
Achieving Performant Single-Tenant Cloud Isolation with IBM Cloud Bare Metal Servers, Ubuntu Core, Snaps, and AMD Pensando Elba Data Processing Unit

22 April 2024 at 16:52

Discover how IBM Cloud's bare metal servers offer highly confined and high-performing single-tenant cloud isolation through the use of Ubuntu Core and Snaps, supported by the AMD Pensando Elba DPU (Data Processing Unit). This setup enables the creation of secure and efficient environments for each tenant, and its design ensures the total separation of tenant servers from the cloud underlay. The architecture delivers consistent performance and enables non-intrusive control by the cloud provider. Learn how this solution can benefit your business and enhance your cloud infrastructure.

Introduction

Public cloud bare-metal servers offer dedicated physical resources, but can present isolation and performance challenges. Isolation requirements involve maintaining full control of compute capabilities by the tenant, while preserving the backend management of its infrastructure by the cloud provider and preventing unauthorised access. Performance requirements entail providing consistent performance even under heavy workloads. Cloud providers face challenges in ensuring physical and logical isolation, resource allocation, monitoring, management, scalability, and security. To address these complex requirements, providers must invest in advanced technologies and implement best practices for resource allocation, monitoring, and management. They also need to regularly review and update infrastructure to meet tenant needs.

In the following discussion, we will explore how IBM Cloud is addressing these challenges by harnessing the distinctive capabilities of Ubuntu Core and Snaps deployed on the AMD Pensando Elba infrastructure accelerators.

IBM Cloud Bare Metal Servers for VPC

IBM has always been dedicated to keeping clients' essential data secure through a strong focus on resilience, performance, and compliance. IBM Cloud carries that focus into highly regulated industries such as finance and insurance. Given IBM Cloud's long-standing commitment to data security, it is unsurprising, and essential, that Bare Metal Servers for VPC (VPC BM) implement the most rigorous security guarantees to meet customers' expectations.

Bare metal servers, which are physical servers dedicated to a single tenant, offer benefits such as high performance and customizability, but managing them in a multi-tenant environment can be complex. A key requirement is ensuring isolation between the tenant and the cloud backend, both to maintain security and to prevent performance issues caused by noisy neighbours.

VPC BM allows customers to select a preset server profile that best matches their workloads, which helps accelerate the deployment of compute resources. Customers get maximum performance with no oversubscription, with servers deployed in 10 minutes.

VPC BM servers are powered by the latest technology. They are built for cloud enterprise applications, including VMware and SAP, and can also support HPC and IoT workloads. They come with enhanced high-performance networking at 100 Gbps as well as advanced security features.

A network orchestration layer handles the networking for all bare metal servers within an IBM Cloud VPC across regions and zones. This allows multiple virtual private clouds to be created and managed in multi-zone regions, and it also improves security, reduces latency, and increases availability.

“I selected IBM Cloud VPC because of 5 points that I thought and was proven correct based on my experience using the service. First is security. Secondly is agility. The third is isolation. Fourth is the high performance. Fifth, and last, is the scalability.”

Ivo Draginov, CEO, BatchService

AMD Pensando DSC2-200 “Elba”

In use with some of the largest cloud providers and hyperscalers on the planet, the AMD Pensando DSC2-200 has proven itself as the platform of choice for cloud providers seeking to optimise performance, increase scale and introduce new infrastructure services at the speed of software. The DSC2-200 is a full-height, half-length PCIe card powered by the AMD Pensando 2nd generation DPU, "Elba". The DSC2-200 is the ideal platform for cloud providers to implement multi-tenant SDN, stateful security, storage, encryption and telemetry at line rate. The platform's scalable architecture allows cloud providers to offer multiple services on the same DPU card.

Developers can create customised data plane services that target 400G throughput, microsecond-level latencies, and scale to tens of millions of flows. The heart of the AMD Pensando platform is a fully programmable P4 data processing unit (DPU). High-level programming languages (P4, C) enable rapid development and deployment of new features and services.

The innovative design of the AMD Pensando DPU provides a secure air gap between tenants' compute instances and the cloud infrastructure, as well as secure isolation between tenants. This separation enables cloud operators to manage their infrastructure functions efficiently and independently of their tenants' workloads, while freeing the host's valuable compute resources from infrastructure tasks and dedicating them fully to revenue-generating business applications. The exceptional throughput and performance of the Elba DSC2-200, along with its strong alignment with IBM's security expectations, made it a top choice for inclusion in IBM Cloud's bare metal servers for VPC. This combination of features enables IBM Cloud to provide highly secure and powerful environments for its customers.

Achieving IBM Cloud’s target outcomes with Ubuntu Core and Snaps

The first goal was to implement a secure and reliable operating system that IBM Cloud development teams could use to launch their management interface and functionality on the AMD Pensando DPU cards. Initially IBM Cloud selected Ubuntu Server as the operating system. They were familiar with it and could easily develop on top of it using the familiar Linux toolset and API.

To develop software running on the AMD Pensando DPU cards, the development kit provides a complete container-based development environment covering data plane, management plane, and control plane functions. To work correctly, these containers must be given direct access to the card's hardware components, but with fine-grained isolation. Traditional container runtimes such as Docker, or Kubernetes on its own, cannot meet this requirement. Snap packages, however, provide that access through snapd interfaces: each hardware or system capability a snap needs is declared as a plug, and the confined snap is only granted that access once the plug is connected to the matching slot.

Using Snap packages, IBM Cloud developers were able to implement all the functionality they needed in record time. This positive experience turned their attention to Ubuntu Core, the version of Ubuntu specifically designed for embedded systems such as the AMD Pensando DPU cards. It is made up entirely of Snap packages, creating a confined, immutable and transactional system. Communication among snaps, and between snaps and the operating system, is locked down: it is mediated by snapd interfaces and denied unless explicitly connected. In addition, Ubuntu Core provides full disk encryption and secure boot, meeting additional mandatory security compliance objectives.
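The practical consequence of the interface model described in the two paragraphs above is that what matters for a DPU management snap is not which plugs it declares but which ones are actually connected: under strict confinement a disconnected plug is denied by the AppArmor and seccomp policy snapd generates. The script below is an added example, not code from IBM Cloud, Canonical or AMD. It parses the table printed by `snap connections <snap>` and flags any connected interface that is outside an operator-defined allowlist. The snap name `dpu-mgmt`, the allowlist and the sample output are constructed for illustration; the column layout is the one `snap connections` prints.

```python
"""Audit which snapd interfaces a strictly confined snap actually has
connected, from the text printed by `snap connections <snap>`.

Added example, not IBM Cloud's, Canonical's or AMD's code.  The snap name
`dpu-mgmt`, the allowlist and the sample output below are constructed for
illustration; the column layout matches what `snap connections` prints.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample of `snap connections dpu-mgmt` output.  A Slot of "-"
# means the plug is declared by the snap but not connected, so the snap
# cannot use that interface; "manual" in Notes means an operator connected it.
SAMPLE_CONNECTIONS = """\
Interface           Plug                         Slot                 Notes
hardware-observe    dpu-mgmt:hardware-observe    :hardware-observe    manual
network             dpu-mgmt:network             :network             -
network-bind        dpu-mgmt:network-bind        :network-bind        -
network-control     dpu-mgmt:network-control     :network-control     manual
uio                 dpu-mgmt:uio                 -                    -
kernel-module-load  dpu-mgmt:kernel-module-load  :kernel-module-load  manual
"""

# Hypothetical operator policy: interfaces the DPU management snap may have
# connected in production.  Anything else that is connected is a finding.
ALLOWED_INTERFACES: FrozenSet[str] = frozenset({
    "hardware-observe", "network", "network-bind", "network-control", "uio",
})


@dataclass(frozen=True)
class Connection:
    interface: str
    plug: str
    slot: Optional[str]  # None when the plug is not connected to any slot
    notes: str


def parse_connections(text: str) -> List[Connection]:
    """Parse the whitespace-separated table printed by `snap connections`."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].split()[:4] != ["Interface", "Plug", "Slot", "Notes"]:
        raise ValueError("input does not look like `snap connections` output")
    rows: List[Connection] = []
    for ln in lines[1:]:
        parts = ln.split()
        if len(parts) != 4:
            raise ValueError(f"unexpected row: {ln!r}")
        interface, plug, slot, notes = parts
        rows.append(Connection(interface, plug, None if slot == "-" else slot, notes))
    return rows


def audit(rows: List[Connection], allowed: FrozenSet[str]) -> Dict[str, List[str]]:
    """Classify each plug as connected-and-allowed, connected-but-not-allowed,
    or declared-but-disconnected (harmless: the snap cannot use it)."""
    report: Dict[str, List[str]] = {
        "connected_ok": [], "connected_not_allowed": [], "declared_disconnected": [],
    }
    for c in rows:
        if c.slot is None:
            report["declared_disconnected"].append(c.interface)
        elif c.interface in allowed:
            report["connected_ok"].append(c.interface)
        else:
            report["connected_not_allowed"].append(c.interface)
    return report


def is_compliant(report: Dict[str, List[str]]) -> bool:
    """True when nothing outside the allowlist is connected."""
    return not report["connected_not_allowed"]


if __name__ == "__main__":
    result = audit(parse_connections(SAMPLE_CONNECTIONS), ALLOWED_INTERFACES)
    for key, names in result.items():
        print(f"{key}: {', '.join(names) or '(none)'}")
    print("compliant" if is_compliant(result) else "NOT compliant")
```

On a real host you would feed the parser the output of `snap connections dpu-mgmt` instead of the embedded sample. In the constructed data the `kernel-module-load` plug is connected even though the policy does not permit it, so the audit reports the snap as not compliant; the disconnected `uio` plug is merely declared and gives the snap no access, so it is listed but not counted against it.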

IBM Cloud successfully converted their bespoke AMD Pensando system image from Ubuntu Server to Ubuntu Core and, after positive results in the pre-production tests, proceeded to deploy it in production to support Bare Metal Servers on VPC.

Conclusion

In summary, Canonical's Ubuntu Core and IBM Cloud's components, packaged as Snaps, provide a unique solution that effectively addresses the challenges IBM Cloud faced. This approach has enabled IBM Cloud to enhance its offerings and deliver improved performance, security, and tenant isolation. Development of the solution was completed in under a year, and it has been operating successfully in production since then. Ultimately, addressing these challenges gave IBM Cloud several advantages, including differentiation, cost savings, and improved efficiency.

The collaboration between IBM Cloud, Canonical, and AMD Pensando remains ongoing, with plans to expand the use of Ubuntu Core and Snaps to support other non-bare metal offerings, including Virtual Server for VPC. A key medium-term goal is to achieve FedRAMP compliance, which involves upgrading to Ubuntu Core 22 and ensuring FIPS compliance at the kernel and filesystem levels. This ongoing partnership and development aim to enhance the security, performance, and functionality of IBM Cloud’s solutions.

Canonical collaborates with NVIDIA to simplify enterprise AI deployments with NVIDIA BlueField-3 operating an optimised, Ubuntu-based Linux OS 

The NVIDIA BlueField-3 networking platform – powering the latest data processing units (DPUs) and SuperNICs, and transforming data centre performance and efficiency – runs BlueField OS, an optimised Linux operating system (OS) derived from Ubuntu. With Ubuntu’s signature maintenance and support guarantees, the comprehensive Ubuntu Pro software infrastructure stack, and bespoke optimisation, the collaboration between NVIDIA and Canonical accelerates time to value for NVIDIA BlueField-3 users and elevates security. 

What are DPUs? 

DPUs are a relatively new technology that represents the third pillar of accelerated data centre processing, alongside CPUs and GPUs. By offloading and accelerating a wide variety of complex networking, security and storage workloads to the DPU, enterprises can reduce server power consumption by up to 30% while freeing up CPU capacity for computation tasks.

NVIDIA, now shipping the third generation of its industry-leading BlueField DPU, empowers enterprises to transform data centres with a 400Gb/s infrastructure compute platform that can handle the most demanding AI workloads. 

NVIDIA BlueField OS is built on Ubuntu

DPUs require an operating system that is secure, stable and capable of supporting all of the innovative features that the new technology brings to the table – and that’s why NVIDIA BlueField-3 runs an optimised derivative of Ubuntu as its default OS. 

Ubuntu, delivered by Canonical, supports a broad range of NVIDIA BlueField-3 features, ensuring that enterprise customers can readily consume the DPU functions with optimal performance. Canonical's collaboration with NVIDIA delivers a solution that is easy to implement and offers full functionality out of the box.

Alongside time to value, Ubuntu reinforces the stability of NVIDIA BlueField-3. The optimised Ubuntu derivative powering the NVIDIA BlueField OS is based on Ubuntu Long Term Support (LTS) and goes through the same rigour of validation as an LTS release, which consequently delivers the same level of stability and performance. Ubuntu Pro embedded support is a core part of NVIDIA BlueField’s OS, thus enhancing the reliability of any NVIDIA BlueField-accelerated solution. 

NVIDIA BlueField-3 Enterprise support and security backed by Canonical

Ubuntu’s extensive security features, hardening and compliance tooling, coupled with Canonical’s enterprise-grade support, have been instrumental in making Ubuntu the first-choice OS for organisations worldwide. NVIDIA customers can be assured that these same capabilities are also extended to NVIDIA BlueField-3 deployments.

One of the key factors that sets Ubuntu's security apart from alternative operating systems is the pace at which Canonical delivers fixes for Common Vulnerabilities and Exposures (CVEs). Canonical has the fastest turnaround for CVE fixes in the industry, and this rapid patching applies to the NVIDIA BlueField OS. What's more, these updates can be applied automatically, further minimising the window of vulnerability.

Canonical also signs the entire kernel image for the NVIDIA BlueField OS. This enables secure boot in enterprise deployments: the firmware verifies the kernel's signature before loading it, so a modified or unsigned kernel is rejected at boot, and users can have complete trust in the OS.

Powering AI with Canonical infrastructure solutions and NVIDIA BlueField-3 

NVIDIA BlueField-3 DPUs are increasingly becoming a central component in enterprise AI strategies. These use cases require a comprehensive ecosystem of software for optimal performance and efficiency. Canonical’s close collaboration with NVIDIA enables BlueField-3 users to take advantage of infrastructure solutions to address most enterprise AI data centre deployments and enable end-to-end management.

Customers can utilise metal-as-a-service (MAAS) for cloud-style provisioning of their physical infrastructure, turning bare-metal servers into an elastic, cloud-like resource that they can easily provision, monitor and manage. Meanwhile, Juju provides an orchestration engine for software operators that enables the deployment, integration, and lifecycle management of applications at any scale on infrastructure compute.

On the infrastructure software side, Canonical OpenStack provides an enterprise cloud platform, and Canonical Kubernetes drives seamless, highly automated container orchestration. These infrastructure services can fully utilise the offload capabilities supported in NVIDIA BlueField DPUs. In fact, Canonical also offers MicroK8s, a lightweight Kubernetes distribution that is tailor-made for low-footprint deployments on DPUs. Similarly, MicroCloud, built on LXD, provides enterprises with everything they need to run virtualised workloads and system containers on their DPUs. All of these solutions are secured and supported for 10 years with an Ubuntu Pro subscription.

Ubuntu Pro and NVIDIA DOCA

The Ubuntu Pro stack works in tandem with NVIDIA DOCA, software at the heart of NVIDIA BlueField-3. NVIDIA DOCA is a unified software framework that provides a variety of APIs for improved NVIDIA BlueField-3 management, unlocking features around connectivity, monitoring, logging and more. Utilised alongside Ubuntu Pro, these features drive unprecedented infrastructure efficiency.
