Nydus Image Service for Confidential Containers
Gerry Liu
Senior Staff Engineer
Alibaba Cloud
Introduction
• Gerry Liu <gerry@linux.alibaba.com>
• Working at OS Team, Alibaba Cloud
• Interested in Linux kernel and cloud-native related technologies
• Member of:
  • Kata Containers: <https://github.com/kata-containers/kata-containers>
  • Confidential Containers: <https://github.com/confidential-containers>
  • Nydus Image Service: <https://github.com/dragonflyoss/image-service>
  • rust-vmm: <https://github.com/rust-vmm>
What We Will Discuss Today
• What makes CoCo image management special?
• What is Nydus Image Service?
• Nydus Image Service for CoCo
Project CoCo (Confidential Containers)
Confidential Containers are designed to protect confidentiality and integrity of container workloads by using hardware TEEs.
What types of resources to protect? We are going to talk about image management.
Diagram labels: CPU, Memory, Image, Storage, Net Device, Hardware TEE; Encryption: dm-crypt, dm-integrity, ZFS, TLS/HTTPS; two resources marked "?"; Application Container.
CoCo Image Management Challenges
Diagram: Host File System holding the Container Rootfs; image flow: 1. download image blobs from registry; 2. store blobs to host FS; 3. convert blobs to container rootfs; 4. access files from container image.
• Image layers are shared and reused among containers
• All contents are visible on host side
1. Images should be protected on registry and host
2. Rootfs should be mounted inside guest
3. Images should be reused with low memory overhead
CoCo Image Management Solutions
1. Image formats with integrity & confidentiality
  • ocicrypt
  • ocicrypt-rs
  • cosign
2. Image management inside trusted execution environment
  • Containerd with remote image management
  • Kata Containers with image service
  • image-rs: content store and snapshotter for CC
3. Image content lazy loading & caching
  • Downloading images for every container
    • Slow startup
    • High pressure on local storage
    • High pressure on registry
  • How to achieve similar startup time as native containers?
    • Image caching
    • Image lazy loading
    • Nydus Image Service
What We Will Discuss Today
• What makes CoCo image management special?
• What is Nydus Image Service?
• Nydus Image Service for CoCo
What is Nydus Image Service?
1. An image format w/ advanced features:
  • Lazy loading
  • Data deduplication
  • Native or OCIv1 compatible modes
  • Encryption (in progress)
2. A readonly filesystem for containers (runC/Kata/Kata CC), AI models and software packages by:
  • Linux/MacOS FUSE
  • Virtio-fs
  • EROFS with page sharing
  • User space library (in progress)
3. An image service integrated with ecosystem:
  • OCI distribution compatible
  • Integrated with buildkit/containerd/cri-o/nerdctl/Kata/harbor/dragonfly
4. A node level storage subsystem with P2P, cache and data deduplication
Nydus Image Format (1)
• Native Mode:
  • File data is split into chunks
  • Chunks may be compressed and/or encrypted
  • Chunk deduplication by comparing chunk digests at build time
• OCIv1 Compatible Mode:
  • Contains no file data, referring to file data in OCIv1 images instead
  • RAFS metadata for lazy loading, ~5% size of original OCIv1 image
• RAFS Data Blob: contains both file data and FS metadata
• RAFS Metadata Blob: only contains merged FS metadata from all data blobs. Avoids runtime overhead by overlaying layers at build time.
Diagram: data blob = chunked file data with compression and/or encryption, plus info to locate and decode chunk data; metadata blob = info to provide the filesystem view & locate chunk info (merged FS view, no file chunk data).
Flexible FS for Read-only Workload (2)
Flexible Deployment Modes
• RunC/Application: Nydusd + FsCache + EROFS
• RunC/Application: Nydusd + FUSE
• Kata: Nydusd + Virtio-fs
• Kata: Nydusd + virtio-fs + EROFS
• Kata-CC: Nydusd + virtio-blk + EROFS
• Kata-CC: Nydusd + FsCache + EROFS
• Application: Nydus userspace library
Nydus is EROFS Compatible
• Nydus filesystem format is EROFS compatible
• Linux in-kernel EROFS can mount Nydus images
• FsCache enables data cache and lazy-loading for EROFS
Runtime Data Deduplication (3)
• Nydus supports chunk-based data deduplication at build time, by using a chunk dictionary.
• Nydus optionally supports a local CAS to manage all downloaded chunks.
• When running a new image, all chunks that already exist in the local CAS will be reused.
This may dramatically reduce resource consumption in the case of software upgrades or CVE fixes.
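As an added illustration (not Nydus's own code or the RAFS on-disk format), the build-time chunk dictionary from the image-format slide and the runtime local CAS from this slide, modelled in Python: v2 of an image differs from v1 in one chunk, so only that chunk is pushed at build time and fetched at run time, and every fetched chunk is digest-checked before it is cached or served. The chunk size, file names and file contents are constructed sample values.

```python
"""Toy model of Nydus-style chunk dedup and lazy loading. Constructed example,
not Nydus code or the RAFS on-disk format: 'metadata' is a dict of path ->
chunk infos, data blobs live in a 'registry' dict, the local CAS is a dict."""
import hashlib
from dataclasses import dataclass

CHUNK_SIZE = 4  # tiny, so the sample data shows dedup (real chunks are ~1 MiB)

@dataclass(frozen=True)
class ChunkInfo:
    """Info to locate and decode one chunk: which data blob, where, how long."""
    digest: str
    blob_id: str
    offset: int
    size: int

def build_image(name, files, registry, chunk_dict=None):
    """Build time: split files into chunks, dedup by digest. chunk_dict
    (digest -> ChunkInfo) plays the Nydus chunk dictionary: chunks already
    known (e.g. from a base image) are referenced, not emitted again.
    Returns (metadata, chunk_dict); metadata maps path -> [ChunkInfo]."""
    chunk_dict = dict(chunk_dict or {})
    meta, blob, blob_id = {}, bytearray(), f"{name}-blob"
    for path, data in files.items():
        infos = []
        for off in range(0, len(data), CHUNK_SIZE):
            piece = data[off:off + CHUNK_SIZE]
            digest = hashlib.sha256(piece).hexdigest()
            if digest not in chunk_dict:
                chunk_dict[digest] = ChunkInfo(digest, blob_id, len(blob), len(piece))
                blob += piece
            infos.append(chunk_dict[digest])
        meta[path] = infos
    registry[blob_id] = bytes(blob)  # only chunks new to this image are pushed
    return meta, chunk_dict

class LocalCAS:
    """Node-local store of downloaded chunks, keyed by digest, shared by images."""
    def __init__(self):
        self.store, self.downloads = {}, 0

class LazyReader:
    """Runtime: fetch a chunk only when a read needs it and the CAS lacks it."""
    def __init__(self, meta, registry, cas):
        self.meta, self.registry, self.cas = meta, registry, cas

    def read(self, path) -> bytes:
        out = bytearray()
        for ci in self.meta[path]:
            data = self.cas.store.get(ci.digest)
            if data is None:
                self.cas.downloads += 1  # one ranged fetch from the registry
                data = self.registry[ci.blob_id][ci.offset:ci.offset + ci.size]
                if hashlib.sha256(data).hexdigest() != ci.digest:  # verify first
                    raise ValueError(f"chunk digest mismatch in {ci.blob_id}")
                self.cas.store[ci.digest] = data  # cache only verified chunks
            out += data
        return bytes(out)

# Constructed sample: v2 is v1 with one chunk of /bin/app changed (a "CVE fix").
FILES_V1 = {"/bin/app": b"AAAABBBBCCCC", "/etc/conf": b"DDDD"}
FILES_V2 = {"/bin/app": b"AAAABBBBEEEE", "/etc/conf": b"DDDD"}

def demo():
    """Build v1, then v2 against v1's chunk dictionary, and run both on one
    node. Returns (v1 blob bytes, v2 blob bytes, chunk downloads in total)."""
    reg, cas = {}, LocalCAS()
    v1, d1 = build_image("v1", FILES_V1, reg)
    v2, _ = build_image("v2", FILES_V2, reg, d1)
    LazyReader(v1, reg, cas).read("/bin/app")
    LazyReader(v2, reg, cas).read("/bin/app")  # only the EEEE chunk is fetched
    return len(reg["v1-blob"]), len(reg["v2-blob"]), cas.downloads

if __name__ == "__main__":
    print(demo())
```

Note that v2's /etc/conf chunk still lives in v1's data blob, so a reader of v2 fetches it from there; a corrupted or tampered blob is caught by the per-chunk digest check before anything reaches the CAS.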
Integration with the Eco-system (4)
What We Will Discuss Today
• What makes CoCo image management special?
• What is Nydus Image Service?
• Nydus Image Service for CoCo
Nydus Enhancements for CoCo
EK: Encryption Key
BEK: Blob Encryption Key
Manifest: contains wrapped EKs
Metadata Blob: contains BEKs
Data Blob: contains chunked file data
Table (rows: Manifest, Metadata Blob, Data Blob; columns: Encryption, Integrity); the cells read: Protected by ocicrypt, Protected by Nydus, Protected by Nydus, Protected by cosign.
Lazy-Loading and Image Cache for CoCo
Image Sources
• Registry through network
• Image sharing with P2P
• Image cache on host through virtio-fs/blk
Working Modes
• Nydusd + FUSE
• Nydusd + FsCache + EROFS
• EROFS with decryption (researching)
Image Caching Modes
• Blob-Based Image Cache
  1. First lazy-loading without caching
  2. Then lazy-loading with blob cache
  3. At last image fs cache with EROFS
• Block-Based Image Cache
  • Simple but inflexible
Development Plan
Nydus: targeting v2.3, 2023Q2
• Runtime data deduplication
• Data encryption
• ocicrypt for Nydus metadata blob
CoCo: targeting v0.5
• Improve quality of image-rs
• Integrate Nydus w/o encryption
• Integrate Nydus with encryption
Useful Links:
• Nydus Image Service Project
• image-rs Project
• ocicrypt-rs Project
Editor's Notes

1. When running Linux native containers with containerd, containerd takes the responsibility to prepare the root filesystem for containers. It first downloads binary blobs from the container image registry, and then converts and mounts those downloaded blobs as filesystems. So when running Linux native containers with containerd: all data blobs are stored on the host side; filesystems are mounted on the host side, so they are visible on the host side; data blobs and mounted filesystems can be reused for multiple rounds or different containers.
2. When running confidential containers with hardware TEEs,
3. Random access compression in BlobFS: https://fuchsia.googlesource.com/fuchsia/+/a2cc44846d47/docs/concepts/filesystems/random-access-compression.md?autodive=0%2F%2F%2F%2F%2F%2F%2F