BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Pentabarf//Schedule 0.3//EN
CALSCALE:GREGORIAN
METHOD:PUBLISH
X-WR-CALDESC;VALUE=TEXT:Containers devroom
X-WR-CALNAME;VALUE=TEXT:Containers devroom
X-WR-TIMEZONE;VALUE=TEXT:Europe/Brussels
BEGIN:VEVENT
METHOD:PUBLISH
UID:10255@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T103000
DTEND:20200201T105000
SUMMARY:Podman - The Powerful Container Multi-Tool
DESCRIPTION:
 Podman is the container management tool of your choice when it comes to boosting day-to-day development tasks around containers. The journey of Podman started as a drop-in replacement for docker, but nowadays it's even more than just that. For example, Podman is capable of managing pods, running containers without being root and supports fine-grained configuration possibilities.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_podman/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Sascha Grunert":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10316@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T105500
DTEND:20200201T111500
SUMMARY:Lazy distribution of container images
DESCRIPTION:The biggest problem of the OCI Image Spec is that a container cannot be started until all the tarball layers are downloaded, even though more than 90% of the tarball contents are often unneeded for the actual workload.
 This session will show state-of-the-art alternative image formats, which allow runtime implementations to start a container without waiting for all its image contents to be locally available.
 Especially, this session will put focus on CRFS/stargz and its implementation status in containerd (https://github.com/containerd/containerd/issues/3731). The plan for BuildKit integration will be shown as well.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_lazy_image_distribution/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Akihiro Suda":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10501@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T112000
DTEND:20200201T115000
SUMMARY:BPF as a revolutionary technology for the container landscape
DESCRIPTION:BPF as a foundational technology in the Linux kernel provides a powerful tool for systems developers and users to dynamically reprogram and customize the kernel to meet their needs in order to solve real-world problems and without having to be a kernel expert. Thanks to BPF we have come to the point to overcome having to carry legacy accumulated over decades of development grounded in a more traditional networking environment that is typically far more static than your average Kubernetes cluster. In the age of containers, they are no longer the best tool for the job, especially in terms of performance, reliability, scalability, and operations. This talk provides a few examples of how BPF allows us to rethink container networking based on recent work we did in Cilium. Among others, the audience will learn about running a fully functioning Kubernetes cluster without iptables, Netfilter and thus without kube-proxy in a scalable and secure way with the help of BPF and Cilium.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_bpf/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Daniel Borkmann":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10335@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T115500
DTEND:20200201T121500
SUMMARY:Kata Containers on openSUSE
DESCRIPTION:Kata Containers provide a secure container runtime offering an experience close to that of native containers, while providing stronger workload isolation and host infrastructure security by using hardware virtualization technology. This is particularly useful when containers are used to host and run third-party applications. In this presentation, after a short intro to Kata, we will demonstrate how easy it is to install and use on openSUSE. We will show it in action both as part of a podman setup as well as within a full-featured Kubernetes environment.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_kata/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Ralf Haferkamp":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10418@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T122000
DTEND:20200201T125000
SUMMARY:Evolution of kube-proxy
DESCRIPTION:Kube-proxy enables access to Kubernetes services (virtual IPs backed by pods) by configuring client-side load-balancing on nodes. The first implementation relied on a userspace proxy which was not very performant. The second implementation used iptables and is still the one used in most Kubernetes clusters. Recently, the community introduced an alternative based on IPVS. This talk will start with a description of the different modes and how they work. It will then focus on the IPVS implementation, the improvements it brings, the issues we encountered and how we fixed them as well as the remaining challenges and how they could be addressed. Finally, the talk will present alternative solutions based on eBPF such as Cilium.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_k8s_kube_proxy/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Laurent Bernaille":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:9288@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T125500
DTEND:20200201T131500
SUMMARY:Container Live Migration
DESCRIPTION:The difficult task to checkpoint and restore a process is used in many container runtimes to implement container live migration. This talk will give details how CRIU is able to checkpoint and restore processes, how it is integrated in different container runtimes and which optimizations CRIU offers to decrease the downtime during container migration.
 In this talk I want to provide details of how CRIU checkpoints and restores a process: starting from ptrace() to pause the process, how parasite code is injected into the process to checkpoint the process from its own address space, how CRIU transforms itself into the restored process during restore, and how SELinux and seccomp are restored.
 I want to end this talk with an overview of how CRIU is integrated in different container runtimes to implement container live migration.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_live_migration/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Adrian Reber":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10542@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T132000
DTEND:20200201T134000
SUMMARY:Supervising and emulating syscalls
DESCRIPTION:Recently the kernel landed seccomp support for SECCOMP_RET_USER_NOTIF which enables a process (supervisee) to retrieve an fd for its seccomp filter. This fd can then be handed to another (usually more privileged) process (supervisor). The supervisor will then be able to receive seccomp messages about the syscalls having been performed by the supervisee.
 We have integrated this feature into userspace and currently make heavy use of this to intercept mknod(), mount(), and other syscalls in user namespaces aka in containers. For example, if the mknod() syscall matches a device in a pre-determined whitelist the privileged supervisor will perform the mknod syscall in lieu of the unprivileged supervisee and report back to the supervisee on the success or failure of its attempt. If the syscall does not match a device in a whitelist we simply report an error.
 This talk is going to show how this works and what limitations we run into and what future improvements we plan on doing in the kernel.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_syscall_emulation/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Christian Brauner":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10149@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T134500
DTEND:20200201T140500
SUMMARY:Below Kubernetes: Demystifying container runtimes
DESCRIPTION:Today, the task of running containers involves a lot of technologies and levels of abstraction, and it can be difficult to understand, or just to keep up. How do CRI-O and containerd overlap? Does Kata Containers compete with Firecracker? Is there any relationship between OCI and CRI? How many different meanings can "container runtime" have?
 In this talk, we will navigate this treacherous sea of overlapping technologies and acronyms that take care of running container workloads, below Kubernetes all the way down to the Linux kernel. We will present at a high level how these technologies, interfaces and levels of abstraction combine and overlap, and hopefully clarify which are spec vs. implementation, which are complementary, and which are alternative solutions.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_k8s_runtimes/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Thierry Carrez":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:9662@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T141000
DTEND:20200201T144000
SUMMARY:Linux memory management at scale
DESCRIPTION:Memory management is an extraordinarily complex and widely misunderstood topic. It is also one of the most fundamental concepts to understand in order to produce coherent, stable, and efficient systems and containers, especially at scale. In this talk, we will go over how to compose reliable memory heavy, multi container systems that can withstand production incidents, and go over examples of how Facebook is achieving this in production at the cutting edge. We'll also go over the open-source technologies we're building to make this work at scale in a density that has never been achieved before.
 We will go over widely-misunderstood Linux memory management concepts which are important to site reliability and container management with an engineer who works on the Linux kernel's memory subsystem, busting commonly held misconceptions about things like swap and memory constraints, and giving advice on key and bleeding-edge kernel concepts like PSI, cgroup v2, memory protection, and other important container-related topics along the way.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_memory_management/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Chris Down":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10578@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T144500
DTEND:20200201T150500
SUMMARY:Running full Linux systems in containers, at scale
DESCRIPTION:LXD is a system container manager, its goal is to safely run full Linux systems at very high density and low overhead. Containers may be created from pre-made images, covering most Linux distributions, or by importing an existing virtual machine or physical system.
 Advanced resource control and device passthrough is available to expose as much or as little system resources to those containers. Snapshot and backup tooling is available to safeguard those containers and data. Storage pools and networks can be used to offer a variety of storage and network options to the containers.
 Management happens through a REST API with a default CLI client. LXD has built-in support for clustering which makes it trivial to scale a deployment to dozens of servers, all acting as one virtual LXD server.
 In this presentation, we'll go over LXD's main features through a demonstration including usage of LXD's clustering abilities, running a variety of Linux distributions and converting existing systems to containers.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_lxd/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Stéphane Graber":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10424@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T151000
DTEND:20200201T154000
SUMMARY:How (Not) To Containerise Securely
DESCRIPTION:This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_k8s_security/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Andrew Martin":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10138@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T154500
DTEND:20200201T161500
SUMMARY:Using crio-lxc with Kubernetes
DESCRIPTION:Running application containers within Kubernetes presents a challenge to the operator for quickly handling security updates - every container must be patched, rebuilt and re-tested, and then updated separately. The slowest dev turnaround of all your containers is the fastest you can fully update your cluster.
 However, for many fixes, the application likely will not care which compatible version of a system library it is using. Using AtomFS, operators can update individual libraries inside app containers without a rebuild. Containers using an AtomFS storage backend can simply be restarted after a fix is applied, and they will see it reflected in their filesystems.
 The AtomFS storage backend requires minor changes to your container runtime, and we demonstrate it with the LXC runtime and crio-lxc, an adapter to enable using LXC-based containers in Kubernetes using CRI-O.
 In this talk Tycho will cover how AtomFS works, what changes are needed to make application container builds work with AtomFS, and fix an exploit live without a rebuild.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_k8s_crio_lxc/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Tycho Andersen":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Mike McCracken":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10338@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T162000
DTEND:20200201T164000
SUMMARY:Containers and Steam
DESCRIPTION:The availability of namespaces inside user sessions is increasing, and Valve's Steam game distribution platform is taking advantage of this for better gaming on Linux.
 A recent beta of Steam for Linux adds pressure-vessel, an experimental mechanism developed by Collabora to put games in containers. This gives the game partial isolation from various aspects of the host system, and in particular allows it to use a runtime library stack that is not entangled with the host's, with different games using different runtimes.
 Meanwhile, the unofficial Steam Flatpak app distributed on Flathub puts the entire Steam client and all of its games in a container. This gives the Steam client more thorough isolation from the host system, but all the games have to share that single container.
 In this talk, pressure-vessel developer and Flatpak contributor Simon McVittie will compare the two approaches and the challenges they encounter, and look at where Steam containers might go in the future.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_steam/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Simon McVittie":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10187@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T164500
DTEND:20200201T171500
SUMMARY:Distributed HPC Applications with Unprivileged Containers
DESCRIPTION:We will present the challenges in doing distributed deep learning training at scale on shared heterogeneous infrastructure. At NVIDIA, we use containers extensively in our GPU clusters for both HPC and deep learning applications. We love containers for how they simplify software packaging and enable reproducibility without sacrificing performance. Docker is a popular tool for running application containers on Linux, and while it is possible to enable container workflows for users by granting them access to the docker daemon, the security impact needs to be carefully considered, especially in a shared environment. Relying on docker for the container runtime also requires a large amount of complicated boilerplate code to start multi-node jobs using the Message Passing Interface (MPI) for communication. In this presentation, we will introduce a new lightweight container runtime inspired from LXC and an associated plugin for the Slurm Workload Manager. Together, these two open-source projects enable a more secure architecture for our clusters, while also enabling a smoother user experience with containers on multi-node clusters.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_hpc_unprivileged/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Felix Abecassis":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Jonathan Calmels":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:9091@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T172000
DTEND:20200201T174000
SUMMARY:Kubernetes on ARM64
DESCRIPTION:Building a Kubernetes cloud using Raspberry Pi 4. The RPI4/4G offers enough memory and CPU to build an educational Kubernetes cluster. The presentation will show how to put the pieces together to get an Apache Tomcat operator to deploy a small web application in the built RPI4 Kubernetes cloud.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_k8s_arm64/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Jean-Frederic Clere":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10400@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T174500
DTEND:20200201T180500
SUMMARY:Inspektor Gadget and traceloop
DESCRIPTION:I will present Inspektor Gadget and traceloop, a tracing tool to trace system calls in cgroups or in containers using BPF and overwritable ring buffers.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_bpf_tracing/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Alban Crequy":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10222@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T181000
DTEND:20200201T183000
SUMMARY:Extending and embedding: containerd project use cases
DESCRIPTION:Over the past year, projects looking to extend and embed core container runtime functionality have looked to containerd and its clean API and extension points as a valuable resource. In this talk we'll look at the projects which have extended or embedded containerd for specific use cases and how containerd has enabled these uses via its design. We will also do a brief project update for the broader container ecosystem and community.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_containerd/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Phil Estes":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:9386@FOSDEM20@fosdem.org
TZID:Europe-Brussels
DTSTART:20200201T183500
DTEND:20200201T190000
SUMMARY:CANCELLED A way of GPU virtualization for container
DESCRIPTION:Please note that this talk has been cancelled as the speaker is unfortunately unable to attend FOSDEM.
 Containers are widely used in clouds due to their lightweight and scalability. GPUs have powerful parallel processing capabilities that are adopted to accelerate the execution of applications. In a cloud environment, containers may require one or more GPUs to fulfill the resource requirement of application execution, while on the other hand exclusive GPU resource of a container usually results in underutilized resource. Therefore, how to share GPUs among containers becomes an attractive problem to cloud providers. In this presentation, we propose an approach, called vCUDA, to sharing GPU memory and computing resources among containers. vCUDA partitions physical GPUs into multiple virtual GPUs and assigns the virtual GPUs to containers as requested. Elastic resource allocation and dynamic resource allocation are adopted to improve resource utilization. The experimental results show that vCUDA only causes 1.015% of overhead on average and it effectively allocates and isolates GPU resources among containers.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2020/schedule/2020/schedule/event/containers_gpu_virtualization/
LOCATION:UD2.208 (Decroly)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Shengbo Song":invalid:nomail
END:VEVENT
END:VCALENDAR
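The seccomp user-notification flow sketched in the "Supervising and emulating syscalls" abstract above (the supervisee installs a filter that returns SECCOMP_RET_USER_NOTIF, hands the resulting listener fd to a more privileged supervisor, and the supervisor performs the mknod on its behalf when the device is on an allow-list, otherwise reports an error), as an added example that is not part of the FOSDEM schedule and not the speaker's or LXC/LXD's code. Assumptions: glibc on Linux with 5.0-or-later UAPI headers and kernel; the fd is passed over a socketpair with SCM_RIGHTS; only mknodat() with AT_FDCWD and an absolute path is emulated; the device allow-list and the /tmp/demo-* paths are constructed for the demo; a production filter would also check seccomp_data.arch and trap the legacy mknod() syscall where the architecture has one.

```c
/* Added example, not code from the talk or its speakers: a minimal seccomp user-notification supervisor
 * that performs mknodat() for an unprivileged supervisee when the device is on a constructed, hypothetical
 * allow-list. Assumes glibc and Linux >= 5.0 UAPI headers (SECCOMP_RET_USER_NOTIF). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Constructed allow-list of character devices: null, zero, full, random, urandom. */
static const struct { unsigned maj, min; } allowed_devs[] = {{1, 3}, {1, 5}, {1, 7}, {1, 8}, {1, 9}};
/* Policy: only allow-listed character devices; block devices, FIFOs etc. are refused with EPERM. */
int mknod_allowed(mode_t mode, unsigned maj, unsigned min) {
    if (!S_ISCHR(mode)) return 0;
    for (size_t i = 0; i < sizeof allowed_devs / sizeof *allowed_devs; i++)
        if (allowed_devs[i].maj == maj && allowed_devs[i].min == min) return 1;
    return 0;
}
/* Pass the listener fd from supervisee to supervisor over a Unix socket (SCM_RIGHTS). */
static int send_fd(int sock, int fd) {
    char c = 0, cbuf[CMSG_SPACE(sizeof fd)] = {0};
    struct msghdr m = { .msg_iov = (struct iovec[]){{ &c, 1 }}, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&m);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(cm), &fd, sizeof fd);
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}
static int recv_fd(int sock) {
    char c, cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr m = { .msg_iov = (struct iovec[]){{ &c, 1 }}, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm; int fd;
    if (recvmsg(sock, &m, 0) != 1 || !(cm = CMSG_FIRSTHDR(&m)) || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}
/* Supervisee: trap mknodat() to the listener, allow everything else. */
static int install_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mknodat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof *prog, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;  /* required for unprivileged seccomp() */
    return (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &fprog);
}
/* Supervisor: emulate one mknodat(dirfd, path, mode, dev). Returns 0 on success or an errno value. */
static int emulate_mknodat(int lfd, const struct seccomp_notif *req) {
    const __u64 *a = req->data.args;
    char path[4096], procmem[32];
    if ((int)a[0] != AT_FDCWD) return EPERM;               /* dirfd-relative paths are not emulated here */
    if (!mknod_allowed((mode_t)a[2], major(a[3]), minor(a[3]))) return EPERM;
    snprintf(procmem, sizeof procmem, "/proc/%u/mem", req->pid);
    int mfd = open(procmem, O_RDONLY);                     /* the path string lives in the supervisee */
    ssize_t n = mfd < 0 ? -1 : pread(mfd, path, sizeof path - 1, (off_t)a[1]);
    if (mfd >= 0) close(mfd);
    if (n <= 0) return EFAULT;
    path[n] = '\0';
    /* Re-validate after touching memory: if the supervisee died and its pid was reused, the bytes
     * just read belong to an unrelated process and must be discarded (the user_notif TOCTOU). */
    if (ioctl(lfd, SECCOMP_IOCTL_NOTIF_ID_VALID, &(__u64){req->id}) < 0) return ENOENT;
    if (strlen(path) == (size_t)n || path[0] != '/') return EPERM;  /* unterminated, or relative to its cwd */
    return mknod(path, (mode_t)a[2], makedev(major(a[3]), minor(a[3]))) == 0 ? 0 : errno;
}
/* Supervisor loop: answer requests until the supervisee exits (poll + WNOHANG, because a blocking
 * RECV does not return when the last filtered task goes away on older kernels). */
static void supervise(int lfd, pid_t child) {
    struct pollfd pfd = { .fd = lfd, .events = POLLIN };
    while (waitpid(child, NULL, WNOHANG) == 0) {
        struct seccomp_notif req = {0};                    /* RECV insists on a zeroed struct */
        struct seccomp_notif_resp resp = {0};
        if (poll(&pfd, 1, 100) <= 0 || !(pfd.revents & POLLIN)) continue;
        if (ioctl(lfd, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0) continue;
        resp.id = req.id;
        resp.error = -emulate_mknodat(lfd, &req);          /* 0 = success; -errno is what the supervisee sees */
        ioctl(lfd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
    }
}
int main(void) {
    int sv[2], lfd, r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    pid_t child = fork();
    if (child == 0) {                                      /* supervisee */
        if ((lfd = install_filter()) < 0 || send_fd(sv[1], lfd) < 0) { perror("seccomp"); _exit(1); }
        /* From here on every mknodat() is decided by the supervisor. */
        r = mknodat(AT_FDCWD, "/tmp/demo-null", S_IFCHR | 0666, makedev(1, 3));
        printf("mknodat /tmp/demo-null (1,3): %s\n", r ? strerror(errno) : "ok");
        r = mknodat(AT_FDCWD, "/tmp/demo-sda", S_IFBLK | 0600, makedev(8, 0));
        printf("mknodat /tmp/demo-sda (8,0): %s\n", r ? strerror(errno) : "ok");
        unlink("/tmp/demo-null"); fflush(stdout); _exit(0);
    }
    if ((lfd = recv_fd(sv[0])) < 0) { perror("recv_fd"); return 1; }
    supervise(lfd, child);
    return 0;
}
```

Build with `cc -o notif notif.c` and run it as root (or wherever the supervisor holds CAP_MKNOD) to see the first mknodat succeed even though the supervisee itself is filtered; run unprivileged, the supervisor's own mknod() fails and that errno is what the supervisee gets back, while the (8,0) block device is refused by policy with EPERM in both cases. The supervisor here acts in its own mount namespace and cwd, which is why relative and dirfd-based paths are rejected; a real implementation enters the supervisee's namespaces before acting, which is the kind of limitation the abstract alludes to, and newer kernels add SECCOMP_USER_NOTIF_FLAG_CONTINUE (5.5) and SECCOMP_IOCTL_NOTIF_ADDFD (5.9) to let the supervisor fall through to the kernel or inject fds instead of emulating everything itself.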