XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerrigan, Assured Information Security, Inc.

•

1 recomendación•673 vistas

High level toolstacks for server and cloud virtualization are very mature with large communities using and supporting them. Client virtualization is a much more niche community with unique requirements when compared to those found in the server space. In this talk, we’ll introduce a client virtualization toolstack for Xen (redctl) that we are using in Redfield, a new open-source client virtualization distribution that builds upon the work done by the greater virtualization and Linux communities. We will present a case for maturing libxl’s Go bindings and discuss what advantages Go has to offer for high level toolstacks, including in the server space.

Software

Overview
• Introduction
• Motivation
• Evaluation
• Redfield and redctl
• Libxl Go (Golang) bindings
• Questions

Introduction
• Brendan Kerrigan – Principal Engineer at Assured Information
Security, Inc.
• Hypervisors
• Graphics virtualization
• Embedded
• Nicholas Rosbrook – Software Engineer at Assured Information
Security, Inc.
• Cryptography
• VPNs and Networking
• Go expert

Motivation
• We do a lot of client virtualization work
• Utilizing hypervisors to do end point security
• Mostly OpenXT based products now
• OpenXT isn’t the easiest project to work on (10 years of development
means there are lots of components)
• Sometimes key high-security features can be a hindrance to some use
cases
• Client virtualization is pretty different than server virtualization
• Especially when it comes to toolstacks

Evaluation
• What’s out there we can leverage?
• XenMgr
• Libvirt (+ qubectl)
• What if we had a clean slate?

XenMgr
• XenMgr is high friction
• Haskell
• Esoteric
• Tough to find developers
• Lots of legacy interfaces that are unexercised and unaudited (audit in
progress)
• A lot of cryptic code that essentially reads a database and writes an xl
config and calls exec/fork
• Local and remote APIs are different 
• The command line tool is great

Libvirt
• One layer of abstraction too many
• XML domain configurations are too complex
• Designed to work with several virtualization technologies – KVM, Xen,
LXC, etc.
• We want to work with Xen and do it well
• Does a lot more than we need it to
• There is an existing Go package (developed by DigitalOcean)

redctl
• Introducing redctl, the client toolstack to our Xen
distribution, Redfield
• The good:
• A client toolstack where remote and local management
APIs are unified
• Utilize gRPC
• Don’t dictate transport (IPv4, IPv6, PV channels, Argo, vsock)
• Easy to understand and test language (Go)
• Make the command line tool awesome (like XenMgr’s)
• The bad:
• Still doing exec/fork a lot when dealing with libxl…

What is cgo?
• Cgo enables Go programs to call C code through a pseudo-
package, “C”
• Allows access of C types, variables, and functions
• E.g. C.size_t, C.stdout, C.printf
• The “preamble”
• A block comment used to include headers, set CFLAGS, LDFLAGS, etc.
• Immediately precedes the import “C” statement

What is cgo?
• C fields that cannot be expressed in Go are omitted
• The C type void* is represented by Go’s unsafe.Pointer
• Cannot call C function pointers from Go
• There are some restrictions on passing pointers between C and Go

Writing a Go Package for libxl
• Writing the cgo code by hand is tedious
• Cgo is simple enough to make code generation easy
• We use c-for-go: https://github.com/xlab/c-for-go
• Define translation and generation rules with a YAML configuration file
• Accept or ignore symbols, rename variables, apply rules to a given scope,
and more

Writing a Go Package for libxl
• Finally, we need some wrappers…

Writing a Go Package for libxl
• Instead of:

Writing a Go Package for libxl
• We want:

Future Work
• Continue writing wrappers
• Trim the size of the package
• Integrate into redctl
• Upstream
• Current fork: https://github.com/enr0n/xen/tree/libxl-go

Questions?
• https://ainfosec.com
• https://gitlab.com/redfield

XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerrigan, Assured Information Security, Inc.

Más contenido relacionado

La actualidad más candente

Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach. Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach. The topic will cover content such as: * Why virtualisation in embedded * Hypervisor architectures on ARM and a quick roundup of examples * Relevant security technologies * Specific requirements for embedded systems * Example usage of FOSS based hypervisors in embedded * Challenges such as safety certification and how this may be approached

Fosdem 18: Securing embedded Systems using Virtualization

The Linux Foundation

TrenchBoot is a cross-community OSS integration project for hardware-rooted, late launch integrity of open and proprietary systems. It provides a general purpose, open-source DRTM kernel for measured system launch and attestation of device integrity to trust-centric access infrastructure. TrenchBoot closes the UEFI Measurement Gap and reduces the need to trust system firmware. This talk will introduce TrenchBoot architecture and a recent collaboration with Oracle to launch the Linux kernel directly with Intel TXT or AMD SVM Secure Launch. It will propose mechanisms for integrating the Xen hypervisor into a TrenchBoot system launch. DRTM-enabled capabilities for client, server and embedded platforms will be presented for consideration by the Xen community.

XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...

The Linux Foundation

The talk covers several technologies and best practices to managing Security Vulnerabilities, which are told as interconnected stories. We will cover how the largest clouds in production came together through the Xen Project to develop an industry leading open source security process to manage software vulnerabilities effectively, how those vendors collaborated to stop cloud reboots through Live Patching and how security and CPU vendors collaborated to protect against 0-day vulnerabilities and advanced persistent threats using hardware assisted virtual machine introspection. Finally, we will also provide information how you can use tools such as CVE Details to assess how secure an open source technology is relative to another, such that you don't have to rely solely on security stories from the technology press. The talk will cover how these technologies work, the limitations and challenges which still remain and how they are used in practice using examples of Xen Project based products and installations. We will also cover how these technologies impact software vulnerability management processes and system administrators.

OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)

The Linux Foundation

The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. It is also nearly 16 years old. The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. This has brought Xen far beyond server virtualization. Lars will share how the project has supported new technologies and ideas, which may include some really interesting things you might not know about Xen (especially around defense applications), and will derive best practices that may help other projects.

Scale17x: Thinking outside of the conceived tech comfort zone

The Linux Foundation

What do “Crazy in Love” by Beyonce and the “Xen Project” have in common? They are both 15-year-old hits. Flash forward to today. The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. The Xen Project played a key role in developing technologies outside of the hypervisor, like hardware virtualization, and open source security disclosure standards that impact entire industries. The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. We will share how the project has supported new technologies and ideas (sometimes in the form of failures and sometimes wins) and will derive best practices that may help other projects .

Xen Project 15 Years down the Line

The Linux Foundation

This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI) that is based on Xen Project software. On April 14th, The Shadow Brokers released the Eternalblue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as a propagation mechanism for the WannaCryransomware. HVI prevented exploitation attempts with no prior knowledge of the exploit or underlying vulnerability. This talk will cover the exploit mechanism, how HVI detects its actions, and illustrate some of the advantages of HVI built through open source collaboration. Audience members will takeaway a better understanding of this type of exploit and how something like hypervisor introspection and security through a hypervisor approach can help companies avoid these types of new exploits.

OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...

The Linux Foundation

NVDIMM is a standard for allowing non-volatile memory to be exposed to as normal RAM, which can be directly mapped to guests. This simple concept has the potential to dramatically change the way software is written; but also has a number of surprising problems to solve. Furthermore, this area is plagued with incomplete specifications and confusing terminology. This talk will attempt to give an overview of NVDIMMs from an operating system perspective: What the terminology means, how they are discovered and partitioned, issues relating to filesystems, a brief description of the functionality available in Linux, and so on. It will then describe the various issues and design choices a Xen system has to make in order to allow Xen systems to use NVDIMMs effectively.

OSSEU18: NVDIMM and Virtualization - George Dunlap, Citrix

The Linux Foundation

XPDDS19: Xen API Archaeology: Creating a Full-Featured VMI Debugger for the...

The Linux Foundation

Thursday, July 13 • 11:55 - 12:25 Edit Speaker Tools Hypervisor-Based Security: Bringing Virtualized Exceptions Into the Game - Mihai Dontu, Bitdefender Click here to add to My Sched. http://sched.co/AjH7 Tweet Share Feedback form is now closed. With this presentation, Mihai Donțu will cover the current status of #VE support in Xen, how Bitdefender plans to use it to improve the performance of its Hypervisor Introspection (HVI) solution, and the changes Bitdefender is working on mainlining in the hope that they will find their way into all major Xen deployments. The aim is to make VMI an even more appealing security option for customers running workloads on supporting Intel hardware.

XPDDS17: Hypervisor-Based Security: Bringing Virtualized Exceptions Into the ...

The Linux Foundation

2018 Genivi Xen Overview Nov Update

The Linux Foundation

ALSS14: Xen Project Automotive Hypervisor (Demo)

The Linux Foundation

Docker and other container runtimes are gathering momentum and becoming the new industry standard for server applications. Linux namespaces, commonly used to run Docker apps, come with a large surface of attack which is difficult to reduce. Intel’s Clear Containers use KVM to run containers as VMs to provide additional isolation. It is possible to provide VM-like isolation for containers without sacrificing performance. This talk focuses on the benefits of using Xen to provide an execution environment for Docker apps. The presentation starts by listing the requirements of this environment. It explains why monitoring container syscalls is important and what its security benefits are. The talk introduces a new paravirtualized protocol to virtualize IP sockets and provides the design and implementation details. The presentation clarifies the impact of the new protocol from a security perspective. The discussion concludes by comparing performance figures with the traditional PV network frontend and backend drivers in Linux, explaining the reasons for any performance gaps.

XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...

The Linux Foundation

2018 saw fundamental shifts in security boundaries which were previously taken for granted. A lot of work has been done in the past 2 years, and largely in secret under embargo, but there is plenty more work to be done to strengthen the existing mitigations and to try to recover some performance without reopening security holes. This talk will look at speculative execution sidechannels, the work which has already been done to mitigate the security holes, and future work which hopes to bring some improvements.

XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix

The Linux Foundation

Safety certification is one of the essential requirements for software to be used in highly regulated industries. Besides technical and compliance issues (such as ISO 26262 vs IEC 611508) transitioning an existing project to become more easily safety certifiable requires significant changes to development practices within an open source project. In this session, we will lay out some challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the Xen Project has followed thus far and highlight lessons learned along the way. The talk will primarily focus on necessary process, tooling changes and community challenges that can prevent progress. We will be offering an in-depth review of how Xen Project is approaching this challenging goal and try to derive lessons for other projects and contributors.

OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...

