
Achieving Performant Single-Tenant Cloud Isolation with IBM Cloud Bare Metal Servers, Ubuntu Core, Snaps, and AMD Pensando Elba Data Processing Unit

Discover how IBM Cloud’s bare metal servers offer highly confined and high-performing single-tenant cloud isolation through the use of Ubuntu Core and Snaps, supported by the AMD Pensando Elba DPU (Data Processing Unit). This setup enables the creation of secure and efficient environments for each tenant. Its design ensures the total separation of their servers from the cloud underlay. The architecture delivers consistent performance and enables non-intrusive control from the cloud provider. Learn how this innovative solution can benefit your business and enhance your cloud infrastructure.

Introduction

Public cloud bare-metal servers offer dedicated physical resources, but can present isolation and performance challenges. Isolation requirements involve maintaining full control of compute capabilities by the tenant, while preserving the backend management of its infrastructure by the cloud provider and preventing unauthorised access. Performance requirements entail providing consistent performance even under heavy workloads. Cloud providers face challenges in ensuring physical and logical isolation, resource allocation, monitoring, management, scalability, and security. To address these complex requirements, providers must invest in advanced technologies and implement best practices for resource allocation, monitoring, and management. They also need to regularly review and update infrastructure to meet tenant needs.

In the following discussion, we will explore how IBM Cloud is addressing these challenges by harnessing the distinctive capabilities of Ubuntu Core and Snaps deployed on the AMD Pensando Elba infrastructure accelerators.

IBM Cloud Bare Metal Servers for VPC

IBM has always been dedicated to keeping clients’ essential data secure through a strong focus on resilience, performance, and compliance. IBM Cloud executes that focus within highly regulated industries such as finance and insurance organisations. Given IBM Cloud’s long-standing commitment to data security, it is unsurprising and essential that Bare Metal Servers for VPC (VPC BM) implements the most rigorous security guarantees to meet customers’ expectations.

Bare metal servers, which are physical servers dedicated to a single tenant, offer benefits such as high performance and customizability, but managing them in a multi-tenant environment can be complex. A key requirement is ensuring isolation between the tenant and the cloud backend, both to maintain security and to prevent performance issues caused by noisy neighbours.

VPC BM allows customers to select a preset server profile that best matches their workloads to help accelerate the deployment of compute resources. Customers can achieve maximum performance without oversubscription, deployed in 10 minutes.

VPC BM servers are powered by the latest technology. They are built for cloud-enterprise applications, including VMware and SAP, and can also support HPC and IoT workloads. They come with enhanced high-performance networking at 100 Gbps as well as advanced security features.

A network orchestration layer handles the networking for all bare metal servers that are within an IBM Cloud VPC across regions and zones. This allows for the management and creation of multiple virtual private clouds in multi-zone regions, and also improves security, reduces latency, and increases availability.

“I selected IBM Cloud VPC because of 5 points that I thought and was proven correct based on my experience using the service. First is security. Secondly is agility. The third is isolation. Fourth is the high performance. Fifth, and last, is the scalability.”

Ivo Draginov, CEO, BatchService

AMD Pensando DSC2-200 “Elba”

In use with some of the largest cloud providers and hyperscalers on the planet, the AMD Pensando DSC2-200 has proven itself as the platform of choice for cloud providers seeking to optimise performance, increase scale and introduce new infrastructure services at the speed of software. The DSC2-200 is a full-height, half-length PCIe card powered by the AMD Pensando 2nd generation DPU “Elba”. The DSC2-200 is the ideal platform for cloud providers to implement multi-tenant SDN, stateful security, storage, encryption and telemetry at line rate. The platform’s scale architecture allows cloud providers to offer multiple services on the same DPU card.

Developers can create customised data plane services that target 400G throughput, microsecond-level latencies, and scale to tens of millions of flows. The heart of the AMD Pensando platform is a fully programmable P4 data processing unit (DPU). High-level programming languages (P4, C) enable rapid development and deployment of new features and services.

