DOCSLIB.ORG

Virtualization with KVM and Libvirt

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Instituto Superior de Engenharia do Porto Mestrado em Engenharia Eletrotécnica e de Computadores Arquitetura de Computadores Virtualization with KVM and libvirt Introduction The KVM mechanism is best described in its own main web page1: KVM (for Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware containing virtualization extensions (Intel VT or AMD-V). It consists of a loadable kernel module, kvm.ko, that provides the core virtualization infrastructure and a processor specific module, kvm-intel.ko or kvm-amd.ko. Using KVM, one can run multiple virtual machines running unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc. Exercises 1) KVM can be used by simply passing the --enable-kvm command line parameter to QEMU. In this first exercise, we will compare the performance between the execution of a program in an emulated machine and its execution on a fully virtualized machine. 1.1) Download the arcom_vm.img and launch the distribution using QEMU in emulation mode: $ qemu-system-x86_64 arcom_vm.img 1.2) In the emulated machine, run /root/stress 100, where 100 is the number of iterations executed by the program, and measure its execution time using a clock (host application, smartphone, etc.). Note that this is the advisable procedure since time measurements in emulators and virtual machines (VMs) may be very inaccurate in several situations. Execution time:________________________________ 1.3) Shut down the virtual machine and relaunch QEMU with --enable-kvm parameter: $ qemu-system-x86_64 –enable-kvm arcom_vm.img Determine, by trial and error, the number of iterations to obtain an execution time approximately equal to the one obtained before Number of iterations with KVM:________________________________ 1 https://www.linux-kvm.org/page/Main_Page Virtualization with KVM and libvirt 1/14 ARCOM – MEEC – ISEP – 2018/2019 Working with multiple virtual machines In what follows, we will create an isolated network with two virtual machines connected to it. The network will be created using the Linux ethernet bridge mechanism. The virtual storage devices will be created using the QEMU qcow2 format. This format will be used because it provides the mechanism of backing file, i.e., the same image can be used as a base for several virtual machines. Table 1 – Raw and qcow2 QEMU disk image types Raw Qcow2 Raw is default format if no specific format is Qcow2 is an open-source format developed specified while creating disk images. Raw as an alternative to the VMWare vmdk and disk images do not have special features like Oracle Virtualbox vdi formats. Qcow2 compression, snapshot, etc. On the other provides features like compression, snapshot hand, raw disk images are faster than other and backing file. disk image types. 2) Create a directory named after your student number under /opt and grant full access permission to it for all system users: # mkdir /opt/student number # chmod 777 /opt/student_number Move all files to that directory and, from now on, keep working on that directory: # mv * /opt/student_number # cd /opt/student_number 3) Create the arcom-vm1.qcow2 and arcom-vm2.qcow2 volumes (both backed by the arcom-vm.qcow2 volume) to be used by the virtual machines: # qemu-img convert -O qcow2 arcom-vm.img arcom-vm.qcow2 # qemu-img create -f qcow2 -o backing_file=arcom-vm.qcow2 arcom-vm1.qcow2 # qemu-img create -f qcow2 -o backing_file=arcom-vm.qcow2 arcom-vm2.qcow2 # qemu-img info arcom-vm1.qcow2 The following script will be used to create a bridge with two virtual interfaces (vnet1 and vnet2) connected to it: #!/bin/sh set -x ip tuntap add vnet1 mode tap ip tuntap add vnet2 mode tap # Bring up the tap devices ip link set vnet1 up ip link set vnet2 up # Create the bridge to link the tap devices ip link add kbr0 type bridge Virtualization with KVM and libvirt 2/14 ARCOM – MEEC – ISEP – 2018/2019 # Adding the interface into the bridge is # done by setting its master to bridge_name ip link set vnet1 master kbr0 ip link set vnet2 master kbr0 # Bring up the bridge ip link set kbr0 up # Show existing bridges ip link show Save the above script as ifup and enable execution permission for its owner (chmod u+x ifup). The following script will be used to delete all interfaces created by the ifup script: #!