XPDS13: Performance Optimization on Xen-based Android Device - Jack Ren, Inte... | The Linux Foundation
Mobile devices, such as smart phones and tablets, are becoming de-facto everyday computing and communication devices; virtualization can bring additional benefits to mobile devices for both security and manageability. An IT department may use a hypervisor, as a highly secure solution, to manage authorized mobile devices, such as for network traffic monitoring, filtering, scan (for virus detection), and/or OS update/patching even when the guest OS becomes completely dead. We insert Xen to the mobile OS Android to deprivilege Android as a guest for security and manageability purposes. However, the usage case of a mobile device is quite different from that of a server; for example, mobile devices run completely different benchmarks (mostly multimedia focused) vs. those on a server (mostly responsiveness focused). We analyze the gap of Xen as a mobile hypervisor and present how we improve the performance.
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -... | The Linux Foundation
XenServer is open source and freely available, but it is packaged as an appliance image which must be installed on dedicated hardware. xenserver-core repackages the core components of XenServer so they can easily be built and installed on a standard Linux distribution. Its main goals are:
* to make it easy to download, modify and build XenServer components, or just learn how they work;
* to help upstream distributions to include up-to-date XenServer packages;
* to provide an environment for experimentation.
This talk will explain the motivations behind xenserver-core and how it relates to the open-sourcing of XenServer. For developers, it will cover how to get the code, how to build it and how to contribute back to the project. For packagers, it will explain the project's development and release processes and what an upstream maintainer can expect from it.
The last two years have seen an extraordinary level of change within the Xen Project developer and user communities. The project introduced Document Days, Test Days, Release Managers and has become much more vocal in telling its story. The most significant was the move of the Xen Project to become a Linux Foundation Collaborative Project last year and the creation of the Xen Project Advisory Board. In this talk we will highlight the key changes that have affected our User Community and outline what comes next. We will also make a short detour explaining the role and impact of the Xen Project Advisory Board.
The last two years have seen an extraordinary level of change within the Xen Project developer and user communities. Join Lars Kurth as he opens the 2014 Xen Project Developer Summit with a short round-up of the bad, the good, and the great developments in the Xen Project.
XPDS14: Xenstore Mandatory Access Control - James Bielman, Galois | The Linux Foundation
Mandatory Access Control (MAC) is a security model in which access decisions are governed by a centralized security policy rather than the system's users. Systems with MAC are better protected from malicious or careless users and programs granting permissions that violate a system's desired security goals.
Xen supports MAC at the hypervisor level via the Flask Xen Security Module (XSM/Flask), building upon the widely used SELinux infrastructure. However, other critical components of the Xen architecture, such as Xenstore, are not covered by the XSM security policy.
Galois has developed an implementation of mandatory access control for a disaggregated Xenstore domain. In this presentation, James Bielman will discuss the implementation of Xenstore's nested security server in a Mirage-based Xen kernel.
XPDS14: Network Throughput Improvements in XenServer - Zoltan Kiss, Citrix | The Linux Foundation
XenServer Engineering spent concentrated effort over the past year to improve the network performance of the virtual machines. In this presentation, Zoltan Kiss will present the various developments done in this area by his team, including the reintroduction of grant mapping on the TX path, multiqueue and various Open vSwitch improvements.
XPDS13: XenGT - A software based Intel Graphics Virtualization Solution - Hai... | The Linux Foundation
GPU virtualization has become an increasingly important requirement for client virtualization and cloud. Significant challenges exist in realizing the multiplexing of graphics, media and compute workloads from multiple VMs and achieving the goals of being fully functional, high performance and secure. In this presentation, we will first review existing graphics virtualization technologies, and then introduce how XenGT - an open source solution from Intel - approaches this differently. Broad functionality and good performance are achieved by accelerating the native OS graphics stack in each VM with minimum hypervisor intervention. A software mediator ensures the secure multiplexing of workloads from the multiple VMs by managing the scheduling of VMs on the GPU and controlling access to privileged resources and operations.
