BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Pentabarf//Schedule 0.3//EN
CALSCALE:GREGORIAN
METHOD:PUBLISH
X-WR-CALDESC;VALUE=TEXT:Virtualization and IaaS devroom
X-WR-CALNAME;VALUE=TEXT:Virtualization and IaaS devroom
X-WR-TIMEZONE;VALUE=TEXT:Europe/Brussels
BEGIN:VEVENT
METHOD:PUBLISH
UID:11315@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210206T100000
DTEND:20210206T104500
SUMMARY:KubeVirt opinionated deployment via Hyperconverged Cluster Operator
DESCRIPTION:
KubeVirt enables developers to run containerized applications and virtual machines in a common, shared Kubernetes/OKD/OpenShift environment. An Operator is a method of packaging, deploying and managing a Kubernetes/OpenShift application. The Hyperconverged Cluster Operator is a unified operator that deploys and controls KubeVirt and several adjacent operators in a controlled and opinionated way.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Virtualization and IaaS
URL:https://fosdem.org/2021/schedule/2021/schedule/event/vai_kubevirt_hco/
LOCATION:D.virtualization
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Simone Tiraboschi":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11054@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210206T104500
DTEND:20210206T113000
SUMMARY:KubeVirt: privilege dropping one capability at a time
DESCRIPTION:KubeVirt's architecture is composed of two main components: virt-handler, a trusted DaemonSet running on each node, which operates as the virtualization agent, and virt-launcher, an untrusted Kubernetes pod encapsulating a single libvirt + qemu process.
To reduce the attack surface of the overall solution, the untrusted virt-launcher component should run with as few Linux capabilities as possible.
The goal of this talk is to explain the journey to get there, and the steps taken to drop CAP_NET_ADMIN and CAP_NET_RAW from the untrusted component.
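A practical way to verify that a launcher process really runs without CAP_NET_ADMIN and CAP_NET_RAW is to read the kernel's own view of it in /proc/<pid>/status. The script below is an added example (not code from KubeVirt or from the talk): it decodes the Cap* masks into capability names and reports any forbidden capability that survives in the effective or bounding set. The two status texts are constructed samples, not captured from a real virt-launcher pod; the bit numbers come from <linux/capability.h>.

```python
"""Decode Linux capability masks from /proc/<pid>/status and check that a
process has dropped the capabilities it must not hold.

Added example, not KubeVirt code. The status texts below are constructed.
"""
from __future__ import annotations

# Capability bit numbers from <linux/capability.h>: list index == bit position.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def decode_caps(mask: int) -> set[str]:
    """Turn a capability bitmask into the set of capability names it contains."""
    names: set[str] = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits newer than this table are reported by number, not dropped.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text: str) -> dict[str, set[str]]:
    """Extract CapInh/CapPrm/CapEff/CapBnd/CapAmb from a /proc/<pid>/status dump."""
    sets: dict[str, set[str]] = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            sets[key.strip()] = decode_caps(int(value.strip(), 16))
    return sets


def leaked_caps(status_text: str, forbidden) -> dict[str, list[str]]:
    """Return forbidden capabilities still present in CapEff or CapBnd.

    The bounding set matters as much as the effective set: anything left in
    CapBnd can be regained by exec'ing a file-capability or setuid binary,
    so "dropped" means absent from both.
    """
    sets = parse_status(status_text)
    leaks: dict[str, list[str]] = {}
    for name in ("CapEff", "CapBnd"):
        present = sets.get(name, set()) & set(forbidden)
        if present:
            leaks[name] = sorted(present)
    return leaks


# Constructed samples. 0xa80425fb is the default container runtime capability
# set (14 capabilities, CAP_NET_RAW included); the second mask is the same set
# with bit 12 (CAP_NET_ADMIN) and bit 13 (CAP_NET_RAW) cleared.
BEFORE = (
    "Name:\tqemu-kvm\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)
AFTER = BEFORE.replace("a80425fb", "a80405fb")
FORBIDDEN = ("CAP_NET_ADMIN", "CAP_NET_RAW")

if __name__ == "__main__":
    # On a real node: leaked_caps(open(f"/proc/{pid}/status").read(), FORBIDDEN)
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, leaked_caps(text, FORBIDDEN) or "clean")
```

Run against a live process by feeding it the contents of /proc/<pid>/status of the qemu process inside the launcher pod; an empty result means both the effective and the bounding set are free of the forbidden capabilities.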
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Virtualization and IaaS
URL:https://fosdem.org/2021/schedule/2021/schedule/event/vai_kubevirt_privilege/
LOCATION:D.virtualization
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Miguel Barroso":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11070@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210206T113000
DTEND:20210206T121500
SUMMARY:Leveraging virtio-vsock in the cloud and containers
DESCRIPTION:VM sockets (vsock) enable communication between hosts and VMs. The vsock use cases have grown over the recent years to also cover cloud and containers projects. Andra and Stefano will walk through the details of a set of projects focused on isolation that use vsock as a communication channel. Then they will present debugging tools and further work items for improving and adding new features for vsock.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Virtualization and IaaS
URL:https://fosdem.org/2021/schedule/2021/schedule/event/vai_virtio_vsock/
LOCATION:D.virtualization
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Andra Paraschiv":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Stefano Garzarella":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11229@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210206T121500
DTEND:20210206T130000
SUMMARY:ML inference acceleration for lightweight VMMs
DESCRIPTION:The debate on how to deploy applications, monoliths or microservices, is in full swing. Part of this discussion relates to how the new paradigm incorporates support for accessing accelerators, e.g. GPUs, FPGAs. That kind of support has been made available to traditional programming models over the last couple of decades, and its tooling has evolved to be stable and standardized (e.g. CUDA, OpenCL/OpenACC, TensorFlow, etc.).
On the other hand, what does it mean for a highly distributed application instance (i.e. a Serverless deployment) to access an accelerator? Should the function invoked to classify an image, for instance, link against the whole acceleration runtime and program the hardware device itself? It seems quite counter-intuitive to create such bloated functions.
Things get more complicated when we consider the low-level layers of the service architecture. To ensure user and data isolation, infrastructure providers employ virtualization techniques. However, generic hardware accelerators are not designed to be shared by multiple untrusted tenants. Current solutions (device passthrough, API remoting) impose inflexible setups, present security trade-offs and add significant performance overheads.
To this end, we introduce vAccel, a lightweight framework to expose hardware acceleration functionality to VM tenants. Our framework is based on a thin runtime system, vAccelRT, which is, essentially, an acceleration API: it offers support for a set of operators that use generic hardware acceleration frameworks to increase performance, such as machine learning and linear algebra operators. vAccelRT abstracts away any hardware/vendor-specific code by employing a modular design where backends implement bindings for popular acceleration frameworks and the frontend exposes a function prototype for each available acceleration function. On top of that, using an optimized paravirtual interface, vAccelRT is exposed to a VM's user-space, where applications can benefit from hardware acceleration via a simple function call.
In this talk we present the design and implementation of vAccel on two KVM VMMs: QEMU and AWS Firecracker. We go through a brief design description and focus on the key aspects of enabling hardware acceleration for machine learning inference for lightweight VMs on both x86_64 and aarch64 architectures. Our current implementation supports jetson-inference & TensorRT, as well as Google Coral TPU, while facilitating integration with NVIDIA GPUs (CUDA) and Intel Iris GPUs (OpenCL).
Finally, we present a demo of vAccel in action, using a containerized environment to simplify configuration & deployment.
Operator SDK is a solid foundation for building robust applications for Kubernetes; one such application is the VM import operator (https://github.com/kubevirt/vm-import-operator), which allows Kubernetes administrators to easily import their oVirt-managed virtual machines into KubeVirt. In this talk, the speaker will show how his team used Operator SDK to build the VM import operator and how that operator can be used.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Virtualization and IaaS
URL:https://fosdem.org/2021/schedule/2021/schedule/event/vai_operator_sdk/
LOCATION:D.virtualization
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Jakub Dżon":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10914@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210206T134500
DTEND:20210206T143000
SUMMARY:oVirt monitoring with Grafana & advanced options
DESCRIPTION:In this session, participants will get an overview of the new oVirt monitoring feature with its data warehouse (DWH) and Grafana, its architecture, and a demo. The session will also cover the option of creating new dashboards based on the oVirt DWH schema. For creating new dashboards, attendees should be familiar with SQL querying.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Virtualization and IaaS
URL:https://fosdem.org/2021/schedule/2021/schedule/event/vai_ovirt_monitoring/
LOCATION:D.virtualization
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Shirly Radco":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Aviv Litman":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:11152@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210206T143000
DTEND:20210206T151500
SUMMARY:Serverless Computing with OpenNebula
DESCRIPTION:OpenNebula has recently incorporated a new supported hypervisor: Firecracker. This next generation virtualization technology was launched by AWS in late 2018 and is designed for secure multi-tenant container-based services. This integration provides an innovative solution to the classic dilemma between using containers—lighter but with weaker security—or Virtual Machines—with strong security but high overhead.
Firecracker is an open source technology that makes use of KVM to launch lightweight Virtual Machines—called micro-VMs—for enhanced security, workload isolation, and resource efficiency. It is widely used by AWS as part of their Fargate and Lambda services. Firecracker opens up a whole new world of possibilities as the foundation for serverless offerings that need to deploy containerized critical applications nearly instantly while keeping them in isolation.
OpenNebula is a simple, yet robust, open source platform for building Enterprise Clouds and managing Data Center virtualization. Its integration with public cloud providers offers additional flexibility in creating True Hybrid and Edge infrastructures. By incorporating Firecracker, OpenNebula now provides users with a powerful solution for serverless computing and an alternative, native model for secure container orchestration.
In this talk we will explain the technical details of this integration and will show a live demo on how to easily deploy and orchestrate a composition of Docker Hub images running as Firecracker microVMs on a distributed bare-metal Edge infrastructure.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Virtualization and IaaS
URL:https://fosdem.org/2021/schedule/2021/schedule/event/vai_serverless_opennebula/
LOCATION:D.virtualization
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Christian Gonzalez":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:10896@FOSDEM21@fosdem.org
TZID:Europe-Brussels
DTSTART:20210206T151500
DTEND:20210206T160000
SUMMARY:Severely Debloating Cloud Images with Unikraft
DESCRIPTION:Cloud computing has revolutionized the way we think about IT infrastructure: Another web server? More database capacity? Resources for your artificial intelligence use case? Just spin up another instance and you are good to go. While most cloud images (e.g., AMIs on Amazon EC2) are meant to run a single service (e.g., nginx), for convenience these tend to be built on top of general-purpose OSes and full distributions, often resulting in GB-sized images that sometimes only need to perform a simple task such as serving static web pages. One of the main contributing factors to this status quo is the myriad kernel inter-dependencies, rendering debloating of a Linux kernel image far from trivial. In this talk we will show results from a proof-of-concept deployment on Amazon EC2 using Unikraft, a fully modular library OS that makes it easy to remove unneeded components, and to optimize the remaining ones. On EC2, a Unikraft nginx image is able to outperform an nginx Debian image by 2x in terms of requests/sec when serving static content, all the while consuming 1/6 of the memory (we will show a brief Unikraft demo). Unikraft is an open source Xen Project incubator under the auspices of the Linux Foundation.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Virtualization and IaaS
URL:https://fosdem.org/2021/schedule/2021/schedule/event/vai_cloud_images_unikraft/
LOCATION:D.virtualization
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Simon Kuenzer":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="sharan":invalid:nomail
END:VEVENT
END:VCALENDAR