/bin/sh set -x # Bring down the bridge ip link set kbr0 down # Delete the bridge ip link del kbr0 # Delete the tap devices ip tuntap del vnet1 mode tap ip tuntap del vnet2 mode tap Save the above script as ifdown and enable execution permission for its owner (chmod u+x ifdown). Create the isolated network by running ifup as root: # ./ifup Launch the first virtual machine, using vnet1 as ethernet adapter: # qemu-kvm arcom-vm1.qcow2 -name arcom-kvm1 -m 64 \ -netdev tap,id=hostnet0,script=no,downscript=no,ifname=vnet1 \ -device virtio-net-pci,netdev=hostnet0,mac=00:50:56:00:00:01 Note that, to enable connectivity between virtual machines, it is necessary to specify a different MAC address for each interface on the same ethernet network. Open a new terminal to launch the second virtual machine. In this case, the virtual machine will be launched as a daemon (in background and detached from the terminal, -daemonize parameter), and it will use the Virtual Network Computing (VNC) system for video output (- display vnc:0). # qemu-kvm arcom-vm2.qcow2 -name arcom-kvm2 -m 64 \ -netdev tap,id=hostnet0,script=no,downscript=no,ifname=vnet2 \ -device virtio-net-pci,netdev=hostnet0,mac=00:50:56:00:00:02 \ -daemonize -display vnc=:0 VNC is a graphical desktop sharing system where the system sharing its display acts as a server, providing the access through ports 5900 (for display :0), 5901 (for display :1) and so on. To access the remote display, a VNC client is required, such vinagre or reminna: Virtualization with KVM and libvirt 3/14 ARCOM – MEEC – ISEP – 2018/2019 Perform the static configuration of the ethernet card on each virtual machine using private IP addresses, and test the connectivity using the ping command. For instance: # ip a add 192.168.0.2/24 dev eth0 # ip link set eth0 up # ping 192.168.0.1 After the connectivity test, shutdown both virtual machines an run ./ifdown. Libvirt KVM can be more easily used via the libvirt API and tools. Libvirt provides an API to create, modify, and control virtual machines. Some examples of libvirt tools are virt-install (command line based, used only to create a virtual machine), virsh (command line based), and virt-manager (graphical interface). In this context, a virtual machine is called a “guest domain”. Each VM has an associated XML file with all its settings. In this exercise, similarly to the previous exercise, we will configure and test two virtual machines connected through an isolated virtual network. However, this time the tasks will be carried out using the libvirt tools. Create the following XML file: # cat mynet1.xml <network ipv6='yes'> <name>mynet1</name> </network> Create an isolated virtual network, named mynet1, using virsh: # virsh net-define mynet1.xml # virsh net-dumpxml mynet1 # virsh net-start mynet1 Virtualization with KVM and libvirt 4/14 ARCOM – MEEC – ISEP – 2018/2019 Create the first virtual machine using the command line tool virt-install2: virt-install --name arcom-kvm1 --ram 64 --graphics vnc --disk path=arcom-vm1.qcow2 --import --network network=mynet1,model=virtio The virtual machine is started and the virt-install command blocks until the machine is powered off. In order to power off the machine, you must connect to it (using the VNC client) and execute the poweroff command (still in the virtual machine). Afterward, the machine can be restarted, stopped and powered off using the virsh tool. To list all virtual machines managed through libvirt: # virsh list --all To start the virtual machine: # virsh start arcom-kvm1 # virsh list --all To suspend a running a virtual machine: # virsh suspend arcom-kvm1 # virsh list --all The VM is kept in memory but it won't be scheduled for execution. If you try to use the VM’s terminal, you will get no response from it. To resume execution of the virtual machine: # virsh resume arcom-kvm1 # virsh list --all The VM should become responsive again. To power off your virtual machine (i.e., the equivalent to pressing the power off button on a real machine): # virsh destroy arcom-kvm1 # virsh list --all If the guest operating system supports the Advanced Configuration and Power Interface (ACPI), a software shutdown can be requested: # virsh shutdown arcom-kvm1 To display the machine configuration in XML format: # virsh dumpxml arcom-kvm1 The same information can be obtained directly from the corresponding XML file: cat /etc/libvirt/qemu/arcom-kvm1.xml The virsh and virt-install utilities are particularly useful for scripting and for quick checks. On the other hand, the virt-manager utility provides a more user-friendly environment. Create the second VM using the virt-manager utility: 2 The –import parameter is used to build a guest around an existing disk image (the default is to install from a given installation source). The device used for booting is the first device specified via "--disk" or "--filesystem". Virtualization with KVM and libvirt 5/14 ARCOM – MEEC – ISEP – 2018/2019 # virt-manager You should be presented with a graphical window, with a list of virtual machines. You should be able to find the previously created VM: Virtualization with KVM and libvirt 6/14 ARCOM – MEEC – ISEP – 2018/2019 Virtualization with KVM and libvirt 7/14 ARCOM – MEEC – ISEP – 2018/2019 Virtualization with KVM and libvirt 8/14 ARCOM – MEEC – ISEP – 2018/2019 Complete the VM creation by pressing “Begin Installation”.
Recommended publications
  • Effective Virtual CPU Configuration with QEMU and Libvirt

