History and Basics of containers, LXC, Docker and Kubernetes. This presentation was given to engineering college students at VIT DevFest 2018. Beginner to intermediate level.
This talk provides a 2017 updated view on SDN and the broader Network Softwarization trend (e.g., + NFV, P4) aiming and trying to provide a clarifying view on the evolving SDN definitions (beyond a purist view) by explaining the main characteristics of SDN embodiments in 2017+
How Linux Processes Your Network Packet - Elazar Leibovich, DevOpsDays Tel Aviv
With the buzz around eBPF, XDP, bpfilter etc., it's important to get the basics right. We will show the route of a network packet from kernel driver to TCP/IP stack to userspace socket and explain how and where it's processed en route.
Modern environments use a lot of the Linux networking stack's capability.
Every docker container requires a dedicated bridge, usually a few iptables entries to expose ports, a dnsmasq daemon, and masquerading to allow internet access.
It is hence important to understand Linux network fundamentals: from the driver interrupt/NAPI, to the network stack, the various filters it passes through and the various hooks you have at your disposal to alter and view the network packet flow.
We will first review the theory, and then present useful tools to apply the theory and debug problems in common situations.
We will survey common containers situations and see how packets move from the hardware to the container's veth.
A basic introductory slide set on Kubernetes: What does Kubernetes do, what does Kubernetes not do, which terms are used (Containers, Pods, Services, Replica Sets, Deployments, etc...) and how basic interaction with a Kubernetes cluster is done.
Kubernetes has two simple but powerful network concepts: every Pod is connected to the same network, and Services let you talk to a Pod by name. Bryan will take you through how these concepts are implemented - Pod Networks via the Container Network Interface (CNI), Service Discovery via kube-dns and Service virtual IPs, then on to how Services are exposed to the rest of the world.
KSQL and Security: The Current State of Affairs (Victoria Xia, Confluent) Kaf... - confluent
As KSQL-users move from development to production, security becomes an important consideration. Because KSQL is built on top of Kafka Streams, which in turn is built on top of Kafka Consumers and Producers, KSQL can leverage existing security functionality, including SSL encryption and SASL authentication in communications with Kafka brokers. However, authentication and authorization between KSQL servers and KSQL clients is a different story. As of December 2018, SSL for communication between KSQL clients and servers is enabled for the REST API, but not yet for the CLI. By April 2019, SSL will be supported in the KSQL CLI, and additional security functionality including SASL authentication, ACLs, audit logs, and RBAC will be in the works as well. This talk will cover the security options available for KSQL, including any new options added by April 2019, and will also include a preview of features to come. Audience members will leave with an understanding of what security features are currently available, how to configure them, current limitations, and upcoming features. The talk may also include common pitfalls and tips for debugging a KSQL security setup.
- Archeology: before and without Kubernetes
- Deployment: kube-up, DCOS, GKE
- Core Architecture: the apiserver, the kubelet and the scheduler
- Compute Model: the pod, the service and the controller
2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration - James Denton
Presentation titled 'Migrating production workloads from OVS to LinuxBridge'. Presented at the Fall 2014 OpenStack summit in Paris, this slide deck introduced the possibility of migrating live workloads from Open vSwitch to LinuxBridge with minimal downtime.
slideshow: https://www.slideshare.net/ssuser9b325a/docker-101-144718472
This is an introduction to docker in Vietnamese language
In this document
- Introduction to docker
- Docker network
- Demo scenario
Slide show:
https://www.slideshare.net/ssuser9b325a/docker-101-144718472
OpenShift Virtualization - VM and OS Image Lifecycle - Mihai Criveti
Building and packaging OS Images with KVM, qemu-img and podman and deploying them onto Kubernetes and KubeVirt with OpenShift Virtualization
Build and create images using Hashicorp Packer and Kickstart - create layered images for multiple cloud providers.
Interconnecting Neutron and Network Operators' BGP VPNs - Thomas Morin
Joint presentation given at the OpenStack summit Barcelona (Oct. 2016) with Paul Carver and Tim Irnich.
talk video: https://www.youtube.com/watch?v=LCDeR7MwTzE
demo: https://www.youtube.com/watch?v=5iRoZcmQyuU
Author: Oleg Chunikhin, www.eastbanctech.com
Kubernetes is a portable open source system for managing and orchestrating containerized cluster applications. Kubernetes solves a number of DevOps related problems out of the box in a simple and unified way – rolling updates and update rollback, canary deployment and other complicated deployment scenarios, scaling, load balancing, service discovery, logging, monitoring, persistent storage management, and much more. You will learn how in less than 30 minutes a reliable self-healing production-ready Kubernetes cluster may be deployed on AWS and used to host and operate multiple environments and applications.
Introduce the basic concept of Open vSwitch. In this slide, we talked about how Linux kernel and networking stack worked together to forward and process the network packet and also compare those Linux networking stack functionality with Open vSwitch and Openflow.
At the end of this slide, we talk about the challenge to integrate the Open vSwitch with Kubernetes, what kind of the networking function we need to resolve and what is the benefit we can get from the Open Vswitch.
Ceph data services in a multi- and hybrid cloud world - Sage Weil
IT organizations of the future (and present) are faced with managing infrastructure that spans multiple private data centers and multiple public clouds. Emerging tools and operational patterns like kubernetes and microservices are easing the process of deploying applications across multiple environments, but the achilles heel of such efforts remains that most applications require large quantities of state, either in databases, object stores, or file systems. Unlike stateless microservices, state is hard to move.
Ceph is known for providing scale-out file, block, and object storage within a single data center, but it also includes a robust set of multi-cluster federation capabilities. This talk will cover how Ceph's underlying multi-site capabilities complement and enable true portability across cloud footprints--public and private--and how viewing Ceph from a multi-cloud perspective has fundamentally shifted our data services roadmap, especially for Ceph object storage.
POC Conference 2015
Virtual Appliances have become very prevalent these days as virtualization is ubiquitous and hypervisors commonplace. More and more of the major vendors are providing literally virtual clones for many of their once physical-only products. Like IoT and the CAN bus, it's early in the game and vendors are late as usual. One thing that is catching these vendors off guard is the huge additional attack surface, ripe with vulnerabilities, added in the process. Also, many vendors see software appliances as an opportunity for the customer to easily evaluate the product before buying the physical one, making these editions more accessible and debuggable by utilizing features of the platform on which they run. During this talk, I will provide real case studies for various vulnerabilities created by mistakes that many of the major players made when shipping their appliances. You'll learn how to find these bugs yourself and how the vendors went about fixing them, if at all. By the end of this talk, you should have a firm grasp of how one goes about getting remote root on appliances.
Docker is going to change the way services are deployed by encapsulating them, thus providing a robust and complete continuous development/deployment workflow. But how is docker impacting the compute part of HPC? Containerization uses kernel functions (Namespaces/CGroups) to encapsulate the processes, while allowing a fine-grained customization of the compute stack; it sits on top of a stripped-down bare-metal OS that provides basic services.
This session aims to explore whether docker already is the 'virtualization' technique the HPC community is waiting for.
Could a distributed MPI job across multiple containers placed on different physical nodes beat a natively started job?
A brief introduction on Vagrant and Docker, and how to use them to create portable and distributable development environments. Know why and how to use them for better development and faster deployment, including demonstration and code samples from this presentation.
QNIBTerminal: Understand your datacenter by overlaying multiple information l... - QNIB Solutions
Today's data center managers are burdened by a lack of aligned information across multiple layers. Work-flow events like 'job starts' aligned with performance metrics and events extracted from log facilities are low-hanging fruit that is on the edge of becoming usable thanks to open-source software like Graphite, StatsD, logstash and the like.
This talk aims to show off the benefits of merging multiple layers of information within an InfiniBand cluster by using use-cases for level 1/2/3 personnel.
Vagrant, Ansible and Docker - How they fit together for productive flexible d... - Samuel Lampa
A very quick overview of how Vagrant, Ansible and Docker fit nicely together as a very productive and flexible solution for creating automated development environments.
This presentation, given at the Nashville VMUG Converge 2015 event on April 8, 2015, provides an overview of Vagrant and Docker as tools that VMware administrators might find useful.
Flash Talk for the ECEP Alliance from the NSF BPC Community Meeting - Mark Guzdial
The Expanding Computing Education Pathways (ECEP) Alliance (an NSF Broadening Participation in Computing alliance) helps states broaden participation in computing education and improve their computing education. This five minute (20 slides, 15 seconds per slide) talk introduces ECEP and offers a model for how states can get started with improving and broadening their computing education.
Talk on Ebooks at the NSF BPC/CE21/STEM-C Community Meeting - Mark Guzdial
Why we should use ebooks (rather than MOOCs) for CS learning opportunities for high school teachers. We use educational psychology principles to design our book. The talk presents data from our first three studies: usability, log file analysis, and learnability
This presentation was given by David Lucchino and Chris Loose, co-founders of Semprus BioSciences, Corp. It describes the process of how Lucchino and Loose grew Semprus BioSciences from their lab at MIT to what it is today! The presentation outlines certain rules and practices other startup founders can follow for finding funding and mentorship.
Introductory seminar on Docker and its components (networks and Compose in particular). Focused on going through some basic concepts, mention some more advanced topics, and introduce a practical workshop held on the same evening.
Overview of Docker 1.11 features(Covers Docker release summary till 1.11, runc/containerd, dns load balancing ipv6 service discovery, labels, macvlan/ipvlan)
In this talk, Damien describes the infrastructure Nuxeo has built around Docker containers, which is mainly based on CoreOS and Docker, and how it provides a way to generically run applications not only on a single host, but across a whole cluster of hosts. The resulting architecture can be used to implement a PaaS approach for any application.
Introduction to Docker, December 2014 "Tour de France" Edition - Jérôme Petazzoni
Docker, the Open Source container Engine, lets you build, ship and run, any app, anywhere.
This is the presentation which was shown in December 2014 for the "Tour de France" in Paris, Lille, Lyon, Nice...
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Essentials of Automations: The Art of Triggers and Actions in FME - Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf - Peter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Pushing the limits of ePRTC: 100ns holdover for 100 days - Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
2. About Me
• Have worked
  • Iteration through L1/2/3 SysOps
  • Mostly German automotive sector
  • 01/2013 -> 10/2014 R&D @Bull SAS
• Now
  • Independent R&D / freelancing
  • DevOps Eng. at Locafox (scale online)
• Hot topics
  • Containerization
  • Log / performance management
  • Go
  • HPC cluster software stack / interconnect
3. Docker in a (Coco-)Nutshell
• (chroot)2 != Virtual Machine
4. Traditional vs. Lightweight Layers
[Diagram: two stacks side by side. Traditional Virtualisation: SERVER > HOST KERNEL > InitSystem > Userland (OS) > HYPERVISOR, carrying several guests, each with its own KERNEL > Userland (OS) > InitSystem > SERVICE. Docker Containerisation: SERVER > HOST KERNEL > Userland (OS) > InitSystem, carrying several containers, each with only Userland (OS) > SERVICE on the shared host kernel.]
5. Docker in a (Coco-)Nutshell
• (chroot)2 != Virtual Machine
• Builds on top of LinuX Containers (LXC)
• Kernel namespaces (isolation)
6. Process Namespace
$ docker run -ti --rm ubuntu:14.04 ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 10:24 ? 00:00:00 ps -ef
$
Containers are not able to see processes outside of their scope.
7. Network Namespace
$ docker run -ti --rm ubuntu:14.04 ip -4 -o addr
1: lo inet 127.0.0.1/8 scope host lo
10: eth0 inet 172.17.0.4/16 scope global eth0
$
Each container gets its own network stack (by default; configurable).
8. Namespace
• Mount (do not mess with other file systems)
• User (users are only valid within one container)
• IPC (interprocess communication only within)
• UTS (hostname / domain name is unique)
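The isolation the last three slides describe is visible from the host: every process has a set of symlinks under /proc/<pid>/ns, one per namespace kind, and two processes are in the same namespace exactly when the link targets (the namespace inodes) match. The script below, an added example rather than anything from the deck, reads those links and reports which namespace kinds a process shares with the caller; the link-target strings in the test are constructed values. Running it against the PID of a container's process from the host shows pid, net, mnt, ipc and uts as separate (user stays shared unless user namespaces are enabled).

```python
"""Compare the kernel namespaces of two processes via /proc/<pid>/ns.

Added example, not from the original deck. Each entry under /proc/<pid>/ns
is a symlink whose target looks like "pid:[4026531836]"; two processes are
in the same namespace of a given kind exactly when those targets match.
"""
import os

# Kinds the deck discusses (pid, net, mnt, user, ipc, uts); cgroup is listed
# too because newer kernels expose it the same way.
NS_KINDS = ("pid", "net", "mnt", "user", "ipc", "uts", "cgroup")


def ns_inode(link_target):
    """Split a link target such as 'pid:[4026531836]' into ('pid', 4026531836)."""
    kind, _, rest = link_target.partition(":[")
    return kind, int(rest.rstrip("]"))


def namespace_ids(pid):
    """Return {kind: link target} for pid ("self" is accepted, as in /proc/self).

    Kinds the kernel does not expose, unreadable targets and non-Linux hosts
    simply leave the kind absent, so callers never see a half-populated entry.
    """
    ids = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            continue
    return ids


def compare_ids(ids_a, ids_b):
    """Return {kind: True if both sides have the same namespace of that kind}."""
    return {kind: ids_a[kind] == ids_b[kind] for kind in ids_a if kind in ids_b}


def shared_namespaces(pid_a, pid_b):
    """Same as compare_ids, but read the two processes from /proc."""
    return compare_ids(namespace_ids(pid_a), namespace_ids(pid_b))


def isolation_report(pid_a, pid_b):
    """List the namespace kinds in which pid_b is separated from pid_a.

    An empty list means the two processes see the same world (no isolation
    of the checked kinds); a full list means pid_b is isolated in every kind.
    """
    return sorted(k for k, same in shared_namespaces(pid_a, pid_b).items() if not same)


if __name__ == "__main__":
    import sys
    # Usage: python ns_check.py <pid>  (defaults to PID 1 of the current pid namespace)
    target = sys.argv[1] if len(sys.argv) > 1 else "1"
    for kind, same in shared_namespaces("self", target).items():
        print(f"{kind:6s} {'shared' if same else 'separate'}")
```

Reading /proc/<pid>/ns for a process you do not own requires the same privilege as ptrace on it, so on a locked-down host run the check as root or against your own processes.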
9. Docker in a (Coco-)Nutshell
• (chroot)2 != Virtual Machine
• Builds on top of LinuX Containers (LXC)
• Kernel namespaces (isolation)
• cgroups (resource mgmt)
• Intuitive build system
10. Dockerfile
$ cat Dockerfile
# Which image to start from
FROM fedora:20
# Who is in charge
MAINTAINER "Christian Kniep <christian@qnib.org>"
# Execute a shell command at build time
RUN yum install -y stress
# If no command is given at run time, this one is executed
# (exec form: no shell wraps it, so stress itself becomes PID 1).
CMD ["stress", "-c", "4"]
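The build system is where most runtime security posture is decided: which base the image trusts, whether the service ends up running as root, and whether the process that becomes PID 1 will see signals. The checker below is an added example (not part of the deck, and not a real linter such as hadolint); it parses the Dockerfile from the slide above, embedded as constructed input, and flags the unpinned base image, the deprecated MAINTAINER instruction, ADD from a URL, shell-form CMD/ENTRYPOINT and a missing USER. The finding texts and rule set are my choices.

```python
"""Static checks over a Dockerfile (added example, not the deck's code).

Parses the instruction list and flags the build-time choices that most
often show up later as runtime security findings.
"""
import re

# Constructed sample: the Dockerfile shown on the slide, reproduced as input.
DECK_DOCKERFILE = """\
# Which image to start from
FROM fedora:20
# Who is in charge
MAINTAINER "Christian Kniep <christian@qnib.org>"
# Execute a shell command at build time
RUN yum install -y stress
# If no command is given at run time, this one is executed
CMD ["stress", "-c", "4"]
"""


def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument string), ...].

    Handles blank lines, comments and backslash continuations; parser
    directives and heredocs are out of scope for this example.
    """
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "  # join continued lines with one space
            continue
        inst, _, args = (buf + line).partition(" ")
        instructions.append((inst.upper(), args.strip()))
        buf = ""
    return instructions


def image_is_pinned(image):
    """True when a FROM reference names an explicit tag (not latest) or a digest."""
    if "@sha256:" in image:
        return True
    name = image.rsplit("/", 1)[-1]  # drop registry/namespace, e.g. registry:5000/ns/app
    return ":" in name and not name.endswith(":latest")


def audit_dockerfile(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    instructions = parse_dockerfile(text)
    for inst, args in instructions:
        if inst == "FROM":
            # Skip flags such as --platform=...; the next token is the image.
            image = next(t for t in args.split() if not t.startswith("--"))
            if not image_is_pinned(image):
                findings.append(f"FROM {image}: unpinned base image, builds are not reproducible")
        elif inst == "MAINTAINER":
            findings.append("MAINTAINER is deprecated; use LABEL maintainer=... instead")
        elif inst == "ADD" and re.search(r"https?://", args):
            findings.append("ADD from a URL: fetch with RUN and verify a checksum, or COPY a vetted file")
        elif inst in ("CMD", "ENTRYPOINT") and not args.startswith("["):
            findings.append(f"{inst} in shell form: /bin/sh becomes PID 1 and swallows signals")
    if not any(inst == "USER" for inst, _ in instructions):
        findings.append("no USER instruction: the service runs as root inside the container")
    return findings


if __name__ == "__main__":
    for finding in audit_dockerfile(DECK_DOCKERFILE):
        print("-", finding)
```

For the slide's Dockerfile the checker reports two findings (MAINTAINER and the missing USER); the base image is pinned to fedora:20 and the CMD already uses exec form.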
18. Docker != VM (srsly!)
http://en.wikipedia.org/wiki/Systemd
Virtual Machine
• Kicks off a complete Machine, hence the name!
• EveryoneTM disables security
• Hard to strip down
Docker
• Only spawns one process (in theory, at least)
• Easy to understand (theory, old friend)
22. Images and CoW
• An image is an immutable layer
• A container is the RW layer, which is executed on top
[Diagram: image tree with Fedora at the root and the layered images qnib/fd20, qnib/supervisor, qnib/terminal, qnib/build, qnib/of_build, qnib/IB_build, qnib/slurm_build, qnib/master, qnib/slave, qnib/gapi, qnib/carbon and qnib/elk above it; the container's copy-on-write layer (/slurm) sits on top.]
FROM points to the parent image and this relationship sticks. If the parent is changed, the child has to be rebuilt.
28. Config Mgmt
• Provisioning
  • Bootstrap DOCKER_HOST
  • Dockerfile vs. playbooks?
• Orchestration
  • Multiple other projects in the woods (Docker Swarm, Kubernetes, Apache Mesos[?], …)
• Validation
  • Is the configuration within still valid?
30. Ansible
• docker module
  • Start/stop containers
• docker inventory
  • Provide a dynamic inventory by fetching info about running containers
• docker facts
  • Use information about containers within Ansible
31. Thoughts
• Containers mostly do not provide an SSH daemon
  • Connecting via docker exec <container> bash
• Docker is a nice way to check out playbooks
  • Otherwise playbooks shouldn't be used inside of Dockerfiles [IMHO]
• Use Ansible to check configuration within container?
• Setup SELinux rules using Ansible
• Vagrant vs. Docker
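Slides 30 and 31 together describe the pattern: a dynamic inventory built from running containers, and tasks that reach each container through docker exec instead of an SSH daemon. The script below, an added example that is neither the deck's code nor Ansible's bundled docker inventory script, turns a few constructed records in the shape of docker inspect output into the JSON document Ansible expects from an inventory script (--list), grouping hosts by image and by label and setting ansible_connection to docker, which is the connection plugin that runs tasks via docker exec. The hostvar name container_image and the group-name prefixes are my own choices; in real use the records would come from the Docker API rather than a literal.

```python
"""Ansible dynamic inventory built from container metadata.

Added example, not from the deck or from Ansible's own docker inventory
script. Records mimic the fields returned by `docker inspect`; they are
constructed inline so the script runs without a Docker daemon.
"""
import json
import re

# Constructed sample records (shape borrowed from `docker inspect` output).
SAMPLE_CONTAINERS = [
    {"Name": "/qnib_elk", "State": {"Running": True},
     "Config": {"Image": "qnib/elk", "Labels": {"role": "logging"}}},
    {"Name": "/qnib_carbon", "State": {"Running": True},
     "Config": {"Image": "qnib/carbon", "Labels": {"role": "metrics"}}},
    {"Name": "/qnib_build", "State": {"Running": False},
     "Config": {"Image": "qnib/build", "Labels": {}}},
]


def group_name(prefix, value):
    """Ansible group names should be identifiers: replace anything else with '_'."""
    return prefix + "_" + re.sub(r"[^A-Za-z0-9_]", "_", value)


def build_inventory(records):
    """Return the dict an inventory script prints for --list."""
    inventory = {"all": {"hosts": []}, "_meta": {"hostvars": {}}}
    for rec in sorted(records, key=lambda r: r["Name"]):
        if not rec["State"]["Running"]:
            continue  # a stopped container cannot be exec'd into, so it is not a host
        name = rec["Name"].lstrip("/")
        image = rec["Config"]["Image"]
        inventory["all"]["hosts"].append(name)
        inventory["_meta"]["hostvars"][name] = {
            "ansible_connection": "docker",  # tasks run through docker exec, no sshd needed
            "ansible_host": name,            # the docker connection plugin addresses containers by name
            "container_image": image,        # custom hostvar, handy for conditionals in playbooks
        }
        # One group per image plus one group per label key=value pair.
        groups = [group_name("image", image)]
        groups += [group_name(k, v) for k, v in rec["Config"].get("Labels", {}).items()]
        for g in groups:
            inventory.setdefault(g, {"hosts": []})["hosts"].append(name)
    return inventory


if __name__ == "__main__":
    # Ansible invokes inventory scripts with --list and reads JSON from stdout.
    print(json.dumps(build_inventory(SAMPLE_CONTAINERS), indent=2))
```

Because the docker connection plugin runs commands inside the container's namespaces with the container's own user and capabilities, a playbook used this way only ever has the privileges the container already has, which is a sensible boundary for the "check configuration within container" idea on the last slide.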