XS Japan 2008 Isolation Japanese

•

0 likes•739 views

1) This document discusses network configuration and traffic control in the Xen virtualization environment. 2) It describes using netfront and netback for networking between Dom0 and DomU virtual machines and configuring hierarchical token bucket (HTB) scheduling and priority queueing (PFIFO) to control network bandwidth and traffic prioritization. 3) Key aspects covered include marking traffic with iptables, configuring HTB classes and rates for each DomU, and applying traffic control filters to map traffic to the appropriate queues.

Technology

Xen Sumit Tokyo 2008

<simon@valinux.co.jp>
<inakoshi.hiroya@jp.fujitsu.com>

Netback/Netfront

Netfront NIC ,

dom0 CPU
dom0

Dom0
DomU

Netback Networking Core 物理NICのドライバ
Netfront

skb skb skb
リングバッファ
パケット
第１スロット
フラグメントフラグメントフラグメントフラグメント
第２スロット
メタデータ
...
free list

Xen

DomU

Dom0
eth0

vif0.0
DomU

eth0 vif1.0 xenbr0 peth0 network

DomU
vif2.0

eth0

3 domU

DomU :

DomU

Dom0
eth0

vif0.0
DomU

eth0 vif1.0 xenbr0 peth0 network

DomU
vif2.0

eth0

xenbr0
domU

DomU : iptables

domU ,fwmark

iptables -t mangle -A FORWARD -m physdev
--physdev-in vif2.0 -j MARK --set-mark 100
iptables -t mangle -A FORWARD -m physdev
--physdev-in vif3.0 -j MARK --set-mark 110
iptables -t mangle -A FORWARD -m physdev
--physdev-in vif5.0 -j MARK --set-mark 120

Netback/Netfront

DomU

p≤s

where: p: vifN.M dom0
n: netback
( = 256)

dom0
dom0
dom0 domU

DomU :

1: htb

1:1 htb
rate 900Mbit
ceil 900Mbit

1:100 htb 1:110 htb 1:120 htb 1:130 htb
rate 500Mbit rate 100Mbit rate 100Mbit rate 100Mbit
ceil 900Mbit ceil 900Mbit ceil 900Mbit ceil 900Mbit

1100: pfifo 1110: pfifo 1120: pfifo 1130: pfifo
limit 1000p limit 1000p limit 1000p limit 1000p

DomU : HTB : Root Inner

Root
tc qdisc add dev peth0 root handle 1: htb default 130

Inner

tc class add dev peth0 parent 1: classid 1:1 htb
rate 900Mbit ceil 900Mbit

DomU : HTB : Leaf

Leaf

tc class add dev peth0 parent 1:1 classid 1:100 htb
rate 500Mbit ceil 900Mbit
tc class add dev peth0 parent 1:1 classid 1:110 htb
rate 100Mbit ceil 900Mbit
tc class add dev peth0 parent 1:1 classid 1:120 htb
rate 100Mbit ceil 900Mbit
tc class add dev peth0 parent 1:1 classid 1:130 htb
rate 100Mbit ceil 900Mbit

DomU : FIFO

HTB Leaf FIFO
HTB qdisc
PFIFO

tc qdisc add dev peth0 parent 1:100 handle 1100: pfifo limit 1000
tc qdisc add dev peth0 parent 1:110 handle 1110: pfifo limit 1000
tc qdisc add dev peth0 parent 1:120 handle 1120: pfifo limit 1000
tc qdisc add dev peth0 parent 1:130 handle 1130: pfifo limit 1000

DomU :

iptables fwmark
handle N fwmark
flowid X:Y ﬂowid X:Y

tc filter add dev peth0 protocol ip parent 1:
handle 100 flowid 1:100
tc filter add dev peth0 protocol ip parent 1:
handle 110 flowid 1:110
tc filter add dev peth0 protocol ip parent 1:
handle 120 flowid 1:120

Алексей Туля, Senior Software Developer в Sam Solutions «Практический опыт профайлинга и оптимизации производительности Ruby-приложений» В своем докладе Алексей сделает краткий обзор различных реализаций Ruby, попытается найти причины, почему Ruby медленный. Рассмотрит вопрос сборки мусора в Ruby и вызова методов – почему в Ruby это дорого. Расскажет и покажет, что делать, чтобы поднять производительность, проведет обзор утилит для поиска проблемных мест, обзор профайлеров и расскажет, как интерпретировать результаты. Доклад в основном нацелен на практический подход по поиску проблем. Материал предназначен для пользователей Linux, поэтому все практические советы будут для ОС Linux.

