Cloud Firewall (CFW) Logging, also known as RFD 163, is a feature where we will start logging specific kinds of firewall records in a manner that doesn't require as many per-compute-node resources.
This logging will allow us to pay attention to inbound packets that are dropped. We want to record new TCP connections or connectionless UDP sessions in a manner that fits in nicely and is "aggregatable" into a proper Triton deployment. To activate this, a user has to opt into logging by marking a firewall rule with the "log" attribute.
We will explain the purpose of the PMWG farm and the current goals we have (e.g. collect power measurements, share reference platforms, monitor power trends of the kernel). We will also address the limitations of our farm and invite everyone to discuss which results should be displayed for further analysis.
Fully programmable SmartNICs allow new offloads like OVS, eBPF, P4 or vRouter, and the Linux kernel is changing to support them. Having these same offloads when using DPDK is a possibility, although the implications are not clear yet. Alejandro Lucero presented Netronome's perspective on adding such support to DPDK, mainly for OVS and eBPF.
The TC Flower Classifier allows control of packets based on flows determined by matching of well-known packet fields and metadata. This is inspired by similar flow classification described by OpenFlow and implemented by Open vSwitch. Offload of the TC Flower classifier and related modules provides a powerful mechanism to both increase throughput and reduce CPU utilisation for users of such flow-based systems. This presentation will give an overview of the evolution of offload of the TC Flower classifier: where it came from, the current status and possible future directions.
BKK16-203 Irq prediction or how to better estimate idle time - Linaro
Design review. The current approach to predicting the idle time duration is based on statistics on the previous idle time durations. The presentation will show the weaknesses of this approach and how, by tracking irq behavior, we can predict the next event and thus estimate the idle duration.
Cilium - Container Networking with BPF & XDP - Thomas Graf
This talk demonstrates that programmability and performance do not require user space networking; they can be achieved in the kernel by generating BPF programs and leveraging the existing kernel subsystems. We will demo an early prototype which provides fast IPv6 & IPv4 connectivity to containers, container-label-based security policy with average cost O(1), and debugging and monitoring based on the per-CPU perf ring buffer. We encourage a lively discussion on the approach taken and next steps.
XPDS14: Removing the Xen Linux Upstream Delta of Various Linux Distros - Luis... - The Linux Foundation
Xen is being used in production by many folks, but are they really using the upstream code? If not, what are they using? At least SUSE's supported delta for the Linux kernel consists of 116 patches totaling 353,770 lines of code. Debian has 43 patches for a delta of about 1693 lines of code. What is this delta and how do we shrink it? I will give an overview of the supported Linux kernel delta for Xen at SUSE and Debian relative to upstream, but also lay out a proposed roadmap for addressing the delta in collaboration with different teams in the Xen community.
The Open vSwitch kernel datapath may have flows offloaded to hardware using the TC Flower classifier and related actions. This is a powerful mechanism to both increase throughput and reduce CPU utilisation. This presentation will give an overview of the evolution of this offload mechanism: features available in OvS v2.8, those targeted at v2.9 and possible future directions.
BPF & Cilium - Turning Linux into a Microservices-aware Operating System - Thomas Graf
Container runtimes cause Linux to return to its original purpose: to serve applications interacting directly with the kernel. At the same time, the Linux kernel is traditionally difficult to change and its development process is full of myths. A new, efficient in-kernel programming language called eBPF is changing this and allows everyone to extend existing kernel components or glue them together in new forms without requiring changes to the kernel itself.
The OpenCSD library for decoding CoreSight traces has reached the point where it is ready to be integrated into applications. This session will present an overview of the state of the library, its interfaces and explore and demonstrate a sample integration with perf.
Solo Prize Winner - 6WIND Speed Matters: The Challenge Contest
Ostinato is a network packet and traffic generator and analyzer with a friendly GUI. It aims to be "Wireshark in Reverse" and thus become complementary to Wireshark. It is useful for both functional and performance testing. (GPL, Linux/BSD/OSX/Win32)
Accompanying code: https://github.com/pstavirs/dpdk-ostinato
TRex is an open source, low-cost, stateful traffic generator fuelled by DPDK. It generates L4-7 traffic based on pre-processing and a smart replay of real traffic templates. TRex amplifies both client- and server-side traffic and can scale to 200Gb/sec with one UCS.
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP - Thomas Graf
This talk will start with a deep dive and hands-on examples of BPF, possibly the most promising low-level technology to address challenges in application and network security, tracing, and visibility. We will discuss how BPF evolved from a simple bytecode language to filter raw sockets for tcpdump to a JIT-able virtual machine capable of universally extending and instrumenting both the Linux kernel and user space applications. The introduction is followed by a concrete example of how the Cilium open source project applies BPF to solve networking, security, and load balancing for highly distributed applications. We will discuss and demonstrate how Cilium, with the help of BPF, can be combined with distributed system orchestration such as Docker to simplify security, operations, and troubleshooting of distributed applications.
BKK16-505 Kernel and Bootloader Consolidation and Upstreaming - Linaro
An update to the state of reference platform kernel and bootloader and a discussion about the patch-inclusion policy. We’ll also cover roadmap plans. Participation is invited if you have ideas on how we can make it easy to use the reference platform kernel for your development projects.
Kernel Recipes 2017 - What's new in the world of storage for Linux - Jens Axboe - Anne Nicolas
Storage keeps moving forward, and so does the Linux IO stack. This talk will detail some of the recent additions and changes that have gone into the Linux kernel storage stack, helping Linux get the most out of industry innovations in that space.
Jens Axboe, Facebook
Open vSwitch Offload: Conntrack and the Upstream Kernel - Netronome
Offloading all or part of the Open vSwitch datapath to SmartNICs has been shown to not only release CPU resources on the server, but also improve traffic processing performance. Recently, steps have been made to support such offloading in the upstream Linux kernel. This has focused on creating an OVS datapath using the TC flower filter and utilizing the offload hooks already present there. This presentation focuses on how Connection Tracking (Conntrack) may fit into this model. It describes current work being undertaken with the Netfilter community to allow offloading of Conntrack entries. It goes on to link this work with the offloading of Conntrack rules within OVS-TC.
HKG18-110 - net_mdev: Fast path user space I/O - Linaro
Session ID: HKG18-110
Session Name: HKG18-110 - net_mdev: Fast path user space I/O
Speaker: Ilias Apalodimas
Track: Networking
★ Session Summary ★
User space I/O offers significant speedup potential for data plane and other high-performance applications, but at the high cost of writing and maintaining separate device drivers. Building on the existing kernel mediated device framework originally introduced to support GPUs, net_mdev extends this support to network I/O, requiring only minor changes to existing kernel drivers. Applications, in turn, need only provide "mini drivers" to handle the performance I/O paths in user space while leaving control operations in the kernel.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/hkg18/hkg18-110/
Presentation: http://connect.linaro.org.s3.amazonaws.com/hkg18/presentations/hkg18-110.pdf
Video: http://connect.linaro.org.s3.amazonaws.com/hkg18/videos/hkg18-110.mp4
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2018 (HKG18)
19-23 March 2018
Regal Airport Hotel Hong Kong
---------------------------------------------------
Keyword: Networking
'http://www.linaro.org'
'http://connect.linaro.org'
Android 5.0 Lollipop brings huge changes compared to before.
This report includes statistics from the source code, with data and hidden features found through source code and git log investigation.
In Red Hat Enterprise Linux 7 a new method of interacting with netfilter has been introduced: firewalld.
firewalld is a system daemon that:
Can configure and monitor the system firewall rules
Lets applications talk to firewalld to request ports to be opened, using the D-Bus messaging system
Covers IPv4, IPv6, and potentially ebtables settings
Simplifies firewall management by classifying all network traffic into zones
firewalld is installed from the firewalld package. This package is part of a base install, but not part of a minimal install.
Pluggable Infrastructure with CI/CD and Docker - Bob Killen
The Docker cluster ecosystem is still young and highly modular. This presentation covers some of the challenges we faced deciding on what infrastructure to deploy, and a few tips and tricks for making both applications and infrastructure easily adaptable.
A talk presented at the Automotive Grade Linux All-Members meeting on September 8, 2015. The focus is on why AGL should adopt systemd, and it highlights two of the more difficult integration issues that may arise while doing so. The embedded SVG image, courtesy of Marko Hoyer of ADIT, is at http://she-devel.com/2015-07-23_amm_demo.svg
A Kernel of Truth: Intrusion Detection and Attestation with eBPF - oholiab
"Attestation is hard" is something you might hear from security researchers tracking nation states and APTs, but it's actually pretty true for most network-connected systems!
Modern deployment methodologies mean that disparate teams create workloads for shared worker-hosts (ranging from Jenkins to Kubernetes and all the other orchestrators and CI tools in-between), meaning that at any given moment your hosts could be running any one of a number of services, connecting to who-knows-what on the internet.
So when your network-based intrusion detection system (IDS) opaquely declares that one of these machines has made an "anomalous" network connection, how do you even determine if it's business as usual? Sure you can log on to the host to try and figure it out, but (in case you hadn't noticed) computers are pretty fast these days, and once the connection is closed it might as well not have happened... Assuming it wasn't actually a reverse shell...
At Yelp we turned to the Linux kernel to tell us whodunit! Utilizing the Linux kernel's eBPF subsystem - an in-kernel VM with syscall hooking capabilities - we're able to aggregate metadata about the calling process tree for any internet-bound TCP connection by filtering IPs and ports in-kernel and enriching with process tree information in userland. The result is "pidtree-bcc": a supplementary IDS. Now whenever there's an alert for a suspicious connection, we just search for it in our SIEM (spoiler alert: it's nearly always an engineer doing something "innovative")! And the cherry on top? It's stupid fast with negligible overhead, creating a much higher signal-to-noise ratio than the kernel's firehose-like audit subsystems.
This talk will look at how you can tune the signal-to-noise ratio of your IDS by making it reflect your business logic and common usage patterns, get more work done by reducing MTTR for false positives, use eBPF and the kernel to do all the hard work for you, accidentally load test your new IDS by not filtering all RFC-1918 addresses, and abuse Docker to get to production ASAP!
As well as looking at some of the technologies that the kernel puts at your disposal, this talk will also tell the story of pidtree-bcc's road from hackathon project to production system, and how a focus on demonstrating business value early on allowed the organization to give us buy-in to build and deploy a brand new project from scratch.
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation... - DevSecCon
Matt Carroll
Infrastructure Security Engineer at Yelp
This workshop was given at Crikeycon 2019 in Brisbane. It introduces Velociraptor and explains some of the design goals and implementation.
Note - this slide deck is outdated but might still be useful. The tool has evolved significantly since Crikeycon.
The CFEngine Roadshow @ITGilde.
Live and interactive demonstration of the configuration and deployment of web services like Jenkins and Hudson on real VMs.
The attendees will deploy their own web services on their prepared VMs.
How to Use Telegraf and Its Plugin Ecosystem - InfluxData
Telegraf is the open source server agent used to collect metrics from your stacks, sensors and systems. It is InfluxDB's native data collector and supports over 250 inputs and outputs. Learn how to send data from a variety of systems, apps, databases and services in the appropriate format to InfluxDB. Discover tips and tricks on how to write your own plugins.
Join this webinar as Jessica Ingrassellino and Samantha Wang dive into:
Types of Telegraf plugins (i.e. input, output, aggregator and processor)
Specific plugins including Execd input plugins and the Starlark processor plugin
How to create your own Telegraf plugin
Meet the Experts: InfluxDB Product Update - InfluxData
Learn more about InfluxData’s time series platform. InfluxDB 2.0 OSS is generally available, and since launch, we have made updates to the product.
Join Tim Hall, VP of Products, as he demonstrates the latest features in InfluxDB 2.0 Open Source.
Prosigns: Transforming Business with Tailored Technology Solutions - Prosigns
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
How Recreation Management Software Can Streamline Your Operations.pptx - wottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Enhancing Research Orchestration Capabilities at ORNL.pdf - Globus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Modern design is crucial in today's digital environment, and this is especially true for SharePoint intranets. The design of these digital hubs is critical to user engagement and productivity enhancement. They are the cornerstone of internal collaboration and interaction within enterprises.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR - Tier1 app
Even though at surface level 'java.lang.OutOfMemoryError' appears as one single error, underneath there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
Large Language Models and the End of Programming - Matt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
First Steps with Globus Compute Multi-User Endpoints - Globus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researchers' workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we encountered were that each researcher had to set up and manage their own single-user Globus Compute endpoint, and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges, and we share an update on our progress here.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
Globus Compute with IRI Workflows - GlobusWorld 2024 - Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work, the team is investigating ways to speed up the time to solution for many different parts of the DIII-D workflow, including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks, and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
2. Overview
● Cloud Firewall (CFW) Logging records the following events:
○ Dropped inbound packets.
○ New TCP connections or UDP sessions.
● It does so in a manner that’s aggregatable for a Triton
deployment.
● Specified in RFD 163, the changes needed were “full stack”
(ick, pardon the cliché).
○ illumos and fwadm(1M), CFW log daemon, *API support.
○ This talk will proceed from the bottom up.
3. Motivation
● Korean law requires logging on inbound connections.
● Logging per-guest presents some complications:
○ ipfilter’s existing ipmon requires one file descriptor (FD) per VM if you wish to aggregate.
○ The existing ipfilter already does most of the work we need with its “keep state” option.
● We want to be able to add “log” to a Triton-administered
firewall rule.
4. Constraints
● As mentioned earlier, we really don’t want one FD per VM.
● Yet we need per-VM attributions of CFW Logging events.
● We need to make sure a post-CFW-Logging platform works
on older Triton deployments.
● Or have newer Triton deployments understand older PIs
won’t allow CFW-Logging.
5. illumos changes - /dev/ipfev
● All illumos changes are encapsulated as OS-7667.
● Creates a new global-zone-only device: /dev/ipfev
● /dev/ipfev can be opened by only one process at a time.
● Whether it is open is the check that gates event generation.
● Events are 88 bytes. Listed below by purpose, not by layout:
○ Type, length, zone DID (unique)
○ IP packet information (src, dst, proto, ports)
○ ipfilter ruleid, CFW rule UUID
● Both Zone DID and rule UUID needed to be added to ipfilter’s
internal state.
6. illumos changes - ipfilter rules
● ipfilter in SmartOS has two types of filter rules:
○ Traditional root@zone per-netstack ones (incl. global)
○ Global-zone-administered ones for non-global zones.
■ These are the ones we wish to monitor.
■ We now cache the zone DID in these rulebases.
● New ipf(4) extensions (we chose rule tags) needed for:
○ Do we care if this ipfilter rule is CFW-logged?
○ If so, what is the CFW rule UUID?
● CFW-logged rules need to keep state (for new connections)
○ ... keep state set-tag(cfwlog,uuid=a7d57476-4699-4d2a-b4ae-7af857fea3d5)
7. illumos changes - /dev/ipfev in context
● So every event generated by any VM’s ipfilter gets put on a
global ring buffer.
● The single /dev/ipfev consumer reads off the ring buffer.
[Diagram: a compute node; each VM/Zone’s ipfilter puts its events on one global ring buffer, which the single /dev/ipfev consumer, cfwlogd, reads.]
8. smartos-live changes
● All smartos-live changes encapsulated as OS-7668.
● New fwadm versioning mechanism. (As of this, Version 2.)
● fwadm(1M) rule JSON now has a new boolean: log.
● The rule’s log and uuid pass through to the new ipf(4) rules mentioned earlier.
9. cfwlogd
● Needed a performant userland daemon capable of connecting to “/dev/ipfev” and sucking down events out of the ring buffer.
● The daemon needs to translate events from the raw bytes of the kernel’s cfwev_t into newline-separated JSON logs.
● There’s been a recent interest in Rust from multiple
engineering groups within Joyent.
10. cfwlogd
● Rust has a great FFI for interfacing with OS-level concepts such as issuing ioctls.
● There’s a great serialization/deserialization crate (library) in Rust called serde.
○ Gives us the ability to translate from raw bytes directly to JSON.
● Rust offers safety and performance out of the box!
11. cfwlogd - gathering info
● We need to be able to get the customer uuid, the zone uuid, and the zone alias when we only have the zonedid from the kernel.
○ We have something that does this already: it’s called vminfod and it provides access to this information in real time via an HTTP stream!
● Match the information from vminfod with the event from the device ring buffer and use serde to serialize the log out to disk as newline-separated JSON.
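The decode-correlate-serialize step described in slides 9 through 11, as an added example that is not cfwlogd’s own code. It assumes an invented 88-byte field layout and invented type codes (the slides list the event’s contents by purpose, not by layout, and the real cfwev_t lives in illumos under OS-7667), assumes the JSON field names, and hand-rolls the JSON so it runs without crates; the real daemon uses serde for that step. The zone table stands in for what the vminfod watcher would cache, and the sample record is constructed.

```rust
// Added example, not cfwlogd's code: decode one CFW event record, correlate its
// zonedid with zone metadata (vminfod's role on the slides) and emit one NDJSON
// line. ASSUMPTIONS: the 88-byte layout, type codes and JSON field names are
// invented for illustration (the slides list event contents by purpose, not
// layout); JSON is hand-rolled to stay dependency-free (the daemon uses serde).
use std::collections::HashMap;
use std::net::Ipv4Addr;

pub const CFW_EVENT_LEN: usize = 88;

#[derive(Debug, PartialEq)]
pub enum CfwEventType { Block, Begin, Unknown(u16) } // dropped packet / new session

#[derive(Debug)]
pub struct CfwEvent {
    pub event_type: CfwEventType, pub zonedid: u32, pub protocol: u8,
    pub src: Ipv4Addr, pub dst: Ipv4Addr, pub sport: u16, pub dport: u16,
    pub ipf_ruleid: u32, pub rule_uuid: String,
}

/// Zone metadata keyed by zonedid, as a vminfod watcher would cache it.
pub struct ZoneInfo { pub zone_uuid: String, pub customer_uuid: String, pub alias: String }

fn le_u16(b: &[u8]) -> u16 { u16::from_le_bytes([b[0], b[1]]) }
fn le_u32(b: &[u8]) -> u32 { u32::from_le_bytes([b[0], b[1], b[2], b[3]]) }

/// Format 16 raw UUID bytes as 8-4-4-4-12 lowercase hex.
fn uuid_string(b: &[u8]) -> String {
    let h: Vec<String> = b.iter().map(|x| format!("{:02x}", x)).collect();
    format!("{}-{}-{}-{}-{}", h[0..4].concat(), h[4..6].concat(), h[6..8].concat(),
            h[8..10].concat(), h[10..16].concat())
}

/// Assumed little-endian layout: 0..2 type, 2..4 length, 4..8 zonedid, 8 proto,
/// 12..16 src, 16..20 dst, 20..22 sport, 22..24 dport, 24..28 ipf ruleid,
/// 28..44 raw rule UUID, rest reserved. Short or mis-sized records are rejected.
pub fn parse_event(buf: &[u8]) -> Result<CfwEvent, String> {
    if buf.len() < CFW_EVENT_LEN { return Err(format!("short read: {} bytes", buf.len())); }
    if le_u16(&buf[2..4]) as usize != CFW_EVENT_LEN { return Err("unexpected event length".into()); }
    let event_type = match le_u16(&buf[0..2]) {
        1 => CfwEventType::Block, 2 => CfwEventType::Begin, t => CfwEventType::Unknown(t),
    };
    Ok(CfwEvent {
        event_type, zonedid: le_u32(&buf[4..8]), protocol: buf[8],
        src: Ipv4Addr::new(buf[12], buf[13], buf[14], buf[15]),
        dst: Ipv4Addr::new(buf[16], buf[17], buf[18], buf[19]),
        sport: le_u16(&buf[20..22]), dport: le_u16(&buf[22..24]),
        ipf_ruleid: le_u32(&buf[24..28]), rule_uuid: uuid_string(&buf[28..44]),
    })
}

/// Aliases are user-chosen: escape them so a crafted alias cannot inject fields.
fn json_escape(s: &str) -> String { s.replace('\\', "\\\\").replace('"', "\\\"") }

/// Correlate the event with zone metadata and render one NDJSON line. An unknown
/// zonedid is an error so the caller can count a drop instead of logging an
/// unattributed event.
pub fn to_ndjson(ev: &CfwEvent, zones: &HashMap<u32, ZoneInfo>) -> Result<String, String> {
    let z = zones.get(&ev.zonedid)
        .ok_or_else(|| format!("no vminfod record for zonedid {}", ev.zonedid))?;
    let event = format!("{:?}", ev.event_type).to_lowercase(); // "block", "begin", "unknown(n)"
    let proto = match ev.protocol { 6 => "tcp".to_string(), 17 => "udp".to_string(), p => p.to_string() };
    Ok(format!(
        "{{\"event\":\"{}\",\"zonedid\":{},\"zone\":\"{}\",\"customer\":\"{}\",\"alias\":\"{}\",\
         \"protocol\":\"{}\",\"source_ip\":\"{}\",\"source_port\":{},\"destination_ip\":\"{}\",\
         \"destination_port\":{},\"ipf_ruleid\":{},\"rule\":\"{}\"}}\n",
        event, ev.zonedid, json_escape(&z.zone_uuid), json_escape(&z.customer_uuid),
        json_escape(&z.alias), proto, ev.src, ev.sport, ev.dst, ev.dport, ev.ipf_ruleid,
        ev.rule_uuid))
}

/// Constructed sample: a dropped TCP packet to port 666 (the slides' example rule
/// port) tagged with the rule UUID shown on the slides.
pub fn sample_event() -> Vec<u8> {
    let mut b = vec![0u8; CFW_EVENT_LEN];
    b[0..2].copy_from_slice(&1u16.to_le_bytes());
    b[2..4].copy_from_slice(&(CFW_EVENT_LEN as u16).to_le_bytes());
    b[4..8].copy_from_slice(&7u32.to_le_bytes());
    b[8] = 6; // IPPROTO_TCP
    b[12..16].copy_from_slice(&[203, 0, 113, 9]);
    b[16..20].copy_from_slice(&[10, 0, 5, 21]);
    b[20..22].copy_from_slice(&51234u16.to_le_bytes());
    b[22..24].copy_from_slice(&666u16.to_le_bytes());
    b[24..28].copy_from_slice(&42u32.to_le_bytes());
    b[28..44].copy_from_slice(&[0xa7, 0xd5, 0x74, 0x76, 0x46, 0x99, 0x4d, 0x2a,
                                0xb4, 0xae, 0x7a, 0xf8, 0x57, 0xfe, 0xa3, 0xd5]);
    b
}

/// Constructed vminfod-style cache with one zone (UUIDs are placeholders).
pub fn sample_zones() -> HashMap<u32, ZoneInfo> {
    let mut m = HashMap::new();
    m.insert(7, ZoneInfo { zone_uuid: "00000000-0000-4000-8000-000000000007".into(),
                           customer_uuid: "00000000-0000-4000-8000-0000000000c2".into(),
                           alias: "web1".into() });
    m
}

fn main() {
    let ev = parse_event(&sample_event()).expect("valid sample record");
    print!("{}", to_ndjson(&ev, &sample_zones()).expect("zone is known"));
}
```

Two design points carry over to a real consumer: a record whose length field disagrees with the expected size is rejected rather than decoded, since a layout mismatch (for instance after a PI rollback) would otherwise produce plausible-looking garbage, and an event whose zonedid has no vminfod record is surfaced as an error so it can be counted as a drop instead of silently landing in the wrong customer’s log.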
12. cfwlogd - data flow
[Diagram: in the global zone, cfwlogd reads kernel events via /dev/ipfev and consumes vminfod at 127.0.0.1:9090; the example zones shown are Customer 1 / Zone 1 (alias node-app1), Customer 2 / Zone 2 (alias web1), Customer 2 / Zone 1 (alias openvpn1) and Customer 1 / Zone 2 (alias ruby-app2), with the external network on ixgb0.]
● Runs as an agent in the global zone.
● Drops as many privileges(5) as it can at startup after opening /dev/ipfev.
● Talks to /dev/ipfev to suck down events out of the kernel’s ring buffer.
● Correlates the events with information gathered from vminfod in real time.
13. cfwlogd - data flow continued
[Diagram: cfwlogd threads: a Main Thread handling SIGHUP, SIGTERM and other signals, a Signal Listener Thread, an Event Reader Thread reading /dev/ipfev, a Vminfod Watcher Thread following vminfod, a Fanout Thread, and one Zone Logger Thread per zone (e.g. zonedid 1 / customer 1 / alias Redis; zonedid 2 / customer 2 / alias OpenVPN; zonedid 3 / customer 3 / alias Nginx) writing to the CN filesystem at /var/log/firewall/<customer>/<zone uuid>/current.log]
14. cfwlogd - setup
● Install/Modify/Check cfwlogd:
○ sdcadm post-setup firewall-logger-agent
○ sdcadm experimental update firewall-logger-agent@<uuid> -C experimental
○ sdcadm health firewall-logger-agent
● If cfwlogd lands on a CN that doesn’t have “/dev/ipfev” it gracefully exits, telling SMF that the service started successfully but leaving no process running.
○ Also useful if a CN needs to get its PI rolled back.
15. cfwlogd - next steps
● Want to incorporate CMON metrics to alert operators that
cfwlogd’s internal queues are maxed out and we are dropping
events. (We try as hard as possible to remain running).
● Want more control over queue size per zone so that one bad
actor doesn’t hurt everyone. (Serializing data and writing to
disk is slower than event generation).
16. cfwlogd - next steps continued
● Would like to break out the vminfod client into a more generic
crate that other consumers could use.
● Add support for any future event types such as “Ruleset
change”.
● Explore a different model other than a thread per zone once
zone density increases per CN?
17. Triton changes
● Need to build "something" to take the log files generated by cfwlogd and put them into manta under a location the user can have access to, maybe using RBAC …
● ... we already have Hermes doing that for Triton services from the sdc zone.
● We should not add more stuff to the sdc zone. If possible, we should be removing things from there.
18. Triton changes: logarchiver
● New service/zone pair logarchiver, including its own Hermes instance, which is able to deploy its own agent logarchiver-agent that will run in parallel with hermes-agent.
● sdcadm post-setup logarchiver
● Same configuration as the sdc zone to talk to manta.
● Manta location for log files:
/:customer_login/reports/firewall-logs/:year/:month/:day/:vm_uuid/:iso8601stamp.log.gz
19. Triton changes: Hermes
● Added ability to connect customers’ UUIDs with manta accounts using MAHI.
● Ability to deploy different agent FMRIs depending on the zone running hermes-proxy.
● Ability to delete some logs based on the same logsets we use to upload log files.
20. Triton changes: log (Boolean)
● fwrules now have a new attribute `log (Boolean)` which defaults to false when not present.
● AdminUI: checkbox to turn log on or off for fwrules.
● CloudAPI/node-triton: Log column added to rules list. `-l|--log` option added to rule creation/update.
$ ./bin/triton -i fwrule ls
SHORTID ENABLED GLOBAL LOG RULE
78d77145 true - true FROM any TO vm 3a2b9998... BLOCK tcp PORT 666
21. Triton changes: firewaller-agent
● ipf*.conf file modifications are not backwards compatible.
● Requires a service that makes sure that each zone gets the rules which are compatible with the running system: firewaller-config-migration.
● The vmadm and zones services depend on firewaller-config-migration.
22. Triton changes: firewaller-agent
● There’s a # smartos_ipf_version <version> line in ipf*.conf files to determine which config is used.
● The configuration version supported by a CN is at /etc/ipf/smartos_version, which consists of a single line containing a single integer.
● Rule tag fragments are added/removed depending on version: set-tag(uuid=rule.uuid,cfwlog).
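The version reconciliation that slides 21 and 22 describe, as an added example that is not firewaller-agent’s or firewaller-config-migration’s own code. It uses the slides’ “# smartos_ipf_version <version>” marker, the single-integer /etc/ipf/smartos_version file and the set-tag(uuid=…,cfwlog) fragment; it assumes that a rule file without the marker is version 1, that the `FwRule` fields stand in for the fwadm rule JSON (uuid and the new `log` boolean), and the sample rule texts are constructed.

```rust
// Added example, not firewaller-agent's code: versioned rendering of ipf rule
// files, modelled on the slides' "# smartos_ipf_version <version>" marker, the
// single-integer /etc/ipf/smartos_version file and the set-tag(uuid=...,cfwlog)
// fragments. ASSUMPTIONS: a file without the marker is version 1, and the
// FwRule fields below stand in for the fwadm rule JSON.
pub const VERSION_MARKER: &str = "# smartos_ipf_version";
pub const LOG_TAG: &str = "cfwlog";

/// One fwadm rule as this example models it: uuid and the new `log` boolean
/// from the slides, plus the rule's ipf text without any version-specific tags.
pub struct FwRule { pub uuid: String, pub log: bool, pub ipf: String }

/// Parse /etc/ipf/smartos_version: exactly one line holding one integer.
pub fn parse_supported_version(contents: &str) -> Result<u32, String> {
    let mut lines = contents.lines().filter(|l| !l.trim().is_empty());
    let first = lines.next().ok_or("empty version file")?;
    if lines.next().is_some() {
        return Err("version file must contain a single line".into());
    }
    first.trim().parse::<u32>().map_err(|e| format!("bad version {:?}: {}", first, e))
}

/// Version recorded in an ipf*.conf file (1 when the marker is absent).
pub fn config_version(conf: &str) -> u32 {
    conf.lines()
        .find_map(|l| l.strip_prefix(VERSION_MARKER))
        .and_then(|v| v.trim().parse::<u32>().ok())
        .unwrap_or(1)
}

/// The fragment a logged rule carries in version 2: it must keep state so new
/// connections are seen, and the tag names the CFW rule UUID for cfwlogd.
fn tag_fragment(uuid: &str) -> String {
    format!(" keep state set-tag(uuid={},{})", uuid, LOG_TAG)
}

/// Render a complete ipf config for `version`; tags (and the marker) are only
/// emitted when the target version understands them.
pub fn render_conf(rules: &[FwRule], version: u32) -> String {
    let mut out = String::new();
    if version >= 2 { out.push_str(&format!("{} {}\n", VERSION_MARKER, version)); }
    for r in rules {
        out.push_str(&r.ipf);
        if version >= 2 && r.log { out.push_str(&tag_fragment(&r.uuid)); }
        out.push('\n');
    }
    out
}

/// Strip the version-2 marker and tag fragments so a version-1-only CN can
/// load the file (the slides' "not backwards compatible" case).
pub fn downgrade_conf(conf: &str) -> String {
    let mut out = String::new();
    for line in conf.lines() {
        if line.starts_with(VERSION_MARKER) { continue; }
        let cleaned = match line.find(" keep state set-tag(") {
            Some(i) => match line[i..].find(')') {
                Some(j) => format!("{}{}", &line[..i], &line[i + j + 1..]),
                None => line.to_string(),
            },
            None => line.to_string(),
        };
        out.push_str(&cleaned);
        out.push('\n');
    }
    out
}

/// What firewaller-config-migration must guarantee: the file a zone loads
/// matches the version the running CN supports. Upgrading needs the fwadm
/// rules (the tags come from them); downgrading only needs the file.
pub fn reconcile(conf: &str, rules: &[FwRule], supported: u32) -> String {
    let have = config_version(conf);
    if have == supported { conf.to_string() }
    else if have > supported { downgrade_conf(conf) }
    else { render_conf(rules, supported) }
}

/// Constructed rules: the slides' example (block tcp port 666, logged) and one
/// unlogged rule with a placeholder UUID.
pub fn sample_rules() -> Vec<FwRule> {
    vec![
        FwRule { uuid: "a7d57476-4699-4d2a-b4ae-7af857fea3d5".into(), log: true,
                 ipf: "block in quick proto tcp from any to any port = 666".into() },
        FwRule { uuid: "00000000-0000-4000-8000-000000000002".into(), log: false,
                 ipf: "pass in quick proto tcp from any to any port = 443".into() },
    ]
}

fn main() {
    let rules = sample_rules();
    let supported = parse_supported_version("2\n").unwrap();
    print!("{}", reconcile(&render_conf(&rules, 1), &rules, supported));
}
```

The asymmetry in `reconcile` is the point of the slides’ migration service: a newer file can be downgraded from the file alone, but producing a version-2 file from a version-1 one needs the rule JSON, since the uuid and log flag that become the set-tag fragment are not present in the old ipf text.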