When the German government asked for feedback on its Germany Stack initiative at the end of last year, we at ALASCA FOCIS also took the opportunity to comment on it and submitted our statement under the title Strengthen digital sovereignty: Add infrastructure and operating system layer and Sovereign Cloud Stack, written by Daniel Gerber, a.
We as ALASCA-FOCIS welcome the Federal Government's offence and the attempt to define technology and standards to achieve the goal of increasing Germany's digital sovereignty. In particular, the clear focus on operational and established open source technologies should be emphasised positively.
While the current design of the stack already addresses the container layer in part, we believe that the necessary underlying infrastructure and data centre layer is missing. Infrastructure-as-a-Service layer. With the help of this layer, e.g. provided by products such as OpenStack, virtual machines, virtual networks and any distributed storage types (Ceph, Swift) are provided. In this context, necessary, established and successfully deployed open source projects such as Proxmox, OpenBAO (Hasicorp Vault Fork), OpenTofu (Terraform Fork), Grafana, Prometheus, Thanos, Helmet, Keycloak, Podman, Harbour, Ansible, Redis and RabbitMQ should be added.
A layer that builds on this and has also been missing up to now is the Operating system layer. The operating systems typically used here, such as Ubuntu, CentOS, Alpine Linux or NixOS can be included in the stack.
In addition to the provision of infrastructure, consideration should also be given to its operation. Day-2 operations and secure communication within virtual infrastructures are particularly relevant here. Kubernetes-based tools for the operation and lifecycle management of Openstack such as Yaook, Yake as an installation and lifecycle management tool for Gardener and Tarook for lifecycle management of Kubernetes clusters on bare metal or OpenStack should be included in the stack.
Change request: Addition of IaaS and operating systems to the "Infrastructure" category"
The „Infrastructure“ layer or group should therefore be expanded to include the category Infrastructure-as-a-Service and Operating systems be supplemented. The technologies mentioned above that are relevant in this context should be added.
In response to the key questions defined in the tender description regarding mechanisms for comprehensive integration and distribution as well as the decoupling of logic, data, services and infrastructure, the Sovereign Cloud Stack an excellent answer. The project, which is funded by the BMBF and is now in Release 9 published reference implementation was developed to
- enable seamless integration and optimal performance in different cloud environments
- Enable switching between different cloud providers
- to offer standardised, certified, highly available, secure cloud infrastructure at container and infrastructure-as-a-service level.
The stack is now divided into GIZ projects in demand worldwide, is used in the Thuringian administration cloud and has a second reference implementation with Yaook.
Change request: Integration of the SCS into the infrastructure layer
In general, we would like to point out and work towards ensuring that the jurisdiction of governance (Linux Foundation, Cloud Native Computing Foundation), i.e. control and coordination, is located within the European Union, especially for the selected projects. For projects for which this is not the case, care should be taken to ensure that
- whose licence terms are similar to those of Open Source Definition comply with the Open Source Initiative (OSI) and
- the corresponding expertise and infrastructure for the operation and further development of the relevant technologies, e.g. through funding, competitions and the adaptation of procurement guidelines within Germany and the EU.
Finally, when defining the D-Stack, we argue that no services should be included that call themselves „sovereign” but jeopardise the data sovereignty of the German administration. In particular, services that are subject to the Cloud Act or FISA 702, for example, should not be allowed to play a role in the D-Stack, „[e]very data sovereignty, as required by European data protection standards, is therefore not guaranteed when using US solutions.” (Recognising sovereignty washing with cloud services, ZenDiS)
We are pleased to have the opportunity to submit our comments on the German stack. An overview of the comments submitted can be found here can be regarded as a "good thing".
This measure is co-financed with tax revenue on the basis of the budget approved by the Saxon state parliament.