Collaborative development is at the core of successful open source projects. Yet to be successful in today's competitive open source world, it is increasingly important to master many different disciplines and to develop an edge.
In this talk we will cover a wide range of topics relevant to developers and members of open source communities who want to increase participation in their projects. Topics range from growing your developer base (e.g. by participation in GSoC, OPW and similar programs), rewarding participation, projecting momentum in the media and press, coercing large companies into contributing more and in different ways to your project, running community initiatives successfully and measuring success.
We will use real-life examples and where appropriate share tools and mental models that help you make the right decisions for your project.
In Infrastructure-as-a-Service (IAAS) clouds, Xen is a popular choice of hypervisor. While the Xen hypervisor has strong isolation, integrating with the cloud infrastructure environment (switches, routers, load balancers, firewalls, IP address allocation) requires additional work by the IAAS cloud management platform (CMP) to achieve this. We will look at various solutions such as network virtualization, SDN, network function virtualization and L3 isolation that work with the Xen hypervisor, in the context of the Apache CloudStack IAAS platform. Attendees will come away with an understanding of the challenges of network isolation, how Apache CloudStack solves some of the scaling issues and the future of Xen-based clouds.
This document provides an overview of using the Xen management API with the Ruby programming language. It discusses how the API standardizes the data model and communication protocol. It then demonstrates how to use a Ruby gem to interface with the API, giving examples of accessing virtual machines, calling methods on them, and using the API to perform operations equivalent to "xm create".
XPDS13: On Paravirtualizing TCP - Congestion Control on Xen VMs - Luwei Cheng,... | The Linux Foundation
While datacenters are increasingly adopting VMs to provide elastic cloud services, they still rely on traditional TCP for congestion control. In this talk, I will first show that VM scheduling delays can heavily contaminate RTTs sensed by VM senders, preventing TCP from correctly learning the physical network condition. Focusing on the incast problem, which is commonly seen in large-scale distributed data processing such as MapReduce and web search, I find that the solutions that have been developed for *physical* clusters fall short in a Xen *virtual* cluster. Second, I will provide a concrete understanding of the problem, and reveal that the situations when the sending VM is preempted versus when the receiving VM is preempted are different. Third, I will introduce my recent attempts at paravirtualizing TCP to overcome the negative effect caused by VM scheduling delays.
XPDS13: Increasing XenServer's VM density - Jonathan Davies, Citrix | The Linux Foundation
The document discusses increasing VM density on XenServer. It outlines various hard limits on VM density imposed by factors like the number of dom0 event channels. It analyzes how these limits were addressed in XenServer 6.1 and 6.2 through techniques like increasing the number of event channels and minor numbers. It also examines soft limits caused by high CPU usage from components like xenstored and qemu that can impact density. The goal is to understand current limits and ways to remove barriers to scaling density with hardware.
This document introduces security features of the Xen hypervisor for securing cloud installations. It begins with an overview of Xen Project architecture including driver domains and control domains. It then discusses potential attack surfaces like the network path and PyGrub boot loader. It analyzes what could be compromised from successful exploits, such as control of the entire system. The document recommends security features like driver domains, which isolate hardware drivers in a limited VM, and fixed kernels, which remove the ability to choose the kernel and thus block that attack path.
CentOS Virt SIG - Community virtualization packages on an immutable core | The Linux Foundation
CentOS is a "distribution" with a rather unique description: it is a free (gratis) clone of a commercially-supported "distribution" with all the branding removed. Being an enterprise-grade distribution means solid and well-tested; but it also means not having the latest functionality. It also means having a small enough feature set to provide commercial support in a viable manner: and that typically means choosing one technology and sticking with it.
But what if you wanted your entire system to be solid, and well-tested, but want the latest features for one particular package or program? Or what if you really wanted an enterprise system, but wanted to use one of the alternate technologies that were not selected?
This is where CentOS SIGs come in. The new CentOS is still at its core a clone of an upstream enterprise distribution. But having had success with the Xen4CentOS project, which provided a version of Xen to run on CentOS 6, they have now generalized the process.