The Linux Foundation

The members of the Automotive Grade Linux (AGL) project have been developing the Unified Code Base (UCB) distribution for automotive use since 2015. Initially the focus was on In-Vehicle Infotainment systems, but lately the project has turned towards instrument cluster, telematics, heads-up display, and other safety critical systems that require ISO 26262 ASIL-B certification. Car and truck manufacturers are looking for AGL to provide a solution that makes use of AGL in a way that meets the demands of ISO 26262 and is readily available to a broad community. Walt takes a look at what has been done on the AGL community to prepare for this and looks to how AGL can work with the Xen project to make this a reality.

XPDDS19: Using Xen to Enable an Open Source Safety Certifiable Automotive Gra...

The Linux Foundation

Many projects start out with the intention of staying single license FOSS projects. As your project grows, reality hits: some components or files may need to use different licenses than originally anticipated. There are many reasons why this can happen: you may need to interface with projects of another license, you may want to import code from other projects or your developers may not understand the subtleties of the licenses in use. Besides the obvious challenges of managing mixed license FOSS projects, such as license compatibility and tracking what licenses you use, you are running the risk of exposing your project to unintended consequences. This talk will explore unintended consequences, risks and best practices using some examples from the recent history of the Xen Project. In particular we will cover: Refactoring can lead to licensing changes: best practices and unintended consequences when importing code from elsewhere. Making code archeology easy from a licensing perspective and why it is important. A worked example of a license change of a key component: process, pain points, their causes and how they could have been avoided The perils of LGPL/GPL vX (or Later): the unintended consequences of not providing pre-defined copyright headers in your source base We will conclude with a summary of lessons and best practices from both the Xen Project and a quick overview of how usage of SPDX and other tools may help you.

OSSA17 - Mixed License FOSS Projects

The Linux Foundation

Software Guard Extensions (SGX) is Intel's unique security feature which has been present in Intel's processors since Skylake generation. Existing HW/SW solutions hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX solves this by using enclave, which is a protected portion of userspace application where the code/data cannot be accessed directly from outside by any software, including privileged ones, such as BIOS and VMM. This discussion is intended for the deep dive introduction to SGX, and the design discussion of adding SGX virtualization to Xen. We will start with SGX deep dive, and then go into SGX virtualization design, from high level design to details, such as EPC management/virtualization, CPUID handling, interaction with VMX, live migration support, etc.

XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...

The Linux Foundation

Unikernels have produced impressive performance, including fast instantiation times, tiny memory footprints, and high consolidation, plus potentially a reduced attack surface and easier certification. Their main drawback is that they require applications to be manually ported to the underlying minimal OS; this means both expert work and considerable amount of time. In this talk we present Unikraft, an incubator project under the auspices of the Xen Project and the Linux Foundation aimed at automating the process of building customized images tailored to specific applications and thus significantly reducing development time. Unikraft decomposes the OS into elementary pieces (e.g., schedulers, memory allocators, drivers, etc.) that users can pick and choose from. It then builds images tailored to the needs of specific applications as well as the target platform (e.g., KVM, Xen) and architecture (e.g., ARM or x86).

OSSEU18: From Handcraft to Unikraft: Simpler Unikernelization of Your Applica...

The Linux Foundation

Scale 12x Securing Your Cloud with The Xen Hypervisor

The Linux Foundation

Unikernels have good performance and a very tiny footprint. But the process of converting an application to a Unikernel requires expert porting work and a considerable amount of time. Wei will introduce a new Unikernel development model – Unikraft. Unikraft aims to free Unikernels from the fundamental drawback of manual porting costs. Since Unikraft was announced, Wei has been actively working with the community to get involved in this project. In this presentation Wei intends to share some knowledge of Unikraft, including: 1) The concept and architecture of Unikraft, 2) The tool stack and config menu, 3) Features available on Arm, 4) Upcoming features on Arm. Wei also will run a demo on an Arm server showing: 1) Conversion of an application to Unikernel, 2) Configuration of this Unikernel through a menu system, 3) The converted Unikernel running!

XPDDS18: Unikraft: An easy way of crafting Unikernels on Arm - Kaly Xin, ARM

The Linux Foundation

La actualidad más candente (20)

Fosdem 18: Securing embedded Systems using Virtualization

XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...

OSSA17 - Live patch, VMI, Security Mgmt (50 mins, no embedded demos)

Scale17x: Thinking outside of the conceived tech comfort zone

Xen Project 15 Years down the Line

OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...

OSSEU18: NVDIMM and Virtualization - George Dunlap, Citrix

XPDDS19: Xen API Archaeology: Creating a Full-Featured VMI Debugger for the...

XPDDS17: Hypervisor-Based Security: Bringing Virtualized Exceptions Into the ...

2018 Genivi Xen Overview Nov Update

ALSS14: Xen Project Automotive Hypervisor (Demo)

XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...

XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix

OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...

XPDDS19: Using Xen to Enable an Open Source Safety Certifiable Automotive Gra...

OSSA17 - Mixed License FOSS Projects

XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...

OSSEU18: From Handcraft to Unikraft: Simpler Unikernelization of Your Applica...

Scale 12x Securing Your Cloud with The Xen Hypervisor

XPDDS18: Unikraft: An easy way of crafting Unikernels on Arm - Kaly Xin, ARM

Similar a XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerrigan, Assured Information Security, Inc.

DevOpsCon 2015 - DevOps in Mobile Games

Andreas Katzig

CrikeyCon 2015 - iOS Runtime Hacking Crash Course

eightbit

Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.