Le slides hanno l'obiettivo di evidenziare le nuove features di sicurezza introdotte nell'ultima release docker sia descrivendone il funzionamento sia mostrando, attraverso alcune demo, l'eventuale impatto in ambienti di produzione. Viene fatta una comparazione, in termini di analisi del rischio, tra ambienti host utilizzanti engine inferiore a release 1.9 e nuove versioni, soffermandosi su mancanze e future implementazioni.

Lec7

Heather Kulik

Cpu高效编程技术Feng Yu

Docker container management

Karol Kreft

Rpm Introduction

Shrinivasan T

Linux CommandsUtkarsh Sengar

Haproxy - zastosowania

Łukasz Jagiełło

Performance tweaks and tools for Linux (Joe Damato)Ontico

What's hot

SiteGround Tech TeamBuilding

Marian Marinov

Basic command for linuxgt0ne

Sermonsamaria1

TcpdumpMohamed Gamel

Linux fundamental - Chap 09 pkg

Kenny (netman)

Linux fundamental - Chap 05 filter

Kenny (netman)

Linux fundamental - Chap 00 shell

Kenny (netman)

Lev

Kazuya Kawaguchi

Ngrep commands

Rishu Seth

[MathWorks] Versioning Infrastructure

Perforce

Introduction to tcpdumpLev Walkin

Logเบญจมาศ วัฒนะพระยา

TechTalkThursday 29.06.2017: Wie verhält sich DDoS in der Realität?

nine

Logsaefuddinasep

Container security: seccomp, network e namespaces

Kiratech

Lec7

Heather Kulik

Cpu高效编程技术Feng Yu

Docker container management

Karol Kreft

Rpm Introduction

Shrinivasan T

Linux CommandsUtkarsh Sengar

What's hot (20)

SiteGround Tech TeamBuilding

Basic command for linux

Sermon

Tcpdump

Linux fundamental - Chap 09 pkg

Linux fundamental - Chap 05 filter

Linux fundamental - Chap 00 shell

Lev

Ngrep commands

[MathWorks] Versioning Infrastructure

Introduction to tcpdump

Log

TechTalkThursday 29.06.2017: Wie verhält sich DDoS in der Realität?

Log

Container security: seccomp, network e namespaces

Lec7

Cpu高效编程技术

Docker container management

Rpm Introduction

Linux Commands

Similar to XS Japan 2008 Isolation Japanese

Haproxy - zastosowania

Łukasz Jagiełło

Performance tweaks and tools for Linux (Joe Damato)Ontico

Complete squid & firewall configuration. plus easy mac binding

Chanaka Lasantha

25 most frequently used linux ip tables rules examplesTeja Bheemanapally

Adsl lab

VNG

Ubuntu server wireless access point (eng)

Anatoliy Okhotnikov

Velocity 2011 - Our first DDoS attack

Cosimo Streppone

Debugging Ruby Systems

Engine Yard

CCNA_200-301_June_2023-v1.2.pdf

CCIEHOMER

Pound VarnishMário Luz

Deeper Dive in Docker Overlay Networks

Docker, Inc.

The Docker network overlay driver relies on several technologies: network namespaces, VXLAN, Netlink and a distributed key-value store. This talk will present each of these mechanisms one by one along with their userland tools and show hands-on how they interact together when setting up an overlay to connect containers. The talk will continue with a demo showing how to build your own simple overlay using these technologies. Finally, it will show how we can dynamically distribute IP and MAC information to every hosts in the overlay.

20210415 IoTLT vol74 kitazaki v1

Ayachika Kitazaki

IPv6 for Pentesters

NotSoSecure Global Services

IPv6 for Pentesters

camsec

Cisco CCNA- DHCP Server

Hamed Moghaddam

DUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center

Andrey Kudryavtsev

NFS and OracleKyle Hailey

Configure Mikrotik Khmer.pdf

BT Digital

Collaborate nfs kyle_finalKyle Hailey

Similar to XS Japan 2008 Isolation Japanese (20)

Haproxy - zastosowania

Performance tweaks and tools for Linux (Joe Damato)

Complete squid & firewall configuration. plus easy mac binding

25 most frequently used linux ip tables rules examples

Adsl lab

Ubuntu server wireless access point (eng)

