
Towards a functional continuum operating system

Periodic Reporting for period 1 - ICOS (Towards a functional continuum operating system)

Reporting period: 2022-09-01 to 2024-02-29

The ICOS project will design, develop and validate a meta operating system for the continuum built upon the principles of openness, adaptability, data sharing and a future Edge market scenario, addressing the challenges of: i) device volatility and heterogeneity; ii) continuum infrastructure virtualisation and diverse network connectivity; iii) optimised and scalable service execution and performance, as well as resource consumption, including power consumption; iv) guaranteed trust, security and privacy; and v) reduction of integration costs and effective mitigation of Cloud provider lock-in effects.

The key objectives of the project are:
O1: Design of an intelligent meta OS for the continuum
O2: Facilitating an on-demand ad-hoc and AI-assisted development of the continuum infrastructure
O3: Enforce trustworthy yet open operation
O4: Demonstrate the project outcomes in key relevant scenarios
O5: Building an open innovation environment and fostering the creation of new applications in the continuum as well as the science and engineering community

O1: Most components of ICOS have been implemented, resulting in a preliminary but fully operative ICOS system that leverages most of the expected baseline technologies, although some components have been created with basic functionality only. Specifically, the meta-kernel layer is able to onboard and manage a variety of heterogeneous nodes and IoT devices, and to accommodate multi-component services running on different platforms. The intelligence framework has also been built and is ready for the intelligence-related components to be plugged in, although these are still in a training stage (there is no real data yet for effective and accurate training). The security layer is in the process of deploying the catalogue of security mechanisms.

O2: The framework for AI has been designed and implemented; it will host the corresponding AI components and will be fed with data collected from the telemetry and monitoring components. Some AI components are being developed and will be integrated into the framework during the second project iteration.
With respect to the runtime strategy for workload partitioning, the current implementation provides a basic static layout.

O3: Authentication is provided using an Identity and Access Manager (Keycloak). The IAM is integrated with the ICOS shell and enables the authentication of users accessing ICOS. The authorisation of users and the authorisation of requests within the ICOS system using the IAM are currently work in progress and are planned to be ready for ICOS IT-2. In addition, mechanisms for the security of the infrastructure (cloud, edge) hosting ICOS nodes were implemented (Wazuh). These mechanisms scan for security issues, detect them and propagate them to the meta-kernel layer.
Requirements have been defined for the audit mechanism, which will be responsible for executing the light-audit checks on ICOS nodes at the edge. Some suitable technologies (e.g. Tetragon) were identified and tested, in combination with the testing of technologies for security policy compliance (e.g. Cilium).
The existing endpoint detection mechanisms are further complemented by already implemented mechanisms for the detection of anomalous behaviour on ICOS nodes using AI (NLP) driven log analysis (LOMOS). While the anomaly detection mechanisms are already operational at this point, they will become fully exploitable in the next ICOS releases. Finally, other mechanisms were implemented to provide trust. The communication between ICOS components in the ICOS controller (intra-cluster) is secured using Kubernetes-based Cilium, which encrypts traffic at the network level. The inter-cluster communication (between ICOS controllers and ICOS agents) is also encrypted, using WireGuard as the VPN protocol. Data from use case applications deployed on ICOS is encrypted using Zenoh over mTLS. Additionally, data privacy is provided by anonymisation of data at the edge through data management and Intelligence layer functionalities.
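The request-authorisation step described above (a component accepting an IAM-issued token and deciding whether the caller may perform an operation) can be shown concretely. The following is an added example, not code from the ICOS project or from Keycloak; it assumes a Keycloak-style access token whose realm roles are carried in the `realm_access.roles` claim, and it signs and verifies the token with HS256 and a constructed shared secret so that it runs offline (a real Keycloak realm signs with RS256, and a verifier would check against the realm's published public keys instead). The issuer URL, client id and role names are placeholders.

```python
"""Role-based request authorisation with an IAM-issued token (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example; not real ICOS identifiers.
SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://iam.example.invalid/realms/icos"   # placeholder issuer
AUDIENCE = "icos-shell"                                # placeholder client id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issuer side: mint an HS256-signed JWT carrying the given claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"),
                         hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


class TokenError(Exception):
    """Raised when a token must be rejected; the message says why."""


def verify_token(token: str, secret: bytes = SECRET, issuer: str = ISSUER,
                 audience: str = AUDIENCE, now: Optional[float] = None) -> dict:
    """Verifier side: check algorithm, signature, issuer, audience and expiry."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def authorize(token: str, required_role: str, now: Optional[float] = None) -> bool:
    """Authorise one request: the token must verify AND carry the needed realm role."""
    try:
        claims = verify_token(token, now=now)
    except TokenError:
        return False
    roles = claims.get("realm_access", {}).get("roles", [])
    return required_role in roles


def demo_tokens(now: float = 1_700_000_000.0) -> dict:
    """Constructed tokens covering the main rejection cases (not real credentials)."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1",
            "exp": now + 300, "realm_access": {"roles": ["icos-operator"]}}
    good = make_token(base)
    no_role = make_token({**base, "realm_access": {"roles": ["viewer"]}})
    expired = make_token({**base, "exp": now - 1})
    wrong_aud = make_token({**base, "aud": "other-client"})
    # Tampered: replace the payload but keep the original signature.
    head, _, sig = good.split(".")
    forged = _b64url_encode(json.dumps({**base, "sub": "forged-user"}).encode())
    tampered = f"{head}.{forged}.{sig}"
    return {"good": good, "no_role": no_role, "expired": expired,
            "wrong_aud": wrong_aud, "tampered": tampered}


if __name__ == "__main__":
    fixed_now = 1_700_000_000.0
    for name, tok in demo_tokens(fixed_now).items():
        print(f"{name:10s} deploy allowed: {authorize(tok, 'icos-operator', fixed_now)}")
```

Only the `good` token is accepted; the others fail on role, expiry, audience or signature respectively. The `now` parameter is threaded through so the checks are deterministic; a deployed verifier would use the wall clock and, for Keycloak, validate RS256 signatures against the realm's JWKS rather than a shared secret.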

O4: A basic ICOS system has been successfully deployed on each of the four use case scenarios, although only with basic functionality, i.e. node onboarding and basic service deployment. With respect to the open calls programme, technical information has been prepared to provide detailed installation guidelines for the selected partners.
In contrast to centrally managed clouds, ICOS addresses the management of heterogeneous and distributed systems in the continuum, including IoT devices, edge devices and cloud infrastructures. This management is significantly more complex. Furthermore, distributed data management introduces an additional layer of complexity, requiring the classification of data infrastructures, the collection of vast and diverse data volumes, the provision of transparent data access methods, the optimisation of the internal data flow and the effective preservation of data collections. ICOS provides a transparent and AI-powered operational system that leverages heterogeneous infrastructure in the continuum, alleviating vendor lock-in. The addition of new devices and technology further complicates the issue, as evidenced by the efforts to utilise the work within the open cluster management upstream project. ICOS maintains the same level of technology-agnosticism at the edge as we currently have in the cloud, supporting a range of disparate cluster and resource orchestrators, including Kubernetes, Docker, Nuvla, and others.

On the other hand, the continuum must be managed efficiently to optimally meet the application demands during service execution. This includes identifying the optimal set of nodes to execute the application, locating computation closer to where data is produced, cleaning, formatting and pre-processing data to optimise execution for both real-time processing and non-real-time data analytics, as well as monitoring the service execution to detect potential failures and applying the appropriate fault tolerance mechanisms. Furthermore, monitoring the continuum enables the detection of new resources that could improve performance, which in turn allows for the implementation of the corresponding migration mechanisms. Additionally, an AI-powered system like ICOS implements not only reactive optimisation policies but also sophisticated decision-making mechanisms based on system activity forecasting.

Finally, it is important to note that the reliability of the continuum infrastructure cannot be guaranteed. The distributed and dynamic nature of the continuum, with numerous devices from different owners and of different provenance, makes it challenging to ensure reliability and trustworthiness. Secure mechanisms to access the distributed nodes, data privacy preservation, and open and transparent operation are fundamental to enhancing trustworthiness. ICOS is designed with trust as a fundamental principle, incorporating appropriate security mechanisms from the outset and facilitating the integration of AI-powered solutions to develop sophisticated, reliable and trustworthy applications.