    Effective Virtual CPU Configuration with QEMU and Libvirt

    Effective Virtual CPU Configuration with QEMU and libvirt Kashyap Chamarthy <[email protected]> Open Source Summit Edinburgh, 2018 1 / 38 Timeline of recent CPU flaws, 2018 (a) Jan 03 • Spectre v1: Bounds Check Bypass Jan 03 • Spectre v2: Branch Target Injection Jan 03 • Meltdown: Rogue Data Cache Load May 21 • Spectre-NG: Speculative Store Bypass Jun 21 • TLBleed: Side-channel attack over shared TLBs 2 / 38 Timeline of recent CPU flaws, 2018 (b) Jun 29 • NetSpectre: Side-channel attack over local network Jul 10 • Spectre-NG: Bounds Check Bypass Store Aug 14 • L1TF: "L1 Terminal Fault" ... • ? 3 / 38 Related talks in the ‘References’ section Out of scope: Internals of various side-channel attacks How to exploit Meltdown & Spectre variants Details of performance implications What this talk is not about 4 / 38 Related talks in the ‘References’ section What this talk is not about Out of scope: Internals of various side-channel attacks How to exploit Meltdown & Spectre variants Details of performance implications 4 / 38 What this talk is not about Out of scope: Internals of various side-channel attacks How to exploit Meltdown & Spectre variants Details of performance implications Related talks in the ‘References’ section 4 / 38 OpenStack, et al. libguestfs Virt Driver (guestfish) libvirtd QMP QMP QEMU QEMU VM1 VM2 Custom Disk1 Disk2 Appliance ioctl() KVM-based virtualization components Linux with KVM 5 / 38 OpenStack, et al. libguestfs Virt Driver (guestfish) libvirtd QMP QMP Custom Appliance KVM-based virtualization components QEMU QEMU VM1 VM2 Disk1 Disk2 ioctl() Linux with KVM 5 / 38 OpenStack, et al. libguestfs Virt Driver (guestfish) Custom Appliance KVM-based virtualization components libvirtd QMP QMP QEMU QEMU VM1 VM2 Disk1 Disk2 ioctl() Linux with KVM 5 / 38 libguestfs (guestfish) Custom Appliance KVM-based virtualization components OpenStack, et al.
  • QEMU Parameter Jungle Slides

