The document discusses various AWS services for containerized applications and serverless architectures. It covers ECS, EKS, Lambda, serverless patterns, microservices, data lakes, machine learning, and Kubernetes. Key points include:
- ECS uses containers wrapped in task definitions and services wrapped in clusters. EKS launches Kubernetes clusters on EC2 instances in AWS accounts.
- Serverless patterns discussed include web applications using API Gateway and Lambda, stream processing with Kinesis, and data lakes using S3 and Athena.
- Best practices for serverless include avoiding hardcoding orchestration, using Step Functions, monitoring and testing, and considering costs of data and services used.
- Microservices tend to
BPF: Next Generation of Programmable Datapath - Thomas Graf
This session covers lessons learned while exploring BPF to provide a programmable datapath based on BPF and discusses options for OVS to leverage the technology.
Cilium - Fast IPv6 Container Networking with BPF and XDP - Thomas Graf
We present a new open source project which provides IPv6 networking for Linux Containers by generating programs for each individual container on the fly and then runs them as JITed BPF code in the kernel. By generating and compiling the code, the program is reduced to the minimally required feature set and then heavily optimised by the compiler as parameters become plain variables. The upcoming addition of the Express Data Plane (XDP) to the kernel will make this approach even more efficient as the programs will get invoked directly from the network driver.
The webinar discussed accelerating P4 and eBPF programs on Netronome SmartNIC hardware. It covered the Linux kernel infrastructure like TC and XDP that supports offloading eBPF programs. It also explained how the NFP architecture is optimized for network flow processing with its multi-core design and memory hierarchy. The webinar demonstrated how eBPF programs can be translated to run efficiently on the NFP hardware by handling maps and applying optimizations.
Kernel Recipes 2013 - Nftables, what motivations and what solutions - Anne Nicolas
Iptables and Netfilter were introduced in 2001 along with Linux 2.4 as the complete firewall layer. Their functionality and code have changed a great deal during the decade since, but nothing compares to what has been done with nftables.
The motivation for this change is to overcome the limitations of iptables, which was beginning to show its age both functionally and in its code design: rule-set updates are expensive (increasingly so as the number of rules grows, which has become a problem for managing non-static rule sets), and the code is duplicated, which is problematic for maintainers and users alike.
Nftables is a replacement for iptables that has been developed since 2008 by Patrick McHardy, head of the Netfilter project. After a period of dormancy, development resumed in 2012 and a team of developers was formed and is working on the project.
Nftables solves the update performance problem with a messaging interface between the kernel and user space. The Netlink infrastructure was used because it is the basis of the latest major Netfilter developments.
The most notable changes:
- incremental and atomic rule updates, guaranteeing both performance and consistency of the rule set
- expression of rules using a pseudo-machine, avoiding the complex work of writing kernel modules and additional extensions
Nftables overcomes the limitations of iptables and brings new features that should resolve many problems in an elegant and efficient way. The work is already substantial; only the high-level library has yet to be developed. Given the remaining work, the first official release is planned for late 2013.
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP - Thomas Graf
This talk will start with a deep dive and hands-on examples of BPF, possibly the most promising low-level technology to address challenges in application and network security, tracing, and visibility. We will discuss how BPF evolved from a simple bytecode language for filtering raw sockets for tcpdump to a JITable virtual machine capable of universally extending and instrumenting both the Linux kernel and user space applications. The introduction is followed by a concrete example of how the Cilium open source project applies BPF to solve networking, security, and load balancing for highly distributed applications. We will discuss and demonstrate how Cilium, with the help of BPF, can be combined with distributed system orchestration such as Docker to simplify security, operations, and troubleshooting of distributed applications.
Replacing iptables with eBPF in Kubernetes with Cilium - Michal Rostecki
Cilium is an open source project which provides networking, security and load balancing for application services that are deployed using Linux container technologies by using the native eBPF technology in the Linux kernel. In this presentation we talked about:
- The evolution of the BPF filters, and the advantages of eBPF filters and their use cases today in Linux, especially how Cilium networking utilizes eBPF filters to secure Kubernetes workloads with increased performance compared to legacy iptables.
- How Cilium uses SOCKMAP for layer 7 policy enforcement.
- How Cilium integrates with Istio and handles L7 Network Policies with Envoy proxies.
- The new features since the last release, such as running a Kubernetes cluster without kube-proxy, providing cluster-wide NetworkPolicies, and providing a fully distributed networking and security observability platform for cloud native workloads.
This document discusses BPF (Berkeley Packet Filter), a mechanism for filtering network packets on Linux. BPF allows defining filters using an instruction set that is executed against packets to determine whether to accept or drop them. The document provides an overview of how BPF works, demonstrating simple BPF filters, and discusses using BPF for packet filtering and other applications like seccomp.
#Include os - From bootloader to REST API with the new C++ - IncludeOS
The document discusses IncludeOS, a minimal operating system implemented from scratch in C++. It can be included directly in an ELF binary to create a unikernel. IncludeOS is 300x smaller on disk and uses 100x less memory than traditional operating systems. It supports building REST APIs and web servers directly in C++ applications using the operating system. Drivers are self-registering, so applications only link in what they need. Interrupts are handled by delegating to subscriber functions. The document demonstrates building a TCP server and routing in a web application directly in C++ using the IncludeOS APIs and libraries.
Linux Kernel Cryptographic API and Use Cases - Kernel TLV
The Linux kernel has a rich and modular cryptographic API that is used extensively by familiar user facing software such as Android. It's also cryptic, badly documented, subject to change and can easily bite you in unexpected and painful ways.
This talk will describe the crypto API, provide some usage examples and discuss some of the more interesting in-kernel users, such as DM-Crypt, DM-Verity and the new file system encryption code.
Gilad Ben-Yossef is a principal software engineer at ARM. He works on the kernel security sub-system and the ARM CryptCell engine. Open source work done by Gilad includes an experiment in integration of network processors in the networking stack, a patch set for reducing the interference caused to user space processes in large multi-core systems by Linux kernel “maintenance” work and on SMP support for the Synopsys Arc processor among others.
Gilad has co-authored O’Reilly’s “Building Embedded Linux Systems” 2nd edition and presented at such venues as Embedded Linux Conference Europe and the Ottawa Linux Symposium, as well as co-founded Hamakor, an Israeli NGO for the advancement for Open Source and Free Software in Israel. When not hacking on kernel code you can find Gilad meditating and making dad jokes on Twitter.
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond - Anne Nicolas
Berkeley Packet Filter is an old friend to most people who deal with networking under Linux. But its extended version, eBPF, is completely redefining the scope of usage and interaction with the kernel. It can indeed be used to instrument most parts of the kernel, from network tracing to process or I/O monitoring.
This talk will provide an overview of eBPF, from the concept to tools like BCC. It will then focus on XDP, the eXpress Data Path, and the possible networking applications enabled by this new framework.
Eric Leblond, Stamus Network
LinuxCon 2015 Linux Kernel Networking Walkthrough - Thomas Graf
This presentation features a walk through the Linux kernel networking stack for users and developers. It will cover insights into both existing essential networking features and recent developments, and will show how to use them properly. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as network namespaces, segmentation offloading, TCP small queues, and low latency polling, and will discuss how to configure them.
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC - Thomas Graf
FirewallD provides firewall management as a service in RHEL 7, abstracting policy definition and handling configuration. The kernel includes new filtering capabilities like connection tracking targets and extended accounting. Nftables, a new packet filtering subsystem that will eventually replace iptables, uses a state machine-based approach with a unified nft user interface.
Exactly Once Semantics Revisited (Jason Gustafson, Confluent) Kafka Summit NY... - confluent
Two years ago, we helped to contribute a framework for exactly once semantics (or EOS) to Apache Kafka. This much-needed feature brought transactional guarantees to stream processing engines such as Kafka Streams. In this talk, we will recount the journey since then and the lessons we have learned as usage has gradually picked up steam. What did we get right and what did we get wrong? Most importantly, we will discuss how the work is continuing to evolve in order to provide more reliability and better performance. This talk assumes basic familiarity with Kafka and the log abstraction. What you will get out of it is a deeper understanding of the underlying architecture of the EOS framework in Kafka, what its limitations are, and how you can use it to solve problems.
The Linux kernel is undergoing the most fundamental architecture evolution in its history and is becoming a microkernel. Why is the Linux kernel evolving into a microkernel? This is potentially the biggest fundamental change ever to happen to the Linux kernel. This talk covers how companies like Facebook and Google use BPF to patch 0-day exploits, how BPF will change the way features are added to the kernel forever, and how BPF is introducing a new type of application deployment method for the Linux kernel.
CETH for XDP [Linux Meetup Santa Clara | July 2016] - IO Visor Project
This document discusses CETH (Common Ethernet Driver Framework), which aims to improve kernel networking performance for virtualization. CETH simplifies NIC drivers by consolidating common functions. It supports various NICs and accelerators. CETH features efficient memory and buffer management, flexible TX/RX scheduling, and a customizable metadata structure. It is being simplified to work with XDP for even higher performance network I/O processing in the kernel. Next steps include further optimizations and measuring performance gains when using CETH with XDP and virtualized environments.
OpenStack is an open source cloud computing platform that can be used to build an IaaS cloud. It consists of microservices that can be assembled together. Cloud applications can be defined using orchestration templates. OpenStack provides modular REST APIs for service access and communication. The document discusses architectural considerations and the ecosystem for using OpenStack for telco cloud environments.
This document discusses Open vSwitch and its support for stateful services like connection tracking (conntrack) and network address translation (NAT). Open vSwitch is designed to manage overlay networks and provides programmable flow tables and remote management. It aims to integrate conntrack to enable stateful firewalling and NAT functions. This will allow matching on connection states and leveraging existing Linux conntrack and NAT modules. Examples are given of how conntrack and NAT rules could be implemented using these new Open vSwitch capabilities.
netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers.
iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different netfilter modules) and the chains and rules it stores.
Many systems use iptables/netfilter, Linux's native packet filtering/mangling framework since Linux 2.4, be it home routers or sophisticated cloud network stacks.
In this session, we will talk about the netfilter framework and its facilities, explain how basic filtering and mangling use-cases are implemented using iptables, and introduce some less common but powerful extensions of iptables.
Shmulik Ladkani, Chief Architect at Nsof Networks.
Long time network veteran and kernel geek.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
Some billions of forwarded packets later, Shmulik left his position as Jungo's lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud-based service, focusing around virtualization systems, network virtualization and SDN.
Recently he co-founded Nsof Networks, where he's been busy architecting network infrastructure as a cloud-based service, gazing at internet routes in astonishment, and playing the chkuku.
This presentation features a walk through the Linux kernel networking stack covering the essentials and recent developments a developer needs to know. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as segmentation offloading, TCP small queues, and low latency polling. We will cover APIs exposed by the kernel that go beyond use of write()/read() on sockets and will look into how they are implemented on the kernel side.
The document discusses using eBPF to offload Open vSwitch (OVS) flow processing. It proposes replacing the entire OVS kernel datapath with an eBPF datapath to improve extensibility and reduce dependencies on kernel versions. The eBPF datapath would handle packet parsing, flow table lookups, and action execution. Performance evaluation shows the eBPF datapath can achieve over 1 Mpps for simple actions but has room for improvement in more complex processing like parsing.
nftables - the evolution of Linux Firewall - Marian Marinov
This document provides an overview of nftables, the new packet filtering framework that replaces iptables in the Linux kernel. It discusses the history and predecessors to nftables, how nftables works, key differences from iptables like its more flexible table and chain configuration, and examples of basic nftables rulesets. It also covers topics like matches, jumps, load balancing performance, and kernel configuration options for nftables.
Comprehensive XDP Offload - Handling the Edge Cases - Netronome
While XDP is less complex to offload than other forms of kernel functionality due to the fact that it sits at the bottom of the stack, there are a number of items that lead to complexity when dealing with XDP offload. This talk will explore some of the ideas around how to implement these concepts as well as share some of the results we have seen while implementing offload on a 32 bit architecture.
Linux Traffic Control allows administrators to control network traffic through mechanisms like shaping, scheduling, classifying, policing, dropping and marking. It uses components like queuing disciplines (qdiscs), classes, filters, and actions. The tc command can be used to configure these components by adding, changing or deleting traffic control settings on network interfaces.
This document evaluates the Gasnet messaging library on the Barrelfish operating system and Intel SCC processor. It describes the motivation, software architecture, and test configurations. Performance tests were conducted between 1 to 1 nodes using the Testam benchmark, measuring latency of different message passing patterns. The best performance was achieved with the Linux operating system and shared memory conduit, showing message latencies around 0.5-1 microseconds.
This document summarizes a presentation on packet crafting. It discusses various tools for packet generation and manipulation including ping, traceroute, telnet, nmap, ng_source, tcpdump, bridges, VLANs, yersinia, nemesis, hyenae, Scapy, netmap, iperf, and PF_PACKET sockets. It provides examples of using these tools to inject, send, receive, and analyze packets. The presentation aims to provide an introduction to packet crafting and manipulation on FreeBSD and Linux systems.
Anti disassembly using cryptographic hash functions - UltraUploader
This document proposes and evaluates a new method of anti-disassembly for computer viruses based on cryptographic hash functions. It uses dynamic code generation to obscure viral code until runtime, making static analysis difficult. The method finds byte sequences or "runs" within hash function outputs by brute-forcing salt values concatenated to an input key. Empirical tests found salts to produce desired runs for MD5, SHA-1 and SHA-256 in hours on a desktop computer, demonstrating the method's viability. It is portable, targeted, and the code is never present in analyzable form before running.
Slides from my talk as part of the NBIS ChIP-seq tutorial course. I describe how we process ChIP-seq data at the Swedish National Genomics Infrastructure and how our NGI-ChIPseq analysis pipeline works. https://github.com/SciLifeLab/NGI-ChIPseq
This work presents a P4 compiler backend targeting XDP, the eXpress Data Path. P4 is a domain-specific language describing how packets are processed by the data plane of programmable network elements. XDP is designed for users who want programmability as well as performance.
https://github.com/williamtu/p4c-xdp/
The OpenCSD library for decoding CoreSight traces has reached the point where it is ready to be integrated into applications. This session will present an overview of the state of the library, its interfaces and explore and demonstrate a sample integration with perf.
nftables - the evolution of Linux Firewall (Marian Marinov)
This document provides an overview of nftables, the new packet filtering framework that replaces iptables in the Linux kernel. It discusses the history and predecessors to nftables, how nftables works, key differences from iptables like its more flexible table and chain configuration, and examples of basic nftables rulesets. It also covers topics like matches, jumps, load balancing performance, and kernel configuration options for nftables.
Comprehensive XDP Offload - handling the Edge Cases (Netronome)
While XDP is less complex to offload than other forms of kernel functionality due to the fact that it sits at the bottom of the stack, there are a number of items that lead to complexity when dealing with XDP offload. This talk will explore some of the ideas around how to implement these concepts as well as share some of the results we have seen while implementing offload on a 32 bit architecture.
Linux Traffic Control allows administrators to control network traffic through mechanisms like shaping, scheduling, classifying, policing, dropping and marking. It uses components like queuing disciplines (qdiscs), classes, filters, and actions. The tc command can be used to configure these components by adding, changing or deleting traffic control settings on network interfaces.
This document evaluates the Gasnet messaging library on the Barrelfish operating system and Intel SCC processor. It describes the motivation, software architecture, and test configurations. Performance tests were conducted between 1 to 1 nodes using the Testam benchmark, measuring latency of different message passing patterns. The best performance was achieved with the Linux operating system and shared memory conduit, showing message latencies around 0.5-1 microseconds.
This document summarizes a presentation on packet crafting. It discusses various tools for packet generation and manipulation including ping, traceroute, telnet, nmap, ng_source, tcpdump, bridges, VLANs, yersinia, nemesis, hyenae, Scapy, netmap, iperf, and PF_PACKET sockets. It provides examples of using these tools to inject, send, receive, and analyze packets. The presentation aims to provide an introduction to packet crafting and manipulation on FreeBSD and Linux systems.
Anti disassembly using cryptographic hash functions (UltraUploader)
This document proposes and evaluates a new method of anti-disassembly for computer viruses based on cryptographic hash functions. It uses dynamic code generation to obscure viral code until runtime, making static analysis difficult. The method finds byte sequences or "runs" within hash function outputs by brute-forcing salt values concatenated to an input key. Empirical tests found salts to produce desired runs for MD5, SHA-1 and SHA-256 in hours on a desktop computer, demonstrating the method's viability. It is portable, targeted, and the code is never present in analyzable form before running.
Slides from my talk as part of the NBIS ChIP-seq tutorial course. I describe how we process ChIP-seq data at the Swedish National Genomics Infrastructure and how our NGI-ChIPseq analysis pipeline works. https://github.com/SciLifeLab/NGI-ChIPseq
This work presents a P4 compiler backend targeting XDP, the eXpress Data Path. P4 is a domain-specific language describing how packets are processed by the data plane of programmable network elements. XDP is designed for users who want programmability as well as performance.
https://github.com/williamtu/p4c-xdp/
The OpenCSD library for decoding CoreSight traces has reached the point where it is ready to be integrated into applications. This session will present an overview of the state of the library, its interfaces and explore and demonstrate a sample integration with perf.
The document provides an overview of Red Hat OpenShift Container Platform, including:
- OpenShift provides a fully automated Kubernetes container platform for any infrastructure.
- It offers integrated services like monitoring, logging, routing, and a container registry out of the box.
- The architecture runs everything in pods on worker nodes, with masters managing the control plane using Kubernetes APIs and OpenShift services.
- Key concepts include pods, services, routes, projects, configs and secrets that enable application deployment and management.
Mauricio Roman discusses detecting anomalies in Nginx log data through multi-dimensional analysis. He explores his company's Nginx logs, extracting over 100 features to identify unexpected error patterns. Parsing logs with open source tools, he sends data to Kafka and finds: 1) 408 errors correlate with large GET payloads, 2) most 4xx errors come from Opera, 3) Opera 4xx errors originate from specific countries. His vision is to automate such exploration and correlate HTTP and application logs in real time to monitor error rates and identify true anomalies.
Ruby on embedded devices rug::b Aug 2014 (Eno Thierbach)
This document discusses using Ruby on embedded devices. It notes that while Ruby has good network libraries and is platform independent, using gems can be problematic due to dependencies. It recommends using alternative languages for specific tasks, like C for performance critical code, Bash for portable scripts, Flex for pattern matching, and Go for networking. It also recommends using jit to compile scripts to native binaries for performance. The document promotes UN*X tools over rebuilding functionality in Ruby and ends by mentioning they are crowdfunding their project at https://getkinko.com.
This document summarizes news and features in C# and .NET 4.0, including named and default method parameters, interoperability with dynamic languages via the Dynamic Language Runtime (DLR), generics covariance and contravariance, exceptions handling improvements, application dump debugging, code contracts, application domain profiling, enhanced garbage collection, parallel computing features like Parallel LINQ and the Task Parallel Library, and references for further information. Key topics covered are using dynamic for interoperability while avoiding performance penalties, handling corrupted state exceptions, debugging .NET 4.0 application dumps in Visual Studio 2010, and demonstrations of threading constructs, PLINQ, TPL, and the unified cancellation model.
Vector Packet Technologies such as DPDK and FD.io/VPP revolutionized software packet processing, initially for discrete appliances and then for NFV use cases. Container based VNF deployments and their supporting NFV infrastructure are now the new frontier in packet processing and have a number of strong advocates among both traditional Comms Service Providers and in the Cloud. This presentation will give an overview of how the DPDK and FD.io/VPP projects are rising to meet the challenges of the Container dataplane. The discussion will provide an overview of the challenges, recent new features and what is coming soon in this exciting new area for the software dataplane, in both DPDK and FD.io/VPP!
About the speaker: Ray Kinsella has been working on Linux and various other open source technologies for about twenty years. He is recently active in open source communities such as VPP and DPDK but is a constant lurker in many others. He is interested in the software dataplane and optimization, virtualization, operating system design and implementation, communications and networking.
In this talk, a closer look into the lifecycle of operators will be presented. With an understanding of how operators evolve, it becomes clear what challenges arise during operator upgrades. A brief overview of lifecycle management tools such as Helm, OLM, and Carvel is presented in this context. In particular, it will be discussed whether these tools can help, which restrictions apply and where further development would be desirable.
At the end of this talk, you will know what operator lifecycle management is about, what its challenges are, and which tools may be used to reduce operational friction.
This talk was given by Julian Fischer for DoK Day Europe @ KubeCon 2022.
Link: https://youtu.be/_lQhoCUQReU
https://go.dok.community/slack
https://dok.community/
From the DoK Day EU 2022 (https://youtu.be/Xi-h4XNd5tE)
The ability to extend Kubernetes with Custom Resource Definitions and respective controllers has led to the OperatorSDK, which became the de facto standard for data service automation on Kubernetes. There are countless operator implementations available, and new operators are being released on a daily basis. Organizations managing hundreds of Kubernetes clusters for dozens of developer teams are also challenged to manage the lifecycle of hundreds of Kubernetes operators. The goal is to keep the operational overhead to a minimum.
-----
Julian Fischer, CEO of anynines, has dedicated his career to the automation of software operations. In more than fifteen years, he has built several application platforms. He has been using Kubernetes, Cloud Foundry, and BOSH in recent years. Within platform automation, Julian has a strong focus on data service automation at scale.
Klepsydra Streaming Distribution Optimiser (SDO):
• Runs on a separate computer
• Executes several dry runs on the OBC
• Collects statistics
• Runs a genetic algorithm to find the optimal solution for latency, power or throughput
The main variable to optimise is the distribution of layers across the two dimensions of the threading model.
Spying on the Linux kernel for fun and profit (Andrea Righi)
Do you ever wonder what the kernel is doing while your code is running? This talk will explore some methodologies and techniques (eBPF, ftrace, etc.) to look under the hood of the Linux kernel and understand what it’s actually doing behind the scenes.
Andrea Righi - Spying on the Linux kernel for fun and profit (linuxlab_conf)
This talk explores methodologies that allow to take a look “live” at kernel internal operations, from a network perspective, to I/O paths, CPU usage, memory allocations, etc., using in-kernel technologies, like eBPF and ftrace. Understanding such kernel internals can be really helpful to track down performance bottlenecks, debug system failures and it can be also a very effective way to approach to kernel development.
This document discusses Kubeflow operators and how they enable Kubeflow to support multiple machine learning frameworks like TensorFlow, PyTorch, MXNet, and Chainer. It explains that operators and custom resource definitions (CRDs) allow ML jobs to be defined and managed for different frameworks. It provides examples of how jobs are defined for TensorFlow using TFJobs and for Chainer using ChainerJobs. It also summarizes how operators work by expanding the custom resources into Kubernetes objects like pods, services, and statefulsets.
Ceph is an open-source distributed storage system that provides object, block, and file storage. The document discusses optimizing Ceph for an all-flash configuration and analyzing performance issues when using Ceph on all-flash storage. It describes SK Telecom's testing of Ceph performance on VMs using all-flash SSDs and compares the results to a community Ceph version. SK Telecom also proposes their all-flash Ceph solution with custom hardware configurations and monitoring software.
Accelerating Software Development with NetApp's P4flex (Perforce)
The challenge for developers who work with large volumes of data, such as multimedia assets, video game art, and firmware designs, is getting a quick copy of source and build assets. By combining the technologies of Perforce and NetApp, a new Perforce workspace can be created in minutes instead of hours. Perforce, in collaboration with NetApp, has developed a p4 broker script written in Python that allows users to create workspaces quickly using NetApp FlexClone technology.
Ceph Benchmarking Tool (CBT) is a Python framework for benchmarking Ceph clusters. It has client and monitor personalities for generating load and setting up the cluster. CBT includes benchmarks for RADOS operations, librbd, KRBD on EXT4, KVM with RBD volumes, and COSBench tests against RGW. Test plans are defined in YAML files and results are archived for later analysis using tools like awk, grep, and gnuplot.
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter (Anne Nicolas)
NDIV is a young, very simple, yet efficient network traffic diverter. Its purpose is to help build network applications that intercept packets at line rate with a very low processing overhead. A first example application is a stateless HTTP server reaching line rate on all packet sizes.
Willy Tarreau, HaproxyTech
Slides for a general webinar about BonFIRE, the features offered, the sites making up this multi-site testbed and the tools available for experimenters using the facility.
A video with audio is available on YouTube: http://youtu.be/0ulgvs32wvI
The recent launch of the Docker Init command has significantly simplified the process of generating Dockerfiles and Docker Compose templates for containerized applications. This presentation aims to explore the evolution of Docker deployment resources generation process, comparing its approach prior to the Docker Init command release and discussing the way forward. Before the introduction of the Docker Init command, I've been delivering some projects like the "alfresco-docker-installer"[1], which provides custom scripts and configurations to streamline the process of deploying Alfresco in Docker containers. These kinds of projects use tools like Yeoman or raw Python. There are some differences between a Docker Template for a technology (Go, Python, Node or Rust) and a Docker Template for a product (like Alfresco) that may be covered when generating automatic deployment resources. This presentation will delve into the methodologies employed before the Docker Init command:
- Custom Dockerfile Extension
- Compose Template for a complete product deployment, including a set of services like the database, content repository, search engine, or web application
- Configuration Management, including techniques such as environment variable injection, externalized configuration files, and configuration overrides
Following the release of the Docker Init command, this presentation will provide insights into the possibilities and advantages it brings to the Docker deployment process of complex products. A PoC of a Docker Plugin, including this product-oriented approach for docker init, will be demoed live. >> Note that the Open Source Alfresco product is used only to explain the concepts of building a Docker Compose generator with a real example.
artificial intelligence and data science contents.pptx (GauravCar)
What is artificial intelligence? Artificial intelligence is the ability of a computer or computer-controlled robot to perform tasks that are commonly associated with the intellectual processes characteristic of humans, such as the ability to reason.
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw... (IJECEIAES)
Medical image analysis has witnessed significant advancements with deep learning techniques. In the domain of brain tumor segmentation, the ability to precisely delineate tumor boundaries from magnetic resonance imaging (MRI) scans holds profound implications for diagnosis. This study presents an ensemble convolutional neural network (CNN) with transfer learning, integrating the state-of-the-art Deeplabv3+ architecture with the ResNet18 backbone. The model is rigorously trained and evaluated, exhibiting remarkable performance metrics, including an impressive global accuracy of 99.286%, a high-class accuracy of 82.191%, a mean intersection over union (IoU) of 79.900%, a weighted IoU of 98.620%, and a Boundary F1 (BF) score of 83.303%. Notably, a detailed comparative analysis with existing methods showcases the superiority of our proposed model. These findings underscore the model’s competence in precise brain tumor localization, underscoring its potential to revolutionize medical image analysis and enhance healthcare outcomes. This research paves the way for future exploration and optimization of advanced CNN models in medical imaging, emphasizing addressing false positives and resource efficiency.
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT (jpsjournal1)
The rivalry between prominent international actors for dominance over Central Asia's hydrocarbon reserves and the ancient silk trade route, along with China's diplomatic endeavours in the area, has been referred to as the "New Great Game." This research centres on the power struggle, considering geopolitical, geostrategic, and geoeconomic variables. Topics including trade, political hegemony, oil politics, and conventional and nontraditional security are all explored and explained by the researcher. Using Mackinder's Heartland, Spykman's Rimland, and Hegemonic Stability theories, this study examines China's role in Central Asia. This study adheres to the empirical epistemological method and has taken care of objectivity. This study analyzes primary and secondary research documents critically to elaborate the role of China’s geo-economic outreach in Central Asian countries and its future prospects. China is thriving in trade, pipeline politics, and winning states, according to this study, thanks to important instruments like the Shanghai Cooperation Organisation and the Belt and Road Economic Initiative. According to this study, China is seeing significant success in commerce, pipeline politics, and gaining influence on other governments. This success may be attributed to the effective utilisation of key tools such as the Shanghai Cooperation Organisation and the Belt and Road Economic Initiative.
Software Engineering and Project Management - Introduction, Modeling Concepts... (Prakhyath Rai)
Introduction, Modeling Concepts and Class Modeling: What is Object orientation? What is OO development? OO Themes; Evidence for usefulness of OO development; OO modeling history. Modeling
as Design technique: Modeling, abstraction, The Three models. Class Modeling: Object and Class Concept, Link and associations concepts, Generalization and Inheritance, A sample class model, Navigation of class models, and UML diagrams
Building the Analysis Models: Requirement Analysis, Analysis Model Approaches, Data modeling Concepts, Object Oriented Analysis, Scenario-Based Modeling, Flow-Oriented Modeling, class Based Modeling, Creating a Behavioral Model.
Comparative analysis between traditional aquaponics and reconstructed aquapon... (bijceesjournal)
The aquaponic system of planting is a method that does not require soil usage. It is a method that only needs water, fish, lava rocks (a substitute for soil), and plants. Aquaponic systems are sustainable and environmentally friendly. Its use not only helps to plant in small spaces but also helps reduce artificial chemical use and minimizes excess water use, as aquaponics consumes 90% less water than soil-based gardening. The study applied a descriptive and experimental design to assess and compare conventional and reconstructed aquaponic methods for reproducing tomatoes. The researchers created an observation checklist to determine the significant factors of the study. The study aims to determine the significant difference between traditional aquaponics and reconstructed aquaponics systems propagating tomatoes in terms of height, weight, girth, and number of fruits. The reconstructed aquaponics system’s higher growth yield results in a much more nourished crop than the traditional aquaponics system. It is superior in its number of fruits, height, weight, and girth measurement. Moreover, the reconstructed aquaponics system is proven to eliminate all the hindrances present in the traditional aquaponics system, which are overcrowding of fish, algae growth, pest problems, contaminated water, and dead fish.
Null Bangalore | Pentesters Approach to AWS IAM (Divyanshu)
#Abstract:
- Learn more about the real-world methods for auditing AWS IAM (Identity and Access Management) as a pentester. So let us proceed with a brief discussion of IAM as well as some typical misconfigurations and their potential exploits in order to reinforce the understanding of IAM security best practices.
- Gain actionable insights into AWS IAM policies and roles, using a hands-on approach.
#Prerequisites:
- Basic understanding of AWS services and architecture
- Familiarity with cloud security concepts
- Experience using the AWS Management Console or AWS CLI.
- For the hands-on lab, create an account on [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
#Scenario Covered:
- Basics of IAM in AWS
- Implementing IAM Policies with Least Privilege to Manage S3 Bucket
  - Objective: Create an S3 bucket with a least privilege IAM policy and validate access.
  - Steps:
    - Create S3 bucket.
    - Attach least privilege policy to IAM user.
    - Validate access.
- Exploiting IAM PassRole Misconfiguration
  - Allows a user to pass a specific IAM role to an AWS service (EC2), typically used for service access delegation. Then exploit the PassRole misconfiguration granting unauthorized access to sensitive resources.
  - Objective: Demonstrate how a PassRole misconfiguration can grant unauthorized access.
  - Steps:
    - Allow user to pass IAM role to EC2.
    - Exploit misconfiguration for unauthorized access.
    - Access sensitive resources.
- Exploiting IAM AssumeRole Misconfiguration with Overly Permissive Role
  - An overly permissive IAM role configuration can lead to privilege escalation by creating a role with administrative privileges and allowing a user to assume this role.
  - Objective: Show how overly permissive IAM roles can lead to privilege escalation.
  - Steps:
    - Create role with administrative privileges.
    - Allow user to assume the role.
    - Perform administrative actions.
- Differentiation between PassRole vs AssumeRole
Try at [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
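As an added defender-side example (not code from the talk or from the killercoda lab), the following Python builds the least-privilege S3 policy from the first scenario and lints policy documents for the two weaknesses the other scenarios rely on: an `iam:PassRole` grant that is not pinned to one role and one receiving service, and a role trust policy that lets a whole account assume an administrative role. The account id, bucket, role names and ARNs are constructed placeholders, and the checks are a simplified reading of the policy JSON, not IAM's own evaluation.

```python
"""Added example: least-privilege S3 policy plus linting for PassRole and
AssumeRole misconfigurations. All ids and names are constructed placeholders."""
import json

ACCOUNT_ID = "123456789012"                         # constructed
BUCKET = "example-least-privilege-bucket"           # constructed
EC2_APP_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/ExampleEc2AppRole"  # constructed


def least_privilege_s3_policy(bucket: str, prefix: str = "app/") -> dict:
    """Identity policy for one user: list one bucket, read/write one prefix.
    No s3:*, no wildcard bucket, no delete."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOnlyThisBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
            {"Sid": "ObjectAccessUnderPrefix", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: dict):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def lint_pass_role(policy: dict) -> list:
    """Findings for iam:PassRole grants that are not limited to specific role ARNs
    and to the service that may receive them (iam:PassedToService)."""
    findings = []
    for stmt in _allow_statements(policy):
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("iam:PassRole", "iam:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "?")
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith(":role/*") for r in resources):
            findings.append(f"{sid}: iam:PassRole on wildcard resource")
        if "iam:PassedToService" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"{sid}: iam:PassRole without iam:PassedToService condition")
    return findings


def lint_trust_policy(trust_policy: dict) -> list:
    """Findings for trust policies whose sts:AssumeRole is open to any principal
    or to a whole account (the ':root' principal)."""
    findings = []
    for stmt in _allow_statements(trust_policy):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*" or p.endswith(":root"):
                findings.append(f"{stmt.get('Sid', '?')}: sts:AssumeRole open to {p}")
    return findings


# Constructed samples: the weak form of each scenario next to its corrected form.
WEAK_PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PassAnyRole", "Effect": "Allow",
     "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"}]}

SCOPED_PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PassAppRoleToEc2", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": EC2_APP_ROLE,
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    {"Sid": "RunInstances", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}]}

WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneInAccount", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}, "Action": "sts:AssumeRole"}]}

SCOPED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OnlyDeployRole", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/ExampleDeployRole"},
     "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(json.dumps(least_privilege_s3_policy(BUCKET), indent=2))
    for name, p in (("weak", WEAK_PASSROLE_POLICY), ("scoped", SCOPED_PASSROLE_POLICY)):
        print("passrole", name, lint_pass_role(p) or "ok")
    for name, p in (("weak", WEAK_TRUST_POLICY), ("scoped", SCOPED_TRUST_POLICY)):
        print("trust", name, lint_trust_policy(p) or "ok")
```

The scoped PassRole policy is the shape to aim for: the role ARN is named explicitly and `iam:PassedToService` restricts which service may receive it, which is what turns a generic "pass any role" grant into a delegation for one workload.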
AWS re:Invent Education:
ECS:
Container <Wrapped By> Task Definition <Wrapped By> Service <Wrapped By> Cluster
Container:
Docker or docker-compose
specify network attributes including DNS, storage mount points
specify resource limits
Task Definition:
Describes one or more containers, attributes at both container and task level
Network mode: awsvpc
Role needed: ecsTaskExecutionRole
Compatibility: Fargate -> register task definition and Fargate manages the infrastructure and launches
               EC2 -> self-managed EC2 instances
Service: Includes the security group and load balancer type
Cluster: Fargate cluster, VPC ID and subnet details
EKS:
Start with a cluster name
Amazon EKS exposes a Kubernetes API endpoint.
Your existing Kubernetes tooling can connect directly to the EKS managed control plane. Worker nodes run as EC2 instances in your account.
You can create this cluster with K8S version 1.10
In your VPC
In your subnet
With your security groups
Monday: Mythical Mysfits: (CON321-R, CON214-R1, CON322-R) (sitting with PointClickCare, a CAN firm)
aws-mythical-mysfits@amazon.com
Source->Build->Test->Production
Build in tooling, automation, security at every step
Source/Build -> CI
Source/Build/Test/Production -> C-Delivery (only a production-ready artifact is ready to deploy. Does not have to be deployed to PROD)
Continuous Deployment -> Deployed to production
CI/CD -> velocity, reduced risk, shorter feedback loop
NOTE TO SELF: Can our ENV team be called DevOps team?
S3: has 200 steps for its deployment
Challenges: Get buy-in for automation, metrics, legacy process, legacy anything
Common patterns: Automation (start small), Microservices, Strict API contracts, Testing
Source -> AWS CodeCommit, Build -> AWS CodeBuild, Test -> Third party tooling, Production -> AWS Fargate.
Build/Test/Deploy -> AWS CodePipeline
https://github.com/aws-samples/aws-modern-application-workshop/tree/fargate/workshop-2
https://s3.amazonaws.com/mythical-mysfits-website/fargate-devsecops/core.yml
Commands: aws ecs list-task-definitions, aws ecr describe-repositories
Serverless applications architecture macro patterns:
Serverless: AWS Lambda, Cognito, Kinesis, Step Functions, X-Ray, Athena, S3, DDB, SQS, API GW, CloudWatch
Cold or warm start for Lambda: 128M to 3GB memory (increases CPU/Network)
github.com/alexcasalboni/aws-lambda-power-tuning
Lambda: minimize package size, put jars in lib/jar, simpler IoC (Dagger2), smaller and faster frameworks (jackson-jr), use ENV variables, SQS visibility timeout check.
AWS SAM: CFT optimized, functions, APIs, tables, SAM-CLI (Serverless Application Model)
AWS Cloud9
AWS CodeStar -> CodeCommit, CodeBuild, CodeDeploy
AWS CodePipeline -> Code Pipeline
Alias traffic shifting
Pattern 1:
Web application pattern. <——— P1
CloudFront, S3
API Gateway, AWS Lambda, DDB for storage
3 different API Gateway endpoints:
Edge optimized API (client latency reduction)
Lambda at Edge <—— NEW TO COMPUTE AT EDGE
JWT (JSON Web Tokens)
Route 53, CloudFront distribution
Private API (API only inside VPC)
Cross Account Lambda <———— ?? (Resource policies) e.g. an account just for Lambda functions
Per method throttling
AWS Cognito authorization
Lambda authorizer function
GraphQL (an alternative to GraphQL) -> HTTP, MQTT, WebSockets
AWS AppSync API (GraphQL)
Stream Processing <———— P2
Kinesis Video Streams, Kinesis Data Streams, Firehose, Analytics
Source record backup
Lambda transformation, enrichment
Delivery type: S3, Redshift, Elasticsearch
Buffer size, buffer intervals (when it fills it will deliver)
1MB ingest, 2MB egress / shard
Customer reference: Otonomo
Messaging comparison on: ordering, push/pull, delivery (exactly once or at least once), retention, parallel consumers
Data Lake <————— P3
store for cheap, open format storage (schema on read)
AWS Transfer for SFTP (SFTP endpoint for ingestion into S3)
S3 decouples compute / storage
S3 Select, new Block Public Access
DynamoDB as Data Catalog (metadata) <- using Lambda (Glue (Hive compatibility), Redshift)
Athena: serverless query service (Parquet, AVRO, ORC)
Blog for Athena best practice.
Lambda: 15 mins
Pywren (custom Python that sends to Lambda in parallel) <- pywren.io
ML Pattern <————— P4
Vision, Language
Image processing: Amazon Rekognition Image
Media analysis solution
Amazon Connect <- AWS call center service
Lex chatbot
Glue fine grained access control:
Access control for data catalogs
Identity and resource based policies (enable cross account access)
Catalog / region / account
Resources are: catalog, database, connection, table, function
Only one policy per catalog
IAM policy to user, Glue resource policy on catalog <- to get him access.
Access grants go down to tables and not partitions (e.g. if a table has both PII and non-PII this will be an issue)
WIP: tag based and partition based ACL, native support for View, EMR access using IAM profile.
E2E encryption is supported, KMS is supported.
EMR: Apache Ranger: https://aws.amazon.com/blogs/big-data/implementing-authorization-and-auditing-using-apache-ranger-on-amazon-emr/
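The two-policy requirement in the Glue notes above (a resource policy on the catalog in the owning account plus an identity policy on the caller in the consuming account, with grants no finer than a table) as an added example that is not from the talk. Account ids, region, database and table names are constructed, and `policy_allows` is a simplified model of IAM evaluation (explicit Deny wins, otherwise any matching Allow), not the service's own logic.

```python
"""Added example: cross-account Glue Data Catalog access needs both the catalog's
resource policy and the caller's identity policy to allow the request.
All account ids, names and ARNs are constructed placeholders."""
import fnmatch

OWNER = "111111111111"     # constructed: account that owns the catalog
CONSUMER = "222222222222"  # constructed: account whose analysts read one table
REGION = "us-east-1"
CATALOG = f"arn:aws:glue:{REGION}:{OWNER}:catalog"
DB = f"arn:aws:glue:{REGION}:{OWNER}:database/sales"
TABLE = f"arn:aws:glue:{REGION}:{OWNER}:table/sales/orders"
PII_TABLE = f"arn:aws:glue:{REGION}:{OWNER}:table/sales/customers"  # not shared

READ = ["glue:GetDatabase", "glue:GetTable", "glue:GetTables", "glue:GetPartitions"]

# Catalog resource policy (only one per catalog). The finest resource is a table;
# a table that mixes PII and non-PII columns cannot be split at the partition level here.
RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ConsumerReadsOrders", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{CONSUMER}:root"},
     "Action": READ, "Resource": [CATALOG, DB, TABLE]}]}

# Identity policy on the consumer's analyst role; it must name the same resources.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOwnerCatalog", "Effect": "Allow",
     "Action": READ, "Resource": [CATALOG, DB, TABLE]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') of one value against a pattern list."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def policy_allows(policy: dict, action: str, resource: str, principal: str = None) -> bool:
    """Simplified IAM evaluation: an explicit Deny that matches wins; otherwise the
    request is allowed if any Allow statement matches action, resource and (for a
    resource policy) the principal."""
    decision = False
    for stmt in _as_list(policy["Statement"]):
        if principal is not None:
            prin = stmt.get("Principal", {})
            aws = ["*"] if prin == "*" else _as_list(prin.get("AWS", []))
            if not _matches(aws, principal):
                continue
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def cross_account_allowed(action: str, resource: str, caller_account: str) -> bool:
    """Both sides must allow: the catalog's resource policy for the caller's
    account, and the caller's own identity policy."""
    principal = f"arn:aws:iam::{caller_account}:root"  # how the resource policy names the account
    return (policy_allows(RESOURCE_POLICY, action, resource, principal)
            and policy_allows(IDENTITY_POLICY, action, resource))


if __name__ == "__main__":
    for action, res, acct in (("glue:GetTable", TABLE, CONSUMER),
                              ("glue:GetTable", PII_TABLE, CONSUMER),
                              ("glue:GetTable", TABLE, "333333333333"),
                              ("glue:DeleteTable", TABLE, CONSUMER)):
        print(acct, action, res.rsplit(":", 1)[-1], "->", cross_account_allowed(action, res, acct))
```

The third case (a different account, with the identity policy otherwise identical) is the one the "only one policy per catalog" note makes easy to overlook: the resource policy is the single place the owner decides who may read, so each consuming account has to be listed there explicitly.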
VMware Cloud on AWS:
Use cases:
Cloud migrations
Data Center Extension - on demand, Test/Dev
DR (most common use case) [Replicated]
Next gen applications
NSX VPN or AWS Direct Connect
Distributed firewalling
SDDC: Software defined data center
============================================================
Tuesday
=======
https://github.com/vmware/liota
https://s3.amazonaws.com/cloudformation-examples/BoostrappingApplicationsWithAWSCloudFormation.pdf
https://aws.amazon.com/blogs/aws/powerful-new-features-for-aws-cloudformation/
Serverless antipatterns:
Good for dynamic scalability
Well-Architected Framework: OE, Security, Reliability, Performance Efficiency, Cost Optimization
https://d1.awsstatic.com/whitepapers/architecture/AWS-Serverless-Applications-Lens.pdf
Orchestrating AWS Lambda functions mistakes:
Anti-patterns:
Hard coding to orchestration (challenges: hard code, timeout, execution tracking, manageability)
Events to orchestration (execution tracking, manageability, handling flow, storage cost)
Schedule to orchestration (tracking, manageability, flow, wasted compute cycles, storage cost)
BP: Use Step Functions (Lambda and ECS): PE, R, CO: AWS-SA-Lens
Anti-pattern areas:
Debugging and testing: need a strategy for debugging and testing
Monitoring: logging and monitoring
Granularity: don't do too much or too little
Securing: AuthN, AuthZ, boundaries, validation, compliance
Design: right-scope dependencies between functions, data stores, messaging and other services
Network connectivity: consider networking requirements and boundaries
Orchestrating: Step Functions usage
Cost:
API Gateway:
Not just compute: consider data, messaging, streaming, identity, monitoring, deployment
Data Volume: Lambda (15 min limit), in a 15 minute processing window
Sync vs. Async: response, error and retry
ALM in serverless: CI/CD
Code reuse:
Standards and conventions
Env. variables
Lambda needs to run in VPC. (Creates a new ENI, causes 10 sec delay in VPC; each VPC has ENI limits)
Lambda still needs IP addresses.
Choice of run time (Python, JavaScript)
Cold start avoidance strategy (work with it rather than working around it)
Use Secrets Manager or Parameter Store for environment
If it feels like cost is not the only driver, and we are overdoing/overthinking a problem with a Lambda solution, look for other serverless patterns
Few challenges: random failures during testing, file processing and file movement, doing blocking calls, VPC/Network, KMS access, don't use Lambda as a proxy for API Gateway
Microservices:
Tend to be more async in communication and use messaging
Independent deployment
Externalize state for state management
State machine : offered as Step Functions : define in JSON, visualize in console, monitor execution
States : Action state, Choice state, Parallel processing
Use case: Xylem : data prep workflow, simple state machine : serverless during large peak-to-average variation : file from binary to data lake in Parquet format
On-prem data store to DynamoDB
Use case: Coinbase : reduce new amount deployment time, increase the reliability of deployment
Integrated with CodeFlow configuration management tool, end to end security validation into production, six months from idea to use for all production deployment
Use case: Granular: integration between modern and legacy infrastructure, heterogeneous technology stack.
Use case: Novartis: Python Lambda, AWS Batch : use exponential back off and retry: Step Functions timeouts: max events - 25K events: network dependency between DC and Cloud for file movements
Use state machines with a minimal number of steps
Use S3 and pass object keys
Extract certain business functionality by state machine
Error handling : possible exceptions in each step, result of error handling - stop, recover, continue: catch exceptions.
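The state-machine practices listed above (Step Functions defined in JSON, exponential back-off retry, per-step timeouts, catching exceptions, passing S3 object keys rather than data) as an added example, not code from these notes or from any company named in them: a constructed Amazon States Language definition with placeholder Lambda ARNs, plus a small linter that flags Task states missing those safeguards. One step is deliberately left bare so the linter has something to report.

```python
import json

# Constructed definition (not from the notes); the Lambda ARNs are placeholders.
# Steps hand each other only the S3 object key, never the file contents.
DEFINITION = json.loads("""{
  "StartAt": "ConvertToParquet",
  "States": {
    "ConvertToParquet": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT:function:convert",
      "TimeoutSeconds": 300,
      "Retry": [{"ErrorEquals": ["States.TaskFailed", "States.Timeout"],
                 "IntervalSeconds": 2, "MaxAttempts": 3, "BackoffRate": 2.0}],
      "Catch": [{"ErrorEquals": ["States.ALL"], "ResultPath": "$.error",
                 "Next": "RecordFailure"}],
      "ResultPath": "$.parquetKey",
      "Next": "LoadToDynamoDB"
    },
    "LoadToDynamoDB": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT:function:load",
      "End": true
    },
    "RecordFailure": {"Type": "Fail", "Error": "PipelineFailed"}
  }
}""")

SAFEGUARDS = ("Retry", "Catch", "TimeoutSeconds")


def lint_tasks(definition):
    """Return (state, problem) pairs for Task states lacking a safeguard.
    No Retry: a transient failure ends the execution. No TimeoutSeconds: a
    hung step runs until the execution limit. No Catch: the error is never
    routed to a handling state (stop / recover / continue)."""
    findings = []
    for name, state in definition["States"].items():
        if state.get("Type") != "Task":
            continue
        findings.extend((name, f"missing {key}") for key in SAFEGUARDS
                        if key not in state)
        for rule in state.get("Retry", []):
            if rule.get("BackoffRate", 2.0) < 1.0:   # ASL default is 2.0
                findings.append((name, "BackoffRate below 1 is not exponential"))
    return findings


if __name__ == "__main__":
    for state, problem in lint_tasks(DEFINITION):
        print(f"{state}: {problem}")   # LoadToDynamoDB is the deliberately bare step
```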
Kubernetes Portable Applications :
Container orchestrator : loosely coupled collection of components centered around deploying, maintaining and scaling
Places containers on nodes
Recovers from failure
Basic monitoring, logging, health checking
Enables containers to find each other
AWS DataSync
S3: ML driven Intelligent Tiering
Amazon FSx for Windows File Server <- AD integrated
Amazon FSx for Lustre (managed file system for HPC)
AWS Control Tower <- Landing Zone (on the console)
AWS Security Hub
AWS Lake Formation
DDB read/write capacity on demand
Amazon Timestream (1000X faster and 1/10th of RDBMS cost)
Blockchain : DLT - centralized and distributed peer to peer. : QLDB (append only mutable ledger) -> Quantum Ledger Database (QLDB)
Immutable, cryptographically verifiable, transparent, fast, scalable, easy
Amazon Managed Blockchain : Hyperledger Fabric/Ethereum
Amazon Elastic Inference : ML inference acceleration using GPU
AWS Inferentia Chip (custom designed by AWS)
SageMaker Ground Truth
SageMaker Marketplace for Machine Learning
Amazon SageMaker RL (Reinforcement Learning models)
Intel Coach, Ray RL
AWS RoboMaker
AWS DeepRacer
Transit Gateway
VPC PrivateLink
Redshift dynamic concurrency scaling
AWS IDE Integration : Cloud9, IntelliJ, PyCharm, VS Code (Node, Python, Go)
Ruby and custom runtime for Lambda
Step Functions to integrate AWS services (including ECS, Fargate, SQS, SNS, ..)
ALB support for Lambda
Amazon Managed Streaming for Kafka
PostgreSQL:
Jim Mlodgenski:
EKS:
State Street (running an OSS DB, Vikes)
Components : client responsible components (Docker, worker nodes), EKS (AWS) owned components.
Docker: smaller size, use multistage Docker build
Minimalist OS : Alpine Linux, statically linked Go binary
Popular base images: node:latest, java:latest, node:slim, ubuntu:latest, alpine:latest, busybox:latest
? Admission Controllers ?
Use resource constraints
Set up anti-affinity rules.
Optimize the worker nodes by using better EC2 instances (c5 vs c4) [ crmp ]
AWS owned and operated EKS control plane.
Yekesa Kosuru (MD) from State Street
DBMS with high concurrency, low latency, OSS, cloud native for quick failure recovery
MySQL with RocksDB (LSM data structure)
Demo: 30 nodes, 169 PDS
Messaging services:
SQS Standard Queues :
Duplicate messages can be created if the sender retries sending a message.
Visibility timeout.
Out of order messages
At least once delivery
SQS FIFO Queues:
Kinesis data stream
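The standard-queue properties listed above (duplicates from sender retries, the visibility timeout, out-of-order and at-least-once delivery) as an added example that is not from these notes: a constructed in-memory model of those semantics, on a logical clock rather than wall time, with an idempotent consumer that dedupes on an application-level key so a duplicate or a redelivery never produces a second side effect.

```python
VISIBILITY_TIMEOUT = 30  # seconds, on the queue's logical clock


class StandardQueue:
    """Model of SQS standard-queue behaviour: at-least-once delivery, no
    ordering guarantee, redelivery once the visibility timeout expires, and
    a fresh message per send (a producer retry after a lost ack = duplicate)."""

    def __init__(self):
        self.now = 0
        self.messages = []  # each: {"body", "key", "visible_at"}

    def send(self, body, key):
        self.messages.append({"body": body, "key": key, "visible_at": 0})

    def receive(self):
        for msg in self.messages:
            if msg["visible_at"] <= self.now:
                msg["visible_at"] = self.now + VISIBILITY_TIMEOUT  # hidden, not deleted
                return msg
        return None

    def delete(self, msg):
        self.messages.remove(msg)

    def advance(self, seconds):
        self.now += seconds


class IdempotentConsumer:
    """Dedupes on an application key; in production that set must live in a
    durable store (e.g. a conditional write), not in process memory."""

    def __init__(self, queue):
        self.queue, self.processed, self.applied = queue, set(), []

    def poll(self, delete=True):
        msg = self.queue.receive()
        if msg is None:
            return None
        if msg["key"] not in self.processed:  # duplicate or redelivery: skip the work
            self.applied.append(msg["body"])
            self.processed.add(msg["key"])
        if delete:                            # delete=False models a consumer that
            self.queue.delete(msg)            # lost the message before deleting it
        return msg["key"]


def run_scenario():
    """Constructed scenario: a producer retry, a lost delete, a redelivery."""
    q = StandardQueue()
    q.send("order-42 paid", key="order-42")
    q.send("order-42 paid", key="order-42")  # producer retried after a lost ack
    q.send("order-43 paid", key="order-43")
    c = IdempotentConsumer(q)
    c.poll(delete=False)   # order-42 handled but not deleted: stays invisible
    c.poll()               # second copy of order-42: duplicate, no second effect
    c.poll()               # order-43
    q.advance(VISIBILITY_TIMEOUT)
    c.poll()               # first copy redelivered, skipped by key, now deleted
    return c.applied, len(q.messages)
```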
===================================================
Thursday Keynote (CTO amazon.com):
Reducing blast radius
Sharding, Shared Nothing, Shared Disk
Aurora : AZ+1 failure support with low MTBF and faster MTTR
Every write in MySQL (with one read replica) results in 5 writes.
Aurora replication is achieved by moving the log
S3 has 255 microservices
Wellington session:
10K CFT
8K Lambda
4K EC2, 5 Regions
4K SQS
362 VPC (workload isolation)
Segmented network on AWS
EU Region (US East 1, 2)
On Colo : Market Data vendor - network interfaces, NAS, centralized DBs,
Best practices:
Fault domains upfront with n VPC
EC2 with autoscale
Multi-AZ
Cross region only if needed because it's harder, complex and costly.
Monitor
Separate Dev/test/stage/prod
Bastion hosts for all login to AWS process. (SOC1 compliance)
Enforce resiliency pattern automatically
Simian Army pattern (Monkeys : EC2Tag, Shutdown non-prod, ..)
Monitor service usage
Automate/script failure testing
Tagging values come from CMDB (aped, Application), Logon Group (AD Group Name)
Use CloudCheckr & Tableau for cost reporting and controlling
2019 : All AWS costs will be distributed to LOBs.
They are able to project and report cost per application/asset:
OneView Data Mart (AWS Cost)
CADM (Cost)
OneView
Envoy
Fund Data Hub
Journey to AWS is harder for less technical resources.
Guidelines for permitting services : e.g. if no KMS, the service is not allowed.