Security research over Windows #defcon china

Peter Hlavaty

Wahckon[2] - iOS Runtime Hacking Crash Course

eightbit

cadec-2017-golang

TiNguyn863920

Sebastian Dunkel, Autodesk Cloud based web applications running in the browser have fundamental advantages over their desktop based siblings: They run on any device and are not tied to a certain operating system. The transition to web applications can solve many of the deployment problems and facilitates effortless real-time collaboration in a connected world. However, implementing rich browser applications is challenging. Besides general technical limitations, leveraging existing technology is far from trivial. In this presentation we will discuss these and other challenges based on selected browser-based applications developed at Autodesk. Moreover, we will show how Forge technology can help to accelerate application development and improve the development experience.

Forge - DevCon 2016: Implementing Rich Applications in the Browser

Autodesk

13 practical tips for writing secure golang applications

Karthik Gaekwad

Delivering Developer Tools at Scale

Oracle Developers

Gocd – Kubernetes/Nomad Continuous Deployment

Leandro Totino Pereira

Microservices in action at the Dutch National Police

Bert Jan Schrijver

OpenValue meetup October 2017 - Microservices in action at the Dutch National...

Bert Jan Schrijver

JavaZone 2017 - Microservices in action at the Dutch National Police

Bert Jan Schrijver

Here, I am including the experience I had while exploring solutions for developing a mobile cross-platform library, i.e. a single codebase that could be part of mobile apps running under different platforms. It covers my journey from mobile cross-platform developments tools (PhoneGap, Titanium, and the likes), code porting tools, and WebViews that weren't up to the task, to C++ and JavaScript engines that did work. There aren't many resources out there explaining how to approach this problem, so we thought it could be helpful if we shared this experience.

Developing a mobile cross-platform library

Kostis Dadamis

Codeship has been powered by containers from the very beginning. In this talk we will discuss our initial implementation using LXC, how we use it and the limitations that we have encountered. Using the lessons we learned from our first gen implementation, we’ll look at the evolution of our next generation Docker service. We’ll dive into how this implementation works and discover some of the benefits and challenges of using Docker for CI.

A Tail of Two Containers: How docker made ci great again

Kyle Rames

CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police

Bert Jan Schrijver

At the Cloud, Big Data and Internet division of the Dutch National Police, 4 DevOps teams use the latest open source technology to build high tech, cloud native web applications using Spring Boot, Angular 5, Spark, Kafka and Jenkins 2. I'll share our experiences and real-world use cases for microservices. I’ll show how 4 teams work together on one product and I’ll talk about how we apply the principles of DevOps and Continuous Delivery. I’ll show how we handle security, build pipelines, test automation, performance tests, service discovery, automated deployments, monitoring and more!

Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...

Codemotion

Continuos Integration and Delivery: from Zero to Hero with TeamCity, Docker a...

Lean IT Consulting

As modern, agile architects and developers we need to master several different languages and technologies all at once to build state-of-the-art solutions and yet be 100% productive. We define our development environments using Gradle. We implement our software in Java, Kotlin or another JVM based language. We use Groovy or Scala to test our code at different layers. We construct the build pipelines for our software using a Groovy DSL or JSON. We use YAML and Python to describe the infrastructure and the deployment for our applications. We document our architectures using AsciiDoc and JRuby. Welcome to Babel! Making the right choices in the multitude of available languages and technologies is not easy. Randomly combining every hip technology out there will surely lead into chaos. What we need is a customized, streamlined tool chain and technology stack that fits the project, your team and the customer’s ecosystem all at once. This code intense, polyglot session is an opinionated journey into the modern era of software industrialization.

Everything-as-code. A polyglot adventure. #DevoxxPL

Mario-Leander Reimer

Devoxx 2017, Poland: Talk by Mario-Leander Reimer (@LeanderReimer, Principal Software Architect at QAware). Abstract: As modern, agile architects and developers we need to master several different languages and technologies all at once to build state-of-the-art solutions and yet be 100% productive. We define our development environments using Gradle. We implement our software in Java, Kotlin or another JVM based language. We use Groovy or Scala to test our code at different layers. We construct the build pipelines for our software using a Groovy DSL or JSON. We use YAML and Python to describe the infrastructure and the deployment for our applications. We document our architectures using AsciiDoc and JRuby. Welcome to Babel! Making the right choices in the multitude of available languages and technologies is not easy. Randomly combining every hip technology out there will surely lead into chaos. What we need is a customized, streamlined tool chain and technology stack that fits the project, your team and the customer’s ecosystem all at once. This code intense, polyglot session is an opinionated journey into the modern era of software industrialization.

Everything-as-code - A polyglot adventure

QAware GmbH

OSGi offers an excellent service discovery mechanism, but it is limited to services inside the JVM. With Docker nowadays it is trivially easy to deploy all kind of (micro) services, using pretty much any technology stack, so we’d like to discover those as easily as the ones inside the JVM. We will have a look at how we can use the Docker API to discover services in other containers, and how we can use Consul to expand service discovery to other hosts.

ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co...