    QEMU Parameter Jungle Slides

    Finding your way through the QEMU parameter jungle 2018-02-04 Thomas Huth <[email protected]> Legal ● Disclaimer: Opinions are my own and not necessarily the views of my employer ● “Jungle Leaves” background license: CC BY 3.0 US : https://creativecommons.org/licenses/by/3.0/us/ Image has been modified from the original at: https://www.freevector.com/jungle-leaves-vector-background 2 Introduction 3 Why a guide through the QEMU parameter jungle? 4 Why a guide through the QEMU parameter jungle? ● QEMU is a big project, supports lots of emulated devices, and lots of host backends ● 15 years of development → a lot of legacy ● $ qemu-system-i386 -h | wc -l 454 ● People regularly ask about CLI problems on mailing lists or in the IRC channels → Use libvirt, virt-manager, etc. if you just want an easier way to run a VM 5 General Know-How ● QEMU does not distinguish single-dash options from double-dash options: -h = --h = -help = --help ● QEMU starts with a set of default devices, e.g. a NIC and a VGA card. If you don't want this: --nodefaults or suppress certain default devices: --vga none --net none 6 Getting help about the options ● Parameter overview: -h or --help (of course) ● Many parameters provide info with “help”: --accel help ● Especially, use this to list available devices: --device help ● To list parameters of a device: --device e1000,help ● To list parameters of a machine: --machine q35,help 7 e1000 example ● $ qemu-system-x86_64 --device e1000,help [...] e1000.addr=int32 (PCI slot and function¼) e1000.x-pcie-extcap-init=bool (on/off) e1000.extra_mac_registers=bool (on/off) e1000.mac=str (Ethernet 6-byte MAC Address¼) e1000.netdev=str (ID of a netdev backend) ● $ qemu-system-x86_64 --device \ e1000,mac=52:54:00:12:34:56,addr=06.0 8 General Know How: Guest and Host There are always two parts of an emulated device: ● Emulated guest hardware, e.g.: --device e1000 ● The backend in the host, e.g.: --netdev tap Make sure to use right set of parameters for configuration! 9 “Classes” of QEMU parameters ● Convenience : Easy to use, but often limited scope.
  • Many Things Related to Qubesos

    Many Things Related to Qubesos

    Qubes OS Many things Many things related to QubesOS Author: Neowutran Contents 1 Wiping VM 2 1.1 Low level storage technologies .................. 2 1.1.1 Must read ......................... 2 1.1.2 TL;DR of my understanding of the issue ........ 2 1.1.3 Things that could by implemented by QubesOS .... 2 2 Create a Gaming HVM 2 2.1 References ............................. 2 2.2 Prerequise ............................. 3 2.3 Hardware ............................. 3 2.4 Checklist .............................. 4 2.5 IOMMU Group .......................... 4 2.6 GRUB modification ........................ 4 2.7 Patching stubdom-linux-rootfs.gz ................ 5 2.8 Pass the GPU ........................... 6 2.9 Conclusion ............................. 6 2.10 Bugs ................................ 6 3 Create a Linux Gaming HVM, integrated with QubesOS 7 3.1 Goals ................................ 7 3.2 Hardware used .......................... 7 3.3 Main steps summary ....................... 7 3.3.1 Detailled steps ...................... 8 3.3.2 Using a kernel provided by debian ............ 8 3.4 Xorg ................................ 8 3.4.1 Pulseaudio ......................... 11 3.5 Final notes ............................ 11 3.6 References ............................. 12 4 Nitrokey and QubeOS 12 5 Recovery: Mount disk 12 6 Disposable VM 13 6.1 Introduction ............................ 14 6.1.1 References ......................... 14 6.1.2 What is a disposable VM? ................ 14 6.2 Playing online video ....................... 14 6.3 Web browsing ........................... 15 6.4 Manipulating untrusted files/data ................ 16 1 6.5 Mounting LVM image ...................... 17 6.6 Replace sys-* VM ......................... 18 6.7 Replace some AppVMs ...................... 18 7 Building a new QubesOS package 18 7.1 References ............................. 18 7.2 Goal ................................ 18 7.3 The software ............................ 19 7.4 Packaging ............................. 19 7.5 Building .............................
  • KVM Based Virtualization and Remote Management Srinath Reddy Pasunuru St

