
May 21st 2026 10:00am, by Adrian Bridgwater
Loops are replacing prompts. Verification is about to be your biggest problem.
Jun 13th 2026 12:00pm, by Arjun Iyer
Why the need for humans won't disappear in the age of autonomous databases
Jun 4th 2026 1:18pm, by Chris J. Preimesberger
How to secure Kubernetes in the age of AI workloads
Jun 4th 2026 12:45pm, by Mary Branscombe
Cloud native application challenges: installing the walking skeleton
May 13th 2026 9:00am, by Manning Book Authors
Why Prometheus couldn't see Cilium metrics at 2 a.m.
May 10th 2026 10:00am, by Rishi Mondal
Observability overload is drowning engineers
Jun 10th 2026 1:27pm, by Alex Wilhelm
The tokenmaxxing party is over, and Revenium is mopping up
Jun 9th 2026 6:00am, by Chris J. Preimesberger
Vendor neutrality isn’t magic: A hard look at the OpenTelemetry ecosystem
May 29th 2026 10:00am, by Adriana Villela and Josh Lee
Debugging the undebuggable: building observability into probabilistic AI systems
May 28th 2026 7:00am, by Oladimeji Sowole
Taming the agentic influx: a blueprint for AI business observability
May 26th 2026 8:00am, by Charles Humble
The reason enterprise outages almost never start where ops teams think
May 26th 2026 9:43am, by Jennifer Riggins
I buried 20 problems in a fake P&L to see if Claude for Small Business could find them
May 22nd 2026 9:00am, by Jessica Wachtel
OpenAI brings Codex to the ChatGPT mobile app
May 14th 2026 4:13pm, by Frederic Lardinois
GitLab is betting a 19th-century economic theory will shape its AI era
May 14th 2026 1:21pm, by Paul Sawers
The new FinOps problem isn't cloud bills
May 12th 2026 7:24pm, by Frederic Lardinois
Loops are replacing prompts. Verification is about to be your biggest problem.
Jun 13th 2026 12:00pm, by Arjun Iyer
Git real: AI agents aren't just for solo developers anymore
Jun 9th 2026 3:58pm, by Janakiram MSV
Netlify CTO Dana Lawson: Writing code is no longer the job
Jun 6th 2026 10:00am, by Jennifer Riggins
Why agentic AI makes the ops platform the most important layer in the enterprise
Jun 4th 2026 2:35pm, by TNS Staff
The DIY platform trap that's burning out engineering teams
May 31st 2026 11:00am, by Darin Zook
C++ Developer tools Go Java JavaScript Programming Languages Python Rust TypeScript
Open source USearch library jumpstarts ScyllaDB vector search
Feb 5th 2026 12:00pm, by Jelani Harper
AWS WAF vs. Google Cloud Armor: A Multicloud Security Showdown
Nov 25th 2025 10:00am, by Advait Patel
Goodbye Dashboards: Agents Deliver Answers, Not Just Reports
Nov 23rd 2025 9:00am, by Ketan Karkhanis
Rust vs. C++: a Modern Take on Performance and Safety
Oct 22nd 2025 2:00pm, by Zziwa Raymond Ian
Building a Real-Time System Monitor in Rust Terminal
Oct 15th 2025 7:05am, by Tinega Onchari
Code is a message to the future
Jun 15th 2026 8:00am, by Hernan Garchtrom
Xiaomi's MiMo Code claims it beats Claude Code past 200 steps
Jun 14th 2026 1:00pm, by Janakiram MSV
Can JetBrains close the IDE skills gap before AI widens it further?
Jun 13th 2026 1:00pm, by Darryl K. Taft
Beyond the stack trace: why AI requires a new debugging paradigm
Jun 11th 2026 1:00pm, by Zziwa Raymond Ian
The Anthropic leader who built Claude Code says he ditched prompting — now he just writes loops.
Jun 10th 2026 1:01pm, by Janakiram MSV
Go Experts: 'I Don't Want to Maintain AI-Generated Code'
Sep 28th 2025 6:00am, by David Cassel
How To Run Kubernetes Commands in Go: Steps and Best Practices 