The innovative design of the AMD Pensando DPU provides a secure air gap between tenants’ compute instances and the cloud infrastructure, as well as secure isolation between tenants. This separation enables cloud operators to manage their infrastructure functions efficiently and independently of their tenants’ workloads, while freeing up valuable compute resources from infrastructure tasks and fully dedicating them to revenue-generating business applications.

The exceptional throughput and performance of the Elba DSC2-200, along with its strong alignment with IBM’s security expectations, made it a top choice for inclusion in IBM Cloud’s bare metal servers for VPC. This combination of features enables IBM Cloud to provide highly secure and powerful environments for its customers.

Achieving IBM Cloud’s target outcomes with Ubuntu Core and Snaps

The first goal was to implement a secure and reliable operating system that IBM Cloud development teams could use to launch their management interface and functionality on the AMD Pensando DPU cards. Initially IBM Cloud selected Ubuntu Server as the operating system. They were familiar with it and could easily develop on top of it using the familiar Linux toolset and API.

To develop software running on the AMD Pensando DPU cards, the development kit provides a complete container-based development environment. It allows for the development of data plane, management plane, and control plane functions. To perform correctly, these containers must be allowed direct communication with the card hardware components with fine-grained isolation. Traditional container runtimes such as Docker and Kubernetes alone cannot meet the unique requirements of this solution. Fortunately, Snap packages provide this access through secure and controlled interfaces to the operating system.

Using Snap packages, IBM Cloud developers were able to implement all the functionalities they needed in record time. This positive experience made them turn their attention to Ubuntu Core, the version of Ubuntu specifically designed for embedded systems such as AMD Pensando DPU cards. It is entirely made up of Snap packages, creating a confined, immutable and transaction-based system. Communication among containers and between containers and the operating system is locked down under full control. In addition, Ubuntu Core provides full disk encryption and secure boot, achieving additional mandatory security compliance objectives.

IBM Cloud successfully converted their bespoke AMD Pensando system image from Ubuntu Server to Ubuntu Core and, after positive results in the pre-production tests, proceeded to deploy it in production to support Bare Metal Servers on VPC.

Conclusion

In summary, Canonical’s Ubuntu Core and IBM Cloud’s components, when packaged as Snaps, provide a unique solution that effectively addresses the challenges faced by the company. This innovative approach has enabled IBM Cloud to enhance its offerings and deliver improved performance, security, and tenant isolation. The development of the solution was completed in under a year, and it has been successfully operating in production since then. The implementation has been a resounding success. Ultimately, addressing these challenges provided IBM Cloud with several advantages, including differentiation, cost savings, and improved efficiency.

The collaboration between IBM Cloud, Canonical, and AMD Pensando remains ongoing, with plans to expand the use of Ubuntu Core and Snaps to support other non-bare metal offerings, including Virtual Server for VPC. A key medium-term goal is to achieve FedRAMP compliance, which involves upgrading to Ubuntu Core 22 and ensuring FIPS compliance at the kernel and filesystem levels. This ongoing partnership and development aim to enhance the security, performance, and functionality of IBM Cloud’s solutions.

IBM LinuxONE 4 Express and Ubuntu Server drive data centre performance and economics

Canonical is pleased to announce that Ubuntu Server is optimised and fully supported on IBM LinuxONE 4 Express – the newest addition to IBM’s world-leading LinuxONE server family.

The previous model in the Express series, IBM LinuxONE III Express, was immensely popular, and brought the power of LinuxONE to a wider audience than ever. IBM LinuxONE 4 Express builds on this success by taking advantage of the latest LinuxONE 4 technology to drive new levels of efficiency and sustainability. Users can gain even more value from the new IBM hardware by pairing it with Ubuntu Server, benefiting from bespoke optimisation and comprehensive and cost-effective support. 

Next-generation IBM server

With the shift from LinuxONE III to LinuxONE 4 technology, IBM LinuxONE 4 Express benefits from the same advances in security and performance that we’ve already seen in IBM LinuxONE Rockhopper 4 and IBM LinuxONE Emperor 4.