    KVM Based Virtualization and Remote Management Srinath Reddy Pasunuru St

    St. Cloud State University theRepository at St. Cloud State Culminating Projects in Information Assurance Department of Information Systems 5-2018 KVM Based Virtualization and Remote Management Srinath Reddy Pasunuru St. Cloud State University, [email protected] Follow this and additional works at: https://repository.stcloudstate.edu/msia_etds Recommended Citation Pasunuru, Srinath Reddy, "KVM Based Virtualization and Remote Management" (2018). Culminating Projects in Information Assurance. 53. https://repository.stcloudstate.edu/msia_etds/53 This Starred Paper is brought to you for free and open access by the Department of Information Systems at theRepository at St. Cloud State. It has been accepted for inclusion in Culminating Projects in Information Assurance by an authorized administrator of theRepository at St. Cloud State. For more information, please contact [email protected]. 1 KVM Based Virtualization and Remote Management by Srinath Reddy Pasunuru A Starred Paper Submitted to the Graduate Faculty of St. Cloud State University in Partial Fulfillment of the Requirements for the Degree Master of Science in Information Assurance May, 2018 Starred Paper Committee Susantha Herath, Chairperson Ezzat Kirmani Sneh Kalia 2 Abstract In the recent past, cloud computing is the most significant shifts and Kernel Virtual Machine (KVM) is the most commonly deployed hypervisor which are used in the IaaS layer of the cloud computing systems. The Hypervisor is the one which provides the complete virtualization environment which will intend to virtualize as much as hardware and systems which will include the CPUs, Memory, network interfaces and so on. Because of the virtualization technologies such as the KVM and others such as ESXi, there has been a significant decrease in the usage if the resources and decrease in the costs involved.
  • QEMU for Xen Secure by Default

    QEMU for Xen Secure by Default

    QEMU for Xen secure by default Deprivileging the PC system emulator Ian Jackson <[email protected]> FOSDEM 2016 with assistance from Stefano Stabellini guest guest Xen PV driver IDE driver Xen PV protocol mmio, dma, etc. qemu Emulated IDE controller Xen PV backend (usually), syscalls (usually) dom0 (usu.dom0) kernel Device driver kernel Device driver PV HVM ... ... ... ... ... from Xen Security Team advisories page, http://xenbits.xen.org/xsa/ Xen on x86 modes, and device model bug implications Current status for users of upstream Xen and distros and future plans Status Device model Notes bugs mean PV Fully supported Safe (no DM) Only modified guests HVM qemu in dom0 Fully supported Vulnerable Current default as root HVM qemu stub DM Upstream but not Safe Ancient qemu qemu-xen-trad. in most distros. Build system problems HVM qemu stub DM In progress Safe Rump build system rump kernel Hard work! is mini distro HVM qemu dom0 Targeting No privilege esc. Defence in depth not as root Xen 4.7 Maybe dom0 DoS Hopefully, will be default Xen on x86 modes, and device model bug implications Current status for users of upstream Xen and distros and future plans Status Device model Notes bugs mean PV Fully supported Safe (no DM) Only modified guests HVM qemu in dom0 Fully supported Vulnerable Current default as root HVM qemu stub DM Upstream but not Safe Ancient qemu qemu-xen-trad. in most distros. Build system problems HVM qemu stub DM In progress Safe Rump build system rump kernel Hard work! is mini distro HVM qemu dom0 Targeting No privilege esc.
  • Hyperlink: Virtual Machine Introspection and Memory Forensic Analysis Without Kernel Source Code Jidong Xiao Boise State University

    Hyperlink: Virtual Machine Introspection and Memory Forensic Analysis Without Kernel Source Code Jidong Xiao Boise State University

