Zdeněk Kubala Senior QA

Similar documents
openqa features capabilities bugs Ondrej Holecek /aaannz/

openqa Avoiding Disasters of Biblical Proportions Marita Werner QA Project Manager

openqa making QA interesting since 2013 Ondrej Holecek /aaannz/

openqa Avoiding Disasters of Biblical Proportions Marita Werner QA Project Manager

SUSE An introduction...

Collecting data from IoT devices using Sigfox network

Samba and Ceph. Release the Kraken! David Disseldorp

1 Virtualization Recap

Pushing The Limits Of Linux On ARM

Using Linux Containers as a Virtualization Option

96Boards Enablement for opensuse

The CephFS Gateways Samba and NFS-Ganesha. David Disseldorp Supriti Singh

From GIT to a custom OS image in a few click OS image made easy

Docker Networking In OpenStack What you need to know now. Fawad Khaliq

Linux and z Systems in the Datacenter Berthold Gunreben

SUSE OpenStack Cloud. Enabling your SoftwareDefined Data Center. SUSE Expert Days. Nyers Gábor Trainer &

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Novell SLES 10/Xen. Roadmap Presentation. Clyde R. Griffin Manager, Xen Virtualization Novell, Inc. cgriffin at novell.com.

Essentials. Johannes Meixner. about Disaster Recovery (abbreviated DR) with Relax-and-Recover (abbreviated ReaR)

Virtualization and Performance

Managing Linux Servers Comparing SUSE Manager and ZENworks Configuration Management

for Kerrighed? February 1 st 2008 Kerrighed Summit, Paris Erich Focht NEC

Define Your Future with SUSE

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

How To Make Databases on SUSE Linux Enterprise Server Highly Available Mike Friesenegger

Cloud in a box. Fully automated installation of SUSE Openstack Cloud 5 on Dell VRTX. Lars Everbrand. Software Developer

Best practices with SUSE Linux Enterprise Server Starter System and extentions Ihno Krumreich

Virtualization. Pradipta De

EE 660: Computer Architecture Cloud Architecture: Virtualization

OS Containers. Michal Sekletár November 06, 2016

The only open-source type-1 hypervisor

Welcome to SUSE Expert Days 2017 Service Delivery with DevOps

SUSE Linux Enterprise Kernel Back to the Future

NON SCHOLAE, SED VITAE

Virtualization Introduction

Open Enterprise & Open Community

LINUX Virtualization. Running other code under LINUX

SaltStack and SUSE Systems and Configuration Management that Scales and is Easy to Extend

Module 1: Virtualization. Types of Interfaces

SUSE Manager Roadmap OS Lifecycle Management from the Datacenter to the Cloud

Linux High Availability on IBM z Systems

Virtualization (II) SPD Course 17/03/2010 Massimo Coppola

Virtualization. Starting Point: A Physical Machine. What is a Virtual Machine? Virtualization Properties. Types of Virtualization

Virtualization. ! Physical Hardware Processors, memory, chipset, I/O devices, etc. Resources often grossly underutilized

Provisioning with SUSE Enterprise Storage. Nyers Gábor Trainer &

Introduction to Virtualization and Containers Phil Hopkins

Making Nested Virtualization Real by Using Hardware Virtualization Features

The opensuse project. Motivation, Goals, and Opportunities. Sonja Krause-Harder Michael Löffler. March 6, 2006

The failure of Operating Systems,

Build with SUSE Studio, Deploy with SUSE Linux Enterprise Point of Service and Manage with SUSE Manager Case Study

Packaging made easy. How the opensuse build service makes building packages easy for developers who don't care about packaging

KVM CPU MODEL IN SYSCALL EMULATION MODE ALEXANDRU DUTU, JOHN SLICE JUNE 14, 2015

Chapter 5 C. Virtual machines

Nested Virtualization and Server Consolidation

CSCE 410/611: Virtualization

Oracle VM Tips and Best Practices

Introduction to Software Defined Infrastructure SUSE Linux Enterprise 15

SUSE Linux Enterprise High Availability Extension

Towards a configurable and slimmer x86 hypervisor

Virtualization. Darren Alton

Software Defined. All The Way with OpenStack. T. R. Bosworth Senior Product Manager SUSE OpenStack Cloud