Jun 27th 2025 8:00am, by Sunny Yadav
Prepare Your Mac for Go Development
Apr 12th 2025 7:00am, by Damon M. Garn
Pagoda: A Web Development Starter Kit for Go Programmers
Mar 19th 2025 6:10am, by Loraine Lawson
Microsoft TypeScript Devs Explain Why They Chose Go Over Rust, C#
Mar 18th 2025 7:00am, by David Cassel
Transform your AI coding agent into a deterministic Java Spring expert
Jun 11th 2026 9:00am, by Raquel Pau
Spring is 23 years old. AI just made it a security emergency.
Jun 9th 2026 2:48pm, by Darryl K. Taft
In the AI age, Java is more relevant than ever
Apr 8th 2026 5:30pm, by Mary Branscombe
Java 26 lands without an LTS badge. Here's why developers should care anyway.
Mar 18th 2026 9:35am, by Darryl K. Taft
62% of enterprises now use Java to power AI apps
Feb 10th 2026 12:58pm, by Darryl K. Taft
Cloudflare aqui-hires VoidZero: Did a piece of the open web just stabilize, or become more brittle?
Jun 5th 2026 3:01pm, by Adrian Bridgwater
"Real maturity problems": Not every developer is thrilled with Bun after Anthropic acquisition
May 5th 2026 1:03pm, by Adrian Bridgwater
TypeScript 6.0 RC arrives as a bridge to a faster future
Mar 14th 2026 9:00am, by Darryl K. Taft
WebAssembly is everywhere. Here's how it works
Feb 25th 2026 11:00am, by Jessica Wachtel
Wasm vs. JavaScript: Who wins at a million rows?
Feb 22nd 2026 6:00am, by Jessica Wachtel
Who will maintain the web when PHP's veterans retire?
Apr 16th 2026 2:53pm, by Darryl K. Taft
Will AI force code to evolve or make it extinct?
Mar 22nd 2026 6:00am, by David Cassel
Java 26 lands without an LTS badge. Here's why developers should care anyway.
Mar 18th 2026 9:35am, by Darryl K. Taft
TypeScript 6.0 RC arrives as a bridge to a faster future
Mar 14th 2026 9:00am, by Darryl K. Taft
Nearly half of all companies now use Rust in production, survey finds
Mar 6th 2026 10:45am, by Darryl K. Taft
How to build an AI-powered private document search app with RAG, ChromaDB, and memory
Apr 10th 2026 12:00pm, by Teri Eyenike
In the AI age, Java is more relevant than ever
Apr 8th 2026 5:30pm, by Mary Branscombe
OpenAI acquires Astral to bring open source Python developer tools to Codex — but details are still fuzzy
Mar 20th 2026 7:33am, by Meredith Shubel
Python virtual environments: isolation without the chaos
Feb 16th 2026 7:00am, by Jessica Wachtel
Statistical language R is making a comeback against Python
Feb 12th 2026 2:57pm, by Darryl K. Taft
The Rust sidecar pattern that fixes Python AI's biggest weakness
May 14th 2026 9:00am, by Boris Chabeda
Nearly half of all companies now use Rust in production, survey finds
Mar 6th 2026 10:45am, by Darryl K. Taft
Wasm vs. JavaScript: Who wins at a million rows?
Feb 22nd 2026 6:00am, by Jessica Wachtel
Open source USearch library jumpstarts ScyllaDB vector search
Feb 5th 2026 12:00pm, by Jelani Harper
The 'weird' things that happened when Clickhouse replaced C++ with Rust
Feb 4th 2026 7:26am, by B. Cameron Gain
From clobbered drafts to real-time sync
Apr 14th 2026 10:00am, by David Moore
TypeScript 6.0 RC arrives as a bridge to a faster future
Mar 14th 2026 9:00am, by Darryl K. Taft
Mastra empowers web devs to build AI agents in TypeScript
Jan 28th 2026 11:00am, by Loraine Lawson
Inferno Vet Creates Frontend Framework Built With AI in Mind
Dec 10th 2025 11:00am, by Loraine Lawson
JavaScript Utility Library Lodash Changing Governance Model
Nov 1st 2025 7:00am, by Loraine Lawson
Cloud Native Ecosystem / Edge Computing / Kubernetes