This talk will talk about CentOS SIGs: the vision, the structure, what SIGs are available. We will compare and contrast them to other community distro development models like Fedora, OpenSuSE, Debian, Ubuntu, and so forth. We will also share lessons from the CentOS Virt SIG, in which a number of virtualisation and related technologies such as Xen, oVirt, Docker and others collaborate.
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform... | The Linux Foundation
Released as Open Source Software (OSS) in June 2014, OpenXT is a collection of hardened Linux VMs configured to provide a user facing Xen platform for client devices. This default configuration was mostly static, applying some disaggregation techniques to segregate system components based on a general threat analysis. The goals embodied in this code base up to its release produced a one-size-fits-most configuration with extensibility in specific areas to encapsulate 3rd party value-add.
With a community now forming around OpenXT we must come to terms with the limitations of this approach. In this talk Philip will define what OpenXT is and in this definition, show that OpenXT can meet the varied needs of the security and virtualization community through the construction of a toolkit for the configurable disaggregation of a Xen platform.
This document provides an overview of securing a Xen virtualization environment. It begins with introducing Russell Pavlicek, a Xen Project Evangelist from Citrix Systems. It then discusses some key security features of Xen like driver domains, stub domains, PVgrub, and the FLASK security module. It examines potential attack surfaces like the network interface, PyGrub bootloader, Qemu device model, and the Xen hypervisor itself. It explains how the security features can be used to mitigate attacks and limit the impact of potential exploits. The document provides basic instructions on configuring some of these security features.
This document discusses emotional intelligence and its components: empathy, emotion reflection, and self-control. It provides information and exercises on developing these skills. Empathy involves understanding other people's perspectives without judgment. Emotion reflection requires recognizing and controlling one's emotions. Self-control means regulating impulses and anger through awareness of triggers, thoughts, and solutions. Developing these abilities can improve social skills and relationships.
LGBT history month research lesson 2017 | Felt-tip-pen
This document outlines a lesson plan for students to research LGBT artists during LGBT History Month. It instructs students to get into groups and research one of several artists - including Andy Warhol, David Hockney, and Frida Kahlo. It provides directions for structuring their time to research the artist individually and then create a 10-slide PowerPoint presentation to present their findings to the class. The document also lists elements students should include in their presentation and provides feedback guidelines for their peers.
This document discusses family relationships and important people in a person's life. It lists common family members like parents, children, grandparents, as well as other relatives and neighbors who are considered important. Family roles covered include mother, father, son, daughter, grandmother, grandfather, grandchildren, cousins, great-grandparents and neighbors.
The technology company announced a new operating system for personal computers. The new system is faster and more secure than the previous one, with improvements to the user interface and strengthened privacy. The new version will be available for download in the autumn and will bring significant changes to the user experience.
Xen Project Contributor Training Part2 : Processes and Conventions v1.1 | The Linux Foundation
The document outlines the governance principles and processes of the Xen Project open source hypervisor community. It discusses principles of openness, transparency and meritocracy. It describes roles like maintainers, committers and project leads. It covers topics like decision making, design reviews, release processes, earning status, and resolving conflicts.
Scale14x: Are today's foss security practices robust enough in the cloud era ... | The Linux Foundation
Recent vulnerabilities like Heartbleed and Shellshock have brought the security practices and track record of open-source projects into the spotlight. A project’s response to security issues has a major impact on how much risk end users are exposed to and how the project is perceived in the technology industry.
We will compare the security practices of key projects such as Linux, Docker, Xen Project, OpenStack and others. We will explore the trade-offs of different security practices, such as community trust, competing stakeholder interests, fairness and media coverage of vulnerabilities. Finally, we will explore the evolution of the Xen Project’s security process over the past 3 years as a case study. We will illustrate the trade-offs, pain points and unexpected issues we have experienced, to help other projects understand the pitfalls in designing robust security processes and help users of open source projects understand how open source projects manage security vulnerabilities.
