vpsAdminOS

Video in TIB AV-Portal: vpsAdminOS

Formal Metadata

Title
vpsAdminOS
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
Description: Building a lightweight hypervisor for Linux system containers on top of NixOS and not-os. How we adopted the Nix ecosystem to allow migration of our production infrastructure from OpenVZ to LXC.

Bio: Open-source software and hardware hacker.
Okay, so next up is Richard, and Richard is going to talk about his project called vpsAdminOS. It's a lightweight hypervisor for Linux system containers on NixOS, and I'm looking forward to hearing about it, so another round of applause for Richard.

Thank you very much, welcome to my talk. My name is Richard Marko. A few words about me: I'm a software and hardware hacker, you can find me on GitHub, and some of you might know me as sorki on IRC. This is related to our nonprofit organization called vpsFree. We are based in the Czech Republic and we offer virtual private servers to our members. We started with OpenVZ in 2009; you can find the site of the organization at vpsfree.org. Currently we have one thousand three hundred members and we are running nearly one thousand nine hundred containers. Typically these are eight cores, four gigs of memory and 20 gigs of disk space, and if you need more you can ask for that. These are hosted on much larger machines; currently we host all these containers on only 22 servers plus two storage nodes.

So what's the deal with OpenVZ? OpenVZ is problematic for us. We are currently sitting on OpenVZ 6, which is going to be abandoned very soon; vzctl, which is the tool to configure containers from user space, is already abandoned. Also CentOS 6 is going to reach end of life quite soon. The kernel is 2.6.something, very, very old. And OpenVZ 7 is also problematic for us because there is no process transparency, it's not like OpenVZ 6 anymore, there's no community and there are no sources; it's based on RHEL 7 and we don't want it.

Another issue we started hitting with this old kernel is that some distributions became problematic to upgrade because of some systemd hardening; for example we had to remove SystemCallFilter or MemoryDenyWriteExecute from systemd services so the distributions could boot and work again. Also NixOS on our production nodes is stuck on 17.09, and that's also because of systemd and I think udev as well. While people were debugging this I realized that with NixOS you can actually bisect a live running system, which is like, wow, crazy, and I've actually managed to find the commit. Sometimes you hit commits that are not buildable, but you can mark the revision manually and arrive at the commit which actually breaks everything.

So we started searching for a replacement. We didn't want full VMs, we wanted lightweight containers, and not containers with only one process: we are running a full system inside. We also need reliable isolation for security, so people don't see other people's stuff and they shouldn't be able to do anything to the host. We also need resource isolation, to apply some limits, for example CPU or networking limits if you are overdoing something. Also we need powerful storage; we are a ZFS house, we have people that know ZFS administration. So for mainline Linux, user namespaces are a must for us. What it does is basically remap your PID 1 in a container to some other PID which is not PID 1 on the host system. We also apply some additional protection layers: in LXC you can choose between AppArmor and SELinux. SELinux is problematic because you need the policies for that and there are only a few reference policies; I think Gentoo has some policy. With AppArmor the situation is quite a bit easier, so we chose that, and we also run seccomp in LXC as well to limit some syscalls. So we use LXC. LXC is quite bare bones: it knows how to start the container, but you need to configure all the stuff manually; basically you need to set user mappings, you need to manage networking, you need to manage cgroups. It's quite hard to manage by hand.

Also, powerful storage: as I said, we are a ZFS house, and I've used it because it's the most robust solution. We don't like to lose data; we have backups, but you know, ZFS is much better. Also with new ZFS there's support for native encryption, and we use send and receive for backups heavily. As for administration, currently our systems are managed with Salt; these are basically CentOS 6 nodes running OpenVZ. We decided that we want to go some more pure way, I don't remember the right word, congruent configuration management: we build the live images, you don't have any surprises, you know that what's running is basically what's written in the repository. So we were looking for some foundation to build upon, and we chose NixOS.

NixOS, sorry for the colors, I will skip that. We can build our own software, we don't need other companies to do that for us, thanks to Nix.

So the system is based on NixOS, and it's also based on not-os, thanks to clever. I had the chance to meet you already, so thank you very much for your support and for examples of how to make your own OS on top of nixpkgs. Basically when people ask about the relation to NixOS and not-os, I tell them that nixpkgs is basically one huge repository of packages, and not-os actually uses that. As I said it was made by clever; it's a small runit-based system that compiles down to a 50 megabyte squashfs image. It also supports booting from PXE, actually signed iPXE, which is quite nice, and clever has some examples.

Quite similar to not-os, we also run mainline Linux, LXC and LXCFS. The critical thing for us was that we need to be able to alter any component easily and quickly; we already have some patches on top of the kernel, on top of LXCFS and also on top of ZFS. Currently each node has basically an image built from a single nixpkgs repository. This is deployed with a netboot server which hosts all the images for every node. We also support standalone images, so you can boot from any other media if you don't want to run the full-fledged deployment and reuse nixpkgs in full control. We had some issues; I'm actually quite a heavy user of nixpkgs now, and we have some patches, mostly collected community patches, for example a patch so that we can mix two versions of nixpkgs, so we can deploy NixOS machines and vpsAdminOS machines from one repository. The most important part is the management utility written by our colleague aither, which is very powerful; it manages all the stuff you actually need for running containers, mainly user namespaces, control group management and container management itself. You can manage devices, for example you can add KVM or tap devices. Also we recently added AppArmor profile generation and management, so we can have different AppArmor profiles depending on what's needed. This is important because for example some people are asking about Docker; Docker is quite hard to run on this old kernel on OpenVZ 6, so people were running it in KVM, basically QEMU, and inside there you can do whatever you want, because if you need a new kernel there's no other option. It also does network management; we have two types of network configuration, simple bridge networking and routed networking. It also handles migrations, so if you have an older configuration of your containers, during an update it can update and migrate these configurations, because we need to be able to run the machines for example for half a year without a reboot.

We also provide template repositories; I will show this in the demo. So, a quick start: when you boot the OS, the quick way to actually get a container is these few commands; I will leave this as an exercise for the reader. The first command basically initializes your ZFS pool, then you need to create a user. This mapping means user and group IDs map to these IDs, 5000, and they are offset by 666000, which means that if you look at the container from the host side you will see that it starts at 666000, but from the inside you still have PID 1. So when you have your user you can start the container, for example a NixOS one. What's missing is that you probably want networking; the simplest way is to use the provided bridge, we start lxcbr0 by default and this runs DHCP, by running this simple `netif new bridge` command. I missed an important thing: you don't have to repeat `osctl` over and over again, you can skip it and call subcommands. I recently added tab completion, so this is also quite pleasant to use. And also there's a way to configure routed networking, which we actually use in production, to be able to assign public addresses, public IPv4, to containers. What's cool as well is that we can do nesting of LXC, so we can run containers in containers in containers, or for example we can run KVM, even fully built, inside containers, so there are basically endless possibilities. There's also an example of how to pass a device to a container; this example just passes /dev/kvm. Also there are some batteries included: syslog-ng with TCP forwarding, we use Graylog to collect these logs, it's quite nice. We also use node_exporter and Prometheus with Grafana, BIRD for routing, and NFS to be able to mount network storage. Also quite useful: when you have a node and you need to find some piece of software that is missing, you can just enter nix-shell, and after the shell you can run nix-collect-garbage and the system is like before, there's no cruft left.

So this is all nice, but we would like to migrate the whole cluster, and we need some nodes that will actually have some persistence, because you have a chicken-and-egg problem: you can't netboot when you don't have a netboot server. So our storage nodes will actually be installed. We actually recycled quite large parts of nixos-generate-config and nixos-install; it's interesting that you can take these things and with really small changes you can optionally install this to disk. Also, as I said, we need to be able to update the machines, not only reboot them, because there are like hundreds of people running on them. So we implemented `os-rebuild switch`; this thing also handles runit, restarting running services or reloading running services, and most importantly it reloads LXCFS, which can be signaled and load its new library without actually destroying all your LXCFS mounts. Also if you have the machine installed you can manage it just like NixOS; `os-rebuild` is quite like `nixos-rebuild`. Also we have our own version of declarative containers. These are different to NixOS declarative containers in that they are imported by the osctld daemon on boot; actually the syntax is quite similar, you can define a user as well which the container is running under. How it works is that the images are part of the image the machine boots with, and on boot they are copied to ZFS pools and started. What I want to say is different to nspawn-based declarative containers is that it's not shared with the host. But there's also a way to update all the containers with Nix machinery, so if you build a new version and you want to update your containers you can do that, but they are persisted on the ZFS pool so you can have backups. I actually wanted this feature mainly for testing, so I don't have to start the containers manually when testing stuff. So this is quite handy; there are just a few containers defined and you can try it quite easily. `make qemu` is just a wrapper for nix-build. Just a moment. We actually have our own fork of nixpkgs, but that currently contains one cosmetic patch which adds Ruby man pages. Basically there were like five patches on top of nixpkgs, and most of them are upstream now; I wish we could get rid of the last patch so you can build with upstream nixpkgs as well. Some links: there's very nice documentation on vpsadminos.org, you can find all the little things there, how to set up your machine, how to manage containers. You can check out the repository, the actual OS is under `os/`, and you can talk to us on the NixOS channels or the vpsAdminOS channel. Also recently I've added Hydra; the netboot images for nodes, the public-facing website and all the required node images for the cluster are built with that.

To sum it up: in production currently we have CentOS 6 with this old kernel, and the environment we call staging is vpsAdminOS with Linux 4.18; we call it staging but we currently treat it like production, and I think that next year we'll start migrating quite heavily. Actually the missing feature is that we don't use osctl for our full-fledged admin panel yet, and that's kind of future work, to be able to deploy that as well: it basically talks to a daemon, and when a user creates a new container in the web interface you can define all the properties, networking and so on. Another missing feature is the cloning between the old environment and the new one, which is probably going to be troublesome, but since these are only root filesystem images it should be doable. Also, I mentioned this already, the old cluster was managed by Salt; I feel like it's like unsupportable templating, no comment. I actually use node_exporter and Prometheus; there's one missing thing I don't like about this metrics-based monitoring system: it scrapes the machines periodically, but there is no way to get actual live metrics to your laptop.

Let me find the correct place... my window manager... since Thursday... the presentation... never mind. So I will show you how to actually... yes, I have to use an external keyboard, and also Impress is trolling me quite heavily now. No, oh yeah, there we go.

Okay, so this is the repository. It's actually kind of a monorepo; it contains all the utilities in the `osctl` subfolder, which is actually osctld and also osctl, a command line client that talks to osctld. These are written in Ruby; we are heavy users of bundix as well. There's some tooling, basically a Makefile wrapping nix-build. We also have svctl, which I added recently for managing runit runlevels. The `os` subfolder is quite similar to not-os; we've added a bunch of modules and we reused a bunch of modules from NixOS, for example we need getty, we need PAM, and all the batteries-included stuff I mentioned. So let's just run it: you can build, and after that it boots in a moment. Yeah, so you can see it booting now. We tried to make it easy for people to just run `make qemu` and get a running system to be able to hack on it. I'll SSH into it because the terminal is quite bad. Never mind, stop trolling me today. I will use this. So I have two declarative containers that are defined in the configuration; it actually has some impurity called config.local.nix which you can load with your custom configuration. As you can see it imports a few containers; one is simple, called webserver, so I don't have to create anything. There's actually a motd so you can just copy-paste this. There you can see that we have a running web server and some simple container; both of these are NixOS. I'll switch to some other node where there is more stuff running; you can see that you can run basically any distribution, we try to support the most popular distributions and especially NixOS. For example you can enter the container. Yeah, this one is not running, let's find some... what's this, Alpine, yeah.

So what I want to show you actually: Hydra is fine while you wait for some system to build, and QEMU is just too good for some reason; when you actually test stuff on real hardware, stuff breaks, and there are some race conditions and corner cases. So what I'm trying to do is to create some kind of virtual laboratory where you have machines, and the node is connected via UART to another machine which runs a TCP-to-serial bridge, I won't go into details, so I can just use this console remotely and I can run automation on it. This is a prototype which will actually use nixops to deploy a development configuration, and then it will actually cycle the node, reboot it over the console, and boot. I think I could demo this as well, one minute. I'll just run this; I hope it's not going to build squashfs images again. One last thing: now it's running nixops; after it's done it will switch to the second part, which is actual interaction with the machine. It'll take some time, but meanwhile... never mind the naming, naming is quite hard, but the point is that this is able to scrape the metrics from Prometheus. It's a proof of concept, I rely on some pre-made tools. So this is live, this is actually over HTTP currently, but I want to use another backend for that which I have developed, it's called [unclear], some of you might know it. So that's pretty much it. I'll leave this running so you can see how it works and how we reboot; that allows me basically to deploy software on real nodes. [Applause]

Thank you indeed. Who has questions? Yes.

Hi, very interesting stuff. So you told us that you're generating a PXE image and booting the servers essentially just over the net in an immutable mode, but after that you told us about partitioning the disk and installing the OS anyway. So what is the advantage of installing, when you thought about that?

The real advantage is about not installing. I mean, it's to solve this chicken-and-egg problem: if you have a cluster you need some machine which actually hosts the netboot server. Right now you can use live images, you can actually plug in some USB stick to do that for you, but that's why we want to have an installation, so we can install the OS on two storage nodes for example, and those will host the boot images for the rest of the cluster.

Any other questions? Do we have questions from the internet? I love saying that. Okay, so thank you very much for the interesting talk. [Applause]
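The talk describes the user-namespace ID mapping that vpsAdminOS sets up for each container (IDs inside the container appear on the host offset by 666000). The following is an added example by the editor, not code from the talk or from the vpsAdminOS project: it models the kernel's `/proc/<pid>/uid_map` format ("inside outside count" lines), translates IDs in both directions, rejects overlapping ranges as the kernel does, and checks the security property that matters, that no container ID maps onto host UID 0. The mapping table, the 65536-ID range and the `OVERFLOW_ID` value are constructed for the example; the 666000 offset mirrors the one mentioned in the talk.

```python
"""User-namespace ID translation in the style of /proc/<pid>/uid_map.

Each line is "<inside-id> <outside-id> <count>": IDs inside the namespace in
[inside-id, inside-id+count) appear on the host as [outside-id, outside-id+count).
An ID with no mapping shows up as the overflow ID (65534, "nobody" by default).
Example by the editor; not part of vpsAdminOS.
"""
from dataclasses import dataclass
from typing import List

OVERFLOW_ID = 65534  # kernel default for /proc/sys/kernel/overflowuid (assumed default)

# Constructed mapping: container root (0) becomes host UID 666000, as in the talk.
SAMPLE_UID_MAP = "0 666000 65536\n"


@dataclass(frozen=True)
class IdRange:
    inside: int
    outside: int
    count: int

    def holds_inside(self, id_: int) -> bool:
        return self.inside <= id_ < self.inside + self.count

    def holds_outside(self, id_: int) -> bool:
        return self.outside <= id_ < self.outside + self.count


def _overlap(a_start: int, a_len: int, b_start: int, b_len: int) -> bool:
    return a_start < b_start + b_len and b_start < a_start + a_len


def parse_id_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map text; reject malformed or overlapping ranges
    (the kernel refuses a map whose inside or outside ranges overlap)."""
    ranges: List[IdRange] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"expected 3 fields: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"bad mapping line: {line!r}")
        ranges.append(IdRange(inside, outside, count))
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if _overlap(a.inside, a.count, b.inside, b.count):
                raise ValueError("overlapping inside ranges")
            if _overlap(a.outside, a.count, b.outside, b.count):
                raise ValueError("overlapping outside ranges")
    return ranges


def to_host(ranges: List[IdRange], container_id: int) -> int:
    """Host-side ID for an ID seen inside the container (overflow if unmapped)."""
    for r in ranges:
        if r.holds_inside(container_id):
            return r.outside + (container_id - r.inside)
    return OVERFLOW_ID


def to_container(ranges: List[IdRange], host_id: int) -> int:
    """Container-side ID for a host ID (overflow if the host ID is not mapped in)."""
    for r in ranges:
        if r.holds_outside(host_id):
            return r.inside + (host_id - r.outside)
    return OVERFLOW_ID


def maps_host_root(ranges: List[IdRange]) -> bool:
    """True if some container ID is real host root: the thing a mapping must never do."""
    return any(r.holds_outside(0) for r in ranges)


if __name__ == "__main__":
    m = parse_id_map(SAMPLE_UID_MAP)
    print("container uid 0 -> host", to_host(m, 0))
    print("host uid 666000 -> container", to_container(m, 666000))
    print("host uid 0 seen from container:", to_container(m, 0))
    print("mapping grants host root:", maps_host_root(m))
```

The last check is the one worth running against a real `/proc/<pid>/uid_map`: a range whose outside interval covers 0 means the container's root is the host's root, and the user namespace buys nothing.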