Evaluation of 3 platforms (VM, container, unikernel) using a subset of metrics important to 3 sets of enterprise stakeholders: developers/DevOps, CIOs, and customers.
Unikernels are specialized virtual machines compiled from application code and only necessary operating system components. They provide benefits like reduced memory usage, faster load times, and a smaller attack surface compared to traditional virtual machines. Several unikernel implementations exist like MirageOS, Rumprun, and IncludeOS which are compiled from different languages and have varying boot times, image sizes, and hypervisor support. Unikernels are being applied to applications such as proxies, edge computing, and IoT gateways.
CIF16: Building the Superfluid Cloud with Unikernels (Simon Kuenzer, NEC Europe) - The Linux Foundation
The confluence of a number of relatively recent trends including the development of virtualization technologies, the deployment of micro datacenters at PoPs, and the availability of microservers, opens up the possibility of evolving the cloud, and the network it is connected to, towards a superfluid cloud: a model where parties other than infrastructure owners can quickly deploy and migrate virtualized services throughout the network (in the core, at aggregation points and at the edge), enabling a number of novel use cases including virtualized CPEs and on-the-fly services, among others. Towards this goal, we identify a number of required mechanisms and present early evaluation results of their implementation.
On an inexpensive commodity server, we are able to concurrently run up to 10,000 specialized virtual machines (based on unikernels), instantiate a VM in as little as 10 milliseconds, and migrate it in under 100 milliseconds.
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ... - The Linux Foundation
An important facilitator of Unikernel development, Xen Project continues to develop new and interesting technologies to support the needs of the next generation datacenter. Potentially game-changing technologies like Unikernels will never reach their full potential unless the hypervisor they rely on can handle a large number of potentially tiny VMs effectively and efficiently.
In this talk, Xen Project Advisory Board Chairman Lars Kurth will discuss some of the major advances in the hypervisor produced in last year's releases (4.5 and 4.6). He will also discuss some of the work in development which could appear in upcoming releases.
Linux, Unikernel, LinuxKit: towards redefining the cloud stack - Idit Levine
One of the major announcements last week at DockerCon 2017 was LinuxKit, a tool to create minimal, safer operating systems for running your containers.
This announcement marks a new phase in the quest to redefine the stack in the cloud, which started with the introduction of Unikernels.
In this session we will provide a deep dive on LinuxKit, Unikernels and what they mean for the future of the cloud.
We will discuss how these approaches are integrated with cluster management tools like Kubernetes, and show a few demos.
Presentation given at the 2017 LinuxCon China
Unikernel is a novel software technology that links an application with the OS in the form of a library and packages them into a specialized image that can be deployed directly on a hypervisor. Compared to traditional VMs or the recent containers, Unikernels are smaller, more secure and more efficient, making them ideal for cloud environments. There are already many open source projects such as OSv, Rumprun and so on. But why have these existing unikernels yet to gain broad popularity? We think Unikernels are facing three major challenges: 1. Compatibility with existing applications; 2. Lack of production support (e.g. monitoring, debugging, logging); 3. Lack of a compelling use case. In this presentation, we will review our investigations and exploration of whether and how we can convert Linux into a Unikernel to eliminate these significant shortcomings, plus some explorations of coordinating and cooperating with the hypervisor.
In this talk, we will give an overview of the state of the Xen Project, trends that impact the project, see whether challenges that surfaced last year have been addressed and how we did it, and highlight new challenges and solutions for the coming year.
This document provides an overview of unikernels including definitions, how they work, advantages, approaches and security aspects. A unikernel is defined as a library operating system that compiles an application and required OS libraries into a single standalone executable. It provides the benefits of containers and VMs but with lower overhead through a minimized attack surface and footprint. Different approaches focus on speed, safety or compatibility. Unikernel security is enhanced through strong isolation, a small trusted computing base and limiting what executable code can do.
CIF16: Knock, Knock: Unikernels Calling! (Richard Mortier, Cambridge University) - The Linux Foundation
The lightweight and secure nature of Unikernels means that a prime use-case is to customise network behaviour. At the same time, the high-level languages that many are written in means that this sort of low-level coding is opened up to those who might not traditionally consider themselves "systems developers".
MirageOS is a particular unikernel platform built in the OCaml functional programming language. Able to seamlessly target a range of environments, from a local (POSIX) development environment to Xen virtual machines running on the cloud, it is a prime example of the ways that unikernels open up low-level development.
I will briefly introduce MirageOS before walking through an example developing and then running on Xen a simple network proxy using MirageOS. This proxy will implement a basic form of port-knocking, requiring a sequence of TCP connections (SYNs) to be made to the proxy to indicate a target, before permitting an outgoing connection to that target to be made.
Thanks to Thomas Gazagnaire for the material used in the walkthrough!
This document introduces Mirage OS 2.0 and discusses how it can be used to build personal clouds. It summarizes that Mirage OS 2.0 allows applications to be written once in OCaml and then compiled for different platforms by changing system libraries. Unikernels produced with Mirage OS 2.0 are small enough to track in version control systems like Git, enabling new ways of deploying and managing the cloud that are more secure and efficient. The entire cloud deployment process from code to running VMs can be version controlled from a single codebase.
The talk is a status report for the latest release and development projects. It will cover the new features and important bug fixes (if any) in 4.7. It will also provide insight on what's in the queue for the next major release. A retrospective on the release process will also be part of the talk.
UniK - a unikernel compiler and runtime - Lee Calcote
This document contains the slides from a presentation by Lee Calcote on UniK, an open source tool for building and deploying unikernels. UniK allows developers to compile applications written in languages like Java, C++, Python and Go directly into small, secure virtual machines called unikernels. It supports deploying unikernels on various cloud platforms and virtualization technologies. The presentation covers what unikernels are, the UniK tool, its architecture and components, and demonstrates how to use UniK to build and deploy a sample application as a unikernel.
This document discusses unikernels and LinuxKit as approaches to redefining the cloud stack. It describes how unikernels aim to run a single application with a single user on a single server by including only necessary dependencies. This reduces complexity compared to traditional OSes and improves security, performance and size. LinuxKit is presented as a solution that provides compatibility while aiming for efficiency. The document demonstrates unikernel creation and advantages, and shows how unikernels can help address problems through minimal layers of isolation and abstraction.
Unikernel User Summit 2015: Getting started in unikernels using the rump kernel - The Linux Foundation
Justin Cormack's presentation at the Unikernel User Summit at Texas Linux Fest 2015. He discusses the basic principles and techniques for using Rump Kernels to power POSIXy workloads in a small, fast, and secure package.
The Secure Container solution enhances container security by isolating memory between Docker containers inside one VM using Intel VT-x EPT hardware, which is highly effective at protecting a container's memory and at the same time defends against ret2user privilege escalation attacks that exploit kernel vulnerabilities (e.g. the CVE-2017-6074 UAF (use-after-free) vulnerability). It extends the KVM interfaces, which the guest OS can leverage to isolate container memory from other containers; these interfaces rely on the Intel VT-x EPT hardware extension and provide memory access protection for the container, which sits in an isolated memory region. Each secure container has a dedicated EPT table rather than sharing one EPT table with the guest OS, which enforces cross-EPT memory access protection. The whole solution is user-friendly and fits into existing cloud server infrastructure with very limited changes.
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform... - The Linux Foundation
Released as Open Source Software (OSS) in June 2014, OpenXT is a collection of hardened Linux VMs configured to provide a user-facing Xen platform for client devices. This default configuration was mostly static, applying some disaggregation techniques to segregate system components based on a general threat analysis. The goals embodied in this code base up to its release produced a one-size-fits-most configuration with extensibility in specific areas to encapsulate 3rd party value-add.
With a community now forming around OpenXT we must come to terms with the limitations of this approach. In this talk Philip will define what OpenXT is and, in this definition, show that OpenXT can meet the varied needs of the security and virtualization community through the construction of a toolkit for the configurable disaggregation of a Xen platform.
This document discusses unikernels and how they aim to optimize application deployment by including only the necessary libraries and system components. It notes that traditional OSes include many more layers than an application may need. Unikernels provide isolation at the virtual hardware level and include only the runtime, dependencies, and drivers required by the application. This results in smaller, more secure deployments that have minimal surface area for attacks and are easier to reason about. The document also describes how unikernels can help address issues like compatibility and efficiency and notes several open source unikernel projects and tools like UniK that allow building and deploying unikernels on different platforms.
Mirage - Extreme specialization of cloud appliances (OSCON 2013) - Amir Chaudhry
This document summarizes a presentation on the Mirage project, which aims to create specialized virtual machines called "unikernels" tailored to run a single application. The presentation outlines how Mirage builds unikernels using OCaml to eliminate unnecessary OS components and achieve benefits like smaller sizes, faster boot times, and higher performance. It shows how Mirage unikernels have outperformed traditional virtual machines and general-purpose operating systems in benchmarks for applications like DNS and web serving. The document concludes by discussing ongoing and potential future work with Mirage.
CIF16: Unikernels: The Past, the Present, the Future (Russell Pavlicek, Xen ... - The Linux Foundation
The document summarizes a Cloud Innovators Forum event focused on unikernels. It provides an agenda for the day-long event, which includes several presentations on past, present and future applications of unikernels from various organizations. Unikernels are described as providing a thin, fast alternative to virtual machines by including only the minimal components needed to perform a task, improving security, performance and efficiency. The document discusses how unikernels have evolved from proof-of-concepts to more mainstream applications and languages, with potential to enable transient microservices and high density cloud deployments.
UPDATED OCTOBER 2015: Unikernels are small, fast, easily deployable, and very secure application stacks. Lacking a traditional operating system layer, they provide a new way of looking at the cloud which goes beyond the methodologies used by Docker and other container technologies.
This is an update of the deck as delivered by Russell Pavlicek. This includes some ground-breaking work done in the Rump Kernel project to bring web servers, database, and scripting language into the world of Unikernels.
Deck from the Ohio Linuxfest 2015 in Columbus, OH.
XPDDS18: Linux-based Device Model Stubdomains in Qubes OS - Marek Marczykowsk... - The Linux Foundation
One of the killer features of Xen is the ability to contain qemu in a minimal stubdomain. But even though qemu-upstream has been supported by Xen for a long time, stubdomains are compatible only with the ancient qemu-traditional. There were multiple approaches to this problem discussed over time (rumprun, Linux, ...), including some PoC patches. In this presentation I'll explain why we've chosen the Linux solution in Qubes OS and what challenges we faced to make it really work.
XPDDS19: Argo and Hypervisor-Mediated Data eXchange (HMX) - Christopher Clark... - The Linux Foundation
Defending the security of interconnected systems is shifting to depend upon methods for determining the level of trust to be placed in devices and users, with mandatory enforcement of access control policies and robust mechanisms for ensuring the integrity of communication between mutually-authenticated entities.
Virtualization-based security leverages trust in the hypervisor to provide strong mechanisms to virtual machines, enabling increased protection, in server, client and embedded deployments.
The interfaces provided by the hypervisor for inter-domain communication determine critical properties for data isolation and control of information flow.
Hypervisor-Mediated data eXchange describes key aspects of these data transfer primitives and has some support in Hyper-V. The first Open Source implementation of HMX is Argo, a Xen hypervisor feature developed with the OpenXT Project.
Resource placement is a policy-rich problem, particularly across multi-cluster, multi-geography and multi-cloud environments. Placement may be based on company conventions, external regulation, pricing, performance requirements, or complex combinations of those. Furthermore, placement policies evolve over time and vary across organizations. As a result, it is very difficult to anticipate the policy requirements of all users.
In this presentation, Torin Sandal (Lead Engineer of Open Policy Agent) will present, along with Irfan Ur Rehman, and demonstrate the work they've done integrating OPA into the Kubernetes Cluster Federation Control Plane. This enables high-level policies to be expressed in an easy-to-understand policy language and automatically enforced across federations of Kubernetes clusters.
An overview of the libvirt+xen OpenStack CI, explaining the various components, how they fit together and the specific customisations needed to test libvirt+xen under OpenStack.
Presentation given at the 2017 LinuxCon China
The boom in container technology brings obvious advantages for the cloud: simpler and faster deployment, portability and lightweight cost. But the networking challenges are significant. Users need to restructure their network and support container deployment within the current cloud framework, alongside containers and VMs.
In this presentation, we will introduce a new container networking solution, which provides one management framework to work with different network components through an open, friendly modelling mechanism. iCAN can simplify network deployment and management with most orchestration systems and a variety of data plane components, and provides an extensible architecture to define and validate Service Level Agreements (SLAs) for cloud native applications, which is an important factor for enterprises delivering successful and stable services via containers.
Evolution of the Windows Kernel Architecture, by Dave Probert - yang
Dave Probert is a kernel architect at Microsoft who has over 13 years of experience working on Windows kernels. He helped design key aspects of Windows such as multi-core support and user-mode scheduling. Probert provided an overview of how the Windows kernel architecture has evolved over time from Windows NT to recent versions, focusing on changes made to improve scalability, security and energy efficiency. He also discussed Microsoft's Windows Academic Program which provides universities access to Windows kernel source code and curriculum materials.
Dave Probert is a kernel architect at Microsoft who has over 13 years of experience working on Windows kernels. He helped design key aspects of kernels from Windows 2000 to Windows 7 such as multi-core support and user-mode scheduling. Probert also runs the Windows Academic Program which provides Windows kernel source code and curriculum materials to universities to help teach operating systems concepts.
Ceph Day Shanghai - On the Productization Practice of Ceph Ceph Community
H3C has requirements for a distributed storage solution for productization including cost, ease of use, reliability, availability, and maintainability. Ceph was chosen due to its scalability, ease of maintenance, unified storage, ability to combine with cloud, and use of commodity hardware. H3C has developed a Ceph-based product with a web UI and automated deployment. There are still technical issues to address like suboptimal CRUSH solutions, OSD flapping, and high availability of iSCSI. Future plans include participating in the open source Ceph community, cooperating with other manufacturers, addressing customer issues, and contributing improvements in reliability, availability and maintainability.
Dave Probert is a kernel architect at Microsoft who has worked on Windows kernels for over 13 years. He manages platform-independent kernel development and works on support for multi-core and heterogeneous parallel computing. Probert also co-instigated the Windows Academic Program which provides kernel source code and curriculum materials to universities to aid in operating systems education. The document discusses differences between the UNIX and Windows NT design environments and how those influenced OS design choices. It provides an overview of the Windows kernel architecture and changes made in newer versions like Windows 7 to improve scalability and support for multi-core systems.
BMC: Bare Metal Container @Open Source Summit Japan 2017Kuniyasu Suzaki
The document introduces Bare Metal Containers (BMC), which allow applications running in containers to customize the kernel and select the machine architecture in order to optimize performance and power consumption. BMC measures power usage for each application running on different hardware to provide incentives for developing low power applications. It discusses the current implementation of the BMC manager and evaluations of the boot performance overhead on various machine types.
Google Cloud Computing on Google Developer 2008 Dayprogrammermag
The document discusses the evolution of computing models from clusters and grids to cloud computing. It describes how cluster computing involved tightly coupled resources within a LAN, while grids allowed for resource sharing across domains. Utility computing introduced an ownership model where users leased computing power. Finally, cloud computing allows access to services and data from any internet-connected device through a browser.
(Embedded Linux Conference Europe 2014)
Linux uses many kind of embedded products. The products include not only consumer electronics but also control systems such as programmable logic controllers. There are many type of infrastructure systems and each system has different technical requirements. The requirements include not only real-time performance but also reliability-related functions. The infrastructure systems have to meet all the requirements. This presentation gives a summary of our study and development to adapt the Linux to infrastructure systems. Then we discuss the direction of future development. Please note, this presentation doesn't focus on a specific product.
A generic log analyzer for auto recovery of container orchestration systemConference Papers
This document proposes a generic log analyzer to automate troubleshooting in container orchestration systems. It describes a typical container orchestration architecture and how logs are generated at different levels. The proposed model uses Elasticsearch for centralized log management and Kibana for log visualization. The log analyzer consists of six main components: log detector, log predictor, action monitor, solution analyzer, database, and log manager. An algorithm is presented for how the log analyzer would identify errors from logs, group related errors, determine solutions from the solution analyzer, initiate action plans, monitor statuses, and update the database. Several troubleshooting cases involving components like the worker node, master node, and registry are used to demonstrate how the log analyzer would automate resolving issues
Introduction – Multiple tasks and multiple processes – Multirate systems- Preemptive realtime operating systems- Priority based scheduling- Interprocess communication mechanisms – Evaluating operating system performance- power optimization strategies for processes –Example Real time operating systems-POSIX-Windows CE. – Distributed embedded systems – MPSoCs and shared memory multiprocessors. – Design Example – Audio player, Engine control unit – Video accelerator.
Vijayendra Shamanna from SanDisk presented on optimizing the Ceph distributed storage system for all-flash architectures. Some key points:
1) Ceph is an open-source distributed storage system that provides file, block, and object storage interfaces. It operates by spreading data across multiple commodity servers and disks for high performance and reliability.
2) SanDisk has optimized various aspects of Ceph's software architecture and components like the messenger layer, OSD request processing, and filestore to improve performance on all-flash systems.
3) Testing showed the optimized Ceph configuration delivering over 200,000 IOPS and low latency with random 8K reads on an all-flash setup.
This document discusses AIOps and its importance for operating Kubernetes at scale. It begins with an introduction of the speaker and then discusses some of the challenges of monitoring and managing infrastructure and applications as they grow in complexity. Specifically, it notes the explosion of metrics from containers and microservices that make problems harder to identify and isolate. It then introduces AIOps as an approach that can help with both reactive and proactive monitoring through techniques like correlation of metrics, what-if analysis, and optimization of resources. Examples are given of how AIOps has been applied at companies to improve performance and utilization through techniques like scheduling, placement, and controlled oversubscription of resources.
Mpls conference 2016-data center virtualisation-11-marchAricent
Aricent’s presentation on “Micro VNFs and Micro service environment” on next generation Virtualized Network Functions (VNFs) is heating up. In debate on micro services, carriers has requested communities to step up research on micro service deployments.
Aricent believes that existing VNFs, which comes directly from the physical appliances software are not rightly designed and are less suited for cloud operations. These first generation VNFs are replication of physical appliances, monolithic architecture and need more computational power. These are heavy with physical appliance platform features i.e. HA, ISSU, Nonstop Routing/Switching and they have lots of redundant code which may not be necessary on cloud. As cloud platform provides these feature through its inherent platform capabilities.
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...The Linux Foundation
This talk presents a production-ready automotive virtualization solution with Xen. The key requirements that we focus are super-fast startup and recovery from failure, static virtual machine creation with dedicated resources, and performance effective graphics rendering. To reduce the boot time, we optimize the Xen startup procedure by effectively initializing Xen heap and VM memory, and booting multiple VMs concurrently. We provide fast recovery mechanism by re-implementing the VM reset feature. We also develop a highly optimized graphics APIs-forwarding mechanism supporting OpenGLES APIs up to v3.2. The pass rate of Khronos CTS in a guest OS is comparable to the Domain0’s. Our experiment shows that our virtualization solution provides reasonable performance for ARM-based automotive systems (hypervisor booting: less than 70ms, graphics performance: about 96% of Domain0).
Google and Intel speak on NFV and SFC service delivery
The slides are as presented at the meet up "Out of Box Network Developers" sponsored by Intel Networking Developer Zone
Here is the Agenda of the slides:
How DPDK, RDT and gRPC fit into SDI/SDN, NFV and OpenStack
Key Platform Requirements for SDI
SDI Platform Ingredients: DPDK, IntelⓇRDT
gRPC Service Framework
IntelⓇ RDT and gRPC service framework
Big Lab Problems Solved with Spectrum Scale: Innovations for the Coral Programinside-BigData.com
In this video from the DDN User Group at SC16, Sven Oehme Chief Research Strategist, IBM, presents "Big Lab Problems Solved with Spectrum Scale: Innovations for the Coral Program."
Watch the video presentation: http://wp.me/p3RLHQ-g52
Sign up for our insideHPC Newsletter: http://wp.me/p3RLHQ-g52
This profile summarizes Wonho Park's experience working in automotive software, embedded Linux/Android development, and SoC architecture design. Park has over 15 years of experience bringing up boards, porting operating systems, and optimizing performance. Currently, Park is involved in designing battery management and infotainment systems for electric vehicles after recently joining the automotive industry.
Amazon EC2 provides a broad selection of instance types to accommodate a diverse mix of workloads. In this session, we provide an overview of the Amazon EC2 instance platform, key platform features, and the concept of instance generations. We dive into the current generation design choices of the different instance families, including the General Purpose, Compute Optimized, Storage Optimized, Memory Optimized, and GPU instance families. We also detail best practices and share performance tips for getting the most out of your Amazon EC2 instances.
Similar to Metrics towards enterprise readiness of unikernels (20)
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
E-commerce Application Development Company.pdfHornet Dynamics
Your business can reach new heights with our assistance as we design solutions that are specifically appropriate for your goals and vision. Our eCommerce application solutions can digitally coordinate all retail operations processes to meet the demands of the marketplace while maintaining business continuity.
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
DDS Security Version 1.2 was adopted in 2024. This revision strengthens support for long runnings systems adding new cryptographic algorithms, certificate revocation, and hardness against DoS attacks.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Découvrez les dernières innovations de Neo4j, et notamment les dernières intégrations cloud et les améliorations produits qui font de Neo4j un choix essentiel pour les développeurs qui créent des applications avec des données interconnectées et de l’IA générative.
Odoo ERP software
Odoo ERP software, a leading open-source software for Enterprise Resource Planning (ERP) and business management, has recently launched its latest version, Odoo 17 Community Edition. This update introduces a range of new features and enhancements designed to streamline business operations and support growth.
The Odoo Community serves as a cost-free edition within the Odoo suite of ERP systems. Tailored to accommodate the standard needs of business operations, it provides a robust platform suitable for organisations of different sizes and business sectors. Within the Odoo Community Edition, users can access a variety of essential features and services essential for managing day-to-day tasks efficiently.
This blog presents a detailed overview of the features available within the Odoo 17 Community edition, and the differences between Odoo 17 community and enterprise editions, aiming to equip you with the necessary information to make an informed decision about its suitability for your business.
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Do you want Software for your Business? Visit Deuglo
Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions.
Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC).
Requirement — Collecting the Requirements is the first Phase in the SSLC process.
Feasibility Study — after completing the requirement process they move to the design phase.
Design — in this phase, they start designing the software.
Coding — when designing is completed, the developers start coding for the software.
Testing — in this phase when the coding of the software is done the testing team will start testing.
Installation — after completion of testing, the application opens to the live server and launches!
Maintenance — after completing the software development, customers start using the software.
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...kalichargn70th171
A dynamic process unfolds in the intricate realm of software development, dedicated to crafting and sustaining products that effortlessly address user needs. Amidst vital stages like market analysis and requirement assessments, the heart of software development lies in the meticulous creation and upkeep of source code. Code alterations are inherent, challenging code quality, particularly under stringent deadlines.
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
Looking for a reliable mobile app development company in Noida? Look no further than Drona Infotech. We specialize in creating customized apps for your business needs.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
2. Agenda
Introduction - bios
Unikernel Background
Developer/DevOps care about
Metric Set 1: Application lifecycle overhead
CIO cares about
Metric Set 2: Application datacenter footprint
3. Unikernel Background
Working Definition: Single Process env for running code

| Platform | Unmodified Legacy App support | Multi-threaded App support |
|---|---|---|
| OSv | Partial Yes (1: glibc subset, no fork/exec) | Yes* (pthread subset) |
| MirageOS | No* (until non-OCAML language bindings are available, no fork/execve) | Green threads (event loop) only |
| Rumprun | Yes* (no fork/execve/sigaction/mmap) | Yes (pthread) |
4. Developer/DevOps care about
Enterprise Application Lifecycle management
Developer: Time to build app from source code, preferably unmodified
DevOps: Time to configure runtime parameters (ex: TCP port, log file location)
DevOps: Time to deploy application
DevOps: Qualitative ease of managing+debugging long-running (weeks / months) application
6-9. Metric Set 1: Application Lifecycle (table built up one column at a time across slides 6-9)

| Platform | Convert Code to Image (Hours) | Start Time (Seconds) | Stop Time (Seconds) | Debuggability |
|---|---|---|---|---|
| VM | 8 (1, 2, 3) | 66.557 | 7.478 | |
| Container | 0 | 1.113 | 0.685 | |
| Unikernel | 40 (1, 2) | 0.483 | 0.019 | |
10. CIO cares about
Consolidation of applications on finite hardware resources
Multi-tenant security isolation amongst applications on a compute node
Multi-tenant Resource Management
Manageability, Accounting, Auditability
Infrastructure Power consumption
11-14. Metric Set 2: Data center footprint (table built up one column at a time across slides 11-14)

| Platform | Image Size (MB) | Runtime Memory Overhead (MB) | Security (Tenant Isolation) | Resource Knobs |
|---|---|---|---|---|
| VM | 143 | 619 (/proc/{vboxpid}/status/{VmSize} - Configured) | Strong | Strong (Reservation, Limits) |
| Container | 182.8 | 274.4 (containerd-shim /proc/{pid}/status/{VmSize}) | Weak | Moderate (Limits) |
| Unikernel | 7.8 | 1222 (/proc/{qemupid}/status/{VmSize} - Configured) | Strong | Moderate (knobs available, not used yet) |
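The runtime memory overhead column is the VmSize of the hypervisor (or containerd-shim) process, read from /proc/{pid}/status, minus the memory configured for the guest. The following is an added example implementing that measurement; it is not the deck's own tooling, and the process names, configured sizes and /proc status excerpts are constructed for illustration.

```python
"""Runtime memory overhead as defined on the slides: the hypervisor or shim
process's VmSize from /proc/<pid>/status, minus the RAM configured for the
guest (nothing is subtracted for the containerd-shim case).

Added example, not the deck's own tooling. The process names, configured
sizes and the /proc/<pid>/status excerpts below are constructed.
"""
import re
from pathlib import Path

KB_PER_MB = 1024
# The kernel always reports VmSize as "VmSize:<whitespace><n> kB".
_VMSIZE_RE = re.compile(r"^VmSize:\s+(\d+)\s+kB\s*$", re.MULTILINE)


def parse_vmsize_kb(status_text: str) -> int:
    """Return the VmSize value (in kB) from the text of /proc/<pid>/status.

    Raises ValueError if the field is absent (kernel threads have no VmSize
    line) or is not in the kernel's "VmSize: <n> kB" form.
    """
    match = _VMSIZE_RE.search(status_text)
    if match is None:
        raise ValueError("no 'VmSize: <n> kB' line in status text")
    return int(match.group(1))


def runtime_overhead_mb(status_text: str, configured_mb: float = 0.0) -> float:
    """VmSize in MB minus the memory configured for the guest.

    For a hypervisor process (VirtualBox, qemu) pass the guest's configured
    RAM; for a containerd-shim there is no guest allocation, so pass 0.
    Rounded to one decimal, matching the precision used on the slide.
    """
    vmsize_mb = parse_vmsize_kb(status_text) / KB_PER_MB
    return round(vmsize_mb - configured_mb, 1)


def runtime_overhead_for_pid(pid: int, configured_mb: float = 0.0) -> float:
    """Live variant: read /proc/<pid>/status on a Linux host (needs procfs)."""
    status_text = Path(f"/proc/{pid}/status").read_text()
    return runtime_overhead_mb(status_text, configured_mb)


# Constructed /proc/<pid>/status excerpt for a qemu process.
SAMPLE_QEMU_STATUS = """\
Name:\tqemu-system-x86
Umask:\t0022
State:\tS (sleeping)
Pid:\t4242
VmPeak:\t 2101248 kB
VmSize:\t 2097152 kB
VmRSS:\t  655360 kB
Threads:\t5
"""

# Constructed excerpt for a containerd-shim: no guest RAM to subtract.
SAMPLE_SHIM_STATUS = """\
Name:\tcontainerd-shim
State:\tS (sleeping)
Pid:\t5151
VmSize:\t  281088 kB
VmRSS:\t    8192 kB
"""

if __name__ == "__main__":
    # 2097152 kB = 2048 MB; with 1024 MB configured for the guest -> 1024.0 MB overhead
    print("qemu overhead MB:", runtime_overhead_mb(SAMPLE_QEMU_STATUS, configured_mb=1024))
    # 281088 kB = 274.5 MB, nothing subtracted for the shim
    print("shim overhead MB:", runtime_overhead_mb(SAMPLE_SHIM_STATUS))
```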
18. Metrics Set 3: Throughput Explanation
nginx-osv > nginx-linux > nginx-docker > nginx-vm
Baseline: 1 thread/client
Nginx-linux (bare metal) ~600 requests/sec
Nginx-vm slightly lower: expected because the client request needs to traverse two I/O stacks - the hypervisor's and the Guest OS's
Nginx-docker is close to bare metal: expected since the only thing separating the container from the workload generator is a network bridge
Nginx-osv slightly better than bare metal: client requests still have to go through the unikernel's I/O stack, but the I/O stack for OSv was designed to be light/lower-overhead, influenced by a design based on Van Jacobson's net channels
10 threads
Results get slightly more than 10X better (this is mostly because of reductions in average latency - next graph) but the ordering remains the same
19. Metrics Set 3: Response Time Explanation
nginx-osv > nginx-linux > nginx-docker > nginx-vm
Overall response times between 1ms and 2ms
Single thread case ~1.5ms, and 10 thread case < 1.5ms
Reduction in response time moving from 1 to 10 threads is mostly a result of caching and multiplexing.
With multiple threads, more work gets done per unit time. While thread A is processing the results of a response, thread B, which was waiting, can quickly be given a cached copy of the static file being served.
20. Summary
Developer/DevOps care about
Metric Set 1: Application lifecycle overhead
CIO cares about
Metric Set 2: Application datacenter footprint
Customer cares about
Metric Set 3: Application performance
Owner: Rean
Note: Refer to image size and overhead for cost estimates.
Worker connections = #clients simultaneously served
Worker processes * worker connections = anticipated upper limit on reqs/sec
Workload version of Rain (git hash b0b29438)
Workload configuration files:
https://github.com/rean/rain-workload-toolkit/blob/master/config/rain.config.nginx.json (determines workload duration, warm up and warm down)
https://github.com/rean/rain-workload-toolkit/blob/master/config/profiles.config.nginx.json (controls the IP address and port, number of threads, workload generator to use)
Experiment description
* simple HTTP GET workload, run for 5 minutes (10 sec warmup before, 10 sec rampdown afterwards) x 5 repeats
* Load generator and nginx instance run on the same machine so there’s no network jitter. We’re mainly capturing I/O stack overheads/differences
* Results reported = average over 5 repeats, error bars are 95% confidence intervals
Throughput results
* 1 thread/client is the baseline case
* bare metal (Nginx-linux) ~600 requests/sec, Nginx-vm slightly lower (expected because the client request needs to traverse two I/O stacks - the hypervisor’s and the Guest OS’s), Nginx-docker is close to bare metal (expected since the only thing separating the container from the workload generator is a network bridge), Nginx-osv slightly better than bare metal (client requests still have to go through the unikernel’s I/O stack but the I/O stack for OSV was designed to be light/lower-overhead - influenced by a design based on Van Jacobson’s net channels)
* General ordering is nginx-osv > nginx-linux > nginx-docker > nginx-vm
* 10 threads
* Results get slightly more than 10X better (this is mostly because of reductions in average latency - next graph) but the ordering remains the same
nginx-osv > nginx-linux > nginx-docker > nginx-vm
Response time results
* Overall response times between 1ms and 2ms
* Single thread case ~1.5ms, and 10 thread case < 1.5ms
* The reduction in response time moving 1 to 10 threads is mostly a result of caching and multiplexing. With multiple threads more work gets done per-unit time. While thread A is processing the results of a response, thread B, which was waiting, can quickly be given a cached copy of the static file being served.
Summarize:
3 perspectives on what might be important (CIO, developer, customer). Measurements.