Livin’ Kubernetes on the (Immutable) Edge with Kairos Project

A new open source project is designed to tackle the need for immutability and atomic upgrades.
Dec 1st, 2022 11:05am by
Featued image for: Livin’ Kubernetes on the (Immutable) Edge with Kairos Project
Image of Aerosmith from YouTube.
If you’re of a certain age, you’ll be very familiar with Aerosmith’s 1993 hit “Livin’ on the Edge.” Its refrain is simple: Livin’ on the edge, you can’t help yourself at all.  Well, nowadays, when we talk about living on the edge, we’re talking about Kubernetes — and we’ve never had more technologies available to help ourselves. The edge is the hot topic around Kubernetes right now, as research shows. Companies big and small are pushing Kubernetes adoption to the last mile (yes, maybe even into the locomotive featured in the Aerosmith video pictured above) and replacing typical virtual machine (VM) infrastructures with bare metal. A host of distributions have sprung up to meet the needs of managing containerized bare metal Kubernetes at the edge, including projects like FlatCar Linux and Talos, all designed to provide a lightweight, “immutable” OS for the edge with “atomic” upgrades. But why does this matter?

Immutability Is the Next Step Beyond Configuration Management

An immutable OS is a carefully engineered system that boots in a restricted, permissionless mode where certain paths of the system are not writable. For instance, after installation it’s not possible to install additional packages in the system, and any configuration change is discarded after reboot. This reduces a malicious attacker’s surface, which is vitally important at the edge, where devices may be physically available for tampering. At the same time, it makes sure every node runs a certain version of the software stack, reducing the risk of infrastructure drift.
This approach is all about scale. In the old days before cloud native, each of our servers was a snowflake or “pet,” kept up and running with patches, updates and configuration changes layered on top of the first OS installation, making each server a knot of unique dependencies. Tools like Ansible, Salt and Puppet were often used to handle each tiny detail of a system and to reduce as much as possible the infrastructure drift. Instead, the “cattle” approach is about treating nodes as interchangeable systems. If there is an issue with a system, instead of debugging it in production or taking corrective actions “live,” we just remove the faulty node and create a new, identical one to swap in its place. This is where immutable OSes really pay off, because when you know that the OS hasn’t been modified since build, you know the replacement will be an exact clone, and workloads will behave predictably. Immutability makes configuration management almost obsolete beyond a central catalog. Upgrading a system in an immutable infrastructure is done via creating a new image with a new version of the OS and pushing it to your nodes with the upgrade strategy of your choice — blue/green deployment becomes easy as those are “atomic” — and there are no small packages and drift all over to handle and maintain. Having an immutable OS doesn’t necessarily mean having a management plane — when it’s about edge scale in a cloud native world, we want to manage our nodes inside Kubernetes, and we should instead be free to treat the node as we do for apps — just simple containers that we publish and roll upgrades to with our defined strategy. That would be a powerful combination, allowing us to leverage the container ecosystem tooling to address real-world problems such as automated security scanning, using pipelines to selectively upgrade nodes, in tandem with fully managed nodes using Kubernetes.

Immutability: One Distribution at a Time

This is where Kairos comes in. Kairos is a new open source project designed to tackle the need for immutability and atomic upgrades. In that sense it’s like Talos, FlatCar and K3OS, which we discussed above. But there are very important differences: Kairos is distribution-agnostic, Open Container Initiative (OCI)- based and cloud-init first. Let’s take a look at what this means Distribution agnostic: Unlike, say, K3OS, Kairos is not a Linux distribution. It’s a meta-Linux distribution, which means it enables you to spin up an immutable Kubernetes cluster with the Linux distro of your choice. Kairos is distribution-agnostic by design and supports converting existing distributions from container images to “Kairos-based” distributions. Those automatically inherit features such as A/B atomic upgrades, immutability, live layering and all the Kairos featureset. Importantly, the kernel and initramfs are static and shipped with the image, which really means atomic upgrades for the entire full stack of the system. At the time of writing this article, Kairos is at 1.3 and supports openSUSE-, Alpine- and Ubuntu-based distributions, which can be directly downloaded from the released assets and will be used in the examples below. OCI-based: OCI-based means Kairos uses container images. The OS itself is just a single image container that runs natively on the host without any container engine, and it’s overlayed in the booting system with overlayFS. Upgrades are handled atomically with an A/B schema and automatic fallback. Because Kairos is just an OCI image, you can find the container image in the quay repositories, which can be used to burn ISOs to USB sticks or other media. ISOs are available as well as part of the releases, so we don’t have to worry about that and we can pick the distribution we like among the published assets. Cloud-init first: The only configuration mechanism for Kairos is performed via cloud-init. As a single source of truth, it is used to configure one or all your nodes in the cluster. This is to enhance user maintenance and configuration at scale, reducing the impact of complex configuration infrastructure required to manage nodes. Management is optionally handed over to specific Kubernetes components that manage the life cycle of the nodes after bootstrap.

