This session offers techniques for securing Docker containers and hosts using open source network virtualization technologies to implement microsegmentation. Come learn real tips and tricks that you can apply to keep your production environment secure.
Moby is an open source project providing a "LEGO set" of dozens of components, the framework to assemble them into specialized container-based systems, and a place for all container enthusiasts to experiment and exchange ideas.
One of these assemblies is Docker CE, an open source product that lets you build, ship, and run containers.
This talk will explain how you can leverage the Moby project to assemble your own specialized container-based system, whether for IoT, cloud or bare metal scenarios.
We will cover Moby itself, the framework, and tooling around the project, as well as many of its components: LinuxKit, InfraKit, containerd, SwarmKit, Notary.
Then we will present a few use cases and demos of how different companies have leveraged Moby and some of the Moby components to create their own container-based systems.
Video at https://www.youtube.com/watch?v=kDp22YkD6WY
A basic introductory slide set on Kubernetes: What does Kubernetes do, what does Kubernetes not do, which terms are used (Containers, Pods, Services, Replica Sets, Deployments, etc...) and how basic interaction with a Kubernetes cluster is done.
Networking For Nested Containers: Magnum, Kuryr, Neutron Integration (Fawad Khaliq)
In the OpenStack ecosystem, containers were recently introduced as first-class citizens with the Magnum project, and networking for containers has evolved since then. Project Kuryr makes Neutron networking available to containers, so that containers get the same Neutron benefits that virtual machines do. However, for Neutron, Kuryr and Magnum to cover all container use cases, nested containers running inside Nova VMs need networking that works as seamlessly as it does for virtual machines or bare-metal containers. In this session, we will talk about the Magnum, Kuryr and Neutron integration and how the problem of nested container networking has been solved in the OpenStack community: its architecture, the design, current status and next steps.
This document discusses OpenStack Neutron and software defined networking. It provides an overview of Neutron and how it allows network as a service capabilities. It describes the packet flow for virtual machines accessing the external network or communicating between virtual machines on the same network. It explains how Neutron integrates with Open vSwitch on the compute nodes to provide networking and discusses the various Neutron agents.
A quick introduction to OpenStack networking features and an overview of the Open vSwitch plugin with logical-to-physical mappings.
3rd meetup Openstack User Group Italy
Kubernetes is a container orchestration system that manages the deployment and scaling of containerized applications. It groups containers into Pods and coordinates multiple Pods across a cluster of nodes. The document provides an overview of Kubernetes architecture, including its use of master and worker nodes, controllers that manage components and respond to events, and how containers are scheduled and replicated across nodes for scalability. It also compares containers to traditional virtual machines and microservices to provide context on Kubernetes and containerization.
The document discusses using EMC ECS for geo-replicated Docker registries and multi-protocol access for microservice applications. It describes how ECS provides an active/active geo-distributed architecture for object storage that can be used to replicate Docker registries across multiple sites for high availability. It also explains how ECS supports multiple protocols like S3, Swift, HDFS, and NFS that can be used by different microservices in an application to access data stored in ECS. There is a demo of a geo-replicated Docker registry using ECS and an example of a MosaicMe application that uses ECS for multi-protocol data access across microservices.
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or... (Cloud Native Day Tel Aviv)
As OpenStack matures, more users move from "dipping a toe" to deploying at large scale, with thousands of nodes.
OpenStack networking has long been a limiting factor in scaling beyond a few hundred nodes, forcing users to turn to cell splitting, or to offload networking completely to the underlay and forfeit the overlay network altogether.
Dragonflow is a fully distributed, open source, SDN implementation of Neutron, that handles large scale deployments without splitting to cells.
In testing we've conducted, we were able to scale to 4000+ controllers (each controller is typically deployed on a compute node), while maintaining the same performance we had on a small 30 node environment.
The document discusses using TOSCA modeling to orchestrate Kubernetes on OpenStack in a hybrid environment. It describes defining custom node types for Kubernetes, MongoDB, and microservices to model the target architecture. Workflows then execute to render the modeled infrastructure by deploying the necessary VMs, containers, and services. Metrics collected by a Diamond container are sent to Riemann, which triggers Kubernetes scaling through the orchestrator when thresholds are breached. TOSCA allows portably modeling multi-cloud orchestrations and hiding cloud implementation details.
This document discusses Docker, a container system for code. It describes how Docker eliminates inconsistencies between development, testing, and production environments by allowing applications to run anywhere using containers. It provides an overview of the Docker ecosystem, including the core components like Engine, Compose, Swarm, and Machine. It also discusses how Docker compares to virtual machines and the benefits it provides for both developers and administrators.
Gaetano Borgione's presentation from the 2017 Open Networking Summit.
Networking is vital for cloud-native apps where distributed computing and development models require speed, simplicity, and scale for massive number of ephemeral containers. Two of the most prevalent container networking models are CNI and CNM for developers using Docker, Mesos, or Kubernetes. This session will present an overview of distributed development, how CNI and CNM models work, and how container frameworks use these models for networking. Gaetano will also discuss the additional functions users need to consider in the control plane and data plane to achieve operational scale and efficiency.
The Containers Ecosystem, the OpenStack Magnum Project, the Open Container In... (Daniel Krook)
Presentation at the OpenStack Summit in Tokyo, Japan on October 27, 2015.
http://sched.co/49x0
The technology industry has been abuzz about cloud workload containerization since the open source Docker project became a phenomenon in early 2014.
Meanwhile, an OpenStack Containers Team was formed and the Magnum project launched to provide users with a convenient Containers-as-a-Service solution for OpenStack environments.
As the potential of both technologies emerged, many wanted to see shared governance over the baseline container specification and runtime technology to ensure an open cloud ecosystem.
This past June, a new group was formed with a goal of creating open, industry standards around container formats and runtimes, called the Open Container Initiative (http://www.opencontainers.org).
So how will OpenStack Magnum influence - and be influenced by - the new OCI group? Why is the OCI under the stewardship of the Linux Foundation? What is the scope of the OCI effort? What project goals and/or principles will guide their work?
Attend this session to learn the following:
* A brief history of the open container ecosystem and the major benefits that containerization provides
* An overview of the Magnum CaaS plugin architecture and design goals
* Insider details on the progress of the Linux Foundation Open Container Initiative (and the related Cloud Native Computing Foundation)
* What it all means for deploying container orchestration engines on your cloud with OpenStack Magnum
Megan Kostick - Software Engineer, Cloud and Open Source Technologies, IBM
Daniel Krook - Senior Software Engineer, Cloud and Open Source Technologies, IBM
Jeffrey Borek - WW Program Director, Open Technologies and Partnerships, Cloud Computing
Building Clustered Applications with Kubernetes and Docker (Steve Watt)
This document discusses building clustered applications with Kubernetes and Docker. It provides an overview of Kubernetes, including its architecture and components. It then demonstrates how to install Kubernetes, define and deploy pods, add replication controllers and services. It discusses using volumes for persistence, including different volume types like GlusterFS. Finally, it touches on debugging and provides contact information for following up.
Designed for IT professionals looking to expand their OpenStack Networking knowledge, “Navigating OpenStack Networking” is a comprehensive and fast-paced session which provides an overview of OpenStack Networking, its history, its predecessor (Nova Networks), its components and then dives deep into the architecture, its features and plugin model and its role in building an OpenStack Cloud.
Docker allows building portable software that can run anywhere by packaging an application and its dependencies in a standardized unit called a container. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery. Kubernetes can replicate containers, provide load balancing, coordinate updates between containers, and ensure availability. Defining applications as Kubernetes resources allows them to be deployed and updated easily across a cluster.
- OpenStack provides network virtualization and automation capabilities through projects like Neutron, Heat, and plugins like Midonet.
- Neutron evolved networking in OpenStack to allow pluggable networking models beyond the initial Nova networking. It supports overlay technologies and network automation.
- Heat allows you to define infrastructure like servers, networks, and their relationships in templates that can be deployed through the OpenStack API. This provides automation of virtual network deployment.
- Plugins like Midonet provide distributed virtual networking models to improve scalability and performance over overlay approaches like OVS. They also allow automation of physical network configuration.
Optimising NFV service chains on OpenStack using Docker (Ananth Padmanabhan)
Uploading slides presented in the OpenStack summit, at Austin in April, 2016. Here is the link to the video,
https://www.openstack.org/videos/video/optimising-nfv-service-chains-on-openstack-using-docker
Service mesh from Linkerd to Conduit (Cloud Native Taiwan meetup) (Chia-Chun Shih)
A service mesh is a dedicated infrastructure layer that handles communication between microservices. It provides reliable delivery of requests through complex application topologies using lightweight proxies deployed alongside application code without requiring code changes. Popular service meshes include Linkerd, the first service mesh, Conduit, a new ultralight service mesh from the creators of Linkerd, and Istio, a more full-featured service mesh.
- Introduction to Kubernetes features
- A look at Kubernetes Networking and Service Discovery
- New features in Kubernetes 1.6
- Kubernetes Installation options
To know more about our Kubernetes expertise, visit our center of excellence at: http://www.opcito.com/kubernetes/
The document gives an introduction to hotel management. Hotel management involves functions such as planning, organizing, directing and controlling in order to achieve a hotel's objectives efficiently. Good management also requires working as a team, motivating staff, and communicating effectively.
The document discusses how companies can gain competitive advantage through marketing plans focused on sustainability. The company Natura is cited as an example for having incorporated sustainability as a competitive strategy since 1983, bringing well-being-related actions together in a virtuous circle that is its differentiator in the market. Marketing professionals should seek to build a more egalitarian society and a sustainable economy capable of expanding the productive base while creating quality jobs.
This document discusses network intelligence and how understanding the structure of networks can provide insights. It examines the structure of different industries and networks to understand how industries evolve over time. Understanding network structure at a high level of detail, similar to understanding the cell, could reveal what is possible. Key questions are discussed, such as which companies are positioned for explosive growth and which jobs will employ the workforce in the future. Nurturing, identifying, exploring, and connecting within networks is important for strategy and innovation.
Ambientes de aprendizaje para el desarrollo humano (Learning environments for human development), kmilo Viasus
This document describes learning environments as school processes for human development. It explains that learning environments have purposes, learning outcomes, assessment, sequence, teaching strategies and resources. It also identifies students and teachers as the main protagonists of learning environments.
This document summarizes a study on extended-spectrum beta-lactamases (ESBLs) among extraintestinal Enterobacter cloacae isolates recovered from patients with catheter-associated urinary tract infections (CAUTIs) in Hilla, Iraq. The study found that 7 out of 53 urine culture samples were identified as E. cloacae, with 5 isolates able to form biofilms. Phylogenetic analysis revealed that 5 isolates belonged to extraintestinal groups B2 and D. Phenotypic and genotypic testing found that 5 isolates were ESBL-positive, with 3 carrying blaTEM, blaSHV, and blaCTX-M genes. The study concludes that although E. cloac
The Charleston Battery, a professional soccer team based in Charleston, SC, is partnering with local libraries and elementary schools to launch a "Reading is Cool" program to encourage literacy among students. The program consists of weekly story times featuring Battery players called "Just for Kicks" and a reading contest called "Battery Book Bonanza" to reward the student who reads the most books. The goal is to increase motivation for reading and literacy levels among elementary school children through positive athlete role models and incentives.
There are 3 major techniques used for branding clothes: embroidery, which uses thread stitched onto the garment; heat transfer, which uses a plastic backing to digitally transfer images and designs; and screen printing, which applies ink that is then dried on the garment, suitable for large logos. The document discusses these branding techniques and provides contact information for a company that uses these methods on uniforms.
This document presents the writing plan for a research project on the causes of sewer saturation in the district of José Leonardo Ortiz. The general objective is to propose replacing the entire sewer system to improve community satisfaction. The specific objectives are to describe the risks, causes and prevention methods, and to bring the problem to the attention of the authorities. The theoretical framework covers sewer systems and the provision of public services in
Strengthen customer relationships through excellent customer service to increase sales and market share. LiveAgent provides a customer service platform that centrally collects customer information, routes it to the appropriate support representatives, and includes built-in live chat and other features to help businesses better serve customers and measure results.
Noam Chomsky was the founder of transformational generative grammar, a system of linguistic analysis that challenged traditional linguistics. His 1957 book Syntactic Structures revolutionized the discipline of linguistics. Chomsky's theory holds that every human utterance has a surface structure and a deep structure, and that the mechanisms for acquiring a language are innate in human beings.
The document presents the activities to be carried out in a workshop on the use of Microsoft Word and text editors. Participants are instructed to review concepts about operating systems and computer components, identify the functions of text editors, use Word templates to create documents with different styles, generate and edit Word documents with images and inserted objects, and take part in group discussions and exercises to practise the topics covered.
This document describes several sexually transmitted diseases such as gonorrhoea, genital herpes, genital warts, chlamydia and syphilis. It explains the symptoms and effects of each, as well as their transmission and severity. It also highlights the importance of condom use to prevent some STDs partially or completely.
This document presents a basic Ubuntu manual. It contains sections on how to boot Ubuntu from a CD, perform the installation, configure the system, use basic applications such as the file browser and the terminal, carry out common tasks and replace Windows applications. It also includes useful tips and links of interest for new Ubuntu users.
The document summarizes a meeting about modernizing Lafayette Elementary School. It discusses updates to exterior and site lighting, including previously existing lighting and the updated design. HVAC sound data is also presented for daytime and nighttime scenarios both at 5' and 25' above grade. The document concludes with next steps in the project schedule, including finalizing stormwater management design, play equipment, trailer removal, and anticipated completion of site work in October 2016.
This document summarizes a meetup about serverless technologies. It introduces the organizer and details that the meetup group was started as an experiment and has grown to 140 members who meet monthly. The key aspects of serverless technologies highlighted are that they are fast evolving and poorly documented. The most important things about the meetup are to join online discussions, present topics, provide contributions and ideas, and help spread awareness of serverless technologies.
The document describes the principles of branding and retail space design. It explains that branding is tied to marketing and that a brand can be a product, a logo or anything else that can be sold. It also notes that the retail space should reflect the brand's values and qualities through its interior design, colours and styles so as to reinforce the brand message coherently. In addition, a brand's values and image distinguish it from its competitors and define the culture and perception of the product
This document is a textbook on embedded systems programming with the Microchip PIC16F877 microcontroller. It introduces embedded systems and their prevalence. It discusses four levels of embedded systems in terms of size, options, and complexity - from high level systems like air traffic control to low level systems like appliances. The book will cover fundamental and advanced embedded programming techniques that can apply to any microcontroller, as well as an introduction to digital signal processing using the PIC16F877.
This document presents a guide to service management based on the ITIL v3 foundations. It briefly explains the history of ITIL and its evolution through the versions. It describes the key concepts of ITIL v3 such as the service lifecycle, the processes that make it up and the roles involved. Finally, it summarizes the main changes introduced in ITIL v3 compared with earlier versions.
The document discusses managing containers and virtual machines in hybrid networking environments. It provides an overview of Kubernetes networking basics and challenges with Kubernetes and OpenStack interoperability. It then describes the OpenStack Kuryr project which bridges container networking and OpenStack Neutron. It discusses Kuryr components and modes of operation. It also briefly outlines Opendaylight COE architecture for integrating Kubernetes and OpenStack. Finally, it introduces the concept of a service mesh for managing communication between microservices and summarizes key components of the Istio service mesh.
Oscon 2017: Build your own container-based system with the Moby project (Patrick Chanezon)
Build your own container-based system
with the Moby project
Docker Community Edition—an open source product that lets you build, ship, and run containers—is an assembly of modular components built from an upstream open source project called Moby. Moby provides a “Lego set” of dozens of components, the framework for assembling them into specialized container-based systems, and a place for all container enthusiasts to experiment and exchange ideas.
Patrick Chanezon and Mindy Preston explain how you can leverage the Moby project to assemble your own specialized container-based system, whether for IoT, cloud, or bare-metal scenarios. Patrick and Mindy explore Moby’s framework, components, and tooling, focusing on two components: LinuxKit, a toolkit to build container-based Linux subsystems that are secure, lean, and portable, and InfraKit, a toolkit for creating and managing declarative, self-healing infrastructure. Along the way, they demo how to use Moby, LinuxKit, InfraKit, and other components to quickly assemble full-blown container-based systems for several use cases and deploy them on various infrastructures.
Building specialized container-based systems with Moby: a few use cases
This talk will explain how you can leverage the Moby project to assemble your own specialized container-based system, whether for IoT, cloud or bare metal scenarios. We will cover Moby itself, the framework, and tooling around the project, as well as many of its components: LinuxKit, InfraKit, containerd, SwarmKit, Notary. Then we will present a few use cases and demos of how different companies have leveraged Moby and some of the Moby components to create their own container-based systems.
Why Kubernetes as a container orchestrator is a right choice for running spar... (DataWorks Summit)
Building and deploying an analytic service on the cloud is a challenge; maintaining that service is a bigger one. Users are gravitating towards a model in which cluster instances are provisioned on the fly, used for analytics or other purposes, and then shut down when the jobs are done. In that world, containers and container orchestration are more relevant than ever.
Container orchestrators like Kubernetes can be used to deploy and distribute modules quickly, easily, and reliably. The intent of this talk is to share the experience of building such a service and deploying it on a Kubernetes cluster. We will discuss all the requirements that an enterprise-grade Hadoop/Spark cluster running on containers places on a container orchestrator.
This talk will cover in detail how the Kubernetes orchestrator can be used to meet all our needs for resource management, scheduling, networking and network isolation, volume management, and so on. We will discuss how we replaced our home-grown container orchestrator, which used to manage the container lifecycle and resources according to our requirements, with Kubernetes. We will also discuss the orchestrator features that are helping us deploy and patch thousands of containers, and the ones we believe still need improvement or could be enhanced in a container orchestrator.
Speaker
Rachit Arora, SSE, IBM
Containers are changing the compute landscape, and for NFVi, support for containers is key. Kubernetes is a well-known container cluster management system, and this is the slide deck from a talk given at OpenDaylight Summit 2016. The slides give an insight into microservice architecture, Kubernetes, and how it can be integrated with ODL. The session video can be found at https://www.youtube.com/watch?v=a4_pkp2qiX8&list=PL8F5jrwEpGAiRCzJIyboA8Di3_TAjTT-2
Centralizing Kubernetes and Container Operations (Kublr)
While developers see and realize the benefits of Kubernetes, how it improves efficiency, saves time, and lets them focus on the unique business requirements of each project, InfoSec, infrastructure, and software operations teams still face challenges when managing a new set of tools and technologies and integrating them into an existing enterprise infrastructure.
These meetup slides go over what’s needed for a general architecture of a centralized Kubernetes operations layer based on open source components such as Prometheus, Grafana, ELK Stack, Keycloak, etc., and how to set up reliable clusters and multi-master configuration without a load balancer. It also outlines how these components should be combined into an operations-friendly enterprise Kubernetes management platform with centralized monitoring and log collection, identity and access management, backup and disaster recovery, and infrastructure management capabilities. This presentation will show real-world open source projects use cases to implement an ops-friendly environment.
Check out this and more webinars in our BrightTalk channel: https://goo.gl/QPE5rZ
Kubernetes is an open-source platform for managing containerized applications across multiple hosts. It provides tools for deployment, scaling, and management of containers. Kubernetes handles tasks like scheduling containers on nodes, scaling resources, applying security policies, and monitoring applications. It ensures containers are running and if not, restarts them automatically.
Containers, OCI, CNCF, Magnum, Kuryr, and You! (Daniel Krook)
This document discusses container technology and its integration with OpenStack. It provides an overview of how containerization has evolved over time through various independent projects. It describes how several OpenStack projects like Nova, Heat, Kolla, Murano leverage containers. It focuses on how Magnum provides APIs for container orchestration engines and how Kuryr connects Docker and Kubernetes networks to OpenStack. It then introduces the Open Container Initiative (OCI) and Cloud Native Computing Foundation (CNCF), which aim to develop open standards for containers and cloud-native applications. The presenters encourage attendees to get involved in these standards bodies to help ensure the standards meet their usage scenarios.
The slides give the brief idea of the current situation of the container orchestration integration in OpenStack and how OpenStack Kuryr can improve the situation.
This document discusses container orchestration integration between OpenStack Kuryr and Apache Mesos. It begins with introductions to Docker and Mesos, describing how they are used to distribute workloads across container hosts. It then reviews the history of networking in Docker and Mesos, how libnetwork was developed for Docker networking, and how Mesos uses IPAM and network isolator modules. Finally, it describes how OpenStack Kuryr acts as a translator between Neutron and libnetwork, allowing Neutron networking APIs to manage containers running on Mesos.
Kubernetes: from first acquaintance to use in CI/CD (Stfalcon Meetups)
Kubernetes: from first acquaintance to use in CI/CD
Олександр Занічковський (Oleksandr Zanichkovskyi)
Technical Lead at SoftServe
14+ years of experience developing a wide range of software, both desktop and web
Has worked as a freelance programmer and as part of a team
Interested in software architecture, automation of integration and delivery of new product versions, and cloud technologies
Has recently been mentoring future tech leads
In his spare time he plays guitar and dreams of the big stage
Oleksandr will share his own experience of working with Kubernetes:
introduce the basic concepts and primitives of K8S
describe possible scenarios for using Kubernetes for CI/CD, with GitLab as the example
show how to use persistent storage, collect container metrics, and use Ingress to route requests according to specific rules
show how to install K8S yourself for exploration or local work
This document provides an overview of Kubernetes networking concepts including:
- Pods share the same network namespace so containers within a Pod can communicate via loopback, while different Pods each get their own IP address.
- Services provide load-balancing to Pods through labels and selectors, with a single IP/port exposed for a set of Pods. This includes options for east-west (Pod-to-Pod) and north-south (external access) traffic.
- Ingress controllers provide layer 7 routing and load-balancing for external access to Services within a cluster.
- Network policies allow restricting traffic to Pods using selectors and rules for ingress sources and egress destinations.
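The network-policy point above (and the microsegmentation theme of the first deck on this page) is easiest to get wrong on one detail: a pod that no policy selects accepts everything, while a pod selected by any policy accepts only what some rule explicitly allows. The following is an added example, not code from any of the listed decks; it is a small evaluator for the ingress subset of NetworkPolicy semantics (matchLabels selectors, namespace and pod peers, ports) applied to constructed policies in hypothetical `shop` and `monitoring` namespaces. ipBlock peers and matchExpressions are deliberately left out.

```python
"""Minimal evaluator for Kubernetes NetworkPolicy *ingress* semantics.

Added example, not code from any deck listed on this page. It models the
subset of the NetworkPolicy API needed to show the two rules that matter
most for microsegmentation:
  1. A pod selected by no policy accepts traffic from anywhere.
  2. A pod selected by at least one policy accepts only traffic that some
     rule in some selecting policy explicitly allows (default deny).
Assumptions: selectors use matchLabels only, ipBlock peers are not modelled,
and policies are plain dicts shaped like the v1 API objects.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


def selects(selector, labels):
    """matchLabels semantics: an empty selector matches everything."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, ns_labels, policy_ns):
    """A 'from' entry matches when its pod AND namespace selectors both match.
    A lone podSelector is scoped to the policy's own namespace."""
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if pod_sel is None and ns_sel is None:
        return False                      # ipBlock-only peer: not modelled
    if ns_sel is None:
        if src.namespace != policy_ns:
            return False
    elif not selects(ns_sel, ns_labels.get(src.namespace, {})):
        return False
    return pod_sel is None or selects(pod_sel, src.labels)


def port_matches(ports, port, protocol):
    """No 'ports' list means every port; protocol defaults to TCP."""
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol
               for p in ports)


def ingress_allowed(policies, ns_labels, src, dst, port, protocol="TCP"):
    """Return True if src may reach dst on port/protocol under these policies."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selects(p["spec"].get("podSelector", {}), dst.labels)]
    if not selecting:
        return True                       # rule 1: nothing selects dst
    for policy in selecting:              # rule 2: any allowing rule wins
        for rule in policy["spec"].get("ingress", []):
            if not port_matches(rule.get("ports", []), port, protocol):
                continue
            froms = rule.get("from", [])
            if not froms or any(peer_matches(f, src, ns_labels, dst.namespace)
                                for f in froms):
                return True
    return False


# Constructed sample policies (hypothetical 'shop' and 'monitoring' namespaces).
DEFAULT_DENY = {                          # selects every pod in 'shop', no rules
    "metadata": {"name": "default-deny-ingress", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
ALLOW_WEB_TO_DB = {                       # only app=web may reach app=db:5432
    "metadata": {"name": "allow-web-to-db", "namespace": "shop"},
    "spec": {"podSelector": {"matchLabels": {"app": "db"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                          "ports": [{"protocol": "TCP", "port": 5432}]}]},
}
ALLOW_SCRAPE = {                          # ops-team prometheus may scrape :9090
    "metadata": {"name": "allow-prometheus-scrape", "namespace": "shop"},
    "spec": {"podSelector": {},
             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "ops"}},
                                    "podSelector": {"matchLabels": {"app": "prometheus"}}}],
                          "ports": [{"port": 9090}]}]},
}
POLICIES = [DEFAULT_DENY, ALLOW_WEB_TO_DB, ALLOW_SCRAPE]
NS_LABELS = {"shop": {"team": "shop"}, "monitoring": {"team": "ops"}}

WEB = Pod("web-1", "shop", {"app": "web"})
DB = Pod("db-1", "shop", {"app": "db"})
ROGUE = Pod("debug-1", "shop", {"app": "debug"})
PROM = Pod("prometheus-0", "monitoring", {"app": "prometheus"})
LEGACY = Pod("legacy-1", "legacy", {"app": "legacy"})   # namespace with no policy

if __name__ == "__main__":
    for src, dst, port in [(WEB, DB, 5432), (ROGUE, DB, 5432), (PROM, WEB, 9090),
                           (PROM, WEB, 8080), (PROM, LEGACY, 8080)]:
        verdict = "ALLOW" if ingress_allowed(POLICIES, NS_LABELS, src, dst, port) else "DENY"
        print(f"{src.namespace}/{src.name} -> {dst.namespace}/{dst.name}:{port}  {verdict}")
```

Two things the evaluator makes visible: the `legacy` namespace, which has no policy at all, stays wide open, so a default-deny policy has to be created per namespace; and a peer that lists both `namespaceSelector` and `podSelector` in one entry is an AND, so a Grafana pod in the same `monitoring` namespace is still refused on 9090. Also remember that the API server accepts NetworkPolicy objects regardless of whether the cluster's CNI plugin enforces them; on a plugin without policy support they are silently ignored, so verify enforcement with a real connection test rather than trusting that the object exists.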
OSDC 2017: Automating Kubernetes Cluster Operations with Operators by Timo De... (NETWAYS)
At Giant Swarm, we manage Kubernetes clusters for customers 24/7, both on-premises and in the cloud. That means we do not just set something up and hand it over; we actually make sure that it is operational and up-to-date at all times.
In this talk Timo explains how Giant Swarm is using Operators to codify all the operational tasks of managing Kubernetes clusters and the distributed applications on top of them. The operators manage PKI infrastructure, networks, VMs and storage, both on-premises and in the cloud. There have been a lot of challenges and learnings in the past year, and Timo would like to share them with you.
OSDC 2017 - Timo Derstappen - Automating kubernetes cluster operations with o... (NETWAYS)
At Giant Swarm, we manage Kubernetes clusters for customers 24/7, both on-premises and in the cloud. That means we do not just set something up and hand it over; we actually make sure that it is operational and up-to-date at all times.
In this talk Timo explains how Giant Swarm is using Operators to codify all the operational tasks of managing Kubernetes clusters and the distributed applications on top of them. The operators manage PKI infrastructure, networks, VMs and storage, both on-premises and in the cloud. There have been a lot of challenges and learnings in the past year, and Timo would like to share them with you.
AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration... (Amazon Web Services)
Customers from all over the world streamed forty-two billion hours of Netflix content last year. Various Netflix batch jobs and an increasing number of service applications use containers for their processing. In this session, Netflix presents a deep dive on the motivations and the technology powering container deployment on top of Amazon Web Services. The session covers our approach to resource management and scheduling with the open source Fenzo library, along with details of how we integrate Docker and Netflix container scheduling running on AWS. We cover the approach we have taken to deliver AWS platform features to containers such as IAM roles, VPCs, security groups, metadata proxies, and user data. We want to take advantage of native AWS container resource management using Amazon ECS to reduce operational responsibilities. We are delivering these integrations in collaboration with the Amazon ECS engineering team. The session also shares some of the results so far, and lessons learned throughout our implementation and operations.
Develop and deploy Kubernetes applications with Docker - IBM Index 2018Patrick Chanezon
Docker Desktop and Enterprise Edition now both include Kubernetes as an optional orchestration component. This talk will explain how to use Docker Desktop (Mac or Windows) to develop and debug a cloud native application, then how Docker Enterprise Edition helps you deploy it to Kubernetes in production.
What's Running My Containers? A review of runtimes and standards.Phil Estes
A talk given at Open Source Leadership Summit (OSLS) on Thursday, March 14th in Half Moon Bay, CA. In this talk the current status of the Open Container Initiative (OCI) standards as well as the Kubernetes Container Runtime Interface (CRI) were presented, with a view towards how these components have provided a level playing field with significant choice when it comes to container runtimes for use in Kubernetes, as well as interoperability per the OCI standards.
Kubernetes – An open platform for container orchestrationinovex GmbH
Date: 30.08.2017
Event: GridKA School 2017
Speaker: Johannes M. Scheuermann
More tech talks: https://www.inovex.de/de/content-pool/vortraege/
More tech articles: https://www.inovex.de/blog/
Similar to Secure Your Containers: What Network Admins Should Know When Moving Into Production
CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My IdentityCynthia Thomas
Identities are a crucial part of running workloads on Kubernetes. How do you ensure Pods can securely access Cloud resources? In this lightning talk, you will learn how large Cloud providers work together to share Identity Provider responsibilities in order to federate identities in multi-cloud environments.
KubeCon NA'22 Lightning Talk: Where did all my IPs go?Cynthia Thomas
Kubernetes cluster planning requires quite a few things to get started. What about IPs? Common IP management hurdles with Kubernetes clusters include IP assignments when building a cluster and challenges faced when deploying in a multi-faceted environment. Kubernetes Admins often need to use IP addressing handed out by Network Admins juggling other non-k8s workload IP assignments and IP exhaustion. In this talk, Cynthia will discuss new and existing KEPs that SIG-network has implemented to help mitigate IP challenges. Such features include discontiguous cluster CIDRs and the journey to IPv6. Cynthia will also discuss how the best practices for Kubernetes IP management are changing with these new capabilities to help scale and grow instead of rebuild.
https://sched.co/184sj
Kernel advantages for Istio realized with CiliumCynthia Thomas
Istio brings a myriad of options to provide routing rules, encryption, and monitoring for microservices, typically in container environments. Cilium provides accelerated network security using a modern kernel technology called BPF. Put the two together and what do you get? A distributed security solution enabling microservices traffic management, security, and monitoring while enforcing policy as close to the microservices as possible.
Cynthia Thomas and Romain Lenglet discuss the architectural and performance benefits of using Cilium with Istio and provide a demo of this BPF-based, Linux kernel technology. Cilium provides an API-aware security solution that can make a decision on every single microservice flow, with the ability to enforce protocols such as HTTP, Kafka, and gRPC. By addressing security policy at the API layer, you can enforce policy efficiently with kernel capabilities while reducing the attack surface in a microservices deployment.
Cilium:: Application-Aware Microservices via BPFCynthia Thomas
Intro to Cilium Microservices Security with Kubernetes Integration
Open Source Cilium website: cilium.io
GH: github.com/cilium/cilium
Join our Slack! cilium.herokuapp.com
Follow us on Twitter!
@ciliumproject
@_techcet_
Cilium: Seattle Kubernetes MeetUp Dec 2017Cynthia Thomas
BPF (Berkeley Packet Filter) is becoming the fastest growing technology in the Linux kernel and is revolutionizing networking, security and tracing. At the same time, the rise of container-based orchestration platforms such as Kubernetes is creating demand for routing, load-balancing & security infrastructure that is highly scalable, application-aware, and resilient.
This talk introduces the open source project Cilium - a modern networking and security platform for microservices. Cilium is built on top of BPF and provides Linux native networking and security services with application protocol awareness. Cilium works hand in hand with application proxies such as Envoy and the services management orchestration layer Istio to provide infrastructure services in a transparent manner and with minimal overhead. This talk will discuss the challenges of exposing services via APIs and the solution that Cilium provides to enforce least privilege security.
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPFCynthia Thomas
We have introduced Cilium at DockerCon US 2017 this year. Cilium provides application-aware network connectivity, security, and load-balancing for containers. This talk will follow up on the introduction and deep dive into recent kernel developments that address two fundamental questions: How can I provide application-aware security and routing efficiently without overhead embedded into every service? How can container hosts protect themselves from internal and external DDoS attacks? The solutions include:
kproxy: a kernel-based socket proxy which allows for application-aware routing and security enforcement with minimal overhead.
XDP: A lightning-fast packet processing datapath using BPF. The technology is intended for DDoS mitigation, load-balancing, and forwarding.
This talk will deep dive into these exciting technologies and show how Cilium makes BPF and these kernel features available on Linux for your Docker containers.
A look at the project’s progression from Nova-Network to Neutron and Beyond. We will recall the early stages of Nova-Networking and how the functionality evolved to what is Neutron networking today. We will discuss previous default Neutron plugin implementation issues and current solutions with the now open-source SDN solution, MidoNet.
CloudKC: Evolution of Network VirtualizationCynthia Thomas
This document discusses the evolution of network virtualization. It begins with an overview of using VLANs for network virtualization, which provides L2 isolation but has limitations around scalability and management. OpenFlow is presented as an early approach that uses a centralized controller but has performance impacts. The document then introduces network overlays using software-defined networking as a more advanced approach, allowing network services to be decoupled from physical network hardware for improved scalability, agility and fault tolerance. It provides an overview of using the Midokura network virtualization platform with OpenStack Neutron for network automation and management.
From Nova-Network to Neutron and Beyond: A Look at OpenStack NetworkingCynthia Thomas
This document provides an overview of the evolution of network virtualization and OpenStack networking. It describes how networking started with manually configured VLANs, moved to OpenFlow which required programming flows, and then to network overlays using software defined networking. It outlines the requirements for network virtualization. It also details the evolution of OpenStack networking from Nova network to Quantum/Neutron, including the transition to using overlays and supporting plugins. Key features of Neutron are summarized, as well as upcoming features planned for future OpenStack releases.
Secure Your Containers: What Network Admins Should Know When Moving Into Production
1. Secure Your Containers! What Network Admins Should Know When Moving Into Production
Cynthia Thomas, Systems Engineer, @_techcet_
2. Containers, Containers, Containers!
Why is networking an afterthought?
3. Why Containers?
• Much lighter weight and less overhead than virtual machines
• Don’t need to copy entire OS or libraries – keep track of deltas
• More efficient unit of work for cloud-native apps
• Crucial tools for rapid-scale application development
• Increase density on a physical host
• Portable container image for moving/migrating resources
4. Containers: Old and New
• LXC: operating system-level virtualization through a virtual environment that has its own process and network space
  • 8 year old technology
  • Leverages Linux kernel cgroup
  • Also other namespaces for isolation
  • Focus on System Containers
• Security:
  • Previously possible to run code on Host systems as root on guest system
  • LXC 1.0 brought “unprivileged containers” for HW accessibility restrictions
• Ecosystem:
  • Vendor neutral, Evolving LXD, CGManager, LXCFS
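The security bullet above comes down to one question: is root inside the container also root on the host? The following added example (not code from the deck or from LXC) reads the kernel's uid_map format, which is what LXC's unprivileged containers rely on to map container root onto an unprivileged host uid, and reports which case a process is in. The uid_map contents in the sample run are constructed; the real file lives at /proc/<pid>/uid_map on Linux.

```python
"""Inspect a uid_map to tell whether "root" in a container is root on the host.

Added example, not code from the slides. The /proc/<pid>/uid_map format is
documented in user_namespaces(7): each line is
"<first id inside the namespace> <first id outside> <count>", and a process
outside any user namespace shows "0 0 4294967295" (uid 0 inside is uid 0
on the host). The sample map contents in main() are constructed.
"""
from typing import List, Optional, Tuple

Mapping = Tuple[int, int, int]  # (inside_start, outside_start, count)


def parse_uid_map(text: str) -> List[Mapping]:
    """Parse uid_map (or gid_map) text into (inside, outside, count) triples."""
    mappings: List[Mapping] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive mapping length in line: {line!r}")
        mappings.append((inside, outside, count))
    return mappings


def host_uid(mappings: List[Mapping], inside_uid: int) -> Optional[int]:
    """Translate an id inside the namespace to the host id, or None if unmapped.

    Unmapped ids appear as the overflow uid (nobody) on the host and cannot
    own files or open privileged resources there.
    """
    for inside, outside, count in mappings:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def root_is_host_root(uid_map_text: str) -> bool:
    """True when uid 0 inside the namespace is uid 0 on the host.

    This is the situation the slide warns about: a process that gains root
    in the container holds host root if it ever escapes the other namespaces.
    """
    return host_uid(parse_uid_map(uid_map_text), 0) == 0


def describe(uid_map_text: str) -> str:
    """Human-readable verdict for a report or a startup sanity check."""
    mappings = parse_uid_map(uid_map_text)
    if not mappings:
        return "no uid mapping: processes are unmapped (nobody) on the host"
    if root_is_host_root(uid_map_text):
        return "privileged: container root is host root"
    return f"unprivileged: container root is host uid {host_uid(mappings, 0)}"


if __name__ == "__main__":
    # Constructed samples: an identity map (privileged) and an LXC-style
    # unprivileged map where uids 0..65535 inside are 100000..165535 outside.
    for sample in ("         0          0 4294967295\n",
                   "         0     100000      65536\n"):
        print(describe(sample))
    try:
        with open("/proc/self/uid_map") as f:  # Linux only
            print("this process:", describe(f.read()))
    except OSError:
        pass
```

Run inside a container to see which mapping it was started with; an empty file means the namespace has no mapping written yet, which the check reports separately from the identity map.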
5. Containers: Old and New
• Explosive growth: Docker created a de-facto standard image format and API for defining and interacting with containers
• Docker: also operating system-level virtualization through a virtual environment
  • 3 year old technology
  • Application-centric API
  • Also leverages Linux kernel cgroups and kernel namespaces
  • Moved from LXC to libcontainer implementation
  • Portable deployment across machines
  • Brings image management and more seamless updates through versioning
• Security:
  • Networking: linuxbridge, IPtables
• Ecosystem:
  • CoreOS, Rancher, Kubernetes
6. Container Orchestration Engines
• Step forth the management of containers for application deployment!
• Scale applications with clusters where the underlying deployment unit is a container
• Examples include Docker Swarm, Kubernetes, Apache Mesos
8. What’s the problem?
Why are containers insecure?
• They weren’t designed with full isolation like VMs
• Not everything in Linux is namespaced
• What do they do to the network?
9. COEs help container orchestration! …but what about networking?
• Scaling Issues for ad-hoc security implementation with Security/Policy complexity
• Which networking model to choose? CNM? CNI?
• Why is network security always seemingly considered last?
10. Who’s going to care? Your Network Security team! And you should too.
11. Containers add network complexity!!!
• More components = more endpoints
• Network Scaling Issues
• Security/Policy complexity
12. Perimeter Security approach is not enough
• Legacy architectures tended to put higher layer services like Security and FWs at the core
• Perimeter protection is useful for north-south flows, but what about east-west?
• More = better? How to manage more pinch points?
13. #ThrowbackThursday
What did OpenStack do?
• Started in 2010 as an open source community for cloud compute
• Gained a huge following and became production ready
• Enabled collaboration amongst engineers for technology advancement
14. #ThrowbackThursday
Neutron came late in the game!
• Took 3 years before dedicated project formed
• Neutron enabled third party plugin solutions
• Formed advanced networking framework via community
15. What is Neutron?
• Production-grade open framework for Networking:
  • Multi-tenancy
  • Scalable, fault-tolerant devices (or device-agnostic network services)
  • L2 isolation
  • L3 routing isolation
    • VPC
    • Like VRF (virtual routing and forwarding)
  • Scalable Gateways
  • Scalable control plane
    • ARP, DHCP, ICMP
  • Floating/Elastic IPs
  • Decoupled from Physical Network
  • Stateful NAT
    • Port masquerading
    • DNAT
  • ACLs
  • Stateful (L4) Firewalls
    • Security Groups
  • Load Balancing with health checks
  • Single Pane of Glass (API, CLI, GUI)
  • Integration with COEs & management platforms
    • Docker Swarm, K8S
    • OpenStack, CloudStack
    • vSphere, RHEV, System Center
19. What is Kuryr?
Kuryr has become a collection of projects and repositories:
- kuryr-lib: common libraries (neutron-client, keystone-client)
- kuryr-libnetwork: docker networking plugin
- kuryr-kubernetes: k8s api watcher and CNI driver
- fuxi: docker cinder driver
20. Project Kuryr Contributions
As of Oct. 18th, 2016: http://stackalytics.com/?release=all&module=kuryr-group&metric=commits
21. Some previous* networking options with Docker
• libnetwork:
  • Null (with nothing in its networking namespace)
  • Bridge
  • Overlay
  • Remote
(Callouts on the slide: “STOP”, “IPtables maybe?”, “Done with Neutron? Tell me more, please!”)
22. Kuryr: Docker (1.9+)’s remote driver for Neutron networking
Kuryr implements a libnetwork remote network driver and maps its calls to OpenStack Neutron. It translates between libnetwork's Container Network Model (CNM) and Neutron's networking model.
Kuryr also acts as a libnetwork IPAM driver.
24. Kuryr translation please!
• Docker uses PUSH model to call a service for libnetwork
• Kuryr maps the 3 main CNM components to Neutron networking constructs
• Ability to attach to existing Neutron networks with host isolation (container cannot see host network)
libnetwork   neutron
Network      Network
Sandbox      Subnet, Ports, netns
Endpoint     Port
25. Networking services from Neutron, for containers!
Distributed Layer 2 Switching
Distributed Layer 3 Gateways
Floating IPs
Service Insertion
Layer 4 Distributed Stateful NAT
Distributed Firewall
VTEP Gateways
Distributed DHCP
Layer 4 Load Balancer-as-a-Service (with Health Checks)
Policy without the need for IP tables
Distributed Metadata
TAP-as-a-Service
27. Kuryr delivers for CNM, but what about CNI?
It’s an enabler for existing, well-defined networking plugins for containers
28. Kubernetes Presence in Container Orchestration
• Open sourced from production-grade, scalable technology used by Borg & Omega at Google for over 10 years
• Explosive use over the last 12 months, including users like eBay and Lithium Technologies
• Portable, extensible, self-healing
• Impressive automated rollouts & rollbacks with one command
• Growing ecosystem supporting Kubernetes:
  • CoreOS, RH OpenShift, Platform9, Weaveworks, Midokura!
30. Kubernetes Control Plane
• etcd
  • All persistent master state is stored in an instance of etcd
  • To date, runs as single instance; HA clusters in future
  • Provides a “great” way to store configuration data reliably
  • With watch support, coordinating components can be notified very quickly of changes
31. Kubernetes Control Plane Continued
• K8S API Server
  • Serves up the Kubernetes API
  • Intended to be a CRUD-y server, with separate components or in plug-ins for logic implementation
  • Processes REST operations, validates them, and updates the corresponding objects in etcd
• Scheduler
  • Binds unscheduled pods to nodes
  • Pluggable, for multiple cluster schedulers and even user-provided schedulers in the future
• K8S Controller Manager Server
  • All other cluster-level functions are currently performed by the Controller Manager
  • E.g. Endpoints objects are created and updated by the endpoints controller; and nodes are discovered, managed, and monitored by the node controller.
  • The replicationcontroller is a mechanism that is layered on top of the simple pod API
  • Planned to be a pluggable mechanism
32. Kubernetes Worker Node
• kubelet
  • Manages pods and their containers, their images, their volumes, etc
• kube-proxy
  • Run on each node to provide a simple network proxy and load balancer
  • Reflects services as defined in the Kubernetes API on each node and can do simple TCP and UDP stream forwarding (round robin) across a set of backends
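To make the kube-proxy bullets concrete, the following added example (not code from the deck or from Kubernetes) models a per-node proxy that reflects Service and Endpoints objects as they arrive from the API, emits the iptables NAT rules that steer traffic for a service's portal (cluster) IP to the proxy's own listening port, and splices each accepted TCP connection to the next backend in round-robin order. The chain names follow the old userspace proxy mode; the node address, pod addresses and proxy ports are constructed, and the rules are returned as strings rather than applied, so nothing here needs privileges.

```python
"""Model of the kube-proxy behaviour described on the worker node slide.

Added example, not kube-proxy code. Three responsibilities are modelled:
reflecting Service/Endpoints objects, generating the portal-IP NAT rules
(userspace-mode style, chain names illustrative), and round-robin TCP
forwarding. Addresses and ports in main() are constructed.
"""
import asyncio
import itertools
from typing import Dict, Iterator, List, Tuple

Backend = Tuple[str, int]  # (pod IP, port)


class ServiceProxy:
    def __init__(self, node_ip: str) -> None:
        self.node_ip = node_ip
        self._portals: Dict[str, Tuple[str, int, int]] = {}  # svc -> (portal_ip, port, proxy_port)
        self._backends: Dict[str, List[Backend]] = {}
        self._cycles: Dict[str, Iterator[Backend]] = {}

    def on_service(self, name: str, portal_ip: str, port: int, proxy_port: int) -> None:
        """Reflect a Service object: its portal IP/port and the local port we listen on."""
        self._portals[name] = (portal_ip, port, proxy_port)

    def on_endpoints(self, name: str, backends: List[Backend]) -> None:
        """Reflect an Endpoints update; the round robin restarts over the new set."""
        self._backends[name] = list(backends)
        self._cycles[name] = itertools.cycle(self._backends[name])

    def next_backend(self, name: str) -> Backend:
        """Round-robin choice; an empty backend set is an error, not a silent drop."""
        if not self._backends.get(name):
            raise LookupError(f"service {name!r} has no ready endpoints")
        return next(self._cycles[name])

    def iptables_rules(self) -> List[str]:
        """NAT rules for every known portal IP.

        Traffic arriving from pods (PREROUTING path) is REDIRECTed to the proxy
        port on this node; traffic originating on the host (OUTPUT path) is
        DNATed to the node address and the same port.
        """
        rules: List[str] = []
        for name, (portal_ip, port, proxy_port) in sorted(self._portals.items()):
            match = f"-d {portal_ip}/32 -p tcp -m comment --comment {name} --dport {port}"
            rules.append(f"-A KUBE-PORTALS-CONTAINER {match} -j REDIRECT --to-ports {proxy_port}")
            rules.append(f"-A KUBE-PORTALS-HOST {match} -j DNAT --to-destination {self.node_ip}:{proxy_port}")
        return rules

    async def _pipe(self, reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
        """Copy one direction of a stream until EOF, then close the far side."""
        try:
            while data := await reader.read(65536):
                writer.write(data)
                await writer.drain()
        finally:
            writer.close()

    async def _handle(self, name: str, client_r: asyncio.StreamReader,
                      client_w: asyncio.StreamWriter) -> None:
        try:
            host, port = self.next_backend(name)
            backend_r, backend_w = await asyncio.open_connection(host, port)
        except (LookupError, OSError):
            client_w.close()  # no backend reachable: refuse, as a failed connect would
            return
        await asyncio.gather(self._pipe(client_r, backend_w), self._pipe(backend_r, client_w))

    async def serve(self, name: str) -> None:
        """Listen on the service's proxy port and splice connections to backends."""
        _, _, proxy_port = self._portals[name]
        server = await asyncio.start_server(
            lambda r, w: self._handle(name, r, w), host="0.0.0.0", port=proxy_port)
        async with server:
            await server.serve_forever()


if __name__ == "__main__":
    proxy = ServiceProxy("192.0.2.10")  # constructed node address
    proxy.on_service("web", "10.0.0.10", 80, 36001)
    proxy.on_endpoints("web", [("10.244.1.2", 8080), ("10.244.2.3", 8080)])
    print("\n".join(proxy.iptables_rules()))
    print([proxy.next_backend("web") for _ in range(3)])
```

The point for a network admin is in `iptables_rules`: the portal IP never exists on any interface, so every packet for it has to be rewritten on the node before it can reach a pod, and those rules are where a per-node audit of "which cluster IPs are exposed where" starts.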
33. Kubernetes Networking Model
There are 4 distinct networking problems to solve:
1. Highly-coupled container-to-container communications
2. Pod-to-Pod communications
3. Pod-to-Service communications
4. External-to-internal communications
34. Kubernetes Networking Options
Flannel provides an overlay to enable cross-host communication
- IP per POD
- VXLAN tunneling between hosts
- IPtables for NAT
- Multi-tenancy?
- Host per tenant?
- Cluster per tenant?
- How to share VMs and containers on the same network for the same tenant?
- Security Risk on docker bridge? Shared networking stack
37. Security at the edge
1. vPort1 initiates a packet flow through the virtual network
2. MN Agent fetches the virtual topology/state
3. MN simulates the packet through the virtual network
4. MN installs a flow in the kernel at the ingress host
5. Packet is sent in tunnel to egress host
38. Kubernetes Integration: How with Kuryr?
Kubernetes 1.2+
Two integration components:
CNI driver
• Standard container networking: preferred K8S network extension point
• Can serve rkt, appc, docker
• Uses Kuryr port binding library to bind local pod using metadata
Raven (Part of Kuryr project)
• Python 3
• AsyncIO
• Extensible API watcher
• Drives the K8S API to Neutron API translation
39. Kubernetes Integration: How with Kuryr+MidoNet?
Defaults:
kube-proxy: generates iptables rules which map portal_ips such that the traffic gets to the local kube-proxy daemon. Does the equivalent of a NAT to the actual pod address
flannel: default networking integration in CoreOS
Enhanced by:
Kuryr CNI driver: enables the host binding
Raven: process used to proxy K8S API to Neutron API
MidoNet agent: provides higher layer services to the pods
40. Kubernetes Integration: How with Kuryr?
Raven: used to proxy K8S API to Neutron API + IPAM
- focuses only on building the virtual network topology translated from the events of the internal state changes of K8S through its API server
Kuryr CNI driver: takes care of binding virtual ports to physical interfaces on worker nodes for deployed pods
Kubernetes API   Neutron API
Namespace        Network
Cluster Subnet   Subnet
Pod              Port
Service          LBaaS Pool, LBaaS VIP (FIP)
Endpoint         LBaaS Pool Member
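The two mapping tables on slides 24 and 40 are the whole translation job that Kuryr's libnetwork driver and Raven perform. The following added example (not Kuryr or Raven code) applies both tables against an in-memory stand-in for the Neutron API, so the reader can see which Neutron resources each libnetwork and Kubernetes object becomes and where a translator must refuse bad input (a pod address outside its namespace subnet, an endpoint on an unknown network). The FakeNeutron class, the per-namespace /24 carving of the cluster CIDR, and all ids and addresses are assumptions for the example.

```python
"""Translate libnetwork (CNM) and Kubernetes objects into Neutron resources.

Added example, not Kuryr or Raven code. Slide 24: Network -> Network,
Sandbox -> Subnet/Ports/netns, Endpoint -> Port. Slide 40: Namespace ->
Network, Cluster Subnet -> Subnet, Pod -> Port, Service -> LBaaS Pool + VIP,
Endpoint -> LBaaS Pool Member. FakeNeutron and all ids/addresses are constructed.
"""
import ipaddress
import itertools
from typing import Dict, Iterator, List, Optional, Tuple


class FakeNeutron:
    """Records create calls the way a neutronclient session would issue them."""

    KINDS = ("network", "subnet", "port", "pool", "vip", "member")

    def __init__(self) -> None:
        self.resources: Dict[str, List[dict]] = {k: [] for k in self.KINDS}
        self._ids = itertools.count(1)

    def create(self, kind: str, **attrs) -> dict:
        rec = {"id": f"{kind}-{next(self._ids)}", **attrs}
        self.resources[kind].append(rec)
        return rec

    def find(self, kind: str, **match) -> Optional[dict]:
        return next((r for r in self.resources[kind]
                     if all(r.get(k) == v for k, v in match.items())), None)


class CNMTranslator:
    """libnetwork remote driver + IPAM calls -> Neutron (slide 24 table)."""

    def __init__(self, neutron: FakeNeutron) -> None:
        self.neutron = neutron

    def create_network(self, docker_net_id: str) -> dict:
        return self.neutron.create("network", name=docker_net_id)

    def request_pool(self, docker_net_id: str, cidr: str) -> dict:
        """The IPAM pool for the sandbox's address space becomes a Neutron subnet."""
        ipaddress.ip_network(cidr)  # reject malformed CIDRs before calling Neutron
        return self.neutron.create("subnet", network_id=self._network(docker_net_id)["id"], cidr=cidr)

    def create_endpoint(self, docker_net_id: str, endpoint_id: str) -> dict:
        return self.neutron.create("port", network_id=self._network(docker_net_id)["id"], name=endpoint_id)

    def join(self, endpoint_id: str, netns: str) -> dict:
        """Join binds the endpoint's port into the sandbox's network namespace."""
        port = self.neutron.find("port", name=endpoint_id)
        if port is None:
            raise LookupError(f"unknown endpoint {endpoint_id!r}")
        port["device_id"] = netns
        return port

    def _network(self, docker_net_id: str) -> dict:
        net = self.neutron.find("network", name=docker_net_id)
        if net is None:
            raise LookupError(f"unknown libnetwork network {docker_net_id!r}")
        return net


class K8sTranslator:
    """Raven-style API watcher callbacks -> Neutron (slide 40 table)."""

    def __init__(self, neutron: FakeNeutron, cluster_cidr: str) -> None:
        self.neutron = neutron
        # Assumption for the example: each namespace gets its own /24 of the cluster subnet.
        self._subnets: Iterator[ipaddress.IPv4Network] = ipaddress.ip_network(cluster_cidr).subnets(new_prefix=24)

    def on_namespace(self, name: str) -> Tuple[dict, dict]:
        net = self.neutron.create("network", name=name)
        subnet = self.neutron.create("subnet", network_id=net["id"], cidr=str(next(self._subnets)))
        return net, subnet

    def on_pod(self, namespace: str, pod: str, ip: str) -> dict:
        net, subnet = self._namespace(namespace)
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(subnet["cidr"]):
            raise ValueError(f"pod {pod!r} address {ip} is outside {subnet['cidr']}")
        return self.neutron.create("port", network_id=net["id"], name=pod, device_owner="kubernetes:pod",
                                   fixed_ips=[{"subnet_id": subnet["id"], "ip_address": ip}])

    def on_service(self, namespace: str, name: str, cluster_ip: str, port: int) -> Tuple[dict, dict]:
        _, subnet = self._namespace(namespace)
        pool = self.neutron.create("pool", name=f"{namespace}/{name}", subnet_id=subnet["id"],
                                   protocol="TCP", lb_method="ROUND_ROBIN")
        vip = self.neutron.create("vip", pool_id=pool["id"], address=cluster_ip, protocol_port=port)
        return pool, vip

    def on_endpoints(self, namespace: str, name: str, addresses: List[str], port: int) -> List[dict]:
        pool = self.neutron.find("pool", name=f"{namespace}/{name}")
        if pool is None:
            raise LookupError(f"no pool for service {namespace}/{name}")
        return [self.neutron.create("member", pool_id=pool["id"], address=a, protocol_port=port)
                for a in addresses]

    def _namespace(self, namespace: str) -> Tuple[dict, dict]:
        net = self.neutron.find("network", name=namespace)
        if net is None:
            raise LookupError(f"namespace {namespace!r} has no network yet")
        return net, self.neutron.find("subnet", network_id=net["id"])
```

Swap FakeNeutron for a real client and the same callbacks drive the per-namespace router/network isolation the later slides describe; the validation in `on_pod` is the place where a watcher stops an address it did not allocate from being plumbed into another namespace's subnet.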
41. Kubernetes Integration: How with Kuryr+MidoNet?
Raven: used to proxy K8S API to Neutron API
Kuryr CNI driver: takes care of binding virtual ports to physical interfaces on worker nodes for deployed pods
42. Kubernetes Integration: How with Kuryr+MidoNet?
Raven: used to proxy K8S API to Neutron API
Kuryr CNI driver: takes care of binding virtual ports to physical interfaces on worker nodes for deployed pods
43. Kubernetes Integration: Where are we now with MidoNet?
Completed integration components:
- CNI driver
- Raven
- Namespace Implementation (a mechanism to partition resources created by users into a logically named group):
  - each namespace gets its own router
  - all pods driven by the RC should be on the same logical network
- CoreOS support
- Containerized MidoNet services
44. Where will Kuryr go next?
• Bring container and VM networking under one API
• Multi-tenancy
• Advanced networking services/map Network Policies
• QoS
• Adapt implementation to work with other COEs
  • kuryr-mesos
  • kuryr-cloudfoundry
  • kuryr-openshift
• Magnum Support (containers in VMs) in OpenStack
Purpose
Examples of existing ones
What are COE networking models?
Docker: CNM
K8S & Mesos: CNI
Maturity?
Re-inventing wheel, including the political battles, but that’s the fun that open source brings
- Otto’s Magnum webinar compares COEs: (minute 16:30??)
http://blog.midokura.com/2016/05/project-magnum-introduction/
Talk about which are good for what
If 10K nodes, use …
Reference: https://github.com/kubernetes/kubernetes/blob/master/docs/design/architecture.md
Service endpoints are currently found via DNS or through environment variables (both Docker-links-compatible and Kubernetes {FOO}_SERVICE_HOST and {FOO}_SERVICE_PORT variables are supported). These variables resolve to ports managed by the service proxy.
The kubelet ships with built-in support for cAdvisor, which collects, aggregates, processes and exports information about running containers on a given system. cAdvisor includes a built-in web interface available on port 4194