Virtualization. Michael Tsai 2018/4/16

Virtualisation: The KVM Way. Amit Shah

Virtualization. Santa Clara Valley Chapter of the IEEE Communication Society June 20, 2007 Scott Lurndal, 3Leaf Systems

OS Security III: Sandbox and SFI

Travis Cardwell Technical Meeting

Nested Virtualization Update From Intel. Xiantao Zhang, Eddie Dong Intel Corporation

Virtualization. join, aggregation, concatenation, array, N 1 ühendamine, agregeerimine, konkateneerimine, massiiv

CSCI 8530 Advanced Operating Systems. Part 19 Virtualization

I/O and virtualization

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

The Architecture of Virtual Machines Lecture for the Embedded Systems Course CSD, University of Crete (April 29, 2014)

An introduction to Docker

Xen Project 4.4: Features and Futures. Russell Pavlicek Xen Project Evangelist Citrix Systems

Linux Virtualization Update

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Large Systems: Design + Implementation: Virtualization. Image (c) Facebook

Optimizing and Enhancing VM for the Cloud Computing Era. 20 November 2009 Jun Nakajima, Sheng Yang, and Eddie Dong

COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy

SUSE Manager and Salt

Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center

Veritas InfoScale 7.4 Virtualization Guide - Linux

Xen on ARM. Stefano Stabellini

Protect your server with SELinux on SUSE Linux Enterprise Server 11 SP Sander van Vugt

CS 470 Spring Virtualization and Cloud Computing. Mike Lam, Professor. Content taken from the following:

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

CHAPTER 16 - VIRTUAL MACHINES

Virtualization at Scale in SUSE Linux Enterprise Server

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

What is KVM? KVM patch. Modern hypervisors must do many things that are already done by OSs Scheduler, Memory management, I/O stacks

Container's Anatomy. Namespaces, cgroups, and some filesystem magic 1 / 59

CIT 480: Securing Computer Systems. Operating System Concepts

Intel Clear Containers. Amy Leeland Program Manager Clear Linux, Clear Containers And Ciao

Cloud Computing Virtualization

CLOUD COMPUTING IT0530. G.JEYA BHARATHI Asst.Prof.(O.G) Department of IT SRM University

BOV89296 SUSE Best Practices Sharing Expertise, Experience and Knowledge. Christoph Wickert Technical Writer SUSE /

SUSE Linux Enterprise Server: Supported Virtualization Technologies

CSC 5930/9010 Cloud S & P: Virtualization

SAINT LOUIS JAVA USER GROUP MAY 2014

64-bit ARM Unikernels on ukvm

Transcription:

(Kernel) Isolation PV, HVM, OS-V technologies in Linux Introduction and description of the isolation diferences between HM, PV and OS-level virt. technologies. Zdeněk Kubala Senior QA Engineer zkubala@suse.com @n1djz88

Paravirtualization

Paravirtualization (a.k.a. PV - Xen) Not kernel module, uses a hypervisor(domain 0) Guest OS has to be aware of the fact it is being paravirtualized(kernel 3.0+). Hypervisor provides ABI to communicate and Guest OS calls it

Paravirtualization (a.k.a. PV) No Performance losses (direct access to resources) Faster boot - Can boot kernel directly (no bootloader) Guests uses own kernel Isolation on the underlying OS processes could be secured by Apparmor/Selinux

Hardware-assisted virtualization

Hardware-assisted virtualization (a.k.a. HVM) For example: KVM or Xen Using hypervisor guests are completely isolated binary translation to trap and virtualize nonvirtualized instructions => emulation Has own bootloder Has own kernel Not modifed OS.

Hardware-assisted virtualization (a.k.a. HVM) All resources are handled in-directly through emulation. Nowadays PVHVM can be used if OS supports it (Kernel 2.6.32+) Needs CPU fags (Intel vmx AMD svm)

Operating-systemlevel virtualization

Operating-system-level virt. (a.k.a. containers) When we talk about containers we can think about a book in a shelf. There are multiple chapters in the book. Every chapter has a diferent "story" but they belong to the same piece of book.

