Lessons learned from putting applications (Java, but not only) into production on Kubernetes, at Devoxx France 2018
The video with the demo is available online here: https://www.youtube.com/watch?v=cqqLeS9mUyU
Java and Linux: operational specifics / Alexey Ragozin (Deutsche Bank), Ontico
HighLoad++ 2017
"Rio de Janeiro" hall, 8 November, 11:00
Abstract:
http://www.highload.ru/2017/abstracts/2884.html
Java on Linux is found everywhere in information systems, from big data to the newfangled serverless architectures. Both Linux and Java have their own operational nuances. Understanding these nuances is important in order to make the Java + Linux stack work stably and efficiently.
But in practice, "Java people" love to think cross-platform and do not want to deal with the specifics of the operating system, while "Linux people" regard the JVM as a process alien to the Linux world that devours all the memory available on the server.
And then Docker appears, and there are even more nuances...
The goal of the talk is to tell "Java people" about Linux and Docker, and "Linux people" about the JVM.
This document provides an overview and planning guidelines for a first Ceph cluster. It discusses Ceph's object, block, and file storage capabilities and how it integrates with OpenStack. Hardware sizing examples are given for a 1 petabyte storage cluster with 500 VMs requiring 100 IOPS each. Specific lessons learned are also outlined, such as realistic IOPS expectations from HDD and SSD backends, recommended CPU and RAM per OSD, and best practices around networking and deployment.
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latency, Henning Jacobs
Talk given at JAX DevOps London on 2019-05-15
Kubernetes has the concept of resource requests and limits. Pods get scheduled on the nodes based on their requests and are optionally limited in how much of the resource they can consume. Understanding and optimizing resource requests/limits is crucial both for reducing resource "slack" and for ensuring application performance/low latency. This talk shows our approach to monitoring and optimizing Kubernetes resources for 90+ clusters to achieve cost-efficiency and reduce the impact on latency-critical applications. All shown tools are open source and can be applied to most Kubernetes deployments. Topics covered in the talk include: understanding resource requests and limits, cgroups and CFS quota behavior, contributing factors to cluster costs (in public clouds), and best practices for managing Kubernetes resources.
NUSE (Network Stack in Userspace) at #osio, Hajime Tazaki
This document describes Network Stack in Userspace (NUSE), which implements a full network stack as a userspace library. NUSE aims to allow faster evolution of network stacks outside the kernel and enable network protocol personalization. It works by patching the Linux kernel to include a new architecture, implementing the network stack components as a userspace library, and hijacking POSIX socket calls to redirect them to the NUSE implementation. Performance tests show NUSE adding only small overhead compared to kernel implementations. NUSE can also integrate with the ns-3 network simulator to enable controllable and reproducible network simulations using real protocol implementations.
This document provides instructions for setting up Apache Kafka and Spark Streaming to process streaming data from Kafka with Spark. It describes how to install Zookeeper and Kafka, create a Kafka topic, produce and consume messages, and run the KafkaWordCount Spark Streaming example application to perform word count on the streaming data from Kafka. It also explains the different processing semantics supported by Spark Streaming for Kafka integration.
The document discusses different approaches for distributed metadata management in scale-out storage systems. It describes the limitations of centralized and decentralized metadata approaches, which can result in overhead and single points of failure. It then introduces the Elastic Hash Algorithm used by GlusterFS, which hashes file paths to assign data across multiple volumes and physical devices in a way that provides load balancing, flexibility and avoids metadata bottlenecks. Diagrams illustrate how the algorithm works and how it allows elastic scaling of capacity and performance as needs change.
Running High Performance & Fault-tolerant Elasticsearch Clusters on Docker, Sematext Group, Inc.
This document discusses running Elasticsearch clusters on Docker containers. It describes how Docker containers are more lightweight than virtual machines and have less overhead. It provides examples of running official Elasticsearch Docker images and customizing configurations. It also covers best practices for networking, storage, constraints, and high availability when running Elasticsearch on Docker.
This document contains configuration files for deploying a CoreOS cluster on Google Cloud Platform (GCP) and running a sample "busybox" application across the cluster nodes using Fleet. It specifies settings for etcd, fleet, SSH keys, and a unit file template for running the busybox container with load balancing. Instructions are provided for initializing the GCP project, launching 3 CoreOS instances, registering and starting the service units, and verifying failover when a node is deleted.
Red Hat Enterprise Linux OpenStack Platform on Inktank Ceph Enterprise, Red_Hat_Storage
This document summarizes performance testing of OpenStack with Cinder volumes on Ceph storage. It tested scaling performance with increasing instance counts on a 4-node and 8-node Ceph cluster. Key findings include:
- Large file sequential write performance peaked with a single instance per server due to data striping across OSDs. Read performance peaked at 32 instances per server.
- Large file random I/O performance scaled linearly with increasing instances up to the maximum tested (512 instances).
- Small file operations showed good scaling up to 32 instances per server for creates and reads, but lower performance for renames and deletes.
- Performance tuning like tuned profiles, device readahead, and Ceph journal configuration improved both
Java 8 introduced several new features for I/O and file handling including the java.nio.file package which provides an object-oriented view of the file system that is not dependent on the underlying operating system. It allows path manipulation, file metadata access and retrieval, file copying and moving, and file watching and tree walking. The new I/O classes improve performance and simplicity over the previous java.io.File classes.
Shared Memory Performance: Beyond TCP/IP with Ben Cotton, JPMorgan, Hazelcast
- OpenHFT provides solutions for improving Java data locality and inter-process communication (IPC) transport, enabling ultra-low latency real-time Java deployments.
- It includes Chronicle Map, an off-heap concurrent map that avoids garbage collection pauses compared to on-heap maps. It also provides faster IPC than UDP/TCP via shared memory.
- Tests show Chronicle Map accessed via shared memory IPC can be over 1000x faster than Red Hat Infinispan accessed via UDP for a distributed cache workload.
(PFC303) Milliseconds Matter: Design, Deploy, and Operate Your Application fo..., Amazon Web Services
You can't (yet) bend the laws of physics, but you can use the power of the cloud to design applications that run as fast as the speed of light! This session will focus on the best practices for optimizing performance to the very last millisecond. We'll dive into topics such as caching at every layer of your application, TCP optimizations, SSL optimizations, latency-based routing, and much more. These best practices can help you streamline your infrastructure utilization, improve performance and scale economically.
This document provides an overview of Guava, a core Java library developed by Google. It discusses the goals of Guava, including providing cleaner code through utilities that reduce code length and simplify programming. Some key features highlighted are string splitting, collection initialization, caching, and helper methods for hashcodes, equals and comparators. The document also covers limitations, reasons to use Guava compared to other libraries, and examples for caching, measuring performance, and generating hashcode/equals methods.
Guava Overview Part 2 Bucharest JUG #2 Andrei Savu
This document provides an overview of Guava and discusses caches and services. Guava is Google's core Java library that contains utilities like caches, primitives, collections, and concurrency libraries. Caches can improve performance by storing values to avoid expensive re-computation. Services in Guava define lifecycles for objects with operational state and allow asynchronous starting and stopping. The document describes cache eviction strategies, service implementations, and where to find more information on Guava features like functional idioms and concurrency.
This document summarizes a presentation about the advantages of using ZFS for data replication compared to rsync. It provides several examples showing ZFS performing full dataset replications between 289x and 1,148x faster than rsync due to its use of copy-on-write snapshots and incremental block-level replication. It also briefly explains how copy-on-write snapshots and incremental replication work at a high-level in ZFS to provide such performance advantages over rsync. Additional context is provided about data services that offer ZFS-based replication for $60 or less per terabyte per month.
Docker and friends at Linux Days 2014 in Prague, tomasbart
Docker allows deploying applications easily across various environments by packaging them along with their dependencies into standardized units called containers. It provides isolation and security while allowing higher density and lower overhead than virtual machines. Core OS and Mesos both integrate with Docker to deploy containers on clusters of machines for scalability and high availability.
This document discusses using Gluster object storage with OpenStack Swift. Gluster-Swift mounts the Swift storage using FUSE and allows Swift to interface with Gluster backends. This avoids reimplementing the Swift object API. Gluster-Swift overrides Swift's distribution and replication to use the Gluster backend. The Swift API is implemented using FUSE operations on the Gluster volume. Future work includes upgrading Gluster-Swift, packaging, optimizations, and potentially developing a native Gluster object interface.
Elasticsearch allows users to group related data into logical units called indices. An index can be defined using the create index API and documents are indexed to an index. Indices are partitioned into shards which can be distributed across multiple nodes for scaling. Each shard is a standalone Lucene index. Documents must be in JSON format with a unique ID and can contain any text or numeric data to be searched or analyzed.
This presentation is from Gophercon India, where we talked about how to design a concurrent, high-performance database client in the Go language. We talked about how we use goroutines and channels to our advantage. We also talked about how to use pools for efficient memory utilization.
The document discusses the glance-replicator tool in OpenStack. Glance-replicator allows replication of images between two glance servers. It can replicate images and also import and export images. The document provides examples of using glance-replicator commands like compare, livecopy to replicate images between two devstack all-in-one OpenStack environments. It demonstrates the initial state with only one environment having images and after replication both environments having the same set of images.
Have you recently started working on Spark and your jobs take forever to finish? This presentation is for you.
Himanshu Arora and Nitya Nand YADAV have gathered many best practices, optimizations and adjustments that they have applied over the years in production to make their jobs faster and less resource-hungry.
In this presentation, they teach us advanced Spark optimization techniques, data serialization formats, storage formats, hardware optimizations, control over parallelism, resource manager settings, better data locality, GC optimization, etc.
They also show us the appropriate use of RDD, DataFrame and Dataset in order to fully benefit from the internal optimizations provided by Spark.
[Open Infrastructure & Cloud Native Days Korea 2019]
We share a case of building a customer-facing service using the community versions of OpenStack and Ceph. We present a case of building a flexible enterprise cloud service, and a case of building and operating an exchange service that requires a high level of security. We also present the technology stack used in this project, failure troubleshooting cases, and optimization approaches. For OpenStack, it is Open Source Consulting, as always.
#openstack #ceph #openinfraday #cloudnative #opensourceconsulting
The document discusses software defined storage based on OpenStack. It provides background on the author's experience including medical image processing and OpenStack development. It then describes key OpenStack storage components including Cinder for block storage, Swift for object storage, and Manila for shared file systems. Cinder uses plugins to support different backend storage types and utilizes a scheduler to determine which host to provision volumes. Swift uses a ring hashing algorithm to partition and replicate data across multiple storage nodes for high scalability and availability.
Scalable Nginx configuration, Igor Sysoev (Nginx), Ontico
This document discusses best practices for scalable nginx configuration. It begins by comparing nginx's location-based configuration to Apache's more complex configuration using various containers. The document then outlines nginx's configuration including using server blocks, locations by prefix, regular expressions, and inheritance. It emphasizes keeping similar locations together, using inclusive locations, and avoiding rewrites or unnecessary "if" blocks for improved performance and scalability.
This talk will focus on a brief history, including a demo and overview of how we at Superbalist use Kubernetes, and how Kubernetes uses Docker, does load balancing, deployments, and data migrations.
Talk from Cape Town DevOps meetup on Jun 21, 2016:
https://www.meetup.com/Cape-Town-DevOps/events/231530172/
Code: https://github.com/zoidbergwill/kubernetes-examples
Slides as markdown: http://www.zoidbergwill.com/presentations/2016/kubernetes-1.2-and-spread/index.md
Learn from the dozens of large-scale deployments how to get the most out of your Kubernetes environment:
- Container images optimization
- Organizing namespaces
- Readiness and Liveness probes
- Resource requests and limits
- Failing with grace
- Mapping external services
- Upgrading clusters with zero downtime
Kubernetes Architecture and Introduction – Paris Kubernetes Meetup, Stefan Schimanski
The document provides an overview of Kubernetes architecture and introduces how to deploy Kubernetes clusters on different platforms like Mesosphere's DCOS, Google Container Engine, and Mesos/Docker. It discusses the core components of Kubernetes including the API server, scheduler, controller manager and kubelet. It also demonstrates how to interact with Kubernetes using kubectl and view cluster state.
The document discusses cache concepts and the Varnish caching software. It provides an agenda that covers cache concepts like levels and types of caches as well as HTTP headers that help caching. It then covers Varnish, describing it as an HTTP accelerator, and discusses its process architecture, installation, basic configuration using VCL, backends, probes, directors, functions/subroutines, and tuning best practices.
NetEase Cloud K8S application practices | practices for kubernetes cluster provisioning, management and ap..., Xiaohui Chen
This document summarizes best practices for managing Kubernetes clusters and deploying containerized applications on Netease Cloud. It discusses implementing container networking in VPC, using cloud disks for storage, automating cluster creation, managing nodes, exposing services via ingress, extending ingress controllers, developing deployment pipelines with Helm, and managing application environments with operators. Overall principles and resources are also provided.
About Docker cluster management tools
1. Basic concepts of cluster management and Docker
2. Docker Swarm
3. Amazon EC2 Container Service
4. Kubernetes
5. Mesosphere
Container technologies use namespaces and cgroups to provide isolation between processes and limit resource usage. Docker builds on these technologies using a client-server model and additional features like images, containers, and volumes to package and run applications reliably and at scale. Kubernetes builds on Docker to provide a platform for automating deployment, scaling, and operations of containerized applications across clusters of hosts. It uses labels and pods to group related containers together and services to provide discovery and load balancing for pods.
Container Performance Analysis, Brendan Gregg (Netflix), Docker, Inc.
The document summarizes a talk on container performance analysis. It discusses identifying bottlenecks at the host, container, and kernel level using various Linux performance tools. It also provides an overview of how containers work in Linux using namespaces and control groups (cgroups). Specifically, it demonstrates analyzing resource usage and limitations for containers using tools like docker stats, systemd-cgtop, and investigating namespaces.
The document summarizes a talk on container performance analysis. It discusses identifying bottlenecks at the host, container, and kernel level using various Linux performance tools. It then provides an overview of how containers work in Linux using namespaces and control groups (cgroups). Finally, it demonstrates some example commands like docker stats, systemd-cgtop, and bcc/BPF tools that can be used to analyze containers and cgroups from the host system.
This document discusses security mechanisms in Docker containers, including control groups (cgroups) to limit resources, namespaces to isolate processes, and capabilities to restrict privileges. It covers secure computing modes like seccomp that sandbox system calls. Linux security modules like AppArmor and SELinux are also mentioned, along with best practices for the Docker daemon and container security overall.
Web scale infrastructures with kubernetes and flannelpurpleocean
The ability to answer user requests within a few fractions of a second, regardless of how many users there are, is a decisive factor in the success of web services. According to Amazon, 100 milliseconds of response latency are enough to cause an economic loss of about 1% of revenue [1]. Moreover, according to Google AdWords statistics, 2015 marked the point at which mobile interactions officially overtook desktop ones [2], with a consequent reduction in the average length of web browsing sessions.
In such a scenario, rationalising the use of hardware resources and the ability to scale with the number of users are decisive factors for the success of the business.
In this talk we will recount our experience of migrating enterprise-grade Magento e-commerce solutions from an architecture based on traditional VMs to a software-defined one based on Kubernetes, Flannel and Docker. We will then discuss the real difficulties we ran into when porting production solutions to containers, and show how, at the end of this long journey, our efforts were concretely rewarded by the increased resilience, reliability and automation of the final solution.
In support of the discussion, we will show the results of the benchmarks we ran to evaluate the scalability of the new architecture, presenting evidence of the real capabilities of Kubernetes as an orchestration tool for services delivered in Docker containers.
We will conclude the talk by presenting our project for geographically distributing the Kubernetes master nodes over SD-WAN networks, to guarantee the performance and service continuity of the solution.
This document summarizes the key aspects of a public cloud archive storage solution. It offers affordable and unlimited storage using standard transfer protocols. Data is stored using erasure coding for redundancy and fault tolerance. Accessing archived data takes 10 minutes to 12 hours depending on previous access patterns, with faster access for inactive archives. The solution uses middleware to handle sealing and unsealing archives along with tracking access patterns to regulate retrieval times.
Who is afraid of privileged containers ?Marko Bevc
This document discusses container security and demonstrates how privileges can be escalated in Kubernetes clusters. It covers security mechanisms for containers like rootless containers and privilege dropping. It then demonstrates how a user can escalate privileges by mounting host secrets or escaping containers to gain host access. The document concludes that while orchestration platforms improve security, following security best practices like least privilege pods and RBAC are needed. It advocates that all users should fear privileged containers.
The document discusses different platforms for deploying microservices using containers including Docker, Kubernetes, AWS ECS, AWS Elastic Beanstalk, OpenShift, and Fabric8. Docker allows deploying containers but does not provide orchestration capabilities. Kubernetes provides orchestration of containers across clusters and can be deployed on-premises or on cloud providers. AWS ECS and Elastic Beanstalk integrate Docker containers with AWS but lack portability. OpenShift is a distribution of Kubernetes that can be used to deploy and manage containerized applications. Fabric8 builds upon Docker and Kubernetes to provide a full Platform as a Service with DevOps capabilities.
How to build a Platform As A Service with Docker, Kubernetes, Go and Java (Codemotion)
"How to build a Platform As A Service with Docker, Kubernetes, Go and Java" by Massimiliano Dessì
To automate CI and CD during development, testing, pre-production and production, the techniques currently called DevOps are used, locally with Vagrant or on a cloud PaaS, private or public. We can build a scalable PaaS using only Docker, Docker plus Kubernetes, or ready-made solutions such as Openshift 3 (which sits on top of Docker and Kubernetes). In the presentation we will see how to obtain these three kinds of PaaS, with an additional orchestration layer in Go/Java and Ansible that automates behaviour in response to monitored events.
ContainerD is a daemon that controls the runC runtime to execute and manage containers according to the OCI specification. It has a gRPC API and a low-level CLI (ctr) for debugging. ContainerD is designed to be embedded in larger systems rather than directly used by end-users. It focuses on container execution, images, storage, and networking.
Drupalcamp es 2013 drupal with lxc docker and vagrant Ricardo Amaro
This document discusses using containers like LXC and Docker to automate Drupal deployments. It begins with an introduction to the speaker and overview of virtual machines versus containers. The speaker then demonstrates using LXC containers on Ubuntu with tools like Vagrant and Puppet for configuration management. Docker is presented as an improvement allowing developers to package applications and dependencies into portable containers that can be run anywhere without reconfiguration.
How Zalando runs Kubernetes clusters at scale on AWS - AWS re:InventHenning Jacobs
Many clusters, many problems? Having many clusters has benefits: reduced blast radius, less vertical scaling of cluster components, and a natural trust boundary. In this session, Zalando shows its approach for running 140+ clusters on AWS, how it does continuous delivery for its cluster infrastructure, and how it created open-source tooling to manage cost efficiency and improve developer experience. The company openly shares its failures and the learnings collected during three years of Kubernetes in production.
AWS re:Invent session OPN211 on 2019-12-05
Similar to Devoxx France 2018 : Mes Applications en Production sur Kubernetes (20)
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
3. #DevoxxFR
Kubernetes?
• It is a "cluster manager":
  K8S manages a fleet of machines (physical or virtual)
• It is a set of "objects":
  K8S lets you declare the desired state of an application
• Drivable through an API
Reference: https://kubernetes.io/docs/concepts/
6. #DevoxxFR
A POD?
  metadata:
    labels:
      app: lab-java
  spec:
    containers:
    - name: lab
      image: barkbay/k8s-app-lab:java-v0
      ports:
      - containerPort: 8080
Some metadata (the metadata block) and a list of containers (spec.containers).
7. #DevoxxFR
A security context defines privilege
and access control settings for a
Pod or Container :
• User ID
• Linux Capabilities
• SELinux labels
• AllowPrivilegeEscalation
Security context
9. #DevoxxFR
An automatic SecurityContext?
« SCCs are objects that define a set of conditions that a pod must run with in order to be accepted into the system. »
TL;DR: SCCs make it possible to apply a default security context to PODs.
OR
PSP: Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification.
10. #DevoxxFR
Security takeaway
Understand SecurityContexts; work with your OPS on putting PSPs in place (or use Openshift)
SELinux: "Every time you run setenforce 0, you make Dan Walsh weep. Dan is a nice guy and he certainly doesn't deserve that."
Use dedicated namespaces
Use ServiceAccounts: technical accounts that let you work with RBAC
What security for application traffic? End-to-end TLS?
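One way to turn the settings from the SecurityContext and PSP slides into a check you can run before `kubectl apply` (in CI, or as the logic behind an admission webhook). This is an added example, not code from the talk or the k8s-app-lab project; `SAMPLE_POD_SPEC` is a constructed Python dict mirroring the YAML shown in the slides, and the rule wording is this example's own.

```python
"""Pre-deployment check of a Pod spec against the security settings the slides
recommend (non-root, no privilege escalation, no privileged containers, CPU
and memory limits). Added example, not code from the talk or the k8s-app-lab
project; SAMPLE_POD_SPEC is a constructed dict mirroring the slides' YAML."""
from typing import Any, Dict, List

# Constructed sample that mirrors the Pod spec shown on the slides (plain dict,
# so no YAML library is needed).
SAMPLE_POD_SPEC: Dict[str, Any] = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 2000},
    "containers": [
        {
            "name": "lab",
            "image": "barkbay/k8s-app-lab:java-v0",
            "resources": {
                "requests": {"memory": "128Mi", "cpu": "500m"},
                "limits": {"memory": "192Mi", "cpu": "2"},
            },
            "securityContext": {"allowPrivilegeEscalation": False},
            "ports": [{"containerPort": 8080}],
        }
    ],
}


def effective_security_context(pod_spec: Dict[str, Any], container: Dict[str, Any]) -> Dict[str, Any]:
    """Container-level securityContext fields override the Pod-level ones."""
    merged = dict(pod_spec.get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def check_pod_spec(pod_spec: Dict[str, Any]) -> List[str]:
    """Return the list of violations; an empty list means the spec passes.

    These are the kind of rules a PSP/SCC applies by default on the cluster;
    here they run client-side so the finding shows up before deployment.
    """
    violations: List[str] = []
    for container in pod_spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = effective_security_context(pod_spec, container)
        if sc.get("privileged"):
            violations.append(f"{name}: privileged containers are not allowed")
        # allowPrivilegeEscalation defaults to true, so an absent field is a finding.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        # Either runAsNonRoot: true or an explicit non-zero runAsUser is needed.
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            violations.append(f"{name}: must not run as root (set runAsNonRoot or a non-zero runAsUser)")
        # Sharing CPU and memory with other tenants requires declared limits.
        limits = container.get("resources", {}).get("limits", {})
        for resource in ("cpu", "memory"):
            if resource not in limits:
                violations.append(f"{name}: missing resources.limits.{resource}")
    return violations


if __name__ == "__main__":
    problems = check_pod_spec(SAMPLE_POD_SPEC)
    print("OK" if not problems else "\n".join(problems))
```

The slides' own spec passes; a container that sets `privileged: true` and nothing else collects five findings, because the defaults of the missing fields (privilege escalation allowed, UID 0, no limits) are themselves the problem.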
12. #DevoxxFR
Multi-tenant: Share CPU and memory
  spec:
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      fsGroup: 2000
    containers:
    - name: lab
      image: barkbay/k8s-app-lab:java-v0
      resources:
        requests:
          memory: "128Mi"
          cpu: "500m"
        limits:
          memory: "192Mi"
          cpu: "2"
      securityContext:
        allowPrivilegeEscalation: false
      ports:
      - containerPort: 8080
Limits control the maximum amount of resources that the container may use.
The scheduler uses resource requests to find a node with an appropriate fit for all containers in a POD.
13. #DevoxxFR
Multi-tenant: Share CPU and memory
  containers:
  - name: lab
    image: barkbay/k8s-app-lab:java-v0
    resources:
      requests:
        memory: "128Mi"
        cpu: "500m"
      limits:
        memory: "192Mi"
        cpu: "2"
« Converted to its millicore value and multiplied by 100. The resulting value is the total amount of CPU time that a container can use every 100ms. A container cannot use more than its share of CPU time during this interval. »
This is called throttling.
16. #DevoxxFR
Monitoring CPU cgroup
$ cat /sys/fs/cgroup/cpu/cpu.stat
user 1637
system 88
nr_periods 520
nr_throttled 364
throttled_time 72988838516
nr_throttled: number of times tasks in a cgroup have been throttled
throttled_time: the total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.
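The two previous slides together: how a CPU limit becomes a CFS quota, and how to read the throttling counters back out of cpu.stat. This is an added example, not from the talk; `SAMPLE_CPU_STAT` is a constructed copy of the values on the slide, `CFS_PERIOD_US` is the kubelet's default 100 ms period, and the second path is the cgroup v2 location of the same file.

```python
"""How a CPU limit becomes a CFS quota, and how much a container is actually
throttled. Added example, not from the talk; SAMPLE_CPU_STAT is a constructed
copy of the cpu.stat values on the slide, and CFS_PERIOD_US is the kubelet
default period (100 ms)."""
from pathlib import Path
from typing import Dict, Optional

CFS_PERIOD_US = 100_000  # cpu.cfs_period_us: 100 ms, the kubelet default

# Constructed copy of the slide's cpu.stat output (cgroup v1 layout).
SAMPLE_CPU_STAT = """\
user 1637
system 88
nr_periods 520
nr_throttled 364
throttled_time 72988838516
"""

CPU_STAT_PATHS = ("/sys/fs/cgroup/cpu/cpu.stat",   # cgroup v1, as on the slide
                  "/sys/fs/cgroup/cpu.stat")       # cgroup v2 (unified hierarchy)


def cpu_quantity_to_millicores(quantity: str) -> int:
    """Kubernetes CPU quantity -> millicores: '500m' -> 500, '2' -> 2000, '1.5' -> 1500."""
    quantity = quantity.strip()
    if quantity.endswith("m"):
        return int(quantity[:-1])
    return int(round(float(quantity) * 1000))


def cfs_quota_us(cpu_limit: str, period_us: int = CFS_PERIOD_US) -> int:
    """CPU time (µs) the cgroup may use per period. With a 100 ms period this is
    exactly the slide's 'millicores * 100': '2' -> 200000 µs every 100 ms."""
    return cpu_quantity_to_millicores(cpu_limit) * period_us // 1000


def parse_cpu_stat(text: str) -> Dict[str, int]:
    """Parse 'key value' lines; works for both cgroup v1 and v2 cpu.stat."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("-").isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def throttle_ratio(stats: Dict[str, int]) -> float:
    """Share of CFS periods in which the tasks were throttled (0.0 .. 1.0)."""
    periods = stats.get("nr_periods", 0)
    return stats.get("nr_throttled", 0) / periods if periods else 0.0


def throttled_ms(stats: Dict[str, int]) -> float:
    """Total throttled time in ms; v1 reports nanoseconds, v2 microseconds."""
    if "throttled_time" in stats:
        return stats["throttled_time"] / 1e6
    return stats.get("throttled_usec", 0) / 1e3


def read_cpu_stat() -> Optional[Dict[str, int]]:
    """Read the live cpu.stat of this container's cgroup, if one is mounted."""
    for path in CPU_STAT_PATHS:
        if Path(path).exists():
            return parse_cpu_stat(Path(path).read_text())
    return None


if __name__ == "__main__":
    stats = read_cpu_stat() or parse_cpu_stat(SAMPLE_CPU_STAT)
    print(f"quota for cpu '2': {cfs_quota_us('2')} us per {CFS_PERIOD_US} us period")
    print(f"throttled in {throttle_ratio(stats):.0%} of periods, {throttled_ms(stats):.0f} ms total")
```

On the slide's numbers the container was throttled in 70% of its periods (364 of 520) for about 73 s in total, which is the signal to raise the CPU limit or reduce the thread count rather than to look for a bug in the application.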
20. #DevoxxFR
OOM-KILLER In Action
java invoked oom-killer: gfp_mask=0xd0, order=0, oom_score_adj=872
[…]
memory: usage 196608kB, limit 196608kB, failcnt 1953
[…]
[ pid ] uid tgid total_vm rss nr_ptes swapents oom_score_adj name
[25616] 1000 25616 254 1 4 0 -998 pause
[25687] 1000 25687 678075 48764 165 0 872 java
Memory cgroup out of memory: Kill process 25908 (java) score 1864 or sacrifice child
Killed process 25687 (java) total-vm:2712300kB, anon-rss:191448kB, file-rss:3520kB, shmem-rss:0kB
The failcnt field gives the number of times that the cgroup limit was exceeded.
  limits:
    memory: "192Mi"
21. #DevoxxFR
Avoid OOM-Killer with Java 8
$ # Inside the container
$ cat /sys/fs/cgroup/memory/memory.limit_in_bytes
402653184 # 384MB max
$ # It is up to you to compute the appropriate Xmx
or
-XX:+UnlockExperimentalVMOptions
-XX:+UseCGroupMemoryLimitForHeap
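The manual route from the slide, written out: read the cgroup memory limit, derive an -Xmx that leaves room for the non-heap parts of the JVM, and pull the cgroup figures out of an OOM-killer report like the one two slides back. This is an added example, not from the talk; the second path is the cgroup v2 equivalent of the file on the slide, the 75% heap fraction and the "above 2**62 means unlimited" heuristic are this example's choices, and `SAMPLE_OOM_LOG` is a constructed copy of the slide's kernel messages.

```python
"""Sizing the JVM heap from the cgroup memory limit (the manual route on the
slide) and reading the cgroup figures out of an OOM-killer report. Added
example, not from the talk; the second path is the cgroup v2 equivalent of the
file on the slide, the 75% heap fraction is this example's choice, and
SAMPLE_OOM_LOG is a constructed copy of the slide's kernel messages."""
import re
from pathlib import Path
from typing import Dict, Optional

MEMORY_LIMIT_FILES = (
    "/sys/fs/cgroup/memory/memory.limit_in_bytes",  # cgroup v1, as on the slide
    "/sys/fs/cgroup/memory.max",                    # cgroup v2
)

# Constructed copy of the slide's OOM-killer output.
SAMPLE_OOM_LOG = """\
java invoked oom-killer: gfp_mask=0xd0, order=0, oom_score_adj=872
memory: usage 196608kB, limit 196608kB, failcnt 1953
Memory cgroup out of memory: Kill process 25908 (java) score 1864 or sacrifice child
Killed process 25687 (java) total-vm:2712300kB, anon-rss:191448kB, file-rss:3520kB, shmem-rss:0kB
"""

OOM_MEMORY_RE = re.compile(r"memory: usage (\d+)kB, limit (\d+)kB, failcnt (\d+)")
OOM_KILLED_RE = re.compile(r"Killed process (\d+) \((\S+)\)")


def read_cgroup_memory_limit() -> Optional[int]:
    """Limit in bytes, or None when the container has no memory limit.
    cgroup v2 writes 'max'; cgroup v1 writes a huge page-counter maximum,
    treated here as unlimited above 2**62 (a heuristic, not a kernel constant)."""
    for path in MEMORY_LIMIT_FILES:
        file = Path(path)
        if file.exists():
            raw = file.read_text().strip()
            if raw == "max" or int(raw) >= 2**62:
                return None
            return int(raw)
    return None


def heap_mb_for_limit(limit_bytes: int, fraction: float = 0.75) -> int:
    """Heap in MiB, leaving headroom for metaspace, thread stacks, code cache
    and direct buffers, which all count against the same cgroup limit."""
    return int(limit_bytes * fraction) // (1024 * 1024)


def xmx_flag(limit_bytes: int, fraction: float = 0.75) -> str:
    return f"-Xmx{heap_mb_for_limit(limit_bytes, fraction)}m"


def parse_oom_report(log: str) -> Optional[Dict[str, object]]:
    """Extract usage/limit/failcnt and the killed pid from a cgroup OOM report."""
    mem = OOM_MEMORY_RE.search(log)
    if not mem:
        return None
    usage_kb, limit_kb, failcnt = (int(g) for g in mem.groups())
    killed = OOM_KILLED_RE.search(log)
    return {
        "usage_kb": usage_kb,
        "limit_kb": limit_kb,
        "failcnt": failcnt,                 # times the cgroup limit was hit
        "at_limit": usage_kb >= limit_kb,
        "killed_pid": int(killed.group(1)) if killed else None,
        "killed_comm": killed.group(2) if killed else None,
    }


if __name__ == "__main__":
    limit = read_cgroup_memory_limit()
    if limit is None:
        print("no cgroup memory limit found; using the slide's 384 MiB as a sample")
        limit = 402653184
    print(f"limit {limit} bytes -> {xmx_flag(limit)}")
    print(parse_oom_report(SAMPLE_OOM_LOG))
```

For the slide's 384 MiB limit this yields `-Xmx288m`. The heap fraction is the knob to tune: a JVM with many threads or large direct buffers needs a smaller one, and an OOM report whose `usage` equals `limit` with a large `failcnt` is the sign that the fraction is still too high.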
27. #DevoxxFR
Monitoring your own metrics
Implement a call to /metrics:
  kind: Service
  apiVersion: v1
  metadata:
    name: lab-java-service
    annotations:
      prometheus.io/scrape: "true"
  spec:
    selector:
      app: lab-java
    ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
+
endpoint_hello_total{status="get",} 1606.0
28. #DevoxxFR
HPA: Horizontal Pod Autoscaler
[Diagram] The H.P.A. queries the CORE API / Custom Metric API, which is served by a mediation POD backed by PROMETHEUS; PROMETHEUS scrapes /metrics on the application PODs (POD POD POD); the H.P.A. decides: scale up!
GET /apis/custom.metrics.k8s.io/[…]/lab-java-service/endpoint_hello
42
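From the counter on the /metrics slide to the scaling decision on this one: parsing the exposition line, turning a monotonic counter into a per-second rate (which is what the mediation layer serves to the HPA), and applying the HPA's replica formula. This is an added example, not from the talk or the lab application; `SAMPLE_METRICS` is a constructed copy of the slide's /metrics line with constructed HELP/TYPE comments, the scaling rule is the documented Kubernetes formula desiredReplicas = ceil(currentReplicas * currentMetric / targetMetric) with the controller's default 10% tolerance, and the request rates in the usage are made up.

```python
"""From a counter on /metrics to a Horizontal Pod Autoscaler decision.
Added example, not from the talk or the lab application. SAMPLE_METRICS is a
constructed copy of the slide's /metrics line (note the trailing comma inside
the braces, which the Java client emits and which a parser must accept); the
scaling rule is the documented HPA formula
desiredReplicas = ceil(currentReplicas * currentMetric / targetMetric), with
the controller's default 10% tolerance."""
import math
import re
from typing import Dict, List, Tuple

# Constructed: the slide's sample line plus the HELP/TYPE comments a client emits.
SAMPLE_METRICS = """\
# HELP endpoint_hello_total Calls to /hello
# TYPE endpoint_hello_total counter
endpoint_hello_total{status="get",} 1606.0
"""

SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+(\S+)')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:\\.|[^"\\])*)"')

Sample = Tuple[str, Dict[str, str], float]


def parse_metrics(text: str) -> List[Sample]:
    """Parse the Prometheus text exposition format into (name, labels, value)."""
    samples: List[Sample] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SAMPLE_RE.match(line)
        if not match:
            continue
        name, label_text, value = match.groups()
        labels = dict(LABEL_RE.findall(label_text or ""))  # tolerates the trailing comma
        samples.append((name, labels, float(value)))
    return samples


def counter_rate(previous: float, current: float, seconds: float) -> float:
    """Per-second rate of a counter. A value lower than the previous one means
    the process restarted and the counter reset, so count from zero again."""
    delta = current if current < previous else current - previous
    return delta / seconds if seconds > 0 else 0.0


def desired_replicas(current_replicas: int, current_metric: float, target_metric: float,
                     min_replicas: int = 1, max_replicas: int = 10, tolerance: float = 0.1) -> int:
    """HPA rule: scale by the ratio of observed to target, rounded up, clamped
    to [min, max]; within +/- tolerance of the target nothing changes."""
    ratio = current_metric / target_metric
    if abs(ratio - 1.0) <= tolerance:
        return current_replicas
    desired = math.ceil(current_replicas * ratio)
    return max(min_replicas, min(max_replicas, desired))


if __name__ == "__main__":
    name, labels, value = parse_metrics(SAMPLE_METRICS)[0]
    print(f"{name}{labels} = {value}")
    # Constructed: 42 requests/s per pod observed (the value on the slide), target 20/s.
    print("replicas:", desired_replicas(3, 42.0, 20.0))
```

With three replicas each seeing 42 requests/s against a target of 20, the HPA asks for ceil(3 * 2.1) = 7 replicas; at 21 requests/s the ratio is inside the 10% dead band and nothing happens, which is what keeps a noisy metric from flapping the deployment.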
30. #DevoxxFR
Is it alive?
  spec:
    containers:
    - name: lab
      image: barkbay/k8s-app-lab:java-v0
      livenessProbe:
        tcpSocket:
          port: 8080
      readinessProbe:
        tcpSocket:
          port: 8080
        initialDelaySeconds: 5
        periodSeconds: 2
      ports:
      - containerPort: 8080
Open the traffic?
Restart the container?
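The two questions on the slide answered by two different endpoints, as an added example that is not the lab application's code: liveness reports whether the process can still make progress (the kubelet restarts the container otherwise), readiness reports whether it should receive traffic (warm-up done, not draining, dependencies reachable). The slide uses tcpSocket probes; this example uses HTTP ones, the dependency check is a constructed stand-in, and the heartbeat/warm-up thresholds are this example's choices.

```python
"""Liveness and readiness answered separately: liveness says "restart me",
readiness says "send me traffic". Added example, not the lab application's
code; it serves /healthz and /ready with the standard-library HTTP server,
the dependency checks are injected stand-ins, and the clock is injectable so
the logic can be exercised without waiting."""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, Tuple


class HealthState:
    def __init__(self, dependency_checks: Dict[str, Callable[[], bool]],
                 warmup_seconds: float = 5.0, max_heartbeat_age: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.dependency_checks = dependency_checks
        self.warmup_seconds = warmup_seconds
        self.max_heartbeat_age = max_heartbeat_age
        self.clock = clock
        self.started = clock()
        self.last_heartbeat = clock()
        self.draining = False

    def heartbeat(self) -> None:
        """Called by the worker loop; a stuck loop stops calling it."""
        self.last_heartbeat = self.clock()

    def liveness(self) -> Tuple[int, dict]:
        """Fail only when the process itself can no longer make progress. A
        broken downstream dependency must NOT restart every replica at once."""
        if self.clock() - self.last_heartbeat > self.max_heartbeat_age:
            return 503, {"status": "stuck"}
        return 200, {"status": "alive"}

    def readiness(self) -> Tuple[int, dict]:
        """Fail while warming up, while draining, or when a dependency is down;
        the endpoints controller then stops routing traffic to this pod."""
        if self.draining:
            return 503, {"status": "draining"}
        if self.clock() - self.started < self.warmup_seconds:
            return 503, {"status": "warming-up"}
        failed = [name for name, check in self.dependency_checks.items() if not check()]
        if failed:
            return 503, {"status": "not-ready", "failed": failed}
        return 200, {"status": "ready"}


def make_handler(state: HealthState):
    class Handler(BaseHTTPRequestHandler):
        routes = {"/healthz": state.liveness, "/ready": state.readiness}

        def do_GET(self):
            probe = self.routes.get(self.path)
            code, body = probe() if probe else (404, {"error": "not found"})
            payload = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *_):  # keep kubelet probe traffic out of the logs
            pass
    return Handler


def serve(state: HealthState, port: int = 8080) -> None:
    HTTPServer(("", port), make_handler(state)).serve_forever()


if __name__ == "__main__":
    # Constructed dependency: replace the lambda with a real connectivity check.
    serve(HealthState({"db": lambda: True}))
```

Pointing the livenessProbe at /healthz and the readinessProbe at /ready (with the slide's initialDelaySeconds/periodSeconds) gives the kubelet the distinction the slide asks about: a database outage takes the pod out of the Service without restarting it, while a hung worker loop does trigger a restart.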
31. #DevoxxFR
Pod Disruption Budget (a.k.a. PDB)
In case of a "voluntary" "disruption", keeps a minimum number of instances running.
  apiVersion: policy/v1beta1
  kind: PodDisruptionBudget
  metadata:
    name: lab-java-pdb
  spec:
    minAvailable: 1
    selector:
      matchLabels:
        app: lab-java
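What the budget above allows a node drain to do, as an added example that is not from the talk: the controller's arithmetic for minAvailable (an absolute count, or a percentage of the desired pods rounded up) and a constructed drain in which evictions arrive faster than replacement pods become healthy.

```python
"""What a PodDisruptionBudget lets a voluntary disruption (node drain,
eviction API) do. Added example, not from the talk; it reproduces the budget
arithmetic for the slide's PDB, including the percentage form of minAvailable
(rounded up, as the controller does), and a constructed drain of three pods."""
import math
from typing import Union

IntOrPercent = Union[int, str]


def resolve_min_available(min_available: IntOrPercent, desired: int) -> int:
    """minAvailable may be an absolute count or a percentage of desired pods."""
    if isinstance(min_available, str) and min_available.endswith("%"):
        return math.ceil(desired * int(min_available[:-1]) / 100)
    return int(min_available)


def disruptions_allowed(pdb_spec: dict, desired: int, healthy: int) -> int:
    """Number of healthy pods an eviction may remove right now (never negative).
    Only healthy pods count, so a deployment with crash-looping replicas may
    already have a budget of zero before the drain even starts."""
    min_available = resolve_min_available(pdb_spec["minAvailable"], desired)
    return max(0, healthy - min_available)


def simulate_drain(pdb_spec: dict, desired: int, healthy: int, eviction_requests: int) -> int:
    """How many of the requested evictions succeed when no replacement pod
    becomes healthy in between (a fast node drain); the rest are refused
    by the API server with 429 Too Many Requests until the budget recovers."""
    granted = 0
    for _ in range(eviction_requests):
        if disruptions_allowed(pdb_spec, desired, healthy) == 0:
            break
        healthy -= 1
        granted += 1
    return granted


# Constructed copy of the slide's budget.
LAB_PDB = {"minAvailable": 1}

if __name__ == "__main__":
    print(disruptions_allowed(LAB_PDB, desired=3, healthy=3))                               # 2
    print(simulate_drain({"minAvailable": "50%"}, desired=3, healthy=3, eviction_requests=3))  # 1
```

With the slide's `minAvailable: 1` and three healthy replicas, two evictions go through and the third waits; with `minAvailable: 50%` on three replicas the budget is ceil(1.5) = 2, so only one pod may be evicted at a time. The budget only covers voluntary disruptions: an OOM-kill or a node crash ignores it, which is why the limits and probes from the earlier slides still matter.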
32. #DevoxxFR
Takeaway
• Security first
• Expose metrics
• Collect metrics
• Monitor:
  • cgroups: memory and cpu
  • application restarts
  • events in the namespaces
• Implement simple Liveness and Readiness tests
33. #DevoxxFR
Thank you
Source code of the application:
https://github.com/barkbay/k8s-app-lab/