Hands-On with Kairos

Let’s have a closer look at Kairos, and use it to deploy a K3s cluster with MetalLB. In the example below I’m going to use a bare metal host to provision a Kairos node in my local network with K3s and deploy Kubedoom, but similarly you can provision nodes with a VM by following the official quickstart with different charts, manifests and setup.

Step 1: Download a Release and Flash It to a USB Stick

As Kairos comes with different flavors, we can pick between the base distribution of our choice and the version of K3s. Kairos publishes artifacts with K3s included in the image in a separate repository including the release artifacts. This is because it is possible to install additional extensions at runtime. But in this case we want K3s, so we just use the images with K3s inside. We are going to need a .ISO file, as we will flash it to an USB stick in case of a bare metal boot; otherwise we would just load it in the hypervisor settings. In this article we will use the openSUSE image, and we will pick the latest K3s available version. Kairos has recently added support for Ubuntu and Fedora, and other distributions are available as well, but the openSUSE flavor is well tested and available since the early releases. We are going to use now a machine to flash the image to a USB stick: 
```
wget https://github.com/kairos-io/provider-kairos/releases/download/v1.3.0/kairos-opensuse-v1.3.0-k3sv1.23.14+k3s1.iso
```
And flash it to the USB drive (in my case it was /dev/sda): 
```
dd if=kairos-opensuse-v1.3.0-k3sv1.23.14+k3s1.iso of=/dev/sda oflag=sync status=progress
```

Step 2: Install and Boot the Node

Now we can use the USB stick as a Kairos installer. If it were a VM, we could have just loaded the ISO. A Kairos node needs a configuration, and in this article we are going to install MetalLB and Kubedoom, so it will look similar to https://gist.github.com/mudler/bde499f156513bbfe2030587295adfca: 
#cloud-config

hostname: kubedoom-{{ trunc 4 .MachineID }}
users:
- name: kairos
  # Change to your pass here
  passwd: kairos
  ssh_authorized_keys:
  # Add your github user here!
  - github:mudler

k3s:
  enabled: true
  args:
  - --disable=traefik,servicelb

# Additional manifests that are applied by k3s on boot
write_files:
- path: /var/lib/rancher/k3s/server/manifests/metallb.yaml
  permissions: "0644"
  content: |
        apiVersion: v1
        kind: Namespace
        metadata:
          name: metallb-system
        ---
        apiVersion: helm.cattle.io/v1
        kind: HelmChart
        metadata:
          name: metallb
          namespace: metallb-system
        spec:
          chart: https://github.com/metallb/metallb/releases/download/metallb-chart-0.13.7/metallb-0.13.7.tgz
- path: /var/lib/rancher/k3s/server/manifests/kubedoom.yaml
  permissions: "0644"
  content: |
        apiVersion: v1
        kind: Namespace
        metadata:
          name: kubedoom
        ---
        apiVersion: helm.cattle.io/v1
        kind: HelmChart
        metadata:
          name: kubedoom
          namespace: kubedoom
        spec:
          chart: https://github.com/spectrocloud-labs/kubedoom-chart/releases/download/kubedoom-helmchart-0.0.1/kubedoom-helmchart-0.0.1.tgz
          set:
            kubedoom_namespace: "kube-system"
- path: /var/lib/rancher/k3s/server/manifests/addresspool.yaml
  permissions: "0644"
  content: |
        apiVersion: metallb.io/v1beta1
        kind: IPAddressPool
        metadata:
          name: default
          namespace: metallb-system
        spec:
          addresses:
          - 192.168.1.10-192.168.1.20
        ---
        apiVersion: metallb.io/v1beta1
        kind: L2Advertisement
        metadata:
          name: default
          namespace: metallb-system
        spec:
          ipAddressPools:
          - default
Note:
  • We disable Traefik and the default load balancer that comes with K3s to use MetalLB instead. An IPAddressPool is configured to use the IPs, and an L2Advertisement is associated with it.
  • Be sure to replace 192.168.1.10-192.168.1.20in the IPAddressPool with the available IP range in your network. The service will automatically take one of the IPs in the range, and we will use that to connect to Kubedoom afterward.
  • Replace also the GitHub username (`github:mudler`) with yours to automatically login via SSH using your keys (this works only if you have uploaded your SSH public keys to GitHub). If you don’t have any, we have also set `kairos/kairos` as username and password so you can also log in with a password prompt.
  • If running in a VM, the network interface needs to be bridged to your local network in order to correctly connect to Kubedoom.
  •  Check out the documentation for more information on the available fields in the configuration file if you need to add any other setting or additional user logic.
Let’s start the ISO now and select manual mode from the console. As we are running over LAN, we will SSH to the node and run the installation manually. However, by default Kairos will boot up and display a QR code that can be used with the CLI to drive the installation process without having to SSH remotely. Check out the official quickstart if you want to use the QR code instead. Once the node is up, we can SSH to it with the `kairos` user and we can login with the `kairos` password. Let’s become root user and run the installation: 
```
scp config.yaml kairos@<IP>:./
ssh kairos@<IP>
sudo kairos-agent manual-install --reboot --device auto config.yaml
```