Operating-system-level virt. (a.k.a. containers) Sometimes called as "jail on steroids". Containers provide an additional layer of the security by isolating resources on a OS level Can be used together with apparmor/selinux to enhance security

Operating-system-level virt. (a.k.a. containers) Solves issues with shared libraries(multiple versions) and helps with keeping OS clean Easily destroyed Sharing the kernel with the host

Diferences between virtual machines & containers

Diferences bretween virt. machines & containers VMs are "heavier" to setup/start - in general OS boot takes up to minutes (PV/HVM diference) HW isolation on a hypervisor level(hvm/pv/pvhvm) Qemu process represents virtual machine, storage backend involved

Diferences bretween virt. machines & containers Lightweight(MiB-"hundreds of MiB") Can be application oriented Isolation on an OS level - process tree

Containers technologies

Containers technologies chroot *1982 OpenVZ *2005 lxc(lxd) *2008 docker *2013 systemd-nspawn *2013

Containers technologies chroot *1982 partial fle system isolation nested virtualization

Containers technologies OpenVZ *2005 fle system isolation disk quotas (ZFS) IO limiting memory limits cpu quotas network isolation partial nested virtualization live migration root isolation

Containers technologies lxc(lxd) *2008 fle system isolation partial disk quotas (lvm/btrfs) partial IO limiting (btrfs) memory limits cpu quotas network isolation partial nested virtualization root isolation

Containers technologies docker *2013 fle system isolation IO limiting (since 1.10) memory limits cpu quotas network isolation partial nested virtualization root isolation (since 1.10)

Containers technologies systemd-nspawn *2013 fle system isolation disk quotas partial IO limiting (systemd+cgroups) memory limits (systemd+cgroups) cpu quotas (systemd+cgroups) network isolation nested virtualization root isolation

What are they using to isolate resources?

What are they using to isolate resources? PID namespace - Process identifers and capabilities UTS namespace - Host and domain name MNT namespace - File system access and structure

What are they using to isolate resources? IPC namespace -Process communication over shared memory NET namespace -Network access and structure USR namespace -User names and identifers

What are they using to isolate resources? Cgroups Resource protection(cpu usage, memory usage, io)

When to choose containers and when vms

When to choose containers testing a new application(from source - from the internet) fast deployments - "iso" template for the application(or for whole cycle)

When to choose vms wider isolation(running in the process, access to resources is fltered/emulated HVM or through api/drivers PV) "sendboxes" for customers

Questions? Sources: https://en.wikipedia.org/wiki/hardware-assisted_virtualization https://en.wikipedia.org/wiki/operating-system-level_virtualization http://www.linux-magazine.com/issues/2016/184/systemd-nspawn Zdeněk Kubala Senior QA Engineer zkubala@suse.com @n1djz88

Thank you Zdeněk Kubala Senior QA Engineer zkubala@suse.com @n1djz88 Join Us at www.opensuse.org

License This slide deck is licensed under the Creative Commons Attribution-ShareAlike 4.0 International license. It can be shared and adapted for any purpose (even commercially) as long as Attribution is given and any derivative work is distributed under the same license. Details can be found at https://creativecommons.org/licenses/by-sa/4.0/ General Disclaimer This document is not to be construed as a promise by any participating organisation to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. opensuse makes no representations or warranties with respect to the contents of this document, and specifcally disclaims any express or implied warranties of merchantability or ftness for any particular purpose. The development, release, and timing of features or functionality described for opensuse products remains at the sole discretion of opensuse. Further, opensuse reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All opensuse marks referenced in this presentation are trademarks or registered trademarks of SUSE LLC, in the United States and other countries. All third-party trademarks are the property of their respective owners. Credits Template Richard Brown rbrown@opensuse.org Design & Inspiration opensuse Design Team http://opensuse.github.io/brandingguidelines/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback