Containerize Your Life!

Total Page:16

File Type:pdf, Size:1020Kb

Containerize Your Life! Containerize your life! How to live with always not enough resources Joachim von Thadden EMEA Senior Specialist Solution Architect OpenStack Thu 24 ! 2"#$, #&!"pm - (:2"pm OpenStack Summit 2018 - Vancouver Demo 2)44 OpenStack Summit 2018 - Vancouver AGENDA The Promise +irst Steps with ,-. How to /irtuali0e without And now the heavy stu223 /irtuali0ation1 The culprits o2 misusing a 4ontainer +irst Steps with libvirt ,et’s get our 7ngers dirty. OpenStack: 8nstall *ackstack ()44 OpenStack Summit 2018 - Vancouver Disclaimer 4)44 OpenStack Summit 2018 - Vancouver Warning 9 this is not a traditional la53 This ,a5 di22ers from others3 It is not meant to be a guided tour through a technology3 See it more as an e:perimental session to fgure out the 5orders o2 technology9 So e:pect failures% ;uestions and <agile customi0ation=3 And: >ou must not copy?paste 5lindly as you will have to adapt commands to your environment3 !)44 OpenStack Summit 2018 - Vancouver Instead of an USB Stick... 4ontent AB, The slides can be found under the following URL: https://gith b.com/jthadden/#penStack_S mmit_2&'($)ancou*er/doc ma+!e also via my ,aptop: http://'&.193.25'.235/p ! http://'&.193.25'.235/repos http://'&.193.25'.235/isos @)44 OpenStack Summit 2018 - Vancouver 0he Promise C)44 OpenStack Summit 2018 - Vancouver 2ou can 3mis45 se a Container as a full !lo7n Virtual Machine! E*en !etter: 2ou can virtuali:e 7itho t nesting9 $)44 OpenStack Summit 2018 - Vancouver 0he 6 lprit of Virtualization The reason why we don6t like it i2 we are not an enterprise3 ● Besources ● Besourcessss ● Besourcessssssss D)44 OpenStack Summit 2018 - Vancouver #penStack 9 is a Ehale3 A 2ull 5lown OpenStack consists o2 at least ● # 8nstaller (Director or other) (1@HB BAM% 44*As% #""HI .iskG ● ( 4ontrollers FJ#2HB BAM% J4 4*As% 1""HI .iskG ● J2 Computes (>4GI BAM% J4 C*As% 1""HI .iskG ● Some Storage (e g. for live migration) FJ4HB RAM% 2 4*As% >#""HB .iskG At least 60GB RAM, 30 CPUs, 700GB Disk. 8 can do it with 24HI BAM% 2 4*As + HT% #""HB Disk &'G #")44 OpenStack Summit 2018 - Vancouver ;o7 to )irtuali:e without )irtualization? ##)44 OpenStack Summit 2018 - Vancouver ;o7 to Virtualize 7ithout Virtualization< Some type o2 4ontainer is your friend3 ● chroot ● 4ontainer ● Other 8deas1 #2)44 OpenStack Summit 2018 - Vancouver Useful 6ontainer Technologies... and why we can't or don't want to use them Fand I tried them all3G 8 tried them all& ● 4hroot ○ lacking o2 namespace separation and no own networking stack F5ecause o2 the formerG ● .ocker ○ working 5ut pro5lems with (needed) privileged actions ● ,egacy Open/Z (v0ctlG ○ does the Mo5% but you might need to use the upstream package ○ not supported very well ● ,:c ○ does the Mo5% but horri5le to confgure and use ● Systemd'nspawn ○ nested virtuali0ation is a pro5lem #()44 OpenStack Summit 2018 - Vancouver 0he !est wa+ toda+ - and why we have to cry LXD the LXC Daemon ● 8t6s actually a daemon 2or ,-4 ● 4oming from Canonical ' so will pro5a5ly die when Shuttleworth dies ○ IAT it's OpenSource3 So who cares3 ● ,-. is 5ased on ,-4 and that's running out o2 support o2 Bed Hat (and might 5e removed in the 2utureG ○ Never mind% we will use +edora9 "# $ou don%t like the LXD a&&'ao(! ● you can do it as well with Legacy Open/L (install v0ctl-coreG #4)44 OpenStack Summit 2018 - Vancouver The c lprits of misusing a Container #!)44 OpenStack Summit 2018 - Vancouver 6ontainers ha*e se*eral restrictions ● no nested selinux ● restricted systemd ● no auditd ● no sysctl ● no module loading ● pro5lems with subscri5ing ● error with iscsi ○ open 5ug since >EABS now with missing namespacing in scsi'modules ● *ro5a5ly more you will 2ace3 And man$ o# them (an not e)en *een (i'(um)ented *$ 'unnin+ the (ontaine' &'i)ile+ed, #@)44 OpenStack Summit 2018 - Vancouver BU0: so many things are working like a charm ● Booting :'G ● DD% networking ● 7rewalling ● namespaces ● virtuali0ation ● DD D% feeling o2 real machine #C)44 OpenStack Summit 2018 - Vancouver Let’s get o r fngers dirt+... #$)44 OpenStack Summit 2018 - Vancouver Need a )8< There is a /M'8mage o2 an already installed and confgured Fedora-2@ /M (qcow2G& http&))P8*J)isos)+edora-2@'BHTE.;cow2 ● make one with at least 8HI% 24*A% 8"HB HD. based on Fedora 2@% copy 4*A con7g ● start the /M and install Fedora 2@ ➔ on other distros see& https&))linuxcontainers org/l:d)getting-started'cli) ● install needed So2tware dnf -y upgrade dnf -y groupinstall cloud-management dnf -y install libguestfs-tools #D)44 OpenStack Summit 2018 - Vancouver Ena!ling LXD dnf -y copr enable ganto/lxd # don't use ganto/lxc3 for Fedora28 at the moment, instead edit # /etc/yum.repos.d/_copr_ganto-lxd.repo and change $releasever to 27 dnf -y install lxd lxd-client lxd-tools getent group lxd > /dev/null || groupadd -f -r lxd echo "root:1000000:65536" >> /etc/subuid echo "root:1000000:65536" >> /etc/subgid setenforce 0 systemctl start lxd.service usermod --append --groups lxd rhte To make it permanent (e g. in a special /MG& sed -i -e "s/SELINUX=enforcing/SELINUX=permissive/" /etc/selinux/config systemctl enable lxd.service 2")44 OpenStack Summit 2018 - Vancouver ,?D can !e used as a Ser*er daemon E.g. i2 you have some stronger machine in the cellar Add the 2ollowing: lxc config set core.https_address "[::]" lxc config set core.trust_password <your PW> firewall-cmd --add-port=8443/tcp --permanent firewall-cmd --reload 2#)44 OpenStack Summit 2018 - Vancouver Add some storage There are numerous storage options like ● L+S ● Btr2s ● ,/M ● *lain Filesystem <- we will use that Be'login as normal user rhte and e:ecute& lxc storage create default dir lxc profile device add default root disk path=/ pool=default 22)44 OpenStack Summit 2018 - Vancouver @irst Steps 7ith ,?D 2()44 OpenStack Summit 2018 - Vancouver Start your frst light7eight )8 All l:c commands should be issued as user rhte3 lxc image list images:|grep -i centos # remote repository images lxc image list # local available images lxc launch images:centos/7 my-centos7-container lxc exec my-centos7-container /bin/bash lxc list [regexp] # to list containers with state 24)44 OpenStack Summit 2018 - Vancouver Some more 6ommands lxc info my-centos7-container # getting Info lxc {network|profile|config|storage} list lxc {network|profile|config|storage} show lxc config show compute0 --expanded # getting all configs # (like image, storage, security" ps aux | grep "containers compute0" # find the monitoring process of a # container (e.g. if hanging) lxc list security.privileged=true # list all privileged containers lxc start|stop|restart|pause lxc file pull|push|edit <container>/<path> [-] # - means stdout lxc config device add mycontainer vartest disk source=/var/www path=/var/test # attach a dir to a container 2!)44 OpenStack Summit 2018 - Vancouver Prepare a 6ent#S image for our special sage 7ith ,?D ● learn here the easy way ○ to do the things which are not working in an L-.'4ontainer ● we need ○ a pro7le ○ the CentOS image in l:c (you know how to get itG ○ a rc local 7le& https&))raw githubusercontent com)Mthadden/OpenStackQSummitQ2"#$Q/anco uver)master)roles)layer2Q5ootstrap_container)7les)rc.local-container 2@)44 OpenStack Summit 2018 - Vancouver 6reate a ne7 Profle Bemem5er& user is always rhte3 lxc profile create rhosp lxc network attach-profile virbr0 rhosp eth0 lxc profile device add rhosp root disk path=/ pool=default lxc profile set rhosp security.privileged true OpenStack Summit 2018 - Vancouver 2C)44 rc.local → let us go through it, to understand what to do ← on the git repo go to: roles/layer2_bootstrap_container/files/rc.local-container 2$)44 OpenStack Summit 2018 - Vancouver Prepare your 6ent#S with the rc.local lxc image list lxc launch -p rhosp images:centos/7 my-centos7-container lxc exec my-centos7-container /bin/bash # install and start sshd yum -y install openssh-server file systemctl enable sshd && systemctl start sshd passwd root # and try to sshd into it lxc list ssh root@<IP> # get rc.local and execute curl <...> -o /etc/rc.local chmod 755 /etc/rc.local systemctl enable rc-local reboot # look into logfile for execution of rc.local 2D)44 OpenStack Summit 2018 - Vancouver Let’s tr+ some real work! (") OpenStack Summit 2018 - Vancouver 44 Install an I1A (#)44 OpenStack Summit 2018 - Vancouver Prepare the Container Set hostname% ena5le repos and install 7rewalld # ssh into the container hostnamectl set-hostname `hostname`.rhte.internal yum repolist yum install firewalld systemctl enable firewalld && systemctl start firewalld (2)44 OpenStack Summit 2018 - Vancouver Install and Confg re I1A yum -y install ipa-server ipa-server-dns ipa-server-install --setup-dns --forwarder=8.8.8.8 -r \ `dnsdomainname|tr a-z A-Z` -p "changeme" -a "changeme" -U 2>&1 | \ tee ipa-install.out--setup-dns # open the firewall accordingly firewall-cmd --permanent \ --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/ udp,464/udp,53/udp,123/udp} firewall-cmd --reload (()44 OpenStack Summit 2018 - Vancouver 0est I1A kinit admin klist ipa user-find admin # i2 you want to see the we5inter2ace% use on your host something like sshuttle -r root@<yourVMsIP> <yourContainersIP> 2 add the host to your /etc)hosts echo "<IPofContainer> my-centos7-container.rhte.internal" >> /etc/hosts ( Browse to your 8*A https://my-centos7-container.rhte.internal (4)44 OpenStack Summit 2018 - Vancouver No7 try out )8s in 6ontainers9 (!)44 OpenStack Summit 2018 - Vancouver Install lib*irt yum -y install libvirt libvirt-daemon-kvm systemctl enable libvirtd systemctl start libvirtd (@)44 OpenStack Summit 2018
Recommended publications
  • Security Assurance Requirements for Linux Application Container Deployments
    NISTIR 8176 Security Assurance Requirements for Linux Application Container Deployments Ramaswamy Chandramouli This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8176 NISTIR 8176 Security Assurance Requirements for Linux Application Container Deployments Ramaswamy Chandramouli Computer Security Division Information Technology Laboratory This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8176 October 2017 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology NISTIR 8176 SECURITY ASSURANCE FOR LINUX CONTAINERS National Institute of Standards and Technology Internal Report 8176 37 pages (October 2017) This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8176 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. This p There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each ublication is available free of charge from: http publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.
    [Show full text]
  • Hypervisors Vs. Lightweight Virtualization: a Performance Comparison
    2015 IEEE International Conference on Cloud Engineering Hypervisors vs. Lightweight Virtualization: a Performance Comparison Roberto Morabito, Jimmy Kjällman, and Miika Komu Ericsson Research, NomadicLab Jorvas, Finland [email protected], [email protected], [email protected] Abstract — Virtualization of operating systems provides a container and alternative solutions. The idea is to quantify the common way to run different services in the cloud. Recently, the level of overhead introduced by these platforms and the lightweight virtualization technologies claim to offer superior existing gap compared to a non-virtualized environment. performance. In this paper, we present a detailed performance The remainder of this paper is structured as follows: in comparison of traditional hypervisor based virtualization and Section II, literature review and a brief description of all the new lightweight solutions. In our measurements, we use several technologies and platforms evaluated is provided. The benchmarks tools in order to understand the strengths, methodology used to realize our performance comparison is weaknesses, and anomalies introduced by these different platforms in terms of processing, storage, memory and network. introduced in Section III. The benchmark results are presented Our results show that containers achieve generally better in Section IV. Finally, some concluding remarks and future performance when compared with traditional virtual machines work are provided in Section V. and other recent solutions. Albeit containers offer clearly more dense deployment of virtual machines, the performance II. BACKGROUND AND RELATED WORK difference with other technologies is in many cases relatively small. In this section, we provide an overview of the different technologies included in the performance comparison.
    [Show full text]
  • Systemd As a Container Manager
    systemd as a Container Manager Seth Jennings [email protected] Texas Linux Fest 2015 8/21/2015 Agenda ● Very quick overview of systemd ● What is a Linux Container ● systemd as a Container Manager ● Live Demo! Because I like to punish myself! Disclaimer What is systemd? ● systemd is a suite of system management daemons, libraries, and utilities designed as a central management and configuration platform for the Linux operating system. How Big Is This “Suite” ● systemd - init process, pid 1 ● journald ● logind ● udevd ● hostnamed ● machined ● importd ● networkd ● resolved ● localed ● timedated ● timesyncd ● and more! Don't Leave! ● No deep dive on all of these ● Focus on using systemd for container management – Spoiler alert: many of the systemd commands you already use work on containers managed by systemd too! What is a Linux Container ● What it is not – Magic ● conjured only from the mystical language of Go – Virtualization (hardware emulation) – A completely new concept never before conceived of by man since time began – An image format – An image distribution mechanism – Only usable by modular (microservice) applications at scale What is a Linux Container ● A resource-constrained, namespaced environment, initialized by a container manager and enforced by the kernel, where processes can run – kernel cgroups limits hardware resources ● cpus, memory, i/o ● special cgroup filesystem /sys/fs/cgroup – kernel namespacing limits resource visibility ● mount, PID, user, network, UTS, IPC ● syscalls clone(), setns(), unshare() What is a Linux Container ● The set of processes in the container is rooted in a process that has pid 1 inside the pid namespace of the container ● The filesystem inside the container can be as complex as a docker image or as simple as a subdirectory on the host (think chroot).
    [Show full text]
  • Resource Management: Linux Kernel Namespaces and Cgroups
    Resource management: Linux kernel Namespaces and cgroups Rami Rosen [email protected] Haifux, May 2013 www.haifux.org 1/121 http://ramirose.wix.com/ramirosen TOC Network Namespace PID namespaces UTS namespace Mount namespace user namespaces cgroups Mounting cgroups links Note: All code examples are from for_3_10 branch of cgroup git tree (3.9.0-rc1, April 2013) 2/121 http://ramirose.wix.com/ramirosen General The presentation deals with two Linux process resource management solutions: namespaces and cgroups. We will look at: ● Kernel Implementation details. ●what was added/changed in brief. ● User space interface. ● Some working examples. ● Usage of namespaces and cgroups in other projects. ● Is process virtualization indeed lightweight comparing to Os virtualization ? ●Comparing to VMWare/qemu/scaleMP or even to Xen/KVM. 3/121 http://ramirose.wix.com/ramirosen Namespaces ● Namespaces - lightweight process virtualization. – Isolation: Enable a process (or several processes) to have different views of the system than other processes. – 1992: “The Use of Name Spaces in Plan 9” – http://www.cs.bell-labs.com/sys/doc/names.html ● Rob Pike et al, ACM SIGOPS European Workshop 1992. – Much like Zones in Solaris. – No hypervisor layer (as in OS virtualization like KVM, Xen) – Only one system call was added (setns()) – Used in Checkpoint/Restart ● Developers: Eric W. biederman, Pavel Emelyanov, Al Viro, Cyrill Gorcunov, more. – 4/121 http://ramirose.wix.com/ramirosen Namespaces - contd There are currently 6 namespaces: ● mnt (mount points, filesystems) ● pid (processes) ● net (network stack) ● ipc (System V IPC) ● uts (hostname) ● user (UIDs) 5/121 http://ramirose.wix.com/ramirosen Namespaces - contd It was intended that there will be 10 namespaces: the following 4 namespaces are not implemented (yet): ● security namespace ● security keys namespace ● device namespace ● time namespace.
    [Show full text]
  • Container-Based Virtualization for Byte-Addressable NVM Data Storage
    2016 IEEE International Conference on Big Data (Big Data) Container-Based Virtualization for Byte-Addressable NVM Data Storage Ellis R. Giles Rice University Houston, Texas [email protected] Abstract—Container based virtualization is rapidly growing Storage Class Memory, or SCM, is an exciting new in popularity for cloud deployments and applications as a memory technology with the potential of replacing hard virtualization alternative due to the ease of deployment cou- drives and SSDs as it offers high-speed, byte-addressable pled with high-performance. Emerging byte-addressable, non- volatile memories, commonly called Storage Class Memory or persistence on the main memory bus. Several technologies SCM, technologies are promising both byte-addressability and are currently under research and development, each with dif- persistence near DRAM speeds operating on the main memory ferent performance, durability, and capacity characteristics. bus. These new memory alternatives open up a new realm of These include a ReRAM by Micron and Sony, a slower, but applications that no longer have to rely on slow, block-based very large capacity Phase Change Memory or PCM by Mi- persistence, but can rather operate directly on persistent data using ordinary loads and stores through the cache hierarchy cron and others, and a fast, smaller spin-torque ST-MRAM coupled with transaction techniques. by Everspin. High-speed, byte-addressable persistence will However, SCM presents a new challenge for container-based give rise to new applications that no longer have to rely on applications, which typically access persistent data through slow, block based storage devices and to serialize data for layers of block based file isolation.
    [Show full text]
  • Ubuntu Server Guide Basic Installation Preparing to Install
    Ubuntu Server Guide Welcome to the Ubuntu Server Guide! This site includes information on using Ubuntu Server for the latest LTS release, Ubuntu 20.04 LTS (Focal Fossa). For an offline version as well as versions for previous releases see below. Improving the Documentation If you find any errors or have suggestions for improvements to pages, please use the link at thebottomof each topic titled: “Help improve this document in the forum.” This link will take you to the Server Discourse forum for the specific page you are viewing. There you can share your comments or let us know aboutbugs with any page. PDFs and Previous Releases Below are links to the previous Ubuntu Server release server guides as well as an offline copy of the current version of this site: Ubuntu 20.04 LTS (Focal Fossa): PDF Ubuntu 18.04 LTS (Bionic Beaver): Web and PDF Ubuntu 16.04 LTS (Xenial Xerus): Web and PDF Support There are a couple of different ways that the Ubuntu Server edition is supported: commercial support and community support. The main commercial support (and development funding) is available from Canonical, Ltd. They supply reasonably- priced support contracts on a per desktop or per-server basis. For more information see the Ubuntu Advantage page. Community support is also provided by dedicated individuals and companies that wish to make Ubuntu the best distribution possible. Support is provided through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The large amount of information available can be overwhelming, but a good search engine query can usually provide an answer to your questions.
    [Show full text]
  • Unprivileged GPU Containers on a LXD Cluster
    Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stéphane Graber Christian Brauner LXD project leader LXD maintainer @stgraber @brau_ner https://stgraber.org https://brauner.io [email protected] [email protected] What are system containers? They are the oldest type of containers 01 BSD jails, Linux vServer, Solaris Zones, OpenVZ, LXC and LXD. They behave like standalone systems 02 No need for specialized software or custom images. No virtualization overhead 03 They are containers after all. LXD System nova-lxd command line tool your own client/script ? container LXD REST API manager LXD LXD LXD LXD LXC LXC LXC LXC Linux kernel Linux kernel Linux kernel Linux kernel Host A Host B Host C Host ... What LXD is Simple 01 Clean command line interface, simple REST API and clear terminology. Fast 02 Image based, no virtualization, direct hardware access. Secure 03 Safe by default. Combines all available kernel security features. Scalable 04 From a single container on a laptop to tens of thousands of containers in a cluster. What LXD isn’t Another virtualization technology 01 LXD offers an experience very similar to a virtual machine. But it’s still containers, with no virtualization overhead and real hardware. A fork of LXC 02 LXD uses LXC’s API to manage the containers behind the scene. Another application container manager 03 LXD only cares about full system containers. You can run whatever you want inside a LXD container, including Docker. LXD Main Certificates components Cluster Containers Snapshots Backups Events Images Aliases Networks Operations Projects Storage pools Storage volumes Snapshots LXD clustering Built-in clustering support 01 No external dependencies, all LXD 3.0 or higher installations can be instantly turned into a cluster.
