Right, sure. That’s actually a fun little project that we started at the beginning of this year, actually. So the idea is that I was getting fed up with maintaining all of these little Raspberry Pis. Many of us probably have a little Raspberry Pi at home, doing one thing or another in our home network, or a device that is comparable… A little Intel NUC computer, or an Atom-based little embedded device, anything like that. But the Raspberry Pi certainly is the most prevalent of these devices, so I figured it would make sense to just target the Raspberry Pi for now.
The observation was that if I write most of my programs in Go nowadays, why do I even need to maintain this entire Linux ecosystem on each and every one of my Raspberry Pis? At the point when I started the project I had three of them running. I looked at them, and I logged in, and because of the custom image that I used on them, I saw that the last build timestamp for that image was in 2013… So at the point when I logged in, I saw that it had an uptime of four years without me changing the base system, and it had — of course, security vulnerabilities accumulated over these four years, and that is a horrible state to be in and I really don’t wanna have that on my home network.
[00:24:16.24] I wanna have all of my devices up to date, ideally with an auto-update. Ideally, it goes so far that I have gifted devices to friends of mine and bought a new device where the only difference in operation was that the device auto-updated.
An example of that is the Turris Omnia OpenWRT router, which I would recommend, because it is to the best of my knowledge the only OpenWRT-based Linux router that auto-updates. That just comes from working full-time.
When I was a student, I could of course still spend quite a lot of time administering all of these servers; I was running Debian testing on many of my machines and virtual machines and all of the little devices, and I would auto-update them sort of regularly… But at some point your priorities change and you just can’t do that anymore. So I figured I would go at it from the other direction and be very strict about it.
So I wanna have devices that auto-update, and I wanna have devices that don’t expose a lot of attack surface, both on the network itself and on the internet, of course. And I figured one way to do that would be to look into whether we could actually run a Linux kernel, and ideally, directly execute Go programs without any of the regular Linux distribution in the middle. Gokrazy is an implementation of this.
What gokrazy does is you give it a Go package that you have, be it like a little “Hello, world” program, or distinct bigger programs like the Prometheus Node Exporter if you wanna monitor your Raspberry Pi in Prometheus. You give a Go package to the gokrazy packer program, and what it does is it packs an SD card image with the Linux kernel and the Raspberry Pi firmware, and a minimal init system that comes with the gokrazy project, and then just the Go packages that you provide it.
These four parts are all that you really have in the image, and then you just copy that image onto an SD card and you boot your Raspberry Pi from it, and there are no other moving parts, there’s no Linux distribution; it’s not based on Debian or based on Fedora or anything like that. It has just directly the kernel and the firmware.
Another important part of this project is that all of these parts are auto-updated. For the kernel and for the firmware we have a cron job running on Travis, which every day goes and checks the upstream repositories for newer versions of what we have packaged. If there is, for example, a new kernel release – and I learned that the kernel actually gets quite a few releases; I never paid attention to it, but they do like a little point release… But anyway, so we have this little cron job which looks at what is the latest kernel version, and if the latest kernel version doesn’t match what we have in our repositories, it goes on and downloads it and then builds it on Travis.
Then we have three pieces of automation which I’m not gonna cover in detail – you can just look at an existing presentation about gokrazy if you’re interested – which sort of do this entire dance of “How about I take a pull request, I build a kernel, I amend a kernel into the pull request, I automatically test that new resulting image on an actual Raspberry Pi, and if it boots, I’m just gonna merge it.” Frequently, when I wake up, in my inbox I’m gonna have this little GitHub e-mail thread where it tells me there is a new version of the Linux kernel, “Oh, and by the way, I tested it and it boots. Oh, and also I merged it. And oh, I also deployed it onto all of your Raspberry Pis.” [laughter]
That’s the ideal state for me. I wake up, I realize that there was a new Linux kernel release, because I’m already running it. Later on I read about it in the news and read the changelog.