XPDS16: Live Migration of vGPU - Xiao Zheng, Intel Asia-Pacific Research & De... | The Linux Foundation
GPU virtualization is hot in cloud usages including VDI, media processing, etc. While Intel GVT-g (a.k.a XenGT) helps unleash those compelling usages on Intel Processor Graphics, new requirements are emerging such as VM live migration with vGPU. In this session we will introduce the challenges of supporting vGPU live migration on current migration framework, then elaborate techniques to bring vGPU live migration into XenGT.
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct... | The Linux Foundation
This document summarizes the Xen security framework (XSM), which enables fine-grained control over interactions between domains, hypervisor, and resources. XSM uses mandatory access control based on security labels rather than discretionary access control. Permissions for subjects (processes or VMs) to interact with objects (files, ports, devices, etc.) are defined in security policies. The architecture includes security policies, a policy controlling entity, security server, access vector cache, and policy database. The decision making process involves checking the access vector cache, consulting the security server and policy database if needed, and returning the access decision. Challenges include ensuring atomic policy changes and consistency between security policy and runtime policy database.
Selecting the correct hypervisor for CloudStack 4.5 | Tim Mackey
Apache CloudStack supports multiple hypervisors out of the box, and the obvious question is which hypervisor is best for CloudStack. In this session we cover core CloudStack components such as networking, storage and virtualization functions to present which hypervisor is able to meet a given requirement. The core take-away is that with an understanding of the services to be delivered the correct hypervisor, or hypervisors, can be selected with relative ease. This deck is as delivered at CloudStack Days 2015 in Seattle.
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul... | The Linux Foundation
Since its inception, the Xen Orchestra project, which uses AGPLv3, has always had a philosophy of listening to and engaging the community. User feedback shaped our initial concept, which first targeted system administrators. Eventually, our users drove us to support cloud-scale deployments supporting up to 2000 VMs. Retaining simplicity in usage and installation while evolving Xen Orchestra to cloud scale posed many challenges. This led us to build many new features such as ACLs, self-service, live charts, config drive management, and more, and forced us to constantly evolve our architecture. First we will show how user needs changed our architecture, and how we implemented challenging problems such as user permissions, ACLs, Containers in a virtualized infrastructure and self service. We will conclude with a short demo, what is next and lessons learned.
In Infrastructure-as-a-Service (IAAS) clouds, Xen is a popular choice of hypervisor. While the Xen hypervisor has strong isolation, integrating with the cloud infrastructure environment (switches, routers, load balancers, firewalls, ip address allocation) requires additional work by the IAAS cloud management platform (CMP) to achieve this. We will look at various solutions such as network virtualization, SDN, network function virtualization and L3 isolation that work with the Xen hypervisor, in the context of the Apache CloudStack IAAS platform. Attendees will come away with an understanding of the challenges of network isolation, how Apache CloudStack solves some of the scaling issues and the future of Xen-based clouds.
This document provides an overview of using the Xen management API with the Ruby programming language. It discusses how the API standardizes the data model and communication protocol. It then demonstrates how to use a Ruby gem to interface with the API, giving examples of accessing virtual machines, calling methods on them, and using the API to perform operations equivalent to "xm create".
XPDS13: On Paravirualizing TCP - Congestion Control on Xen VMs - Luwei Cheng,...The Linux Foundation
While datacenters are increasingly adopting VMs to provide elastic cloud services, they still rely on traditional TCP for congestion control. In this talk, I will first show that VM scheduling delays can heavily contaminate RTTs sensed by VM senders, preventing TCP from correctly learning the physical network condition. Focusing on the incast problem, which is commonly seen in large-scale distributed data processing such as MapReduce and web search, I find that the solutions that have been developed for *physical* clusters fall short in a Xen *virtual* cluster. Second, I will provide a concrete understanding of the problem, and reveal that the situations that when the sending VM is preempted versus when the receiving VM is preempted, are different. Third, I will introduce my recent attempts on paravirtualizing TCP to overcome the negative effect caused by VM scheduling delays.