Frank Lyaruu

Similar a XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerrigan, Assured Information Security, Inc. (20)

DevOpsCon 2015 - DevOps in Mobile Games

CrikeyCon 2015 - iOS Runtime Hacking Crash Course

Security research over Windows #defcon china

Wahckon[2] - iOS Runtime Hacking Crash Course

cadec-2017-golang

Forge - DevCon 2016: Implementing Rich Applications in the Browser

13 practical tips for writing secure golang applications

Delivering Developer Tools at Scale

Gocd – Kubernetes/Nomad Continuous Deployment

Microservices in action at the Dutch National Police

OpenValue meetup October 2017 - Microservices in action at the Dutch National...

JavaZone 2017 - Microservices in action at the Dutch National Police

Developing a mobile cross-platform library

A Tail of Two Containers: How docker made ci great again

CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police

Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...

Continuos Integration and Delivery: from Zero to Hero with TeamCity, Docker a...

Everything-as-code. A polyglot adventure. #DevoxxPL

Everything-as-code - A polyglot adventure

ApacheCon Core: Service Discovery in OSGi: Beyond the JVM using Docker and Co...

Más de The Linux Foundation

Static partitioning is used to split an embedded system into multiple domains, each of them having access only to a portion of the hardware on the SoC. It is key to enable mixed-criticality scenarios, where a critical application, often based on a small RTOS, runs alongside a larger non-critical app, typically based on Linux. The two domains cannot interfere with each other. This talk will explain how to use Xen for static partitioning. It will introduce dom0-less, a new Xen feature written for the purpose. Dom0-less allows multiple VMs to start at boot time directly from the Xen hypervisor, decreasing boot times drastically. It makes it very easy to partition the system without virtualization overhead. Dom0 becomes unnecessary. This presentation will go into details on how to setup a Xen dom0-less system. It will show configuration examples and explain device assignment. The talk will discuss its implications for latency-sensitive and safety-critical environments.

ELC2019: Static Partitioning Made Simple

The Linux Foundation

XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...

The Linux Foundation

This talk will introduce Dom0-less: a new way of using Xen to build mixed-criticality solutions. Dom0-less is a Xen feature that adds a novel approach to static partitioning based on virtualization. It allows multiple domains to start at boot time directly from the Xen hypervisor, decreasing boot times dramatically. Xen userspace tools, such as xl and libvirt, become optional. Dom0-less extends the existing device tree based Xen boot protocol to cover information required by additional domains. Binaries, such as kernels and ramdisks, are loaded by the bootloader (u-boot) and advertised to Xen via new device tree bindings. The audience will learn how to use Dom0-less to partition the system. Uboot and device tree configuration details will be explained to enable the audience to get the most out of this feature. The talk will include a status update and details on future plans.

XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx

The Linux Foundation

As the number of contributions grow, reviewer bandwidth becomes a bottleneck; and maintainers are always asking for more help. However, ultimately maintainers must at least Ack every patch that goes in; so if you're not a maintainer, how can you contribute? Why should anyone care about your opinion? This talk will try to lay out some advice and guidelines for non-maintainers, for how they can do code review in a way which will effectively reduce the load on maintainers when they do come to review a patch.

XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...

The Linux Foundation

This talk is a follow-up to our Summit 2017 presentation in which we covered our plans for Intel VMFUNC and #VE, as well as related use-cases. This year, we will provide a report on what we have accomplished in Xen 4.12, and what remains to be addressed. We will also give a brief status update of VMI on AMD hardware. The session will end with some real-world numbers of the Hypervisor Introspection solution running on Citrix Hypervisor 8.0 with #VE enabled.

XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender

The Linux Foundation

The Arm architecture provides a set of guidelines that any software should abide by when accessing the memory with MMU off and update page-tables. Failing to do so may result in getting TLB conflicts or breaking coherency. In a previous talk ("Keeping coherency on Arm"), we focused on updating safely the stage-2 (aka P2M) page-tables. This talk will focus on the boot code and Xen memory management. During this session, we will introduce some of the guidelines and when they should be used. We will also discuss how Xen boot sequence needs to be reworked to avoid breaking the guidelines.

XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd

The Linux Foundation

For many years the QEMU codebase has contained PV backends for Xen guests, giving them paravirtual access to storage, network, keyboard, mouse, etc. however these backends have not been configurable as QEMU devices as their implementation did not fully adhere to the QEMU Object Model (QOM). Particularly the PV storage backend not using proper QOM devices, or qdevs, meant that the QEMU block layer needed to maintain legacy code that was cluttering up the source. This was causing push-back from the maintainers who did not want to accept any patches relating to that Xen backend until it was 'qdevified'. In this talk, I'll explain the modifications I made to QEMU to achieve 'qdevification' of the PV storage backend, how compatibility with the libxl toolstack was maintained, and what the next steps in both QEMU and libxl development should be.

XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...

The Linux Foundation

PCI is a local computer bus for attaching hardware devices in a computer, and is the main peripheral bus on modern x86 systems. As such, having a proper way to emulate it is crucial for Xen to be able to expose both fully emulated devices or passthrough devices to guests. This talk will focus on the current status of PCI emulation in Xen, how and where it is used, what are its main limitations and future plans to improve it in order to be more robust and modular.

XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D

The Linux Foundation

XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems

The Linux Foundation

Xen is a very powerful hypervisor with a talented and diverse developers community. Despite the fact it's almost everywhere (from the Cloud to the embedded world), it can be difficult to set up and manage as a system administrator. General purpose distros have Xen packages, but that's just a start in your Xen journey: you need some tooling and knowledge to have a working and scalable platform. XCP-ng was built to overcome those issues: by bringing Xen to the masses with a fully turnkey distro with Xen as its core. It's the logical sequel to the XCP project, with a community focus from the start. We'll see how it happened, what we did, and what's next. Finally, we'll see the impact of XCP-ng on the Xen Project.

XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...

The Linux Foundation

XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...

The Linux Foundation

Today Xen is scheduling guest virtual cpus on all available physical cpus independently from each other. Recent security issues on modern processors (e.g. L1TF) require to turn off hyperthreading for best security in order to avoid leaking information from one hyperthread to the other. One way to avoid having to turn off hyperthreading is to only ever schedule virtual cpus of the same guest on one physical core at the same time. This is called core scheduling. This presentation shows results from the effort to implement core scheduling in the Xen hypervisor. The basic modifications in Xen are presented and performance numbers with core scheduling active are shown.

XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE

The Linux Foundation

The use of Virtual GPUs (vGPUs) has widely grown in server farms to give Virtual Machines (VMs) dedicated graphics. Software rendering with virtual CPUs can only take us so far and even with Intel-GVT, which uses integrated graphics, there isn't enough power to do the fun stuff. In this presentation, Jon Farrell will be talking about the process of implementing AMD MxGPU on Xen, challenges that he encountered while doing it, and discussing performance metrics of bare metal and vGPU VM on popular benchmarks like 3D Mark* and The Witcher 3. To wrap up his presentation, Jon will share his thoughts about future research and where this technology can take us.

XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security

The Linux Foundation

Current support of nested virtualization with Xen is limited to fully emulated devices for the L1 hypervisor (L0 hypervisor being the one running on the physical machine). For being able to let L2 dom0 make use of L1 PV devices several new interfaces are needed. In this design session I'll present my ideas how to add support of PV devices for L2 dom0. There are several possibilities how to do the work which I'd like to discuss.

XPDDS19: Support of PV Devices in Nested Xen - Jürgen Groß, SUSE

The Linux Foundation

In today's public and private cloud markets, availability is a very important metric for all cloud service providers. COLO is an ideal Application-agnostic Solution for Non-stop service in the cloud. Our solution can protect user service even from physical network or power interruption. And the the switching process is difficult for users to perceive (TCP connection will not be terminated). Under COLO mode, both primary VM (PVM) and secondary VM (SVM) are running parallel. The COLO has more than ten times performance increase compared with previous solution (like Remus). Current COLO codes has been merged in QEMU community, we can use COLO in upstream without any other addition patches. In this talk, we will talk about the COLO implementation in QEMU and Xen, the new designed COLO-Proxy, discussing on problems we've met while developing COLO. and report the latest progress from Intel.

XPDDS19: Application Agnostic High Availability Solution On Hypervisor Level ...

The Linux Foundation

Xen currently has two major mechanisms to maintain security while hosting untrusted VMs without causing disruption to those guests: live patching, and live migration. We introduce a third method: live updating Xen. A live-update operation involves loading of the newly-staged hypervisor into RAM, the currently-running Xen serializing its state, and then transferring control to the newly-staged Xen, all without disrupting running instances, beyond a little downtime when neither hypervisor is running guest vCPUs. We present a proposal on the design of such a feature, and invite comments and feedback.

XPDSS19: Live-Updating Xen - Amit Shah & David Woodhouse, Amazon

The Linux Foundation

XPDDS19: Secure Unikraft Applications with Solo5 - Haibo Xu, ARM

The Linux Foundation

The Open Source Xen-Blanket software was developed by researchers at IBM and Cornell University, as extensions to the Xen hypervisor and its PV drivers, to enable seamless use of Xen PV drivers in guest VMs of nested Xen deployments. It was presented at the EuroSys 2012 conference, with a paper that has been widely cited since, and deployed in Cornell's SuperCloud. Xen-Blanket has never been presented to the Xen Community and the software left unmaintained. However, recent work by Star Lab has modernized its implementation, aiming to encourage its adoption and incorporation into the Xen Project software. This session will introduce the Xen-Blanket, describing its motivation and features; present the structure of the implementation in the hypervisor and device drivers; outline an example architecture for its deployment; and summarize its current state and plans within the Xen Project.

XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ...

The Linux Foundation

Microcode update is used to correct errata by loading an Intel-supplied data block (so-called microcode) into the processor. Especially, late microcode update (aka, load microcode to processors at run-time) avoids system reboot which is necessary in early microcode update and greatly reduces system downtime. But, current late microcode update on Xen may fail in some cases as microcode becomes more complex in order to fix some sophisticated security issues. Chao will introduce his work to improve reliability and efficiency of microcode update.

XPDSS19: Improve the Reliability and Efficiency of Late Microcode Update - Ch...

The Linux Foundation

Unikraft allows developers to build unikernels targeted at specific applications easily. Since Unikraft was announced, Arm has been actively involved to enable it on arm64 kvm platform. In this presentation I intend to share: 1) Features status on arm64, kvm platform(merged and under review) 2) Scalability: multi-thread, SMP support 3) Todo list I will also show some demos on Arm64 among them: 1) 2 veth NIC tx/rx using virtio-mmio bus 2) a lightweight web server

XPDDS19: When Unikraft Meets Arm64 - Jia He, Arm

The Linux Foundation

Más de The Linux Foundation (20)

ELC2019: Static Partitioning Made Simple

XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...

XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx

XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...

XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender

XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd

XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...

XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D

XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems

XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...

XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...

XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE

XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security

XPDDS19: Support of PV Devices in Nested Xen - Jürgen Groß, SUSE

XPDDS19: Application Agnostic High Availability Solution On Hypervisor Level ...

XPDSS19: Live-Updating Xen - Amit Shah & David Woodhouse, Amazon

XPDDS19: Secure Unikraft Applications with Solo5 - Haibo Xu, ARM

XPDDS19: The Xen-Blanket for 2019 - Christopher Clark and Kelli Little, Star ...

XPDSS19: Improve the Reliability and Efficiency of Late Microcode Update - Ch...

XPDDS19: When Unikraft Meets Arm64 - Jia He, Arm

Último

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

How To Use Server-Side Rendering with Nuxt.js

Andolasoft Inc

In the realm of real-time applications, Large Language Models (LLMs) have long dominated language-centric tasks, while tools like OpenCV have excelled in the visual domain. However, the future (maybe) lies in the fusion of LLMs and deep learning, giving birth to the revolutionary concept of Large Action Models (LAMs). Imagine a world where AI not only comprehends language but mimics human actions on technology interfaces. For example, the Rabbit r1 device presented at CES 2024, driven by an AI operating system and LAM, brings this vision to life. It executes complex commands, leveraging GUIs with unprecedented ease. In this presentation, join me on a journey as a software engineer tinkering with WebRTC, Janus, and LLM/LAMs. Together, we’ll evaluate the current state of these AI technologies, unraveling the potential they hold for shaping the future of real-time applications.

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications

Alberto González Trastoy

Azure Native Qumulo scales elastically for common High Performance Compute (HPC) workloads based on application requirements for: Financial Services, Automotive, Genomics / Life Sciences, Media and Entertainment, Energy, Oil and Gas, etc. Performance can be dialed UP (and back down) much higher than the examples shown here. These slides offer a glimpse into ANQ's HPC capabilities, although at a smaller scale. We invite YOU to do your own testing (with a free ANQ trial) and work with us to test your HPC workloads in Azure.

Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf

ryanfarris8

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf

kalichargn70th171

A Secure and Reliable Document Management System is Essential.docx

ComplianceQuest1

Craft an AI & Machine Learning Pitch with our Editable Professional PowerPoint Template. Ignite your AI & Machine Learning pitch with our cutting-edge PowerPoint template tailored for the industry. Perfect for AI conferences, investor presentations, sales pitches to tech-focused companies, training sessions, and educational programs. - 20+ editable slides: Get a variety of options to choose from for your presentation. - Time-saving solution: Download, replace text/images with a few clicks. - User-friendly customization: Easy to use and personalize. - Modern and attractive design: Captivating visuals, sleek layout. - Tailored to your requirements: Fully alterable for customization. - Well-organized slides: Complete control over content. - Thematic specificity: Reflects healthcare industry with relevant graphics. - Showcase your business idea: Communicate value proposition effectively.

AI & Machine Learning Presentation Template

Presentation.STUDIO

10 Trends Likely to Shape Enterprise Technology in 2024

Mind IT Systems

Diamond Application Development Crafting Solutions with Precision

SolGuruz

Define the academic and professional writing..pdf

PearlKirahMaeRagusta1

VTU technical seminar 8Th Sem on Scikit-learn

AmarnathKambale

Test automation is a cornerstone of software development and quality assurance in today's rapidly evolving digital landscape. Its significance cannot be overstated. Businesses can enhance efficiency, productivity, and accelerate software delivery to market through automation, streamlining testing processes effectively. This comprehensive guide addresses the best practices for test automation in 2024. It offers a detailed checklist to empower you to optimize your automation efforts and maintain a competitive edge.

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

kalichargn70th171

At the recent Microsoft Ignite 2023 conference, Microsoft unveiled a groundbreaking strategy that will redefine enterprise work management. The plan involves integrating Microsoft’s key planning tools, Microsoft To Do, Microsoft Planner, and Microsoft Project for the web into a unified experience called “Microsoft Planner.” What does this new strategy from Microsoft mean for current users? Join us and learn how best to take advantage of this announcement while gaining a clear path on how to elevate the current state of Microsoft Planner from a basic task manager to a comprehensive tool for Enterprise Work Management using OnePlan. Learn how OnePlan’s integration with Microsoft Planner allows for strategic alignment with business goals through advanced features like strategic planning, portfolio management, resource management, financial management, and more!

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

OnePlan Solutions

Many specialized tools cater to distinct stages within the software development lifecycle (SDLC). These tools target various aspects of development, delivery, and operations, each with its unique strengths. Uniting these diverse testing needs into a single continuous testing platform presents several challenges. Such a platform must seamlessly integrate with various development tools and environments, accommodate different testing methodologies, and remain flexible to adapt to organizational processes and quality standards.

