The 4.5 release is not a minor "point" update: it is one of the most feature-rich releases in the project's history. It contains several important additions. Most notably: the new Xen PVH virtualization mode can now run as dom0, enhanced support for Remus, significant ARM architecture updates, security improvements, real-time scheduling, support for Intel Cache Monitoring Technology (CMT), and improvements for automotive and embedded use-cases. Other enhancements include additional support for FreeBSD, systemd support, additional libvirt support, the release of Mirage OS 2.0, and more.
Besides giving an overview of Xen 4.5, we will explain the project's roadmap process and share what's ahead for 2015: such as improved OpenStack integration and hotpatching (applying security fixes without the need to reboot).
How to tune your Xen deployment for performance: Xen offers several options and different kinds of guests. Knowing when to use each kind of guest, and how to tune its parameters, can make a big difference to performance. This talk will cover the types of guests that can be deployed on Xen and the options you can use to obtain the best performance.
LF Collaboration Summit: Xen Project 4.4 Features and Futures - The Linux Foundation
Xen Project 4.4 Release Information.
Delivered by Russell Pavlicek at Linux Foundation Collaborative Summit on March 27, 2014.
Updated for LinuxCon/CloudOpen North America in August 2014.
Delivered by Russell Pavlicek at CentOS Dojo, Denver, CO, April 10, 2014.
A basic introduction to Xen4CentOS: What it provides, how to install it, and where it is going.
LinuxCon EU: Virtualization in the Cloud featuring Xen and XCP - The Linux Foundation
The Xen Hypervisor was built for the Cloud from the outset: when Xen was designed, we anticipated a world, which today is known as cloud computing. Today, Xen powers the largest clouds in production. This talk explores success criteria, architecture, trade-offs and challenges for cloudy hypervisors.
It is intended for users and developers. It starts with a brief introduction to Xen and XCP and their architecture, then shines some light on common challenges for KVM and Xen, such as the NUMA performance tax and securing the cloud. It introduces the concept of domain disaggregation as an approach to increase security, robustness and scalability: all important factors for building clouds at scale. The talk will conclude with an update on Xen support in Linux, Xen for ARM servers and other exciting developments in the Xen community and their implications for building open source clouds.
Xen, XenServer, and XAPI: What's the Difference? - XPUS13, Bulpin, Pavlicek - The Linux Foundation
Many people have difficulty understanding the difference between the Xen Hypervisor, XenServer, and XAPI. In this session, James Bulpin, Director of Technology for XenServer, and Russell Pavlicek, Evangelist for the Xen Project, will attempt to clarify what each project is, what it does, and how it compares with the others. We will cover some of the basic features and functions, the tasks for which each is suitable, and where the projects overlap. Attendees will come away with a better sense of where these three projects fit in the world of Xen virtualization.
It is no accident that Xen software powers some of the largest Clouds in existence. From its outset, the Xen Project was intended to enable what we now call Cloud Computing. This session will explore how the Xen Architecture addresses the needs of the Cloud in ways which facilitate security, throughput, and agility. It will also cover some of the hot new developments of the Xen Project.
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek - buildacloud
The Xen Project produces a mature, enterprise-grade virtualization technology designed for the Cloud, featuring many advanced and unique security features. For this reason, it is a hypervisor of choice for government agencies like the NSA and the DoD, as well as for new security-minded projects such as the QubesOS Secure Desktop. However, while much of the security of Xen is inherent in its design, many of the advanced security features, such as stub domains, driver domains, and Xen Security Modules (XSM), are not enabled by default. This session will describe many of the advanced security features of Xen, as well as explaining why Xen is an excellent choice for secure Clouds.
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ... - The Linux Foundation
With the rapid growth in computing power of embedded platforms, system designers are turning to hypervisors to consolidate functionality in order to reduce the Size, Weight, Power, and Cost of embedded systems. With the recent addition of ARM support to the Xen hypervisor, Xen provides an attractive Open Source option for such systems. However, some of the industries most interested in this technology, such as automotive, medical, and avionics, have strict safety certification requirements. Nathan Studer will give a brief overview of DornerWorks' efforts in certifying Xen, describe the hurdles and advantages that Xen and its development model lend to the certification effort, and lay out a proposed path for certifying Xen.
XPDS13: HVM Dom0 - Any unmodified OS as Dom0 - Will Auld, Intel - The Linux Foundation
It would be great if we could use an unmodified guest for dom0 or the driver domain. We found a way to achieve that. Since Xen's inception, the first guest on Xen has always been a para-virtualized domain, running a modified Linux, NetBSD, Solaris, etc. In this way, dom0 can achieve near-native performance, so it is commonly used in the server market. However, modifications to guest kernels also imply limitations. For example, it can't support Windows OS as the dom0 or the driver domain. With the rapid evolution of hardware-assisted virtualization (e.g. VMX, VT-d technologies), HVM domains can also achieve performance comparable with para-virtualization. And it's high time for Xen to support such an unmodified guest as the dom0. In the presentation, we discuss its architectural changes and its benefits compared with the traditional PV or HVM dom0, and we also introduce what we have done.
Gandi.net is a cloud provider running about 10000 VMs since 2008. We recently updated our infrastructure from Xen 4.1 to Xen 4.8 and decided to move our whole platform to Xen (from a mix of Xen and KVM). This platform uses home-made code based on the Xen python bindings and xl to orchestrate VMs. This talk will present our use cases and the experience we had with Xen, the shortcomings or issues we had while upgrading our platform, what features we use, and present some new features we would like to have in Xen. For example, it will discuss how we use live patching and live migration. The talk will consider both the Xen hypervisor and its associated userspace utilities.
Xen is a mature enterprise-grade virtual machine with many advanced security features which are unique to Xen. For this reason it's the hypervisor of choice for the NSA, the DoD, and the new QubesOS Secure Desktop project. However, while much of the security of Xen is inherent in its design, many of the advanced security features, such as stub domains, driver domains, XSM, and so on are not enabled by default. This session will describe all of the advanced security features of Xen, and the best way to configure them for the Cloud environment.
LCEU13: Securing your cloud with Xen's advanced security features - George Du... - The Linux Foundation
Xen is a mature enterprise-grade virtual machine with many advanced security features which are unique to Xen. For this reason it's the hypervisor of choice for the NSA, the DoD, and the new QubesOS Secure Desktop project. While much of the security of Xen is inherent in its design, many of the advanced security features, such as stub domains, driver domains, XSM, and so on are not enabled by default. This session will describe all of the advanced security features of Xen, and the best way to configure them for the Cloud environment. When the audience leaves, they should have a general framework to evaluate the security of their system, know the key security features of Xen, and have a basic framework of knowledge to help them make sense of the documentation. This talk will *not* go into mind-numbing detail about specific commands to type or configuration options.
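To make the "not enabled by default" point concrete, here is an added example of an xl domain configuration that turns on the three features the abstracts name (stub domain, driver domains, XSM label). It is not taken from the talk or from the Xen Project's documentation. The domain names guest1, netdrv and blkdrv, the bridge name and the LV path are hypothetical, and the block assumes a hypervisor built with CONFIG_XSM and CONFIG_XSM_FLASK, booted with flask=enforcing, with a policy loaded that defines the labels used.

```cfg
# Added example, not from the talk or the Xen Project: an xl domain configuration
# that turns on the three features the abstracts say are off by default.
# Assumptions: guest1, netdrv, blkdrv, xenbr0 and /dev/vg0/guest1 are placeholders;
# the hypervisor was built with CONFIG_XSM + CONFIG_XSM_FLASK, booted with
# "flask=enforcing", and a FLASK policy defining domU_t and dm_dom_t is loaded.

name   = "guest1"
type   = "hvm"
memory = 2048
vcpus  = 2

# 1. Stub domain. Run the QEMU device model in its own small PV domain instead
#    of as a dom0 process, so an emulator escape from this guest lands in a
#    domain with no more reach than the guest itself, not in dom0.
#    (Default 0: QEMU runs in dom0 with dom0's privilege over every guest.)
device_model_stubdomain_override = 1

# 2. Driver domains. "backend=" moves the network and block backends out of
#    dom0 into dedicated domains that own the physical NIC/HBA (PCI passthrough)
#    and run netback/blkback. A backend driver bug then compromises only that
#    driver domain. (Default: the backend is dom0.)
vif  = [ "bridge=xenbr0,backend=netdrv" ]
disk = [ "phy:/dev/vg0/guest1,xvda,w,backend=blkdrv" ]

# 3. XSM/FLASK. With a label, the FLASK policy decides which hypercalls this
#    domain may issue and which domains it may share grants and event channels
#    with, instead of the default dom0/non-dom0 split. The stub domain gets its
#    own label so it cannot reach beyond the guest it serves.
seclabel                         = "system_u:system_r:domU_t"
device_model_stubdomain_seclabel = "system_u:system_r:dm_dom_t"
```

Two checks worth doing after `xl create`: `xl list -Z` shows the security label actually applied to the guest and its stub domain, and `xl getpolicy` confirms a policy is loaded. Two caveats: the driver domains must already be running and hold the device, or the guest will fail to start; and a driver domain only contains a compromised driver if the device sits behind an IOMMU (VT-d on x86), since without one the device's DMA can still reach any memory in the system.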
XPDDS18: LCC18: Xen Project: After 15 years, What's Next? - George Dunlap, C... - The Linux Foundation
The Xen Hypervisor is 15 years old, but like Linux, it is still undergoing significant upgrades and improvements. This talk will cover recent and upcoming developments in Xen on the x86 architecture, including the newly-released 'PVH' guest virtualization mode, the future of PV mode, qemu deprivileging, and more. We will cover why these new features are important for a wide range of environments, from cloud to embedded.
The talk is a status report on the latest release and development projects. It will cover the new features and important bug fixes (if any) in 4.7. It will also provide insight into what's in the queue for the next major release. A retrospective on the release process will also be part of the talk.
Linaro Connect Asia 13: Citrix - Xen on ARM plenary session - The Linux Foundation
The Xen on ARM effort has had a short, but impressive, history. In late 2011, Citrix seeded a Xen.org community project to port Xen to ARMv7 with virtualization extensions targeting the Cortex A15 as the reference platform. In 2012, the project scope was expanded to include the ARMv8 architecture. Linux 3.7 was the first kernel release to run on Xen on ARM as Dom0 and DomU. Very soon now (Q2 2013), Xen 4.3 will fully support several different ARM platforms, including Samsung Chromebooks, Versatile Express Cortex A15 and Arndale development boards.
In this talk, we will outline how virtualization enabled server consolidation and cloud computing, as well as innovative and secure solutions for both desktops and mobile devices. We will explain why Citrix saw the need for the project, and why it is highly relevant in today's cloud-centric virtualization landscape. We will discuss the opportunities this has brought to the Xen ecosystem, and then peek into the future possibilities which Xen on ARM will enable. While Xen is best known as the technology powering some of the biggest clouds in the industry, it could also be powering virtual machines on devices that fit in your pocket.
The talk will also include a brief overview of the Xen on ARM architecture, including the key design principles employed. The techniques pioneered during the ARM port will allow the Xen community to remove many legacy components from the Xen code base, streamlining both the ARM and x86 implementations. We will share some data on the challenges in porting Xen to new ARM boards. Due to full reliance on Device Tree and to the minimal hardware requirements of the hypervisor, ports to new boards require surprisingly little effort.
Finally, the talk will conclude by outlining the immediate roadmap for Xen on ARM.
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ... - The Linux Foundation
An important facilitator of Unikernel development, Xen Project continues to develop new and interesting technologies to support the needs of the next generation datacenter. Potentially game-changing technologies like Unikernels will never reach their full potential unless the hypervisor they rely on can handle a large number of potentially tiny VMs effectively and efficiently.
In this talk, Xen Project Advisory Board Chairman Lars Kurth will discuss some of the major advances in the hypervisor produced in last year's releases (4.5 and 4.6). He will also discuss some of the work in development which could appear in upcoming releases.
This talk provides an overview of the Xen Project eco-system and its main use-cases in a number of important market segments: it covers server virtualization, cloud computing and embedded, automotive and related. Lars Kurth highlights why the Xen Project is relevant in these market segments: he provides an overview of the Xen Project's architecture, relevant existing functionality and ongoing and planned developments. To complement the picture, he covers open-source projects that are related to Xen and are of interest for these use-cases. Excellent software security is key to all of these use-cases. Thus, Lars specifically covers the Xen Project's security features and track record, and touches on the project's security practices. He concludes with a few resources that help you get started with the Xen Project and highlights internship programs which the project supports.
The talk was delivered at Root Linux Conference 2017. Learn more: http://linux.globallogic.com/materials. The video is available at https://www.youtube.com/watch?v=sjQnAIJji4k
Note: also see https://www.slideshare.net/xen_com_mgr/ossna18-xen-beginners-training-exercise-script
The Xen Project supports some of the biggest clouds in production today and is moving into new industries, like security and automotive. Usually you use Xen only indirectly, as part of a commercial product, a distro, or a hosting or cloud service. By following this session you will learn how Xen and virtualization work under the hood, from high-level topics like architecture concepts related to virtualization to more technical attributes of the hypervisor like memory management (ballooning), virtual CPUs, scheduling, pinning, saving/restoring and migrating VMs.
The Xen Hypervisor was built for the Cloud from the outset: when Xen was designed, we anticipated a world, which today is known as cloud computing. Today, 10 years after the project started, Xen powers the largest clouds in production.
This talk explores success criteria, architecture, trade-offs and challenges for cloudy hypervisors. It is intended for users and developers and starts with a brief introduction to Xen and XCP, their architecture, common challenges for KVM and Xen, and securing the cloud. It will introduce concepts such as the virtualization spectrum, domain disaggregation and the Xen Security Modules as techniques to increase security, robustness and scalability, all important factors for building clouds at scale.
The talk will conclude with exciting developments in the Xen community, such as Xen support for ARM servers, Mirage appliances that can be run on any Xen based cloud, etc. and explore their implications for building open source clouds.
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix - The Linux Foundation
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space, providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome them. We will also explore what this might mean for IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
Russell Pavlicek explores the security features of Xen within the cloud. Delivered at Build-A-Cloud Day at USENIX LISA 2013 and at Virtual Build-A-Cloud Day in December 2013.
For people who want to start out with #opensource, #openstack, #cloud or #bigdata, Linux is the foundational skill. Consider this a beginner guide to Linux: understand why it is important, what the landscape is, and how easy it is to learn.
The learning cheat sheet can be utilized from http://linoxide.com/guide/linux-command-shelf.html
PDF version attached as well .
Kernel Recipes 2014 - Xen as a foundation for cloud infrastructure - Anne Nicolas
It is no accident that Xen software powers some of the largest Clouds in existence. From its outset, the Xen Project was intended to enable what we now call Cloud Computing.
This session will explore how the Xen Architecture addresses the needs of the Cloud in ways which facilitate security, throughput, and agility. It will also cover some of the hot new developments of the Xen Project.
Julien Grall, Citrix
What's New In 2008 R2 Hyper-V and VMM 2008 R2 - Updated Oct 2009 - Aidan Finn
This is the presentation I gave at the UK/Ireland MVP open day in Reading in October 2009. There is no NDA content in here. It's an updated and expanded version of the presentation.
Static partitioning is used to split an embedded system into multiple domains, each of them having access only to a portion of the hardware on the SoC. It is key to enable mixed-criticality scenarios, where a critical application, often based on a small RTOS, runs alongside a larger non-critical app, typically based on Linux. The two domains cannot interfere with each other.
This talk will explain how to use Xen for static partitioning. It will introduce dom0-less, a new Xen feature written for the purpose. Dom0-less allows multiple VMs to start at boot time directly from the Xen hypervisor, decreasing boot times drastically. It makes it very easy to partition the system without virtualization overhead. Dom0 becomes unnecessary.
This presentation will go into details on how to setup a Xen dom0-less system. It will show configuration examples and explain device assignment. The talk will discuss its implications for latency-sensitive and safety-critical environments.
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ... - The Linux Foundation
TrenchBoot is a cross-community OSS integration project for hardware-rooted, late launch integrity of open and proprietary systems. It provides a general purpose, open-source DRTM kernel for measured system launch and attestation of device integrity to trust-centric access infrastructure. TrenchBoot closes the UEFI Measurement Gap and reduces the need to trust system firmware. This talk will introduce TrenchBoot architecture and a recent collaboration with Oracle to launch the Linux kernel directly with Intel TXT or AMD SVM Secure Launch. It will propose mechanisms for integrating the Xen hypervisor into a TrenchBoot system launch. DRTM-enabled capabilities for client, server and embedded platforms will be presented for consideration by the Xen community.
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu... - The Linux Foundation
Artem will briefly cover what has been done since the first talk on Xen in the Automotive domain back in 2013, what is going on now and what is still missing for broad adoption of Xen in vehicles. The following topics will be covered:
Embedded/automotive features of Xen
Collaboration with AGL and GENIVI organizations for standardization
Efforts on Functional Safety compliance
Artem will also go over typical automotive use scenarios for Xen which may not be the same as generic computing use of hypervisor.
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op... - The Linux Foundation
In this keynote talk, we will give an overview of the state of the Xen Project, trends that impact the project, see whether challenges that surfaced last year have been addressed and how we did it, and highlight new challenges and solutions for the coming year.
In recent years unikernels have shown immense performance potential (e.g., boot times of only a few ms, image sizes of only hundreds of KBs). The fundamental drawback of unikernels is that they require applications to be manually ported to the underlying minimalistic OS, needing both expert work and often a considerable amount of time.
The Unikraft project provides a unikernel code base and build system that significantly simplifies the building of unikernels. In addition to support for a number of CPU architectures, languages and frameworks, Unikraft provides debugging and tracing features that are generally sorely missing from unikernel projects. In this talk we will talk about these features, show a set of preliminary performance numbers, and provide a roadmap for the project's future.
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E... - The Linux Foundation
The idea of making Xen secret-free has been floating since Spectre and Meltdown came into light. In this talk we will discuss what is being done and what needs to be done next.
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
This talk will introduce Dom0-less: a new way of using Xen to build mixed-criticality solutions. Dom0-less is a Xen feature that adds a novel approach to static partitioning based on virtualization. It allows multiple domains to start at boot time directly from the Xen hypervisor, decreasing boot times dramatically. Xen userspace tools, such as xl and libvirt, become optional.
Dom0-less extends the existing device tree based Xen boot protocol to cover information required by additional domains. Binaries, such as kernels and ramdisks, are loaded by the bootloader (u-boot) and advertised to Xen via new device tree bindings.
The audience will learn how to use Dom0-less to partition the system. Uboot and device tree configuration details will be explained to enable the audience to get the most out of this feature. The talk will include a status update and details on future plans.
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...The Linux Foundation
As the number of contributions grow, reviewer bandwidth becomes a bottleneck; and maintainers are always asking for more help. However, ultimately maintainers must at least Ack every patch that goes in; so if you're not a maintainer, how can you contribute? Why should anyone care about your opinion?
This talk will try to lay out some advice and guidelines for non-maintainers, for how they can do code review in a way which will effectively reduce the load on maintainers when they do come to review a patch.
This talk is a follow-up to our Summit 2017 presentation in which we covered our plans for Intel VMFUNC and #VE, as well as related use-cases. This year, we will provide a report on what we have accomplished in Xen 4.12, and what remains to be addressed. We will also give a brief status update of VMI on AMD hardware. The session will end with some real-world numbers of the Hypervisor Introspection solution running on Citrix Hypervisor 8.0 with #VE enabled.
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
Safety certification is one of the essential requirements for software to be used in highly regulated industries. Besides technical and compliance issues (such as ISO 26262 vs IEC 61508), transitioning an existing project to become more easily safety certifiable requires significant changes to development practices within an open source project.
In this session, we will lay out some challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the Xen Project has followed thus far and highlight lessons learned along the way. The talk will primarily focus on necessary process, tooling changes and community challenges that can prevent progress. We will be offering an in-depth review of how Xen Project is approaching this challenging goal and try to derive lessons for other projects and contributors.
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...The Linux Foundation
Safety certification is one of the essential requirements for software to be used in highly regulated industries. The Xen Project, a secure and stable hypervisor that is used in many different markets, has been exploring the feasibility of building safety certified products on top of Xen for a year, looking at key aspects of its code base and development practices.
In this session, we will lay out the motivation and challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the project has followed thus far and highlight lessons learned along the way. The talk will cover technical enablers, necessary process and tooling changes and community challenges, offering an in-depth review of how the Xen Project is approaching this exciting and challenging goal.
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixThe Linux Foundation
2018 saw fundamental shifts in security boundaries which were previously taken for granted. A lot of work has been done in the past 2 years, and largely in secret under embargo, but there is plenty more work to be done to strengthen the existing mitigations and to try to recover some performance without reopening security holes.
This talk will look at speculative execution sidechannels, the work which has already been done to mitigate the security holes, and future work which hopes to bring some improvements.
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdThe Linux Foundation
The Arm architecture provides a set of guidelines that any software should abide by when accessing memory with the MMU off and when updating page-tables. Failing to do so may result in TLB conflicts or broken coherency.
In a previous talk ("Keeping coherency on Arm"), we focused on safely updating the stage-2 (aka P2M) page-tables. This talk will focus on the boot code and Xen memory management.
During this session, we will introduce some of the guidelines and when they should be used. We will also discuss how the Xen boot sequence needs to be reworked to avoid breaking the guidelines.
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...The Linux Foundation
For many years the QEMU codebase has contained PV backends for Xen guests, giving them paravirtual access to storage, network, keyboard, mouse, etc. However, these backends have not been configurable as QEMU devices, as their implementation did not fully adhere to the QEMU Object Model (QOM).
In particular, the PV storage backend not using proper QOM devices (qdevs) meant that the QEMU block layer needed to maintain legacy code that was cluttering up the source. This was causing push-back from the maintainers, who did not want to accept any patches relating to that Xen backend until it was 'qdevified'.
In this talk, I'll explain the modifications I made to QEMU to achieve 'qdevification' of the PV storage backend, how compatibility with the libxl toolstack was maintained, and what the next steps in both QEMU and libxl development should be.
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DThe Linux Foundation
PCI is a local computer bus for attaching hardware devices in a computer, and is the main peripheral bus on modern x86 systems. As such, having a proper way to emulate it is crucial for Xen to be able to expose both fully emulated devices or passthrough devices to guests.
This talk will focus on the current status of PCI emulation in Xen, how and where it is used, what are its main limitations and future plans to improve it in order to be more robust and modular.
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
Volodymyr will speak about TEE mediators. This is a new feature in Xen which allows multiple virtual machines to interact with a Trusted Execution Environment available on the platform. He developed a mediator for one of the TEEs, namely OP-TEE.
He will give background information on why a TEE is needed at all and share some implementation details.
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...The Linux Foundation
Xen is a very powerful hypervisor with a talented and diverse developer community. Despite the fact that it's almost everywhere (from the Cloud to the embedded world), it can be difficult to set up and manage as a system administrator. General purpose distros have Xen packages, but that's just the start of your Xen journey: you need some tooling and knowledge to have a working and scalable platform.
XCP-ng was built to overcome those issues: by bringing Xen to the masses with a fully turnkey distro with Xen as its core. It's the logical sequel to the XCP project, with a community focus from the start. We'll see how it happened, what we did, and what's next. Finally, we'll see the impact of XCP-ng on the Xen Project.
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...The Linux Foundation
Doug has long advocated for more CI/CD (Continuous Integration / Continuous Delivery) processes to be adopted by the Xen Project from the use of Travis CI and now GitLab CI. This talk aims to propose ideas for building upon the existing process and transforming the development process to provide users a higher quality with each release by the Xen Project.
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...The Linux Foundation
High level toolstacks for server and cloud virtualization are very mature with large communities using and supporting them. Client virtualization is a much more niche community with unique requirements when compared to those found in the server space. In this talk, we’ll introduce a client virtualization toolstack for Xen (redctl) that we are using in Redfield, a new open-source client virtualization distribution that builds upon the work done by the greater virtualization and Linux communities. We will present a case for maturing libxl’s Go bindings and discuss what advantages Go has to offer for high level toolstacks, including in the server space.
Today Xen schedules guest virtual CPUs on all available physical CPUs independently of each other. Recent security issues on modern processors (e.g. L1TF) require hyperthreading to be turned off for best security, in order to avoid leaking information from one hyperthread to the other. One way to avoid having to turn off hyperthreading is to only ever schedule virtual CPUs of the same guest on one physical core at the same time. This is called core scheduling.
This presentation shows results from the effort to implement core scheduling in the Xen hypervisor. The basic modifications in Xen are presented and performance numbers with core scheduling active are shown.
LFCOLLAB15: Xen 4.5 and Beyond
1. Lars Kurth
Community Manager, Xen Project
Chairman, Xen Project Advisory Board
Lead CentOS Virtualization SIG
Director, Open Source Business Office, Citrix lars_kurth
2. Released on January 15, 2015 (10 months of development)
Resources:
Blog: bit.do/xen-4-5-blog
Docs: bit.do/xen-4-5-docs
Download: bit.do/xen-4-5-download
Stats:
Changesets: 1812
KLOC Added: 81
KLOC Removed: 141 (mostly removal of XM)
Contributors: 102 individuals
Employers: 39 (93 individuals working for them)
4. Chart: number of Developers and Employers per year, 2010 to 2014 (y-axis 0 to 250).
Using GitDM over Git logs using our database of developers and organizations to remove duplicates across all sub-projects
Reasons for faster Innovation:
More developers and orgs
Fewer forked up-streams (e.g. Linux, BSDs, QEMU, …)
Architecture clean-up (e.g. XM to XL)
Better Development Process
7. Xen 4.5: XEND / XM has been removed
XL now the default interface into Xen
Resources:
Docs: bit.do/xen-xl
Comparison: bit.do/xen-4-5-xm-2-xl-compare
Migration Guide: bit.do/xen-4-5-xm-2-xl
Libvirt integration has been vastly improved
Resources:
Docs: bit.do/xen-libvirt
Complete List: bit.do/xen-4-5-blog
Diagram: Dom0 (Dom0 Kernel, Drivers) hosting the Toolstack(s): XL and LIBVIRT on top of LIBXENLIGHT, with XEND and XM (removed).
8. Xen via Libvirt in Openstack:
Great Platform for Production Deployments
Get into Quality Group A in 2015
Great Platform for Development
Great DevStack support
Libvirt:
Better Quality, Stability & Usability
Drivers: OpenStack, CentOS Virt SIG – learning what a distro needs
Resources:
Docs: bit.do/xen-openstack
Plans: bit.do/xen-openstack-fosdem15
Install Video: https://vimeo.com/119572029
Diagram: OpenStack NOVA drivers and their quality groups: LIBVIRT + KVM (Group A); XenServer (XAPI), ESX and Hyper-V (Group B); LIBVIRT + Xen (Group C, target: Group A).
9. Number 1 priority for the project
Vendor funded Test Infrastructure
More capacity & coverage
Automated performance testing
Vendor funded OpenStack CI loop
Xen Project Rack
10. Overview
Xen 4.5: Real-Time Deferrable Server Scheduler
What is next?
Resources:
Docs: bit.do/xen-schedulers
11. Diagram: HW (CPUs, Memory, I/O) with Dom0 (Dom0 Kernel, Drivers) on top.
The Xen Project Hypervisor supports several different schedulers with different properties.
Different schedulers can be assigned to…
… an entire host, e.g. Credit2 Scheduler
12. Diagram: HW (CPUs, Memory, I/O) with Dom0 (Dom0 Kernel, Drivers) on top.
The Xen Project Hypervisor supports several different schedulers with different properties.
Different schedulers can be assigned to…
… an entire host
… a pool of physical CPUs (= CPU Pool) on a host (VMs need to be assigned to a pool or pinned to a CPU), e.g. RTDS Scheduler in one pool, Credit Scheduler in another
14. Soft Real-time CPU scheduler (experimental)
Guarantees CPU capacity to guest VMs on SMP hosts
Budget: Amount of time assigned to a VM
Period: Time period in which depleted budgets are replenished
Global: Allow VCPU Migration across CPUs
Pro: More flexibility & best utilization
Con: Migration Overhead & Cache Penalty
Partitioned: Pin VCPU to a physical CPU; Schedule VMs per CPU
Pro: Lower overheads & lower latency
Con: May underutilize CPU
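As an added illustration of the budget/period model on this slide (example code written for this transcript, not part of the talk and not Xen's own RTDS implementation): a simplified discrete-time simulation of deferrable-server scheduling. Each VCPU is assumed to be always runnable, time is counted in constructed integer units, the VCPU names a/b/c and the helper names `admissible`, `simulate` and `partitioned` are assumptions of this example, and which physical CPU runs a VCPU is abstracted away (the global variant just hands out up to `ncpus` slots per tick, which is what migration across CPUs buys you). The admission check is the plain utilisation bound, which is a necessary condition only.

```python
"""Simplified model of budget/period (deferrable server) scheduling in the
style of Xen's RTDS scheduler.  Constructed example: always-busy VCPUs,
integer time units, earliest-deadline-first with stable tie-breaking.
This is not Xen's own code."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class VCPU:
    name: str
    budget: int      # CPU time the VCPU may consume per period
    period: int      # budget is replenished at every multiple of period
    remaining: int = 0
    deadline: int = 0
    served: int = 0  # total CPU time actually received


def utilisation(vcpus):
    """Exact sum of budget/period over all VCPUs."""
    return sum((Fraction(v.budget, v.period) for v in vcpus), Fraction(0))


def admissible(vcpus, ncpus):
    """Necessary condition for the budgets to be deliverable: total
    utilisation must not exceed the number of physical CPUs in the pool."""
    return utilisation(vcpus) <= ncpus


def simulate(vcpus, ncpus, horizon):
    """Run a global EDF schedule over `horizon` time units on `ncpus` CPUs.
    Returns {vcpu name: CPU time received}.  Raises if the set is not
    admissible, mirroring an admission-control refusal."""
    if not admissible(vcpus, ncpus):
        raise ValueError("VCPU set exceeds CPU capacity: %s > %d"
                         % (utilisation(vcpus), ncpus))
    for v in vcpus:
        v.remaining = v.deadline = v.served = 0
    for t in range(horizon):
        # Replenish the budget and set the next deadline at each period start.
        for v in vcpus:
            if t % v.period == 0:
                v.remaining = v.budget
                v.deadline = t + v.period
        # Runnable = still has budget; run up to ncpus of them, earliest
        # deadline first (ties keep the order the VCPUs were given in).
        runnable = sorted((v for v in vcpus if v.remaining > 0),
                          key=lambda v: v.deadline)
        for v in runnable[:ncpus]:
            v.remaining -= 1
            v.served += 1
    return {v.name: v.served for v in vcpus}


def partitioned(vcpus_per_cpu, horizon):
    """Partitioned variant: each physical CPU runs only its own pinned
    VCPU group, so admission is checked per CPU rather than per pool."""
    result = {}
    for group in vcpus_per_cpu:
        result.update(simulate(group, 1, horizon))
    return result


if __name__ == "__main__":
    # Global: three VCPUs with total utilisation 1.5 on a 2-CPU pool.
    a, b, c = VCPU("a", 4, 10), VCPU("b", 6, 10), VCPU("c", 5, 10)
    print(simulate([a, b, c], 2, 100))      # {'a': 40, 'b': 60, 'c': 50}
    # Partitioned: a and b pinned to CPU0 (utilisation 1.0), c to CPU1 (0.5).
    print(partitioned([[a, b], [c]], 100))  # {'a': 40, 'b': 60, 'c': 50}
```

Two things the model makes visible that the bullets only state: a set whose utilisation exceeds the pool is refused outright (the "guarantee" only holds for admitted sets), and the utilisation bound is necessary but not sufficient for this simple EDF, e.g. three VCPUs with budget 6 / period 10 pass the check on two CPUs yet the third only receives 4 units per period, because the tie-break never migrates a running VCPU mid-period.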
16. Scheduler status (columns: Scheduler | Use-cases | Xen 4.5 | Plans for 4.6+)
Credit | General Purpose | Supported, Default | Supported, Optional
Credit 2 | General Purpose; optimized for lower latency, higher VM density | Experimental | Supported, Default
RTDS | Soft & Firm Real-time, Multicore; Embedded, Automotive, Graphics & Gaming in the Cloud, Low Latency Workloads | Experimental | Hardening, Optimization, Better XL support, <1μs granularity, Supported
ARINC 653 | Hard Real-time, Single core; Avionics, Drones, Medical | Supported (compile time) | No change
Legend (colour-coded on the slide, not preserved in this transcript): likely in 4.6; possible in 4.6
17. Overview
Jan 2015: Intel GVT-g (XenGT) Updates
What is next?
Resources:
News: bit.do/xengt-jan15
Docs: bit.do/xengt-jan15-docs
18. Watch the demo at https://www.youtube.com/watch?v=V2i8HCcAnY8
Virtual GPU per VM
Performance critical resources directly assigned to VM
19. XenGT support is currently out-of-tree
Q4-2014 refresh by Intel: In use by XenClient 5.5
First patches have been posted for review on xen-devel
Requires some Linux and QEMU patches also
Motivation: create a common code base for Xen & KVM
Likely complete for Xen 4.6 (or shortly afterwards)
Will initially be experimental
22. Virtualization spectrum. Columns: Shortcut | Mode | With | per-component virtualization (P = Paravirtualized, VS = Software Virtualized (QEMU), VH = Hardware Virtualized). The slide colour-codes the grid from Poor Performance through Scope for Improvement to Optimal Performance.
HVM / Fully Virtualized | HVM | - | VS VS VS VH
HVM + PV drivers | HVM | PV Drivers | P VS VS VH
PVHVM | HVM | PVHVM Drivers | P P VS VH
PVH | PV | pvh=1 | P P P VH
PV | PV | - | P P P P
Guest OS labels on the slide: Windows; Linux, BSDs, …
23. Same grid, lower part:
PVH | PV | P P P VH
PV | PV | P P P P
ARM | PV | P P P VH
Simplicity: Less code & fewer Interfaces in Linux/FreeBSD
– Security: smaller TCB and attack surface, fewer possible exploits
– Clean-up: possibility to simplify Linux kernel and reduce maintenance burden
Better Performance & Lower Latency
– Dom0 must be a PV guest
– 64 bit: VM's run in ring 0 instead of ring 3 (fewer expensive TLB flushes)
This is the most complex part of Xen today!
24. Feature Complete
Hardware support for AMD x86 chips
Add support for PCI passthrough
Migration of PVH DomUs (including systems with PVH Dom0)
Hardening & Tuning
Add PVH to test suite and make test failures blocking
Benchmarking and performance tests
Code clean-up
25. x86
HPET: Better and faster resolution values
Parallel memory scrubbing on boot (large machines)
Lower interrupt latency for PCI passthrough (machines > 2 sockets)
Soft affinity for non-NUMA machines
Multiple IO-REQ services for guests (remove bottlenecks for HVM guests by allowing multiple QEMU back-ends)
Intel
SandyBridge: VT-d posted interrupts for PVHVM (I/O intensive workloads)
26. Vulnerabilities published in 2014
Evolution of Xen Security Features
Xen 4.5 : Virtual Machine Introspection
A new Model for Cloud Security
What is next?
27. 2014 vulnerability counts by class (columns: Linux Container | KVM + QEMU | Xen (PV) / Xen (HVM+Stub))
Privilege Escalation (guest to host) | 7 – 9 | 3 – 5 | 0
Denial of Service (by guest of host) | 12 | 5 – 7 | 3
Information Leak (from host to guest) | 1 | 0 | 1
Assumptions:
x86 vulnerabilities from guest to host that hosting/cloud providers worry about
Xen (HVM) without stub domains has slightly more than Xen (PV) due to use of QEMU, less than KVM + QEMU
Have the underlying analysis (but won't cover it in the talk)
29. Timeline 2007 to 2015 of Xen security features:
Stub Domains: QEMU in separate domains
Flask / Xen Security Modules (Xen's version of SELinux)
vTPM (Virtual Trusted Platform Module)
Driver Domains (Network, Disk, … drivers in a separate VM)
XenAccess / XenProbes VM Introspection (via LibVMI)
Major Upgrades (marked on the timeline)
TODAY: Mainly used by security apps (XenClient, Qubes OS, …), Forensic, Military & Embedded
TODAY: In general use (but has trade-offs at cloud scale)
30. Timeline 2007 to 2015, highlighting XenAccess / XenProbes VM Introspection (via LibVMI):
Exposed lots of existing Xen functionality in LibVMI
Hypervisor can bring in paged-out guest memory
Mem_access-emulate(-with-no-write)
Many more patches currently under review for Xen 4.6
31. Watch the demo at https://www.youtube.com/watch?v=ZJPHfpDiN4o
Credit: Tamas K Lengyel
32. Diagram: Dom0 (Dom0 Kernel, Drivers) beside VM2, VM3, … VMn, each running a Guest OS and App with Agent(s) installed in the guest.
Installed in-guest agents, e.g. anti-virus software, VM disk & memory scanner, network monitor, etc.
Anti-virus storm, deployment/maintenance, …
33. Diagram: Dom0 (Dom0 Kernel, Drivers), a Security Appliance in VM1 running the Introspection Engine in a protected area (labelled XSM/Flask), and VM2, VM3, … VMn each running a Guest OS, App and a small Agent.
Hybrid approach: no need to move everything outside (choose the best trade-off)
34. Major re-work of Virtual Machine Introspection
Optimization, Code cleanup/future-proofing
Support for ARM CPUs
Intel #VE support
Turn Xen Security Modules on by default and include in test suite
Disabled today and not automatically tested
Specialist Use to General Use!
35. Reduce TCB
QEMU secure mode for HVM without stub domains
Move the instruction emulator into non-privileged mode
Move the Xen compatibility layer into a lower privilege ring
Binary Live Patching for the Xen Hypervisor
Depends on which solution the kernel will standardize on
(kpatch / kGraft / ftrace-based)
We want to share tooling
37. Remus: Non-stop Service Replication
Continually live migrates a copy of a running VM to a backup server
Automatically activates if the primary server fails
Expensive in terms of overheads and hardware requirements
COLO: A different approach (building on top of Remus)
Relaxes requirement of backup server/VM being an exact replica
If the backup server generates the same response to input, we are able to fail over without service stop
Eliminates overheads, reduces hardware requirements
38. Remus
Some "loose ends", e.g. one fix for PV guests not in upstream kernel
Better tools integration and control ("xl remus" instead of "remus")
Optimizations for COLO
COLO
Out-of-tree
Integrates with Remus via "xl remus" – works with Xen 4.5
Some known issues
Fix "loose ends"
Include into Xen Hypervisor code base
Switch block replication from blktap2 to qdisk (motivation: performance & alignment)
Hardening
40. Larger VMs
Up to 1TB of guest RAM
Lower virtualization overhead
Super page mappings and faster interrupt EOIs (no maintenance interrupts)
Improved Interrupt handling
Support for priorities and irq migration (virtual and physical)
Near feature parity with x86
Boot via UEFI firmware
QEMU PV backends (disk, console, keyboard, mouse, framebuffer)
Many new IP blocks, firmware interfaces and platforms are supported
E.g. AMD Seattle 64-bit server SoC – see bit.do/xen-4-5-docs
41. Hardening
Inclusion of 64 Bit Hardware into test infrastructure
VM Save/Restore and Live Migration
Note: Remus and COLO are architecture independent
PCI Passthrough
Note: passthrough of MMIO regions works in 4.6
ACPI and UEFI support for guests
More IP blocks, …
Support for more Hardware
42. Determine the usage of cache by VMs running
Monitors the L3 cache (LLC in most server platforms)
$ xl psr-cmt-attach vm-id
$ xl psr-cmt-show cache_occupancy
Identify noisy neighbor VMs and take corrective action
E.g. Migrate VM to a different host
E.g. CPU pinning, CPU pools, schedulers
What’s Next?
Intel Cache Allocation Technology
Longer term: schedulers can use HW utilization information
44. Release Manager: Wei Liu
Proposal: Tweaked Release Process for Xen 4.6
lists.xenproject.org/archives/html/xen-devel/2015-02/msg01214.html
Development start: 6 Jan 2015
Feature freeze: 10 Jul 2015
Release date: 9 Oct 2015 (could release earlier)
45. Release timeline on the master branch of xen.git: Feature Development, Feature Freeze point, Wait period to clear test pushgate, RC's, Release Announcement; the RELEASE-4.5.0 branch on xen.git.
46. The same timeline, annotated:
Feature Development: This is when patches for the ongoing release need to be submitted for review
Feature Freeze / Wait period to clear test pushgate: No new features will be accepted, unless there is a Freeze Exception; bug fixes are allowed, with approval by Maintainers/Release Manager
RC's: Release Manager declares that only bug fixes deemed blockers can be accepted
47. Roles per phase of the release process:
Feature Development start. Release Manager: sends first Xen x.y Development Update email on xen-devel@ (deferred features from previous release, timetable, etc.). Contributors: expected to reply if they are working on a feature that is not on the list of tracked features; expected to provide status updates on features & bugs on the list; not engaging with the process may lead to removal or downgrading.
Feature Development (ongoing). Release Manager: sends monthly Xen x.y Development Update email on xen-devel@. Contributors: expected to reply if they are working on a feature that is not on the list of tracked features and tracked bugs; same as above, and can also ask for Freeze Exceptions.
RC's. Release Manager: RC Announcements, Test Days. Contributors: expected to provide status updates on tracked bugs on the list.
Release. Release Manager: RC Announcement.
49. Embedded & Automotive
Sound, graphics, and other drivers for Linux and other OS’es
Lots of other enablers: e.g. security features
Certification
VMWare Tools support
Run VMWare images unmodified in Xen
More: First 4.6 Development Update
lists.xenproject.org/archives/html/xen-devel/2015-02/msg01816.html
50. Mirage OS
Safer and cleaner TLS stack: openmirage.org/blog/announcing-bitcoin-pinata
Irmin: Git-like distributed, branchable storage
Jitsu: a DNS server that spawns unikernels in response to DNS requests
IPv6, Tooling, etc.
Diagram: VMn containing the Language run-time and the Application; a Cubieboard2 serving the 2048 game @ FOSDEM'15.
50 Minutes! ACTUAL TALK TIME
Remo
TIMING: 35 MINUTES
Unit tests, Tempest
= 18 MINS =
Ties back to the previous use-case
Notes: Seen up to 6 VMs with graphics at good performance
TODO: a few notes to zoom stuff forward (playing time)
= 22 MINS =
Virt spectrum
PVH Dom0 : Why relevant?
E.g. on EC2, when you choose HVM for Linux you actually get PVHVM, while for Windows you get HVM + PV drivers
PVH Dom0 : Why relevant?
2nd part:
On the x86-32 ISA, Xen ran PV guest kernels in ring 1 to protect the hypervisor from the guests.
The x86-64 ISA removed rings 1 and 2 (leaving ring 0 for kernels and ring 3 for userspace) and eliminated the segmentation mechanism.
This means that on x86-64 the PV guest kernel and its userspace both run in ring 3, requiring a complete TLB flush for transitions between them.
This is very expensive and is part of the reason why HVM can outperform PV on x86-64 hardware for some workloads.
HPET = High Precision Event Timer
Soft affinity = lets the sysadmin define an arbitrary set of physical CPUs on which vCPUs prefer to run
= 27 MINS =
VMI – HW assisted
Security Process Changes
Next (Table)
32 vulnerabilities in 2014: some require several conditions to hold at the same time, some affect code and configurations that are not used in a standard hosting provider config
Of course the same applies to LXC and KVM
Assumptions
Intel x86 CPU
general purpose operating system as the guest
attacker has already gained control of the guest
vulnerabilities which, for example, a cloud hosting provider would worry about (containers and KVM both make the case that they are secure in such environments)
Dedicated: other features, such as PVH, etc. also have a security dimension
TPM = standard for a secure cryptoprocessor
There has been a lot of security functionality in Xen for a long time, BUT it is primarily used in a very narrow market segment.
Reasons:
Security wasn’t such a hot topic until recently.
Some of these features in Xen were not well documented or enabled by default …
---
Early signs are that this is changing, and you can see some of this if you look at the work currently being performed by various stakeholders in the community
LibVMI: targets Xen, but support for other hypervisors exists (Xen is by far the best supported).
LibVMI: KVM support is rather “rough”. KVM doesn't have the same type of APIs as Xen does to map VM memory into another process or to forward events, although some work is going on to improve the situation.
1) Two features that the Bitdefender guys added were the capability to inject page faults so that the guest OS would bring back paged-out memory.
2) The other one is mem_access-emulate(-with-no-write),
which is very handy when you are tracing the VM execution with EPT permissions (mem_access):
you don't need to reset the page permissions every time a trap is hit to let the VM progress.
If the -with-no-write flag is enabled, then the emulation will not touch the guest VM memory, a good way to get past the execution of shellcode safely.
Players: Bitdefender, TU Munich, Zentific, Intel (McAfee) as well as the HW group, Cisco
Shell in Dom0
Running DRAKVUF Dynamic Malware Analysis System (sits on top of LibVMI)
Other issues:
Complex deployment / maintenance, Visibility, etc.
Duplication of resources
Etc.
Several = for multi-tenancy, one per customer
Advantages:
Easier deployment / maintenance, etc. – e.g. centrally managed
Better visibility / performance
Avoids Duplication of resources – e.g. anti-virus storm
Hardware support coming: Intel #VE
Etc.
Notes:
Introspection engine is NOT running in Dom0
Use XSM/Flask to tightly control what the security appliance can do
Motivator for block replication: performance and community alignment
TODO: Split in two and add a picture?
= 39 =
16GB => 1TB
PCI: In the ARM world, it is quite common to have no PCIe devices and to only access devices using MMIO regions.
LLC=last level cache
NOISY neighbor:
Consider a VM as equivalent to a process. VM A can be running processes that consume (evict) many cache entries from VM B, thereby slowing down the performance of VM B.
In this case the noisy neighbor is a VM, and now you can consider mitigation actions like live migrating VM A to a different host (or at least be able to explain why VM B is running slower than expected). The noisy neighbor is the situation where you have 2 processes, A & B. Process A can be noisy in that it runs an algorithm that dirties many entries in the cache, evicting cache entries for process B and thereby slowing down process B. CMT, today, allows you to track which processes are using how much cache and identify the noisy ones (the process As that consume too much cache).
= 44 =
Show example of the first 4.6 mail …
Other examples: OSv, HalVM, ErlangOnXen/Ling, Rump Kernels
Jitsu: DNS server that spawns unikernels in response to DNS requests and boots them in real-time with no perceptible lag to the end user.
Goal = enable a community cloud of ARM-based Cubieboard2 boards that serve user content without requiring centralised data centers, but with the ease-of-use of existing systems.