XPDS13: Increasing XenServer's VM density - Jonathan Davies, CitrixThe Linux Foundation
The document discusses increasing VM density on XenServer. It outlines various hard limits on VM density imposed by factors like the number of dom0 event channels. It analyzes how these limits were addressed in XenServer 6.1 and 6.2 through techniques like increasing the number of event channels and minor numbers. It also examines soft limits caused by high CPU usage from components like xenstored and qemu that can impact density. The goal is to understand current limits and ways to remove barriers to scaling density with hardware.
This document introduces security features of the Xen hypervisor for securing cloud installations. It begins with an overview of Xen Project architecture including driver domains and control domains. It then discusses potential attack surfaces like the network path and PyGrub boot loader. It analyzes what could be compromised from successful exploits, such as control of the entire system. The document recommends security features like driver domains, which isolate hardware drivers in a limited VM, and fixed kernels, which remove the ability to choose the kernel and thus block that attack path.
CentOS Virt SIG - Community virtualization packages on an immutable coreThe Linux Foundation
CentOS is a "distribution" with a rather unique description: it is a free (gratis) clone of a commercially-supported "distribution" with all the branding removed. Being enterprise-grade distribution means solid and well-tested; but it also means not having the latest functionality. It also means having a small enough feature set to provide commercial support in a viable manner: and that typically means choosing one technology and sticking with it.
But what if you wanted your entire system to be solid, and well-tested, but want the latest features for one particular package or program? Or what if you really wanted an enterprise system, but wanted to use one of the alternate technoligies that were not selected?
This is where CentOS SIGs come in. The new CentOS is still at its core a clone of an upstream enterprise distribution. But having had success with the Xen4CentOS project, which provided a version of Xen to run on CentOS 6, they have now generalized the process.
This talk will talk about CentOS SIGs: the vision, the structure, what SIGs are available. We will compare and contrast them to other community distro development models like Fedora, OpenSuSE, Debian, Ubuntu, and so forth. We will also share lessons from the CentOS Virt SIG, in which a number of virtualisation and related technologies such as Xen, oVirt, Docker and others collaborate.
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...The Linux Foundation
Released as Open Source Software (OSS) in June 2014, OpenXT is a collection of hardened Linux VMs configured to provide a user facing Xen platform for client devices. This default configuration was mostly static, applying some disaggregation techniques to segregate system components based on a general threat analysis. The goals embodied in
this code base up to its release produced a one-size-fits-most configuration with extensibility in specific areas to encapsulate 3rd party value-add.
With a community now forming around OpenXT we must come to terms with the limitations of the this approach. In this talk Philip will define what OpenXT is and in this definition, show that OpenXT can meet the varied needs of the security and virtualization community through the
construction of a toolkit for the configurable disaggregation of a Xen platform.
This document provides an overview of securing a Xen virtualization environment. It begins with introducing Russell Pavlicek, a Xen Project Evangelist from Citrix Systems. It then discusses some key security features of Xen like driver domains, stub domains, PVgrub, and the FLASK security module. It examines potential attack surfaces like the network interface, PyGrub bootloader, Qemu device model, and the Xen hypervisor itself. It explains how the security features can be used to mitigate attacks and limit the impact of potential exploits. The document provides basic instructions on configuring some of these security features.
This document discusses emotional intelligence and its components: empathy, emotion reflection, and self-control. It provides information and exercises on developing these skills. Empathy involves understanding other people's perspectives without judgment. Emotion reflection requires recognizing and controlling one's emotions. Self-control means regulating impulses and anger through awareness of triggers, thoughts, and solutions. Developing these abilities can improve social skills and relationships.
LGBT history month research lesson 2017Felt-tip-pen
This document outlines a lesson plan for students to research LGBT artists during LGBT History Month. It instructs students to get into groups and research one of several artists - including Andy Warhol, David Hockney, and Frida Kahlo. It provides directions for structuring their time to research the artist individually and then create a 10-slide PowerPoint presentation to present their findings to the class. The document also lists elements students should include in their presentation and provides feedback guidelines for their peers.
