Containers and isolation as implemented in the Linux kernel
1 Containers and isolation as implemented in the Linux kernel
Technical Deep Dive Session
Hannes Frederic Sowa, Senior Software Engineer
13. September 2016
2 Outline
Containers and isolation as implemented in the Linux kernel: learned from history and enhanced and innovated in Free Software.
- Overview of not so recent history from other operating systems
- Representation and control from user space
- Implementation details in the kernel
- What is to come?
3 History of operating system isolation
Plan9:
- Per-process namespaces
- Distributed computing
- Architecture specific files mapped via bind/union mounts
- User space server via the 9p protocol
- Directory vnodes had an append operation
- Not yet implemented in Linux: RPC via AF_UNIX over NFS
4 History of operating system isolation
POSIX chroot:
- Available as a syscall, thus usable in self-written applications
- Provides a new filesystem view, thus only limited isolation
FreeBSD's jails:
- Strongly integrated into the operating system
- Only a small helper library available
- No operating system control and tuning
- Limited network isolation, based on IP addresses only
Solaris Zones:
- Strongly integrated into the operating system (even the package manager)
- Tooling is dictated by Solaris tools
5 Namespace API design in Linux
- Isolation and resource management completely decoupled
- API never tightly coupled to any user space library
- Syscalls openly documented and reusable by 3rd party software
- Management available on/with already known kernel primitives
- With rather primitive tools nearly no new tools were needed
- Fine-grained control over which primitives to namespace
- Paved the path to a lot of user space frameworks (e.g. Docker)
- Opt-in model
- Easy to enhance in user space as well as in the kernel
6 Isolation vs. Resource Management
Not completely orthogonal, but still...
[Figure: Process 1 to Process 4 grouped one way into cgroup1 and cgroup2 (cgroups: resource management) and independently another way into ns1 and ns2 (namespaces: isolation)]
7 Namespaces in regular use
Even on non-servers namespaces see regular use nowadays:
$ lsns
(NS, NPROCS, PID and USER columns lost in extraction; TYPE and COMMAND columns recovered)
TYPE  COMMAND
pid   /usr/lib/systemd/systemd --user
user  /usr/lib/systemd/systemd --user
uts   /usr/lib/systemd/systemd --user
ipc   /usr/lib/systemd/systemd --user
mnt   /usr/lib/systemd/systemd --user
net   /usr/lib/systemd/systemd --user
pid   /opt/google/chrome/chrome --type=zygote
net   /opt/google/chrome/chrome --type=zygote
pid   /opt/google/chrome/nacl_helper
net   /opt/google/chrome/nacl_helper
user  /opt/google/chrome/nacl_helper
user  /opt/google/chrome/chrome --type=zygote
8 Namespace API wrap-up
- No dependencies on 3rd party libraries or tools
- No design mandated by the operating system or distributions
- Resource management independent from isolation
- Made several management tools possible (some specialized): iproute2, systemd, rkt, Docker, LXC, LXD, lmctfy, runc
- Own choice to use a complete distribution, a specialized init, or maybe just run the application directly in a namespace
- OpenVZ/Virtuozzo reusing and contributing to namespaces upstream
10 Representation and control from user space
Processes are associated with one namespace of each type:
# ls -l /proc/self/ns/
total 0
lrwxrwxrwx. 1 root root 12. Sep 22:09 cgroup -> 'cgroup:[ ]'
lrwxrwxrwx. 1 root root 12. Sep 22:09 ipc -> 'ipc:[ ]'
lrwxrwxrwx. 1 root root 12. Sep 22:09 mnt -> 'mnt:[ ]'
lrwxrwxrwx. 1 root root 12. Sep 22:09 net -> 'net:[ ]'
lrwxrwxrwx. 1 root root 12. Sep 22:09 pid -> 'pid:[ ]'
lrwxrwxrwx. 1 root root 12. Sep 22:09 user -> 'user:[ ]'
lrwxrwxrwx. 1 root root 12. Sep 22:09 uts -> 'uts:[ ]'
# unshare -n    # -n: unshare the network namespace
# ls -l /proc/self/ns/net
lrwxrwxrwx. 1 root root 12. Sep 22:10 /proc/self/ns/net -> 'net:[ ]'
#
(the inode numbers inside the brackets were lost in extraction)
11 Making namespaces persistent
Managing namespaces as a mountpoint:
# unshare -n    # -n: unshare the network namespace
# ls -l /proc/self/ns/net
lrwxrwxrwx. 1 root root 12. Sep 22:10 /proc/self/ns/net -> 'net:[ ]'
# touch /run/netns/my_namespace1
# mount -o bind /proc/self/ns/net /run/netns/my_namespace1
# ls -i /run/netns/my_namespace1 /run/netns/foo
(inode numbers lost in extraction)
# exit
# readlink /proc/self/ns/net
net:[ ]
# nsenter --net=/run/netns/my_namespace1
# readlink /proc/self/ns/net
net:[ ]
#
12 User namespaces
- User namespaces have a special role as they directly influence permission control
- Allow becoming root inside a user-created namespace
- Disassociate permissions from the parent namespace
Example:
$ id -u
<unprivileged uid; number lost in extraction>
$ unshare --user -r bash
# id -u
0
# unshare -n
# nc -l <port>    # netcat is allowed to bind to port <port> (number lost in extraction)
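The unshare --user -r step of the example above, done with the raw syscalls: an added example that is not from the talk. It calls unshare(2) through ctypes (the CLONE_NEWUSER value is assumed from <linux/sched.h>) and writes /proc/self/uid_map and gid_map itself, which is what unshare -r does for you; it runs in a forked child so the caller stays in its own namespaces, and reports "unavailable" when the kernel or sandbox refuses unprivileged user namespaces.

```python
"""Become uid 0 inside a freshly created user namespace (added example)."""
import ctypes
import ctypes.util
import os

CLONE_NEWUSER = 0x10000000  # assumed from <linux/sched.h>

# dlopen(NULL) fallback covers libcs that ldconfig-based lookup does not find
_libc = ctypes.CDLL(ctypes.util.find_library("c") or None, use_errno=True)
_libc.unshare.argtypes = [ctypes.c_int]


def enter_user_namespace_as_root():
    """unshare(CLONE_NEWUSER) in the calling process, then map the outer
    uid/gid onto 0 inside. Returns "root" on success, otherwise a string
    starting with "unavailable:" naming the refusing step."""
    outer_uid, outer_gid = os.getuid(), os.getgid()  # read before unsharing
    if _libc.unshare(CLONE_NEWUSER) != 0:
        return "unavailable: unshare failed with %s" % os.strerror(ctypes.get_errno())
    # Until a mapping exists we are the overflow uid inside the new namespace.
    # An unprivileged creator may map exactly its own outer ids, and has to
    # disable setgroups(2) first or the kernel rejects the gid_map write.
    try:
        with open("/proc/self/setgroups", "w") as f:
            f.write("deny")
        with open("/proc/self/uid_map", "w") as f:
            f.write("0 %d 1\n" % outer_uid)
        with open("/proc/self/gid_map", "w") as f:
            f.write("0 %d 1\n" % outer_gid)
    except OSError as e:
        return "unavailable: id map write failed with %s" % e.strerror
    return "root" if os.geteuid() == 0 else "unavailable: euid is %d" % os.geteuid()


def probe_in_child():
    """Run the switch in a forked child; the parent keeps its namespaces.
    Returns (result, userns_link_changed)."""
    if not os.path.exists("/proc/self/ns/user"):
        return "unavailable: no /proc/self/ns/user", False
    before = os.readlink("/proc/self/ns/user")
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: report result and the new user ns link, then exit
        os.close(r)
        try:
            result = enter_user_namespace_as_root()
            os.write(w, ("%s|%s" % (result, os.readlink("/proc/self/ns/user"))).encode())
        finally:
            os._exit(0)
    os.close(w)
    data = b""
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        data += chunk
    os.close(r)
    os.waitpid(pid, 0)
    if not data:  # child killed before reporting (e.g. seccomp SIGSYS on unshare)
        return "unavailable: child died", False
    result, after = data.decode().split("|", 1)
    return result, after != before


if __name__ == "__main__":
    print(probe_in_child())
```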
13 Easier management: netns
ip netns is a lightweight wrapper around these primitives; OpenStack already uses it to manage netns:
# ip netns add foo
# ip netns add bar
# ip link add type veth
# ip link set dev veth0 netns foo
# ip link set dev veth1 netns bar
# ip netns exec foo bash
# ip ll
1: lo: <LOOPBACK> mtu [ ] qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ip_vti0@none: <NOARP> mtu [ ] qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/ipip [ ] brd [ ]
47: veth0@if48: <BROADCAST,MULTICAST> mtu [ ] qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether ce:e5:a7:2f:d5:69 brd ff:ff:ff:ff:ff:ff link-netnsid 1
# exit
(mtu values and the ipip addresses were lost in extraction, marked [ ])
14 Representation wrap-up
- Namespaces are internally represented via normal inodes living in their own filesystem, which are globally valid
- Thus file descriptor passing works as usual
- Persisting a namespace is simply achieved by bind mounting its representative file to a stable location
- Easy atomic utilities map directly to the representative syscalls: unshare(1) -> unshare(2) or clone(2); nsenter(1) -> setns(2); mount is really just mounting
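A small lsns-style inspector built only on the /proc/<pid>/ns/* symlinks shown on slides 7, 10 and 14: an added example, not code from the talk. The link target 'net:[4026531992]' names the namespace type and the inode of its representative file, and that inode is the namespace's identity, so two processes share a namespace exactly when the inodes match. The sample process list is constructed to resemble the lsns listing on slide 7; the inode numbers in it are made up.

```python
"""Group processes by namespace inode and list those that left init's (added example)."""
import os
import re

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
_LINK_RE = re.compile(r"^([a-z]+):\[(\d+)\]$")


def parse_ns_link(target):
    """'net:[4026531992]' -> ('net', 4026531992); raise on anything else."""
    m = _LINK_RE.match(target)
    if not m:
        raise ValueError("not a namespace link: %r" % target)
    return m.group(1), int(m.group(2))


def read_ns_links(pid):
    """Live version: read the ns links of one process. Returns {} for a pid
    we may not inspect (EACCES) or that has already exited (ENOENT)."""
    result = {}
    for ns in NS_TYPES:
        try:
            kind, ino = parse_ns_link(os.readlink("/proc/%s/ns/%s" % (pid, ns)))
        except (OSError, ValueError):
            continue
        result[kind] = ino
    return result


def group_by_namespace(records):
    """records: iterable of (pid, command, {ns_type: inode}).
    Returns {(ns_type, inode): sorted pids}, the NS/TYPE/NPROCS view lsns prints."""
    groups = {}
    for pid, _cmd, links in records:
        for kind, ino in links.items():
            groups.setdefault((kind, ino), []).append(pid)
    return {k: sorted(v) for k, v in groups.items()}


def processes_outside(records, ref_pid):
    """Which processes do NOT share every namespace with ref_pid (normally pid 1)?
    Returns [(pid, command, [differing ns types])]. On a workstation this is how
    a sandboxed browser zygote shows up; on a server it is an inventory of
    containers and anything else that has unshared a namespace."""
    ref = {pid: links for pid, _c, links in records}[ref_pid]
    out = []
    for pid, cmd, links in records:
        diff = sorted(k for k in links if k in ref and links[k] != ref[k])
        if diff:
            out.append((pid, cmd, diff))
    return out


# Constructed sample: init and a user systemd share the initial namespaces; the
# browser zygote has its own pid, net and user namespaces and nacl_helper shares those.
INIT_NS = {"mnt": 4026531840, "uts": 4026531838, "ipc": 4026531839,
           "pid": 4026531836, "net": 4026531992, "user": 4026531837}
ZYGOTE_NS = dict(INIT_NS, pid=4026532450, net=4026532452, user=4026532448)
SAMPLE = [
    (1, "/usr/lib/systemd/systemd", INIT_NS),
    (900, "/usr/lib/systemd/systemd --user", INIT_NS),
    (2000, "/opt/google/chrome/chrome --type=zygote", ZYGOTE_NS),
    (2010, "/opt/google/chrome/nacl_helper", ZYGOTE_NS),
]

if __name__ == "__main__":
    for (kind, ino), pids in sorted(group_by_namespace(SAMPLE).items()):
        print("%-6s %d  nprocs=%d" % (kind, ino, len(pids)))
    for pid, cmd, diff in processes_outside(SAMPLE, 1):
        print("pid %d (%s) has its own %s namespace(s)" % (pid, cmd, ", ".join(diff)))
    print("this process:", read_ns_links("self"))
```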
16 Implementation details in the kernel
- struct nsproxy: per-process set of pointers to the namespaces the process is attached to
- struct user_namespace: establishes its own configurable UID and GID mapping
- struct uts_namespace: isolates hostname and domainname (e.g. for auth purposes)
- struct ipc_namespace: isolates (POSIX/SysV IPC) mqueue, semaphores, shared memory
- struct mnt_namespace: abstraction and isolation over the filesystem views
- struct pid_namespace: isolates the process tree and pid numbers
- struct net: controls isolation of network interfaces, routing tables, IP addresses
- struct cgroup_namespace (recent development): control group namespace, isolates resource management
17 Mount namespace
- Most important namespace, as it also provides the isolation for /proc and (partially) for sysfs, which should get remounted in a new container
- Mount namespaces basically form trees in the kernel which can partially overlap (mount subtrees)
- A process is attached to one subtree, discovered via nsproxy
18 System configuration (netns)
Configuration, routing tables, firewall etc. are all separated per network namespace. How?
- System configuration is mostly done via sysctl
- A lot of sysctls are manageable per namespace: the netns has its own sysctl state in struct net
- Incoming packets use the configuration of the network namespace of the incoming interface
- Outgoing packets can use the socket's namespace (locally generated) or the device context
20 What is coming?
- Basically the namespace concept is architecturally completely implemented
- New features added to the kernel are already designed in an orthogonal way or can correctly deal with namespaces
- Network namespaces are heavyweight, thus connecting a netns to the outside world requires a virtual router or bridge
- Alternatives exist but are architecturally a dead end:
  ipvlan: multiplexes IP addresses on one interface
  macvlan: multiplexes MAC addresses on one interface
- Provide isolation on the IP layer like FreeBSD jails or Solaris; maybe even extended to act like VRF with sockets
21 THANK YOU
plus.google.com/+redhat, facebook.com/redhatinc, linkedin.com/company/red-hat, twitter.com/redhatnews, youtube.com/user/redhatvideos
More informationA Design and Implementation of Universal Container
, pp.137-143 http://dx.doi.org/10.14257/astl.2016.136.33 A Design and Implementation of Universal Container Xin Li 1, Hee-Kyung Moon 1, Sung-Kook Han 1, 1 Department of Computer Engineering, Wonkwang University
More informationBringing Security and Multitenancy. Lei (Harry) Zhang
Bringing Security and Multitenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry) Zhang #Microsoft MVP in cloud and datacenter management though I m a Linux guy :/ Previous: VMware, Baidu Feature
More informationSplunk N Box. Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer. 9/25/2017 Washington, DC
Splunk N Box Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer 9/25/2017 Washington, DC Forward-Looking Statements During the course of this presentation, we may make forward-looking
More informationSQUASH. Debugger for microservices. Idit Levine solo.io
SQUASH Debugger for microservices Idit Levine solo.io About me Idit Levine Founder and CEO of solo.io @Idit_Levine @ilevine The problem: Debugging microservices applications is hard The problem A monolithic
More informationIs it safe to run applications in Linux Containers?
Is it safe to run applications in Linux Containers? Jérôme Petazzoni @jpetazzo Docker Inc. @docker Is it safe to run applications in Linux Containers? And, can Docker do anything about it? Question: Is
More informationCisco Virtual Update Container networking. Hans Donnerborg, Lars Granberg, Maj 2018
Cisco Virtual Update Container networking Hans Donnerborg, hdonnerb@cisco.com Lars Granberg, lagranbe@cisco.com Maj 2018 Why ACI for Application Container Platforms Turnkey solution for node and container
More informationExam LFCS/Course 55187B Linux System Administration
Exam LFCS/Course 55187B Linux System Administration About this course This four-day instructor-led course is designed to provide students with the necessary skills and abilities to work as a professional
More informationrkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration
rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration Jonathan Boulle github.com/jonboulle - @baronboulle Why rkt and Kubernetes? Why rkt and Kubernetes? Why container runtimes
More informationCourse 55187B Linux System Administration
Course Outline Module 1: System Startup and Shutdown This module explains how to manage startup and shutdown processes in Linux. Understanding the Boot Sequence The Grand Unified Boot Loader GRUB Configuration
More informationGL-280: Red Hat Linux 7 Update. Course Description. Course Outline
GL-280: Red Hat Linux 7 Update Course Description This is a differences course that focuses on the new technologies and features that made their appearance in Red Hat Enterprise Linux v7. It is intended
More informationMulti-Arch Layered Image Build System
Multi-Arch Layered Image Build System PRESENTED BY: Adam Miller Fedora Engineering, Red Hat CC BY-SA 2.0 Today's Topics Define containers in the context of Linux systems Brief History/Background Container
More informationSecurity Assurance Requirements for Linux Application Container Deployments
Security Assurance Requirements for Linux Application Container Deployments Ramaswamy Chandramouli This publication is available free of charge from: https://doi.org/10.6028/nist.ir.8176 Security Assurance
More informationAt course completion. Overview. Audience profile. Course Outline. : 55187B: Linux System Administration. Course Outline :: 55187B::
Module Title Duration : 55187B: Linux System Administration : 4 days Overview This four-day instructor-led course is designed to provide students with the necessary skills and abilities to work as a professional
More informationDocker Rocker. Aliyun wzt
Docker Rocker Aliyun wzt Namespace Unix fork process - task_struct/thread_struct - - - - - - - - - - - / \- - - - - - - - - - - - - - - - - - - fork / fork \ fork thread1 - - - - - - - - - - - - - - -
More information