LinuxONE 4 Express (with up to 16 IFLs and 864 GB of memory)

Rebasing on the latest LinuxONE 4 offering means that the new upgraded peripherals are available, including OSA Express 7S, FICON Express 32S and RoCE Express 3, as well as new options like secure boot and Secure Execution for Linux, and the IBM Telum chip for AI acceleration. What’s more, IBM’s hardware maintenance, IBM Technology Lifecycle Services (TLS), has been simplified to 8% of the hardware price (Y1 under warranty) for all geographies.

LinuxONE 4 Express remains focused on the core principles that have made the Express server line so successful, with new advances in:

  • Simplicity: Due to evolved management options (like DPM), preconfigured design and modern Linux capabilities, LinuxONE 4 Express is now even easier to deploy and operate.
  • Price: The even lower entry-level LinuxONE 4 Express price makes LinuxONE more accessible than ever to a new and growing market.
  • Route: IBM has added new purchasing options to address clients via Business Partner Agreements (BPAs) and independent software vendors (ISVs).
  • Flexibility: With more and differently sized hardware options available, customers can choose the perfect fit for their data centre and plan for growth. It’s even possible to scale within a single rack…

A preconfigured LinuxONE 4 Express system is a rack-mounted entry-model that comes with up to 16 IFLs – but can be upgraded (via MES) to any of the available LinuxONE 4 sizes. The frame can accommodate the rack-mounted and mid-size LinuxONE Rockhopper 4, with up to 68 IFLs (Max68), and eventually up to a full-blown, multi-frame LinuxONE Emperor 4 system with up to 200 IFLs (Max200).

Last but not least, LinuxONE 4 is the perfect option to elevate your sustainability strategy, as it offers significant performance improvements without increasing energy consumption. In fact, IBM LinuxONE Emperor 4 won the Sustainable Product Award at the SEAL 2022 Business Sustainability Awards.

Make the most of LinuxONE 4 Express with Ubuntu

We’ve seen that LinuxONE 4 Express brings a host of new capabilities to the table, but to take full advantage of these features you need an operating system that supports them – and this is where Ubuntu Server comes in.

Building on the long-standing partnership between IBM and Canonical, Ubuntu Server 22.04 LTS, and the upcoming 24.04 LTS, were designed in parallel with IBM’s server technology to support the complete range of LinuxONE 4 features. Out-of-the-box support enables Ubuntu users to unlock the full potential of IBM LinuxONE 4 Express from day one, and maximise resource utilisation for a highly efficient system.

Complementing the flexibility of IBM LinuxONE 4 Express, Ubuntu Server can be deployed in LPAR, as an IBM z/VM guest, as a KVM virtual machine, and in different container environments such as LXD, Docker or Kubernetes.

Cost-effective, full-stack support

Ubuntu Server adds further cost savings to the LinuxONE Express offering thanks to Canonical’s distinctive pricing model for enterprise support. Canonical’s support subscription, Ubuntu Pro, is available either per IFL (as with most vendors) or per drawer. A LinuxONE 4 Express system and a LinuxONE Rockhopper 4 each count as only a single drawer, regardless of the number of active IFLs. This means that you can run up to 68 IFLs on a LinuxONE Rockhopper 4 in a supported way for the cost of just one drawer subscription.


Going beyond price, what further sets Ubuntu Pro apart from the support subscriptions of other vendors is that it not only covers the operating system itself, but also:

  • The full infrastructure stack, including KVM, OpenStack, MicroK8s, LXD, MAAS and more
  • Livepatch service for s390x, enabling you to patch kernel vulnerabilities without system downtime
  • An ever-growing open source application landscape, including but not limited to:

Ubuntu Server and IBM LinuxONE 4 Express

The competitive price-point of the LinuxONE Express series has always made it a compelling option. When you pair that value with the uniquely cost-effective support of Ubuntu Pro, alongside full LinuxONE 4 feature enablement and full-stack infrastructure coverage, it’s easy to see why Ubuntu Server and IBM LinuxONE 4 Express are the perfect match.

To learn more about IBM LinuxONE 4, visit: ibm.com/products/linuxone-4

Ubuntu Server 22.04 LTS is available now. Download it here.