Step 3: Log in and Check if You Can Run Your Workload

After the installation has ended, the node will reboot. The first boot might take some time to spin off the cluster, but eventually we should be able to login via SSH with kairos/kairos and via the console as well: 
```
ssh kairos@<IP>
```
Note that the user configuration might take a few moments after the node is fully booted to be effective. We can now check that K3s is running and the node is ready to serve a workload: 
```
sudo systemctl status k3s
sudo k3s kubectl get nodes -A
```
And we can also check that the service is running and that it was assigned an IP with MetalLB: 
```
testcluster-3646:~ # kubectl get svc -o wide -n kubedoom
NAME                               	TYPE       	CLUSTER-IP  	EXTERNAL-IP	PORT(S)      	AGE   SELECTOR
kubedoom-kubedoom-helmchart-kubedoom   ClusterIP  	10.43.152.192   <none>     	5900/TCP     	68m   app=kubedoom
kubedoom-kubedoom-helmchart-novnc  	LoadBalancer   10.43.46.202	192.168.1.10   6080:30966/TCP   68m   app=novnc
```
In my case, the IP taken from the range was 192.168.1.10, and I can access the NoVNC web UI now from http://192.168.1.10:6080/vnc.html. You will be displayed to the noVNC dashboard, which will ask for a password to connect over the Kubedoom instance ( the default one is “idbehold”), and voilá, our Doom game is available right in our browser: Cheat codes for Kubedoom and instructions are available here. 🙂 To upgrade the node and manage it after installation, we can either do that manually or with Kubernetes. All the details are in the Kairos docs.

Conclusion: What We Need for Life at the Edge

From the easy abstraction of the cloud, we are transitioning to the tangible hard reality of bare metal at the edge. No one can pretend to know what every edge scenario demands, so an ideal OS needs to be flexible enough to take into account any customization to the stack and make changes and upgrades easy, with the same confidence we have when deploying applications to Kubernetes. This is crucial, as it helps scaling out with the same framework among various use cases that can arise while provisioning nodes to the edge. When it comes to what OS to install on a cluster, we have to take into account how the nodes will upgrade, what are the fallback systems in place and whether we can handle the automation in a familiar fashion. In the cloud native era that means managing Kubernetes in Kubernetes! This is why immutable OSes are getting really popular — they are a perfect fit for running Kubernetes workloads, as they are static OSes that run and upgrade (usually) atomically. In this article we’ve analyzed the aspects that make immutability important for adopters, especially for the compelling properties that immutable infrastructures can bring at the edge. Kairos’s cloud-centric, container-based approach brings version control of the OS at the edge with single, atomic upgrades that can be rolled over to the cluster nodes similarly to application upgrades with the Linux distribution of your choice. As Aerosmith sang, Tell me what you think about your situation Complication, aggravation Is getting to you, yeah With a tool like Kairos, our goal is to make livin’ on the edge less complicated, less aggravating, with the power of immutability. You can find out more about Kairos and get started at kairos.io. We welcome any feedback and contributions 🤗!
TRENDING STORIES
Group Created with Sketch.
Ettore di Giacinto is head of open source at Spectro Cloud. He's spent more than 15 years as a developer focused on contributing to and maintaining open source projects, including Gentoo Linux. Most recently Ettore was staff software engineer at...
Read more from Ettore di Giacinto
SHARE THIS STORY
TRENDING STORIES
TNS owner Insight Partners is an investor in: Pragma.
TRENDING STORIES
TNS DAILY NEWSLETTER Receive a free roundup of the most recent TNS articles in your inbox each day.