    [Show full text]
  • Separating Protection and Management in Cloud Infrastructures
    SEPARATING PROTECTION AND MANAGEMENT IN CLOUD INFRASTRUCTURES A Dissertation Presented to the Faculty of the Graduate School of Cornell University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy by Zhiming Shen December 2017 c 2017 Zhiming Shen ALL RIGHTS RESERVED SEPARATING PROTECTION AND MANAGEMENT IN CLOUD INFRASTRUCTURES Zhiming Shen, Ph.D. Cornell University 2017 Cloud computing infrastructures serving mutually untrusted users provide se- curity isolation to protect user computation and resources. Additionally, clouds should also support flexibility and efficiency, so that users can customize re- source management policies and optimize performance and resource utiliza- tion. However, flexibility and efficiency are typically limited due to security requirements. This dissertation investigates the question of how to offer flexi- bility and efficiency as well as strong security in cloud infrastructures. Specifically, this dissertation addresses two important platforms in cloud in- frastructures: the containers and the Infrastructure as a Service (IaaS) platforms. The containers platform supports efficient container provisioning and execut- ing, but does not provide sufficient security and flexibility. Different containers share an operating system kernel which has a large attack surface, and kernel customization is generally not allowed. The IaaS platform supports secure shar- ing of cloud resources among mutually untrusted users, but does not provide sufficient flexibility and efficiency. Many powerful management primitives en- abled by the underlying virtualization platform are hidden from users, such as live virtual machine migration and consolidation. The main contribution of this dissertation is the proposal of an approach in- spired by the exokernel architecture that can be generalized to any multi-tenant system to improve security, flexibility, and efficiency.
    [Show full text]
  • Openvz Forum Each Container
    Subject: I am thinking of moving to LXD Posted by votsalo on Wed, 17 Aug 2016 19:13:50 GMT View Forum Message <> Reply to Message I am thinking of moving my dedicated server to LXD (a variant of LXC). One reason is that I can run LXD on several different environments where I can run Ubuntu: * On a dedicated server. * On an Amazon EC2 instance. * On my home machine, running Ubuntu desktop. * On a cheap Ubuntu 16.04 Openstack KVM VPS. I find the VPS option very usuful, however tricky because of the tight disk space. I can have a few containers on my VPS. I can move containers between the VPS and another LXD server. I can run a container OS that I need on my VPS that is not offered as a choice by my VPS provider, but is available as an LXD template. And perhaps I can replace the dedicated server with a few cheaper VPSs. I have tried doing all these with OpenVZ in the past. I couldn't get it to run anywhere, except on the dedicated server or on a dedicated home machine (or dual boot). Now it seems that I cannot run OpenVZ 7.0.0 on any of the above infrastructure. I have installed OpenVZ 7.0.0 on my home machine, as a dual boot, but I'm not using it, since I use my desktop OS and I cannot use both at the same time. In the past I tried installing OpenVZ on several desktop distributions, but I couldn't find one that worked.
    [Show full text]
  • Container Technologies
    Zagreb, NKOSL, FER Container technologies Marko Golec · Juraj Vijtiuk · Jakov Petrina April 11, 2020 About us ◦ Embedded Linux development and integration ◦ Delivering solutions based on Linux, OpenWrt and Yocto • Focused on software in network edge and CPEs ◦ Continuous participation in Open Source projects ◦ www.sartura.hr Introduction to GNU/Linux ◦ Linux = operating system kernel ◦ GNU/Linux distribution = kernel + userspace (Ubuntu, Arch Linux, Gentoo, Debian, OpenWrt, Mint, …) ◦ Userspace = set of libraries + system software Linux kernel ◦ Operating systems have two spaces of operation: • Kernel space – protected memory space and full access to the device’s hardware • Userspace – space in which all other application run • Has limited access to hardware resources • Accesses hardware resources via kernel • Userspace applications invoke kernel services with system calls User applications E.g. bash, LibreOffice, GIMP, Blender, Mozilla Firefox, etc. System daemons: Windowing system: User mode Low-level system systemd, runit, logind, X11, Wayland, Other libraries: GTK+, Qt, EFL, SDL, SFML, Graphics: Mesa, AMD components networkd, PulseAudio, SurfaceFlinger FLTK, GNUstep, etc. Catalyst, … … (Android) C standard library Up to 2000 subroutines depending on C library (glibc, musl, uClibc, bionic) ( open() , exec() , sbrk() , socket() , fopen() , calloc() , …) About 380 system calls ( stat , splice , dup , read , open , ioctl , write , mmap , close , exit , etc.) Process scheduling Memory management IPC subsystem Virtual files subsystem Network subsystem Kernel mode Linux Kernel subsystem subsystem Other components: ALSA, DRI, evdev, LVM, device mapper, Linux Network Scheduler, Netfilter Linux Security Modules: SELinux, TOMOYO, AppArmor, Smack Hardware (CPU, main memory, data storage devices, etc.) TABLE 1 Layers within Linux Virtualization Virtualization Concepts Two virtualization concepts: ◦ Hardware virtualization (full/para virtualization) • Emulation of complete hardware (virtual machines - VMs) • VirtualBox, QEMU, etc.
