One platform — standardized, built and operated by many.
One platform — standardized, built and operated by many.
Berlin, 2024-09-11: Turnkey solution for Cloud Computing – Sovereign Cloud Stack publishes release 7
The Sovereign Cloud Stack (SCS) provides a complete set of base technology for the realization of digital sovereignty and open source strategy. SCS offers a digitally sovereign, secure, comprehensive, standardized, and open solution for the virtualization and container layers as base for containerized applications. The software implements the certifiable SCS standards that have been prepared with the users and operators of SCS. After some years of real-world usage, there is quite some experience and knowledge available, especially around operational topics.
An important focus of the release 7 (R7) development cycle was to more closely interlink the various components of our modular software stack, aiming to make it easier for operators to use the complete SCS stack. Beyond some improvements in the installation automation, the end-to-end installation manual is worth mentioning, encompassing all significant components. One part of the integration work was the Central API project, which is meant to expose the functionality of user, virtualization, and container management behind one API and which is available as technical preview.
Without open source technologies such as Linux, Ceph, OpenStack, or Kubernetes, SCS would be unthinkable. The members of the SCS community (both OSBA employees in the SCS project team as well as contractors and users) are active members of the respective upstream communities and contribute to the technology there. SCS’ strategic direction is to avoid doing improvements exclusively in our own downstream implementation but puts focus on aligning with the upstream technology communities. This is sometimes slower, but results in a more sustainable development process. Current examples are contributions from the SCS community to the domain-manager role in OpenStack, the work on the Cluster-API-Provider for OpenStack to ensure that several control plane nodes of a Kubernetes cluster do not (accidentally) end up on the same underlying hardware node (hypervisor) or the work on comprehensive encryption of internal connections in kolla-ansible. The first two examples will be part of the next release of SCS and have not yet trickled back to R7.
SCS R7 is shipped with current OpenStack (2024.1 Caracal) which can be operated on several Linux distributions: Ubuntu 22.04 LTS continues to be supported; Ubuntu 24.04 LTS, Debian 12 and CentOS Stream 9 (and thus RHEL9) have been added. VPN-as-a-Service is now also supported and validated with the modern software-defined-networking technology OVN that we have used by default for some years now. The latest version of Ceph (Reef) and Deployment of Ceph via rook are available as Technical Previews and can evaluated already as replacement for the proven Ceph Quincy deployed with ceph-ansible.
A lot of improvements went into Cluster Stacks. They are using the current version of Cluster API (v1.8) and the current Cluster-API-Provider for OpenStack (v0.10) which finally promises a stable API. Recent versions of Kubernetes (v1.30/1.31) have been validated. Cluster Stacks can now also use any OCI registry for their resources, facilitating the usage of own versions without requiring github releases. Own Node-Images can easily be provided via your own object storage. Using infrastructure with a private TLS certificate authority for the API is now supported.
Usage of Cluster Stacks outside of SCS-conforming infrastructure is growing, e.g. on Hetzer Cloud. This strengthens the technology and is proof that the framework is as flexible as we designed it to be. On SCS infra, we have successfully enabled Kamaji (as a technical preview) as an option, where the control planes of several workload clusters can be in a shared cluster in order to reduce the overhead of creating many clusters.
The most important improvement under the hood of Cluster Stacks are the so-called multi-stage-addons. With their help, we can correctly deal with version dependencies between components, e.g. in case of cluster version upgrades. This helps to ensure a seamless availability of the cluster during upgrades. The old Kubernetes-as-a-Service v1 technology was deprecated before and will now no longer be actively maintained. Any users still using it should move to cluster stacks urgently now.
The OpenStack Health Monitor has proven really useful to monitor the virtualization layer in SCS. The code has aged though and a new implementation was created. It uses modern technology and can easily be extended with container scenario tests. Maintenance and further development has been simplified by this transition significantly.
Another significant investment in securing the technology happened with the support from specialized penetration testers. We also automated the penetration tests in a CI pipeline, so they are run regularly or to validate changes. This continuous security assessment is an important contribution to defend against growing cybersecurity threats.
Next to the work on the reference implementation, there was progress in the area of standards and certification. back in May, it was shown that SCS-compatible IaaS-v4 compliance can be achieved with moderate effort using Yaook, an implementation that is completely independent of the SCS reference implementation. New partnes have been added to the list of SCS-Clouds: AOV, SysEleven, and with Proof-of-Concept environments the KDO Service GmbH as well as Cloud&Heat Technologies GmbH. SysEleven is not using the SCS reference implementation either. Next to the automated daily SCS standards compliance checks, the new SCS Compliance Monitor (currently still in test operation) gives a more detailed view on single passed or failed tests and also prepares for transparency on future optional requirements.
SCS has been funded by the German Federal Ministry of Economics and Climate Protection (BMWK) since July 2021 and is run by the Open Source Business Alliance - Bundesverband für digitale Souveränität e.V.. A growing, international ecosystem of now over 25 companies contributes to the success of the Sovereign Cloud Stack with over 50 software developers. The SCS project provides a fully open reference implementation for a complete and production-ready cloud stack. In addition, open standards for a modern, federatable open source cloud and container platform are defined together and implemented in an open development process using proven open source components. At the same time, operational knowledge and practice is being made transparently available to minimize the difficulty of delivering high-quality and secure cloud services. Already six providers are using SCS technology productively to operate truly sovereign and GDPR-compliant public cloud offerings. Additional SCS-based cloud infrastructure (public and private clouds) is under construction. SCS also contributes to Gaia-X and provides the development platform for the Gaia-X Federation Services / Cross-Federation Service Components (GXFS/XFSC).