A guide to deploying an initial Docker Swarm mode network and then incorporating Asterisk into that swarm. Commands, a discussion of host mode vs overlay networking, and the basics of a deployable Docker Swarm mode Stack file are all covered.
Presentation of the webinar held on December 18, 2020.
Link to the webinar: https://youtu.be/Vu0xj2vhsb4
Docker is an open-source project that automates the deployment of applications inside software containers, providing an additional layer of abstraction and automation of application virtualization across multiple operating systems.
Topics to be covered:
- Brief introduction to Docker
- Building our first Asterisk-Docker image
- Launching our Asterisk container
- Docker Compose: Asterisk + MariaDB (CDR)
- Example of a real VoIP application:
- "Dockerized" OMniLeads running on FreePBX / Issabel
Guest panelist:
Fabián Pignataro, CTO OMniLeads
Launch the First Process in Linux System - Jian-Hong Pan
The session: https://coscup.org/2022/en/session/AGCMDJ
After the Linux kernel boots, it tries to launch the first process, “init”, in user space. Then the system begins the featured journey of the Linux distribution.
This talk takes Busybox as the example and shows how the Linux kernel finds the “init” that points to Busybox, what Busybox then does, and how to get a console. The aim is to make it behave like a simple Linux system.
Before the Linux kernel launches the “init” process, the drivers/modules for the file system and storage must be loaded so that the kernel can find “init”. In addition, to mount the root file system correctly, the kernel boot command line must include the root device and file system format parameters.
Busybox, which “init” points to, is a lightweight program with rich functionality, much like a Swiss Army knife, so it is commonly used in simple environments such as embedded Linux systems.
The talk will include a demo on a virtual machine first, then on the Raspberry Pi.
Drafts:
* https://hackmd.io/@starnight/Busbox_as_the_init
* https://hackmd.io/@starnight/Build_Alpines_Root_Filesystem_Bootstrap
Related idea: https://hackmd.io/@starnight/Systems_init_and_Containers_COMMAND_Dockerfiles_CMD
Docker Networking with New Ipvlan and Macvlan Drivers - Brent Salisbury
Docker Networking presentation at ONS2016.
Docker Macvlan and Ipvlan Networking Drivers Experimental Readme:
github.com/docker/docker/blob/master/experimental/vlan-networks.md
The kernel requirement for Ipvlan mode is v4.2+; for Macvlan mode it is v3.19.
If using Virtualbox to test with, use NAT mode interfaces unless you have multiple MAC addresses working in your setup. Use the 172.x.x.x subnet and gateway used by the VBox NAT network. Vmware Fusion works out of the box.
Here is a screenshot of a VirtualBox NAT interface:
https://www.dropbox.com/s/w1rf61n18y7q4f1/Screenshot%202016-03-20%2001.55.13.png?dl=0
Open vSwitch - Stateful Connection Tracking & Stateful NAT - Thomas Graf
Update on status of connection tracking and stateful NAT addition to the Linux kernel datapath. Followed by a discussion on the topic to collect ideas and come up with next steps.
Fortinet UTM - Advanced Features - eAlphorm
Full course here:
http://www.alphorm.com/tutoriel/formation-en-ligne-fortinet-fortigate-utm-nse4-les-fonctionnalites-avancees
This course, Fortinet UTM: Advanced Features, is the follow-up to the previous course, Fortinet Fortigate UTM (NSE4).
In this Fortinet UTM course, you will discover the advanced features of the Fortigate firewall: advanced routing, transparent mode, VDOMs, certificates, HA, and diagnostic tools.
The chapters covered in this Fortinet UTM course aim to round out your knowledge of Fortigate UTM firewalls and enable you to deploy complex network security architectures.
The Fortinet Fortigate UTM (NSE4) course and this Fortinet UTM: Advanced Features course prepare you for the NSE4 (Network Security Expert) certification and help you pass it.
Container Network Interface: Network Plugins for Kubernetes and beyond - KubeAcademy
With the rise of modern containers come new problems to solve – especially in networking. Numerous container SDN solutions have recently entered the market, each best suited for a particular environment. Combined with multiple container runtimes and orchestrators available today, there exists a need for a common layer to allow interoperability between them and the network solutions.
As different environments demand different networking solutions, multiple vendors and viewpoints look to a specification to help guide interoperability. Container Network Interface (CNI) is a specification started by CoreOS with the input from the wider open source community aimed to make network plugins interoperable between container execution engines. It aims to be as common and vendor-neutral as possible to support a wide variety of networking options — from MACVLAN to modern SDNs such as Weave and flannel.
CNI is growing in popularity. It got its start as a network plugin layer for rkt, a container runtime from CoreOS. Today rkt ships with multiple CNI plugins allowing users to take advantage of virtual switching, MACVLAN and IPVLAN as well as multiple IP management strategies, including DHCP. CNI is getting even wider adoption with Kubernetes adding support for it. Kubernetes accelerates development cycles while simplifying operations, and with support for CNI is taking the next step toward a common ground for networking. For continued success toward interoperability, Kubernetes users can come to this session to learn the CNI basics.
This talk will cover the CNI interface, including an example of how to build a simple plugin. It will also show Kubernetes users how CNI can be used to solve their networking challenges and how they can get involved.
KubeCon schedule link: http://sched.co/4VAo
In this session, we’ll review how previous efforts, including Netfilter, Berkeley Packet Filter (BPF), Open vSwitch (OVS), and TC, approached the problem of extensibility. We’ll show you an open source solution available within the Red Hat Enterprise Linux kernel, where extending and merging some of the existing concepts leads to an extensible framework that satisfies the networking needs of datacenter and cloud virtualization.
A presentation about combining the powers of the Go language and Asterisk in order to provide fast, reliable and hugely scalable voice applications. A brief introduction about why Go presents a big opportunity for the Asterisk community, a primer into developing FastAGI applications, demonstration of the AGI package [1] and a walk through the idioms and challenges of developing in Go. The talk is focused mainly on our experience of porting existing code into Go with the aim to scale our services to larger numbers, accompanied with benchmarks and an introduction to some tools [2] we developed to help us test, debug and benchmark AGI applications.
LinuxCon 2015 Linux Kernel Networking Walkthrough - Thomas Graf
This presentation features a walk through the Linux kernel networking stack for users and developers. It will cover insights into both existing essential networking features and recent developments, and will show how to use them properly. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as networking namespaces, segmentation offloading, TCP small queues, and low latency polling and will discuss how to configure them.
Hearts Of Darkness - a Spring DevOps Apocalypse - Joris Kuipers
In this talk Joris shares several real-life failure cases concerning running Spring applications in production. Examples include services being killed because of health check issues, Micrometer metrics getting lost, circuit breakers never closing after opening, OOM errors caused by unbounded queues and other nightmarish scenarios. Not only will you come to understand how these problems could sneak through staging to make their way to production, you will also be given practical tips on how to avoid these things from happening to your own applications. Otto von Bismarck famously said “Fools say that they learn by experience. I prefer to profit by others’ experience”. Don’t be a fool, and profit by viewing this talk!
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling - Kohei Tokunaga
Talk given at KubeCon + CloudNativeCon North America 2021 Virtual about lazy pulling of container images with eStargz and nydus (October 14, 2021).
https://kccncna2021.sched.com/event/lV2a
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
Speaker: Bill Fletcher
Date: September 24, 2015
★ Session Description ★
An introductory session of a system-level overview at Power State Coordination
- Focus on ARMv8
- Goes top-down from ACPI
- A demo based on the current code in qemu
- The specifications are very dynamic - what’s ongoing for ACPI and PSCI
★ Resources ★
Video: https://www.youtube.com/watch?v=vXzPdpaZVto
Presentation: http://www.slideshare.net/linaroorg/sfo15tr9-psci-acpi-and-uefi-to-boot
Etherpad: pad.linaro.org/p/sfo15-tr9
Pathable: https://sfo15.pathable.com/meetings/303087
★ Event Details ★
Linaro Connect San Francisco 2015 - #SFO15
September 21-25, 2015
Hyatt Regency Hotel
http://www.linaro.org
http://connect.linaro.org
[DockerCon 2019] Hardening Docker daemon with Rootless mode - Akihiro Suda
https://dockercon19.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=281879
Docker CE 19.03 is going to support "Rootless mode", which allows running the entire Docker daemon and its dependencies as a non-root user on the host, so as to protect the host from malicious containers in a simple but very strong way. Rootless mode is also attractive for users who cannot get `sudo` permission for installing Docker on shared computing machines, e.g. HPC users. In this talk, Akihiro Suda, the author of the Rootless mode (PR: moby#38050), will explain how users can get started with Rootless mode. He will also explain the implementation details of Rootless mode and planned enhancements such as LDAP integration.
These slides provide a basic understanding of hypervisor support in ARM v8 and above processors, and are intended to give automotive engineers some guidelines for comparing and choosing the right solution!
Introduction to the Container Network Interface (CNI) - Weaveworks
CNI, the Container Network Interface, is a standard API between container runtimes and container network implementations. These slides are from the Cloud Native Computing Foundation's Webinar, and explain what CNI is, how you use it, and what lies ahead on the roadmap.
Overview of Docker 1.11 features (Covers Docker release summary till 1.11, runc/containerd, dns load balancing ipv6 service discovery, labels, macvlan/ipvlan)
Dockerizing the Hard Services: Neutron and Nova - clayton_oneill
Talk about the benefits and pitfalls involved in successfully running complex services like Neutron and Nova inside of Docker containers.
Topics include:
* What magic incantations are needed to run these services at all?
* How to prevent HA router failover on service restarts.
* How to prevent network namespaces from breaking everything.
* Bonus: How network namespace fixes also helped fix Cinder NFS backend
Orchestrating Linux Containers while tolerating failures - Docker, Inc.
Although containers are bringing a refreshing flexibility when deploying services in production, the management of those containers in such an environment still requires special care in order to keep the application up and running. In this regard, orchestration platforms like Docker, Kubernetes and Nomad have been trying to alleviate this responsibility, facilitating the task of deploying and maintaining the entire application stack in its desired state. This ensures that a service will be always running, tolerating machine failures, network erratic behavior or software updates and downtime. The purpose of this talk is to explain the mechanisms and architecture of the Docker Engine orchestration platform (using a framework called swarmkit) to tolerate failures of services and machines, from cluster state replication and leader-election to container re-scheduling logic when a host goes down.
The age of orchestration: from Docker basics to cluster management - Nicola Paolucci
The container abstraction hit the collective developer mind with great force and created a space of innovation for the distribution, configuration and deployment of cloud based applications. Now that this new model has established itself work is moving towards orchestration and coordination of loosely coupled network services. There is an explosion of tools in this arena at different degrees of stability but the momentum is huge.
On the above premise, this session will delve into a selection of the following topics:
- Two minute Docker intro refresher
- Overview of the orchestration landscape (Kubernetes, Mesos, Helios and Docker tools)
- Introduction to Docker's own ecosystem orchestration tools (machine, swarm and compose)
- Live demo of cluster management using a sample application.
A basic understanding of Docker is suggested to fully enjoy the talk.
Docker is not just about deploying containers to hundreds of servers. Developers need tools that help with day-to-day tasks and to do their job more effectively. Docker is a great addition to most workflows, from starting projects to writing utilities to make development less repetitive. Docker can help take care of many problems developers face during development such as “it works on my machine” as well as keeping tooling consistent between all of the people working on a project. See how easy it is to take an existing development setup and application and move it over to Docker, no matter your operating system.
Starting with Docker 1.12, Docker has added features to the core Docker Engine to make multi-host and multi-container orchestration extremely simple to use and accessible to everyone. Docker 1.12 Networking plays a key role in enabling these orchestration features.
In this online meetup, we learned all the new and exciting networking features introduced in Docker 1.12:
Swarm-mode networking
Routing Mesh
Ingress and Internal Load-Balancing
Service Discovery
Encrypted Network Control-Plane and Data-Plane
Multi-host networking without external KV-Store
MACVLAN Driver
AtlasCamp 2015: The age of orchestration: From Docker basics to cluster manag... - Atlassian
Nicola Paolucci, Atlassian
Containers hit the collective developer mind with great force the past two years and created a space of fervent innovation. Now work is moving towards orchestration. In this session we'll cover an overview of the container orchestration landscape, give an introduction to Docker's own tools - machine, swarm and compose - and show a (semi)live demo of how they work in practice.
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
Docker Engine 1.12 can rightly be called “A Next Generation Docker Clustering & Distributed System”. Although the Docker Engine 1.12 final release is around the corner, the recent RC3 brings lots of improvements and exciting features. One of the major highlights of this release is Docker Swarm Mode, which provides a powerful yet optional ability to create coordinated groups of decentralized Docker Engines. Swarm Mode combines your engines into swarms of any scale. It’s self-organizing and self-healing. It enables infrastructure-agnostic topology. The newer version democratizes orchestration with out-of-box capabilities for multi-container on multi-host app deployments.
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Securing your Kubernetes cluster_ a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 5 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Generative AI Deep Dive: Advancing from Proof of Concept to Production - Aggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Climate Impact of Software Testing at Nordic Testing Days - Kari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
4. What is Docker
• Lightweight and distributable containers
• Containers should be single-process, no durable storage, ephemeral little creatures
• Scalability due to built in resilience and orchestration layers
• Higher packing density than virtual machines due to shared libs
5. Docker Swarm mode
• Orchestration layer (Swarm) is built into Docker Engine
• Easily scale containers across multiple nodes
• Easy, multi-host VXLAN routing
• Built in state reconciliation, health checks, and designed for resilient deployments
• Mesh networking allows ingress from any node to reach any other node
• Auto-load balancing of inbound requests utilizes in-kernel Linux IPVS
• Built-in DNS-based service discovery
• Rolling Updates
• Ease of Scaling
• A free basket of puppies (Docker EE only)
7. Deploying Your First Swarm
• Spin up a few machines with your favorite OS
• We’ll be using Debian 9
Install Docker CE
sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg2 \
    software-properties-common
curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | sudo apt-key add -
sudo add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
    $(lsb_release -cs) \
    stable"
sudo apt-get update
sudo apt-get install docker-ce
Voila!
root@astricon-sfo-1:~# docker -v
Docker version 17.09.0-ce, build afdb6d4
8. Initialize the Swarm
• TCP 2377 for cluster management communications
• TCP & UDP port 7946 for communication among nodes
• UDP port 4789 for overlay network traffic
Deploying Your First Swarm
root@astricon-sfo-1:~# docker swarm init --advertise-addr 107.170.205.26
Swarm initialized: current node (uri5s1oes546txryvdv5hyu69) is now a manager.
To add a worker to this swarm, run the following command:
    docker swarm join --token SWMTKN-1-4n2nbpa5lntnbpomq8h412xliz9orjcxlrdjwhrg2v756nzfg0-0q4061v448gvcnqckd8t1z75k 107.170.205.26:2377
To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
Now run that join line on each worker
root@astricon-london-1:~# docker swarm join --token SWMTKN-1-4n2nbpa5lntnbpomq8h412xliz9orjcxlrdjwhrg2v756nzfg0-0q4061v448gvcnqckd8t1z75k 107.170.205.26:2377
This node joined a swarm as a worker.
Success
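The three port groups listed on this slide only need to be reachable from the other swarm nodes, so a host firewall can limit them to peer addresses. The script below is an added example, not part of the original slides; the function names and the peer addresses (RFC 5737 documentation range) are constructed, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example: print iptables rules that limit the swarm ports from the
# slide to known peer nodes. Rules are printed, not applied.
# is_ipv4, swarm_port_rules and the peer IPs below are constructed.

# Succeed only for a dotted-quad IPv4 address with octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: swarm_port_rules PEER_IP [PEER_IP ...]
swarm_port_rules() {
    [ "$#" -ge 1 ] || { echo "need at least one peer" >&2; return 1; }
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "invalid peer address: $peer" >&2; return 1; }
    done
    # Ports from the slide: cluster management, node communication, overlay.
    for spec in tcp/2377 tcp/7946 udp/7946 udp/4789; do
        proto=${spec%/*}
        port=${spec#*/}
        for peer in "$@"; do
            echo "iptables -A INPUT -p $proto -s $peer --dport $port -j ACCEPT"
        done
        # Traffic to this port from any other source is dropped.
        echo "iptables -A INPUT -p $proto --dport $port -j DROP"
    done
}

# Demo with constructed peer addresses (RFC 5737 documentation range).
swarm_port_rules 192.0.2.10 192.0.2.11
```

Review the printed rules before applying them, and list every manager and worker address as a peer on each node.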
9. Your Swarm Is Ready!
root@astricon-sfo-1:~# docker node ls
ID                            HOSTNAME            STATUS   AVAILABILITY   MANAGER STATUS
zaecqxqlgj5n1jtxwi34r08cg     astricon-london-1   Ready    Active
gq45t7og425dmanur0b4fz0p6     astricon-nyc-1      Ready    Active
uri5s1oes546txryvdv5hyu69 *   astricon-sfo-1      Ready    Active         Leader
• Only a single Manager
• Managers are also workers with a little more overhead
• All nodes report ready
11. Swarm mode
• Build your own Asterisk or utilize an existing image from Docker Hub
• Docker Hub is built into all engines: docker pull <IMAGE>
• We’ll be using: respoke/asterisk:14
• Now we need to define our services
• We need to build a Stack file
• A stack file is simply a YAML file in Compose format that lists the various services run by the swarm
13. Stack file for Nginx
version: "3.4"
services:
  ### To demonstrate mesh networking, let’s use Nginx
  nginx:
    image: nginx
    ports:
      - 80:80
    networks:
      - astricon-is-radical
networks:
  astricon-is-radical:
    attachable: true
14. • Deploy the Stack!
root@astricon-sfo-1:~# docker stack deploy -c nginx.yml astricon_swarm
Creating network astricon_swarm_astricon-is-radical
Creating service astricon_swarm_nginx
• Check the Stack!
root@astricon-sfo-1:~# docker service ls
ID             NAME                   MODE         REPLICAS   IMAGE          PORTS
7a1292n9v49n   astricon_swarm_nginx   replicated   1/1        nginx:latest   *:80->80/tcp
• Scale the Stack!
root@astricon-sfo-1:~# docker service scale --detach=true astricon_swarm_nginx=2
astricon_swarm_nginx scaled to 2
ID             NAME                   MODE         REPLICAS   IMAGE          PORTS
7a1292n9v49n   astricon_swarm_nginx   replicated   2/2        nginx:latest   *:80->80/tcp
(Diagram: nodes NYC-1, SFO-1, LONDON-1)
15. (Diagram: nodes NYC-1, SFO-1 and LONDON-1 behind astriconswarm.io, joined by an Overlay Network, 172.18.0.2/16)
• All requests pointed at IP addresses associated with the swarm will be load-balanced to machines with that exposed port
• Even machines that aren’t running anything! Every node becomes an ingress node and will automatically address the correct service.
• You can ping by service name!
17. Asterisk Stack File: The Paralysis of Choice
Host Mode
version: "3.4"
services:
  ### The Big Kahuna!
  asterisk:
    image: respoke/asterisk:14
    networks:
      - host_mode
    deploy:
      placement:
        constraints: [node.labels.service == asterisk]
networks:
  host_mode:
    external:
      name: 'host'
Overlay Network
version: "3.4"
services:
  ### The Big Kahuna!
  asterisk:
    image: respoke/asterisk:14
    networks:
      - astricon-is-radical
    deploy:
      placement:
        constraints: [node.labels.service == asterisk]
networks:
  astricon-is-radical:
    attachable: true
18. Choosing a Network Mode
• The issue: opening ports in Docker uses iptables
    • Opening many ports (*cough RTP cough*) results in a severe memory crunch
    • Each UDP port = ~1MB in RAM (Debian 9.1, DO)
• Overlay Mode
    • Has full access to service discovery and mesh networking
    • Can’t run many open ports, perhaps a few hundred at most.
• Host Mode
    • No access to overlay or service discovery network
    • Has full access to the underlying networking subsystems
    • Unlimited ports
19. SECRET TRICK
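# CID must already hold the ID of the Asterisk container running on this host.
CIP=$(sudo docker inspect --format='{{.NetworkSettings.IPAddress}}' "$CID")
# Forward the whole UDP range to the container with one DNAT rule.
sudo iptables -A DOCKER -t nat -p udp -m udp ! -i docker0 --dport 10000:65535 -j DNAT --to-destination $CIP:10000-65535
# Accept the forwarded traffic on its way into the docker0 bridge.
sudo iptables -A DOCKER -p udp -m udp -d $CIP/32 ! -i docker0 -o docker0 --dport 10000:65535 -j ACCEPT
# Masquerade traffic the container sends to its own address on that range.
sudo iptables -A POSTROUTING -t nat -p udp -m udp -s $CIP/32 -d $CIP/32 --dport 10000:65535 -j MASQUERADE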
Shout out to BetterVoice
• Allows for a large port range to be opened with a single iptables rule
• Must be run on any machine that is running Asterisk and can’t be run from
inside the container (Swarm doesn’t allow privilege escalation)
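The rules on this slide open UDP 10000-65535, which is wider than the RTP range most Asterisk configurations use. The script below is an added example, not from the original slides or from BetterVoice: it reads rtpstart and rtpend from an rtp.conf and prints the same three rules scoped to that range. The function names, the sample rtp.conf and the container IP are constructed.

```shell
#!/bin/sh
# Added example: print the slide's three rules scoped to the RTP range that
# Asterisk is configured for. Nothing is applied to the firewall.
# conf_value, rtp_rules, the sample rtp.conf and the IP are constructed.

# Print the value of key $1 from "key = value" file $2 (';' starts a comment).
conf_value() {
    awk -F= -v key="$1" '
        { sub(/;.*/, "") }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { print val }' "$2"
}

# Usage: rtp_rules CONTAINER_IP RTP_CONF
rtp_rules() {
    cip=$1
    # Character check only: keeps shell metacharacters out of the rule text.
    case "$cip" in ''|*[!0-9.]*) echo "bad container IP" >&2; return 1 ;; esac
    start=$(conf_value rtpstart "$2")
    end=$(conf_value rtpend "$2")
    for n in "$start" "$end"; do
        case "$n" in
            ''|*[!0-9]*|??????*) echo "bad rtpstart/rtpend in $2" >&2; return 1 ;;
        esac
    done
    # Refuse privileged, out-of-range or inverted ranges.
    if [ "$start" -lt 1024 ] || [ "$end" -gt 65535 ] || [ "$start" -gt "$end" ]; then
        echo "refusing RTP range $start-$end" >&2; return 1
    fi
    echo "iptables -A DOCKER -t nat -p udp -m udp ! -i docker0 --dport $start:$end -j DNAT --to-destination $cip:$start-$end"
    echo "iptables -A DOCKER -p udp -m udp -d $cip/32 ! -i docker0 -o docker0 --dport $start:$end -j ACCEPT"
    echo "iptables -A POSTROUTING -t nat -p udp -m udp -s $cip/32 -d $cip/32 --dport $start:$end -j MASQUERADE"
}

# Demo run on a constructed rtp.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[general]
rtpstart = 10000   ; first RTP port
rtpend = 20000
EOF
rtp_rules 172.17.0.2 "$demo_conf"
rm -f "$demo_conf"
```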
20. Asterisk Stack File Revisited
version: "3.4"
services:
  ### The Big Kahuna!
  asterisk:
    image: respoke/asterisk:14
    networks:
      - host_mode
    deploy:
      placement:
        constraints: [node.labels.service == asterisk]
networks:
  host_mode:
    external:
      name: 'host'

version: "3.4"
services:
  ### The Big Kahuna!
  asterisk:
    image: respoke/asterisk:14
    networks:
      - astricon-is-radical
    deploy:
      placement:
        constraints: [node.labels.service == asterisk]
networks:
  astricon-is-radical:
    attachable: true
• Better for small business deployments
• Simpler to manage, requires no extra
DevOps (with small port ranges)
• One at a time
• Works more like a traditional Asterisk
installation
• Still functions with built-in HA / health
checks / swarm deployment options
• Many at a time
22. DNS - Route 53
• Set up Geolocation to route to closest server
• SRV records point to multiple datacenters
• Health checks or API calls to verify uptime/downtime
25. Docker Healthcheck
version: "3.4"
services:
  ### The Big Kahuna!
  asterisk:
    image: respoke/asterisk:14
    networks:
      - host_mode
    deploy:
      placement:
        constraints: [node.labels.service == asterisk]
    healthcheck:
      test: ["CMD", "sipsak", "-s", "sip:foo@astricon.swarm"]
      interval: 30s
      timeout: 15s
      retries: 3
networks:
  host_mode:
    external:
      name: 'host'
• Send an OPTIONS ping every 30s
• If failure occurs, retry 3 times with a wait period of 15 seconds
26. Data Persistence
Secrets Management: docker secret create
Node labels: docker node update --label-add
Private Registry: docker service update --with-registry-auth
27. Final Tips
• Make your images generic
• E.G. RingPlus abstracted away all business logic to API calls. This made our B2BUAs functionally interchangeable.
• Cows, not kittens.
• Leverage all the pieces of Swarm that you can.
• It can replace a bunch of auxiliary tools and cron scripts
• It forces you to think of things as components in a larger system and how they all fit together.
• No single VM running 15 different components installed by a consultant or someone who left the company a year ago.
• Your deployments become far less brittle and are easier to test.
• Development / Production Parity