    [Show full text]
  • PCI DSS) Guide
    SUSE Linux Enterprise Server 15 SP2 Payment Card Industry Data Security Standard (PCI DSS) Guide To protect customers and the business itself, companies that handle credit card payments must keep data as safe and secure as possible. Following the Payment Card Industry Data Security Standard helps to secure all areas that are connected to payment processes and to implement security-relevant actions to keep the data and the computing environment safe. Publication Date: September 24, 2021 Contents 1 What Is the PCI DSS? 2 2 Focus of This Document: Areas Relevant to the Operating System 3 3 Requirements in Detail 4 4 GNU Free Documentation License 19 1 Payment Card Industry Data Security Standard (PCI DSS) Guide This document aims to provide a basic understanding of how SUSE Linux Enterprise Server can be congured to comply with the Payment Card Industry Data Security Standard. It is important to understand that protecting systems includes more than conguration. The entire environment and people involved must be taken into account. An essential part of implementing PCI DSS is the combination of actions: 1. Create a secure conguration. 2. Track and review all changes made to the conguration: who changed what at which point in time. 1 What Is the PCI DSS? The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements to guide a merchant to protect cardholder data. The standard covers six main categories with currently 12 requirement topics on how to implement, protect, maintain and monitor systems that are involved in credit cardholder data processing. PCI DSS was created and is maintained by the PCI Security Standards Council (SSC), which was founded by the ve major credit card brands, Visa, MasterCard, American Express, Discover, and JCB.
    [Show full text]
  • Performance Analysis of LXC for HPC Environments
    See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/280092756 Performance Analysis of LXC for HPC Environments Conference Paper · July 2015 DOI: 10.1109/CISIS.2015.53 CITATIONS READS 6 470 6 authors, including: Edward David Moreno Ordonez Patricia Takako Endo Universidade Federal de Sergipe University of Pernambuco 115 PUBLICATIONS 108 CITATIONS 27 PUBLICATIONS 271 CITATIONS SEE PROFILE SEE PROFILE Djamel Sadok Stenio Fernandes Federal University of Pernambuco Federal University of Pernambuco 242 PUBLICATIONS 1,303 CITATIONS 100 PUBLICATIONS 673 CITATIONS SEE PROFILE SEE PROFILE Some of the authors of this publication are also working on these related projects: security embedded View project Context-Aware Energy Efficiency Management for Smart Buildings View project All content following this page was uploaded by Edward David Moreno Ordonez on 16 July 2015. The user has requested enhancement of the downloaded file. All in-text references underlined in blue are added to the original document and are linked to publications on ResearchGate, letting you access and read them immediately. Performance Analysis of LXC for HPC Environments David Beserra Patricia Takako Endo Jymmy Barreto, Djamel Sadok and Edward David Moreno University of Pernambuco and Stenioˆ Fernandes Federal University of Sergipe Caruaru, Pernambuco, Brazil Federal University of Pernambuco Aracaju, Sergipe, Brazil [email protected] Recife, Pernambuco, Brazil [email protected] fjpsb, jamel, sfl[email protected] Abstract—Despite of Cloud infrastructures can be used as by academia, and according to [9], this type of virtualization High Performance Computing (HPC) platforms, many issues offers a lightweight virtualization layer, which promises a near- from virtualization overhead have kept them unrelated.
    [Show full text]