    Boise State University ScholarWorks Computer Science Faculty Publications and Department of Computer Science Presentations 1-1-2016 HyperLink: Virtual Machine Introspection and Memory Forensic Analysis without Kernel Source Code Jidong Xiao Boise State University Lei Lu VMware Inc. Haining Wang University of Delaware Xiaoyun Zhu Futurewei Technologies © 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. doi: 10.1109/ICAC.2016.46 HyperLink: Virtual Machine Introspection and Memory Forensic Analysis without Kernel Source Code Jidong Xiao∗, Lei Luy, Haining Wangz, Xiaoyun Zhux ∗Boise State University, Boise, Idaho, USA yVMware Inc., Palo Alto, California, USA zUniversity of Delaware, Newark, Delaware, USA xFuturewei Technologies, Santa Clara, California, USA Abstract— Virtual Machine Introspection (VMI) is an ap- nel rootkit detection [8], [9], kernel integrity protection [10], proach to inspecting and analyzing the software running inside a and detection of covertly executing binaries [11]. Being the virtual machine from the hypervisor. Similarly, memory forensics main enabling technology for cloud computing, virtualiza- analyzes the memory snapshots or dumps to understand the tion allows us allocating finite hardware resources among runtime state of a physical or virtual machine. The existing VMI a large number of software systems and programs. As the and memory forensic tools rely on up-to-date kernel information key component of virtualization, a hypervisor runs directly of the target operating system (OS) to work properly, which often requires the availability of the kernel source code.
  • Hardware Virtualization

    Hardware Virtualization

    Hardware Virtualization E-516 Cloud Computing 1 / 33 Virtualization Virtualization is a vital technique employed throughout the OS Given a physical resource, expose a virtual resource through layering and enforced modularity Users of the virtual resource (usually) cannot tell the difference Different forms: Multiplexing: Expose many virtual resources Aggregation: Combine many physical resources [RAID, Memory] Emulation: Provide a different virtual resource 2 / 33 Virtualization in Operating Systems Virtualizing CPU enables us to run multiple concurrent processes Mechanism: Time-division multiplexing and context switching Provides multiplexing and isolation Similarly, virtualizing memory provides each process the illusion/abstraction of a large, contiguous, and isolated “virtual” memory Virtualizing a resource enables safe multiplexing 3 / 33 Virtual Machines: Virtualizing the hardware Software abstraction Behaves like hardware Encapsulates all OS and application state Virtualization layer (aka Hypervisor) Extra level of indirection Decouples hardware and the OS Enforces isolation Multiplexes physical hardware across VMs 4 / 33 Hardware Virtualization History 1967: IBM System 360/ VM/370 fully virtualizable 1980s–1990s: “Forgotten”. x86 had no support 1999: VMWare. First x86 virtualization. 2003: Xen. Paravirtualization for Linux. Used by Amazon EC2 2006: Intel and AMD develop CPU extensions 2007: Linux Kernel Virtual Machines (KVM). Used by Google Cloud (and others). 5 / 33 Guest Operating Systems VMs run their own operating system (called “guest OS”) Full Virtualization: run unmodified guest OS. But, operating systems assume they have full control of actual hardware. With virtualization, they only have control over “virtual” hardware. Para Virtualization: Run virtualization-aware guest OS that participates and helps in the virtualization. Full machine hardware virtualization is challenging What happens when an instruction is executed? Memory accesses? Control I/O devices? Handle interrupts? File read/write? 6 / 33 Full Virtualization Requirements Isolation.
  • Virtualization