The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...

kalichargn70th171

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf

VishalKumarJha10

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

At TECUNIQUE, we're a stable and steadily growing Indian software services company with over 14 years of industry experience. Specializing in offshore software development and quality assurance services, we've built a reputation for delivering unique and effective solutions to start-ups, software development companies, enterprises, and digital agencies. We pride ourselves on our commitment to excellence and innovation. By blending insightful business domain knowledge with exceptional technical prowess, we craft tailor-made solutions that meet the unique needs of our clients. Our dedicated teams are adept in specific technologies, ensuring seamless integration of skills and delivering reliable, scalable, and high-quality software solutions aligned with our clients' preferences. Bespoke Dedicated Teams: Crafted to meet your specific needs and technology preferences, our dedicated teams are committed to delivering top-notch software solutions. Offshore Software Development: Accelerate your software development and scale up quickly with our 12+ years of expertise in offshore development. Quality Assurance Services: Ensure the quality of your software products with our dedicated teams of experienced QA professionals. IT Staff Augmentation: Overcome skill gaps with our client-centric software team, offering staff augmentation services. Expert Software Services: Unlock our capabilities in custom software development, product development, and quality assurance. Mission and Vision: Our mission at TECUNIQUE is to be the catalyst for our clients' success in the dynamic domain of software development. Rooted in our core values of respect, authenticity, and responsibility, we strive to ease the software outsourcing experience, reducing both time and cost to market for our clients. We envision ourselves as the leading Indian software services company, renowned for our unwavering commitment to excellence and innovation. www.tecunique.com

TECUNIQUE: Success Stories: IT Service provider

mohitmore19

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

InShot proinshot.com stands tall among its peers as the ultimate video editing app, offering simplicity, versatility, and power in one package. With its intuitive interface and comprehensive feature set, InShot caters to both beginners and seasoned editors alike. Whether you're creating content for social media, YouTube, or personal projects, InShot empowers you to unleash your creativity and transform your videos into captivating masterpieces. Join the millions of users who trust InShot https://www.proinshot.com/ for all their video editing needs and discover the difference for yourself!

Exploring the Best Video Editing App.pdf

proinshot.com

Unlocking the Future of AI Agents with Large Language Models

aagamshah0812

XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerrigan, Assured Information Security, Inc.

1. Client Virtualization Toolstack in Go Nicholas Rosbrook, Software Engineer, Assured Information Security Brendan Kerrigan, Principal Software Engineer, Assured Information Security

2. Overview • Introduction • Motivation • Evaluation • Redfield and redctl • Libxl Go (Golang) bindings • Questions

3. Introduction • Brendan Kerrigan – Principal Engineer at Assured Information Security, Inc. • Hypervisors • Graphics virtualization • Embedded • Nicholas Rosbrook – Software Engineer at Assured Information Security, Inc. • Cryptography • VPNs and Networking • Go expert

4. Motivation • We do a lot of client virtualization work • Utilizing hypervisors to do end point security • Mostly OpenXT based products now • OpenXT isn’t the easiest project to work on (10 years of development means there are lots of components) • Sometimes key high-security features can be a hindrance to some use cases • Client virtualization is pretty different than server virtualization • Especially when it comes to toolstacks

5. Evaluation • What’s out there we can leverage? • XenMgr • Libvirt (+ qubectl) • What if we had a clean slate?

6. XenMgr • XenMgr is high friction • Haskell • Esoteric • Tough to find developers • Lots of legacy interfaces that are unexercised and unaudited (audit in progress) • A lot of cryptic code that essentially reads a database and writes an xl config and calls exec/fork • Local and remote APIs are different  • The command line tool is great

7. Libvirt • One layer of abstraction too many • XML domain configurations are too complex • Designed to work with several virtualization technologies – KVM, Xen, LXC, etc. • We want to work with Xen and do it well • Does a lot more than we need it to • There is an existing Go package (developed by DigitalOcean)

8. redctl • Introducing redctl, the client toolstack to our Xen distribution, Redfield • The good: • A client toolstack where remote and local management APIs are unified • Utilize gRPC • Don’t dictate transport (IPv4, IPv6, PV channels, Argo, vsock) • Easy to understand and test language (Go) • Make the command line tool awesome (like XenMgr’s) • The bad: • Still doing exec/fork a lot when dealing with libxl…

9. What is cgo? • Cgo enables Go programs to call C code through a pseudo- package, “C” • Allows access of C types, variables, and functions • E.g. C.size_t, C.stdout, C.printf • The “preamble” • A block comment used to include headers, set CFLAGS, LDFLAGS, etc. • Immediately precedes the import “C” statement

10. What is cgo?

11. What is cgo? • C fields that cannot be expressed in Go are omitted • The C type void* is represented by Go’s unsafe.Pointer • Cannot call C function pointers from Go • There are some restrictions on passing pointers between C and Go

12. Writing a Go Package for libxl • Writing the cgo code by hand is tedious • Cgo is simple enough to make code generation easy • We use c-for-go: https://github.com/xlab/c-for-go • Define translation and generation rules with a YAML configuration file • Accept or ignore symbols, rename variables, apply rules to a given scope, and more

13. Writing a Go Package for libxl

14. Writing a Go Package for libxl • Finally, we need some wrappers…

15. Writing a Go Package for libxl • Instead of:

16. Writing a Go Package for libxl • We want:

17. Future Work • Continue writing wrappers • Trim the size of the package • Integrate into redctl • Upstream • Current fork: https://github.com/enr0n/xen/tree/libxl-go

18. Questions? • https://ainfosec.com • https://gitlab.com/redfield

XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerrigan, Assured Information Security, Inc.

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerrigan, Assured Information Security, Inc.

Similar a XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerrigan, Assured Information Security, Inc. (20)

Más de The Linux Foundation

Más de The Linux Foundation (20)

Último

Último (20)

XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerrigan, Assured Information Security, Inc.