This document discusses family relationships and important people in a person's life. It lists common family members like parents, children, grandparents, as well as other relatives and neighbors who are considered important. Family roles covered include mother, father, son, daughter, grandmother, grandfather, grandchildren, cousins, great-grandparents and neighbors.
The technology company announced a new operating system for personal computers. The new system is faster and more secure than the previous one, with improvements to the user interface and strengthened privacy. The new version will be available for download in the fall and will bring significant changes to the user experience.
Xen Project Contributor Training Part2 : Processes and Conventions v1.1 (The Linux Foundation)
The document outlines the governance principles and processes of the Xen Project open source hypervisor community. It discusses principles of openness, transparency and meritocracy. It describes roles like maintainers, committers and project leads. It covers topics like decision making, design reviews, release processes, earning status, and resolving conflicts.
Scale14x: Are today's foss security practices robust enough in the cloud era ... (The Linux Foundation)
Recent vulnerabilities like Heartbleed and Shellshock have brought the security practices and track record of open-source projects into the spotlight. A project’s response to security issues has a major impact on how much risk end users are exposed to and how the project is perceived in the technology industry.
We will compare the security practices of key projects such as Linux, Docker, Xen Project, OpenStack and others. We will explore the trade-offs of different security practices, such as community trust, competing stakeholder interests, fairness and media coverage of vulnerabilities. Finally, we will explore the evolution of the Xen Project’s security process over the past 3 years as a case study. We will illustrate the trade-offs, pain points and unexpected issues we have experienced, to help other projects understand the pitfalls in designing robust security processes and help users of open source projects understand how open source projects manage security vulnerabilities.
XPDS16: Live Migration of vGPU - Xiao Zheng, Intel Asia-Pacific Research & De... (The Linux Foundation)
GPU virtualization is hot in cloud usages including VDI, media processing, etc. While Intel GVT-g (a.k.a. XenGT) helps unleash those compelling usages on Intel Processor Graphics, new requirements are emerging, such as VM live migration with vGPU. In this session we will introduce the challenges of supporting vGPU live migration on the current migration framework, then elaborate on techniques to bring vGPU live migration into XenGT.
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct... (The Linux Foundation)
This document summarizes the Xen security framework (XSM), which enables fine-grained control over interactions between domains, the hypervisor, and resources. XSM uses mandatory access control based on security labels rather than discretionary access control. Permissions for subjects (processes or VMs) to interact with objects (files, ports, devices, etc.) are defined in security policies. The architecture includes security policies, a policy controlling entity, a security server, an access vector cache, and a policy database. The decision-making process involves checking the access vector cache, consulting the security server and policy database if needed, and returning the access decision. Challenges include ensuring atomic policy changes and consistency between the security policy and the runtime policy database.
Selecting the correct hypervisor for CloudStack 4.5 (Tim Mackey)
Apache CloudStack supports multiple hypervisors out of the box, and the obvious question is which hypervisor is best for CloudStack. In this session we cover core CloudStack components such as networking, storage and virtualization functions to present which hypervisor is able to meet a given requirement. The core take-away is that, with an understanding of the services to be delivered, the correct hypervisor, or hypervisors, can be selected with relative ease. This deck is as delivered at CloudStack Days 2015 in Seattle.
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul... (The Linux Foundation)
Since its inception, the Xen Orchestra project, which uses AGPLv3, has always had a philosophy of listening to and engaging the community. User feedback shaped our initial concept, which first targeted system administrators. Eventually, our users drove us to support cloud-scale deployments supporting up to 2000 VMs. Retaining simplicity in usage and installation while evolving Xen Orchestra to cloud scale posed many challenges. This led us to build many new features such as ACLs, self-service, live charts, config drive management, and more, and forced us to constantly evolve our architecture. First we will show how user needs changed our architecture, and how we implemented challenging problems such as user permissions, ACLs, containers in a virtualized infrastructure and self-service. We will conclude with a short demo, what is next, and lessons learned.