    Virtualization

    Virtualization ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania April 6, 2009 (CIS 399 Unix) Virtualization April 6, 2009 1 / 22 What is virtualization? Without virtualization: (CIS 399 Unix) Virtualization April 6, 2009 2 / 22 What is virtualization? With virtualization: (CIS 399 Unix) Virtualization April 6, 2009 3 / 22 Why virtualize? (CIS 399 Unix) Virtualization April 6, 2009 4 / 22 Why virtualize? Operating system independence Hardware independence Resource utilization Security Flexibility (CIS 399 Unix) Virtualization April 6, 2009 5 / 22 Virtualization for Users Parallels Desktop and VMware Fusion have brought virtualization to normal computer users. Mostly used for running Windows programs side-by-side with OS X programs. Desktop use has pushed support for: I USB devices I Better graphics performance (3d acceleration) I Integration between the guest and host operating system and applications. (CIS 399 Unix) Virtualization April 6, 2009 6 / 22 Virtualization for Developers Build and test on multiple operating systems with a single computer. Use VM snapshots to provide a consistent testing environment. Run the debugger from outside the virtual machine. I Isolates the debugger and program from each other. I Allows easy kernel debugging. I Snapshotting and record/replay allow you to capture and analyze rare bugs. (CIS 399 Unix) Virtualization April 6, 2009 7 / 22 Virtualization for Business Hardware independence - upgrade hardware without reinstalling software. Resource utilization - turn 10 hosts with 10% utilization into 1 host with 100% utilization. Big power and cooling savings! Migration - move a server to a different machine without shutting it down.
  • Virtualization of Linux Based Computers: the Linux-Vserver Project

    Virtualization of Linux Based Computers: the Linux-Vserver Project

    VirtualizationVirtualization ofof LinuxLinux basedbased computers:computers: thethe LinuxLinux--VServerVServer projectproject BenoBenoîîtt desdes Ligneris,Ligneris, Ph.Ph. D.D. [email protected] Objectives:Objectives: Objectives:Objectives: 1)1) PresentPresent thethe availableavailable programsprograms thatthat cancan provideprovide aa virtualizationvirtualization ofof LinuxLinux computerscomputers withwith differentdifferent technologies.technologies. Objectives:Objectives: 1)1) PresentPresent thethe availableavailable programsprograms thatthat cancan provideprovide aa virtualizationvirtualization ofof LinuxLinux computerscomputers withwith differentdifferent technologies.technologies. 2)2) FocusFocus onon LinuxLinux--VServers:VServers: aa veryvery lightweightlightweight andand effectiveeffective technologytechnology forfor thethe regularregular LinuxLinux useruser notnot interstedintersted inin KernelKernel hacking.hacking. PlanPlan PlanPlan ● IntroductionIntroduction PlanPlan ● IntroductionIntroduction ● OverviewOverview ofof thethe availableavailable technologytechnology PlanPlan ● IntroductionIntroduction ● OverviewOverview ofof thethe availableavailable technologytechnology ● ClassificationClassification ofof thethe problems:problems: usageusage criteriacriteria PlanPlan ● IntroductionIntroduction ● OverviewOverview ofof thethe availableavailable technologytechnology ● ClassificationClassification ofof thethe problems:problems: usageusage criteriacriteria ● ComparativeComparative studystudy ofof thethe existingexisting
  • Draft NISTIR 8221

    Draft NISTIR 8221

    Withdrawn Draft Warning Notice The attached draft document has been withdrawn, and is provided solely for historical purposes. It has been superseded by the document identified below. Withdrawal Date June 5, 2019 Original Release Date September 21, 2018 Superseding Document Status Final Series/Number NISTIR 8221 Title A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data Publication Date June 2019 DOI https://doi.org/10.6028/NIST.IR.8221 CSRC URL https://csrc.nist.gov/publications/detail/nistir/8221/final Additional Information 1 Draft NISTIR 8221 2 3 A Methodology for Determining 4 Forensic Data Requirements for 5 Detecting Hypervisor Attacks 6 7 8 Ramaswamy Chandramouli 9 Anoop Singhal 10 Duminda Wijesekera 11 Changwei Liu 12 13 14 Draft NISTIR 8221 15 16 A Methodology for Determining 17 Forensic Data Requirements for 18 Detecting Hypervisor Attacks 19 20 Ramaswamy Chandramouli 21 Anoop Singhal 22 Duminda Wijesekera 23 Changwei Liu 24 Computer Security Division 25 Information Technology Laboratory 26 27 28 29 30 31 32 33 34 35 36 September 2018 37 38 39 40 41 U.S. Department of Commerce 42 Wilbur L. Ross, Jr., Secretary 43 44 National Institute of Standards and Technology 45 Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology 46 47 National Institute of Standards and Technology Internal Report 8221 48 27 pages (September 2018) 49 50 51 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an 52 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or 53 endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best 54 available for the purpose.
  • Ovirt Architecture

