Skip to content

SYSTEM Cited by 1 source

slack-zero

What it is

slack-zero is the shared golden base AMI at the foundation of Shipyard. It is built by Slack's Compute Platform Team and maintained collaboratively with Security and Monitoring teams. Every Shipyard service image inherits from slack-zero, analogous to how container teams use a shared base Docker image.

Contents

  • Operating system baseline and hardening
  • Networking and service discovery configuration
  • Monitoring and security agents
  • Common tooling and foundational system configuration

Build pipeline

slack-zero is built using AWS Image Builder (chosen over Packer) with four key capabilities:

  1. Lifecycle management: Old AMIs are automatically cleaned up using lifecycle policies, reducing storage costs.
  2. SSM Parameter publishing: Each new slack-zero image updates an SSM parameter indicating the latest available AMI per account. Service pipelines read this parameter to always build on the most current base.
  3. Event-driven automation: Successful bakes trigger EventBridge events โ†’ Lambda โ†’ downstream service pipelines automatically rebuild on the updated base.
  4. Built-in testing: Temporary instances are launched to run validation tests before the AMI is published. Every image is verified before distribution.

Lifecycle

slack-zero images are treated as immutable but ephemeral. When foundational components change (security patches, monitoring updates, networking improvements), a new slack-zero image is produced. Downstream service images rebuild on the updated base to inherit improvements.

Multi-architecture / multi-OS

slack-zero is built for multiple combinations: - Architectures: AMD64 + ARM (Graviton) - Operating systems: Ubuntu, RHEL, Amazon Linux

Shared responsibility

Team Responsibility
Compute Platform OS baseline, networking, common tooling
Security Hardening, security agents
Monitoring Observability agents, telemetry configuration
Service teams Building on top of slack-zero for their workloads

Caveats

  • No specific image-build cadence disclosed.
  • No size/boot-time benchmarks for the base image.
  • No details on which specific monitoring or security agents are included.
  • Validation test specifics not disclosed.

Seen in

Last updated ยท 585 distilled / 1,765 read