Velocity 2011 - Our first DDoS attack

Debugging Ruby Systems

CCNA_200-301_June_2023-v1.2.pdf

Pound Varnish

Deeper Dive in Docker Overlay Networks

20210415 IoTLT vol74 kitazaki v1

IPv6 for Pentesters

Cisco CCNA- DHCP Server

DUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center

NFS and Oracle

Configure Mikrotik Khmer.pdf

Collaborate nfs kyle_final

More from The Linux Foundation

ELC2019: Static Partitioning Made Simple

The Linux Foundation

Static partitioning is used to split an embedded system into multiple domains, each of them having access only to a portion of the hardware on the SoC. It is key to enable mixed-criticality scenarios, where a critical application, often based on a small RTOS, runs alongside a larger non-critical app, typically based on Linux. The two domains cannot interfere with each other. This talk will explain how to use Xen for static partitioning. It will introduce dom0-less, a new Xen feature written for the purpose. Dom0-less allows multiple VMs to start at boot time directly from the Xen hypervisor, decreasing boot times drastically. It makes it very easy to partition the system without virtualization overhead. Dom0 becomes unnecessary. This presentation will go into details on how to setup a Xen dom0-less system. It will show configuration examples and explain device assignment. The talk will discuss its implications for latency-sensitive and safety-critical environments.

XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...

The Linux Foundation

TrenchBoot is a cross-community OSS integration project for hardware-rooted, late launch integrity of open and proprietary systems. It provides a general purpose, open-source DRTM kernel for measured system launch and attestation of device integrity to trust-centric access infrastructure. TrenchBoot closes the UEFI Measurement Gap and reduces the need to trust system firmware. This talk will introduce TrenchBoot architecture and a recent collaboration with Oracle to launch the Linux kernel directly with Intel TXT or AMD SVM Secure Launch. It will propose mechanisms for integrating the Xen hypervisor into a TrenchBoot system launch. DRTM-enabled capabilities for client, server and embedded platforms will be presented for consideration by the Xen community.

XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...

The Linux Foundation

Artem will briefly cover what has been done since the first talk on Xen in Automotive domain back in 2013, what is going on now and what is still missing for broad adaptation of Xen in vehicles. The following topics will be covered: Embedded/automotive features of Xen Collaboration with AGL and GENIVI organizations for standardization Efforts on Functional Safety compliance Artem will also go over typical automotive use scenarios for Xen which may not be the same as generic computing use of hypervisor.

XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...

The Linux Foundation

XPDDS19 Keynote: Unikraft Weather Report

The Linux Foundation

In recent years unikernels have shown immense performance potential (e.g., boot times of only a few ms, image sizes of only hundreds of KBs).The fundamental drawback of unikernels is that they require that applications be manually ported to the underlying minimalistic OS, needing both expert work and often considerable amount of time. The Unikraft project provides a unikernel code base and build system that significantly simplifies the building of unikernels. In addition to support for a number CPU architectures, languages and frameworks, Unikraft provides debugging and tracing features that are generally sorely missing from unikernel projects. In this talk we will talk about these features, show a set of preliminary performance numbers, and provide a roadmap for the project's future.

XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...

The Linux Foundation

XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx

The Linux Foundation

This talk will introduce Dom0-less: a new way of using Xen to build mixed-criticality solutions. Dom0-less is a Xen feature that adds a novel approach to static partitioning based on virtualization. It allows multiple domains to start at boot time directly from the Xen hypervisor, decreasing boot times dramatically. Xen userspace tools, such as xl and libvirt, become optional. Dom0-less extends the existing device tree based Xen boot protocol to cover information required by additional domains. Binaries, such as kernels and ramdisks, are loaded by the bootloader (u-boot) and advertised to Xen via new device tree bindings. The audience will learn how to use Dom0-less to partition the system. Uboot and device tree configuration details will be explained to enable the audience to get the most out of this feature. The talk will include a status update and details on future plans.

XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...

The Linux Foundation

As the number of contributions grow, reviewer bandwidth becomes a bottleneck; and maintainers are always asking for more help. However, ultimately maintainers must at least Ack every patch that goes in; so if you're not a maintainer, how can you contribute? Why should anyone care about your opinion? This talk will try to lay out some advice and guidelines for non-maintainers, for how they can do code review in a way which will effectively reduce the load on maintainers when they do come to review a patch.

XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender

The Linux Foundation

This talk is a follow-up to our Summit 2017 presentation in which we covered our plans for Intel VMFUNC and #VE, as well as related use-cases. This year, we will provide a report on what we have accomplished in Xen 4.12, and what remains to be addressed. We will also give a brief status update of VMI on AMD hardware. The session will end with some real-world numbers of the Hypervisor Introspection solution running on Citrix Hypervisor 8.0 with #VE enabled.

OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...

The Linux Foundation

Safety certification is one of the essential requirements for software to be used in highly regulated industries. Besides technical and compliance issues (such as ISO 26262 vs IEC 611508) transitioning an existing project to become more easily safety certifiable requires significant changes to development practices within an open source project. In this session, we will lay out some challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the Xen Project has followed thus far and highlight lessons learned along the way. The talk will primarily focus on necessary process, tooling changes and community challenges that can prevent progress. We will be offering an in-depth review of how Xen Project is approaching this challenging goal and try to derive lessons for other projects and contributors.

OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...

The Linux Foundation

Safety certification is one of the essential requirements for software to be used in highly regulated industries. The Xen Project, a secure and stable hypervisor that is used in many different markets, has been exploring the feasibility of building safety certified products on top of Xen for a year, looking at key aspects of its code base and development practices. In this session, we will lay out the motivation and challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the project has followed thus far and highlight lessons learned along the way. The talk will cover technical enablers, necessary process and tooling changes and community challenges offering an in-depth review of how Xen Project is approaching this exciting and and challenging goal.

XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix

The Linux Foundation

2018 saw fundamental shifts in security boundaries which were previously taken for granted. A lot of work has been done in the past 2 years, and largely in secret under embargo, but there is plenty more work to be done to strengthen the existing mitigations and to try to recover some performance without reopening security holes. This talk will look at speculative execution sidechannels, the work which has already been done to mitigate the security holes, and future work which hopes to bring some improvements.

XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd

The Linux Foundation

The Arm architecture provides a set of guidelines that any software should abide by when accessing the memory with MMU off and update page-tables. Failing to do so may result in getting TLB conflicts or breaking coherency. In a previous talk ("Keeping coherency on Arm"), we focused on updating safely the stage-2 (aka P2M) page-tables. This talk will focus on the boot code and Xen memory management. During this session, we will introduce some of the guidelines and when they should be used. We will also discuss how Xen boot sequence needs to be reworked to avoid breaking the guidelines.

XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...

The Linux Foundation

For many years the QEMU codebase has contained PV backends for Xen guests, giving them paravirtual access to storage, network, keyboard, mouse, etc. however these backends have not been configurable as QEMU devices as their implementation did not fully adhere to the QEMU Object Model (QOM). Particularly the PV storage backend not using proper QOM devices, or qdevs, meant that the QEMU block layer needed to maintain legacy code that was cluttering up the source. This was causing push-back from the maintainers who did not want to accept any patches relating to that Xen backend until it was 'qdevified'. In this talk, I'll explain the modifications I made to QEMU to achieve 'qdevification' of the PV storage backend, how compatibility with the libxl toolstack was maintained, and what the next steps in both QEMU and libxl development should be.

XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D

The Linux Foundation

PCI is a local computer bus for attaching hardware devices in a computer, and is the main peripheral bus on modern x86 systems. As such, having a proper way to emulate it is crucial for Xen to be able to expose both fully emulated devices or passthrough devices to guests. This talk will focus on the current status of PCI emulation in Xen, how and where it is used, what are its main limitations and future plans to improve it in order to be more robust and modular.

XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems

The Linux Foundation

XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...

The Linux Foundation

Xen is a very powerful hypervisor with a talented and diverse developers community. Despite the fact it's almost everywhere (from the Cloud to the embedded world), it can be difficult to set up and manage as a system administrator. General purpose distros have Xen packages, but that's just a start in your Xen journey: you need some tooling and knowledge to have a working and scalable platform. XCP-ng was built to overcome those issues: by bringing Xen to the masses with a fully turnkey distro with Xen as its core. It's the logical sequel to the XCP project, with a community focus from the start. We'll see how it happened, what we did, and what's next. Finally, we'll see the impact of XCP-ng on the Xen Project.

XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...

The Linux Foundation

XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...

The Linux Foundation

High level toolstacks for server and cloud virtualization are very mature with large communities using and supporting them. Client virtualization is a much more niche community with unique requirements when compared to those found in the server space. In this talk, we’ll introduce a client virtualization toolstack for Xen (redctl) that we are using in Redfield, a new open-source client virtualization distribution that builds upon the work done by the greater virtualization and Linux communities. We will present a case for maturing libxl’s Go bindings and discuss what advantages Go has to offer for high level toolstacks, including in the server space.

XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE

The Linux Foundation

Today Xen is scheduling guest virtual cpus on all available physical cpus independently from each other. Recent security issues on modern processors (e.g. L1TF) require to turn off hyperthreading for best security in order to avoid leaking information from one hyperthread to the other. One way to avoid having to turn off hyperthreading is to only ever schedule virtual cpus of the same guest on one physical core at the same time. This is called core scheduling. This presentation shows results from the effort to implement core scheduling in the Xen hypervisor. The basic modifications in Xen are presented and performance numbers with core scheduling active are shown.

More from The Linux Foundation (20)