    Ovirt Architecture

    oVirt Architecture Itamar Heim Presented here by Dan Kenigsberg [email protected] oVirt Overview 1 Agenda ● oVirt Components ● Engine ● Clients ● Host ● Engine Agent - VDSM ● Guest ● Storage Concepts ● Data Warehouse & Reports ● User flows oVirt Overview 2 Architecture From 30,000 Feet Servers Engine Client oVirt Overview 3 The Real World Web Clients Python SDK DB Python CLI Engine R LDAP E Server S T Guest agent Spice Guest client Shared Storage VDSM Host Local Storage oVirt Overview 4 oVirt Engine VM & Template Life Cycle Load HA create, schedule, snapshot Balancing Storage Configuration & Monitoring Network Configuration & Monitoring Host Host Host Host Register/Install Monitoring Maintenance Fencing Authentication, Authorization Inventory Audit oVirt Overview 5 oVirt Engine Postgres DB Active Directory Engine RHDS R E S IDM T oVirt Overview 6 The Real World Web Clients Python SDK DB Python CLI Engine R LDAP E Server S T Guest agent Spice Guest client Shared Storage VDSM Host Local Storage oVirt Overview 7 The Clients Admin Portal User Portal R Python SDK Engine E S T Python CLI oVirt Overview 8 Admin Portal oVirt Overview 9 User Portal oVirt Overview 10 Power User Portal oVirt Overview 11 REST API oVirt Overview 12 SDK oVirt Overview 13 CLI oVirt Overview 14 The Real World Web Clients Python SDK DB Python CLI Engine R LDAP E Server S T Guest agent Spice Guest client Shared Storage VDSM Host Local Storage oVirt Overview 15 The Host QEMU/KVM Fedora Engine MOM libvirt oVirt Node VDSM KSM Configuration Monitoring : Network, Storage, Host,
  • Vnfs in a CNF Environment

    Vnfs in a CNF Environment

    VNFs in a CNF environment Monika Antoniak, Piotr Skamruk CodiLime Agenda ● Who are we? ● Business use case - use existing VNFs in a containerized set-up ● Technical solution to the problem ● Q&A Who we are? Who we are ● CodiLime has been providing networking engineering services since 2011 ● As part of our R&D efforts and based on our expertise with CNFs and VNFs, we have decided to explore this topic further ● Today we are presenting the working example Business use case Business case What if… ● You love the lightness of containers and use them on a daily basis ● You value the flexibility and resilience of the overall solution ● You want a simple way to deploy things ● You enjoy using kubernetes to manage your resources ● ...and you use a business critical network function as a blackbox VM What can you do to get all of that? A step back: VNFs and CNFs VNF (Virtual Network Function): a well- CNF (Containerized Network Function): a known way to realize network functions in new way of providing required network virtualized or cloud environments functionality with the help of containers Software is provided as a VM image that Software is distributed as a container cannot be changed into a container image, image and can be managed using or is based on an operating system other container-management tools (like docker than Linux images in kubernetes env) VNF examples: vFW, vBNG, vEPC CNF examples: vCPE/cCPE, LDAP, DHCP Back to business Goal: a converged setup for running containerized and VM-based network functions ● using a single user interface