Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled...
Transcript of Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled...
![Page 1: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/1.jpg)
Next GenerationCloud-enabled Architectures
2016 New York State Cyber Security Conference
Michael Corley
Sean Bird
Quanterion Solutions Inc. (QSI)
June 8th 2016
![Page 2: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/2.jpg)
Overview
1. What is Cloud? Deployment Types: Public, Private, Hybrid Traditional Service Models: IaaS, PaaS, SaaS Well-known Providers
2. Virtualization – The heart of Infrastructure as a Service (IaaS) Flavors of virtualization
o Challenges and Limitations Hypervisors and Virtualization
OpenStack
3. The Next Generation Cloud Unikernels Containers
Docker Micro-services Orchestration
4. Tools of the Cloud Management and Administration Orchestration Security
5. QSI Cloud Experimentation
6. Questions and Discussion
![Page 3: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/3.jpg)
What is Cloud?
An adoption of Service Oriented Architecture (SOA) principles used to provide and manage computing resources through integrated service layers.
The Traditional Cloud Deployment models
• Public Cloud• Computing resources made available to the public (multiple organizations),
by a 3rd party provider over the Internet (on-demand)
• Security Constraints • Multi-tenant • Limited Control
• Can’t access the hardware, affect performance/storage location, etc.
• Difficult or impossible to achieve compliance requirements (PCI/SOX)
![Page 4: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/4.jpg)
What is Cloud? Cont. Private Cloud Computing resources available to a single organization Dedicated Hardware (single-tenant environment) Security Constraints Better Control Dedicated Resources (on-premises), Performance Customization, Custom remote/local access
Security: Easier to achieve compliance requirements (PCI/SOX)
Goals• Consumer
o Cost Effectiveness, scalability, availability, reliability, etc. o Provider
o Make Profits!
![Page 5: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/5.jpg)
Well Known Providers
There are many…
• Amazon EC2/AWS
• Google Cloud Platform
• Microsoft Azure
• Rackspace OpenStack (leading open source)…
• …
![Page 6: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/6.jpg)
Traditional Cloud Service Models
Traditionally an integrated service stack
• IaaS (Infrastructure as a service)
o Abstraction/management service layer over physical infrastructure. Enabled through multilevel virtualization.
• PaaS (Platform as a service)
o Abstraction/management service layer over the of execution environment. Typically provides a tailored operating system, with development tools, and applications
• SaaS (System as Service)
o Abstraction/management service layer over the infrastructure and the platform. End users gain access tailored to fully managed applications and services.
https://en.wikipedia.org/wiki/Cloud_computing#/media/File:Cloud_computing_layers.png
![Page 7: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/7.jpg)
The Heart of IaaS – Virtualization
• IaaS is achieved with Virtualization (traditionally, virtual machines)
• Hardware Virtualization
o Full Virtualization
• Simulation to allows guest operating systems and software to run unmodified.
o Para-virtualization
• A software interface that approximates the underlying hardware. VM guest is modified to use “hooks” provided the interface to communicate directly with the host to improve performance
o Hardware-assisted virtualization
• Support for virtualization in hardware to improve performance
![Page 8: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/8.jpg)
Virtualization – Hypervisors
Hypervisor (VMM) – software that manages VMs
• Type-1 (Bare metal)
o Allow VM guests run directly on the hardware
• Citrix XenServer, Microsoft Hyper-V, VMware ESX/ESXi
• Type-2 (Hosted)
o VM guests run atop a host operating system
• VMware Workstation, VMware Player, VirtualBox and QEMU
• KVM (kernel virtual machine) turns Linux OS into a hypervisor
![Page 9: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/9.jpg)
OpenStack
Leading open source Cloud solution: Rackspace/NASA (2010)
• Interrelated projects that control pools of processing, storage, and networking resources throughout a data center—which users manage through a web-based dashboard, command-line tools, or a RESTful API [1]
o Nova, Glance, Swift, Horizon, Keystone, Neuron, Cinder
• Widely adopted and supported by more than 500 companies
o AT&T, AMD, Avaya, Canonical, Cisco, Citrix, Dell, Dreamhost, EMC, Ericsson, Fujitsu, Go Daddy, Hewlett-Packard, Huawei, IBM, Intel, Internap, Juniper Networks, Mellanox, Mirantis, NEC, NetApp, Nexenta, Oracle, PLUMgrid, Pure Storage, Qosmos, Red Hat, SolidFire, SUSE Linux, VMware, VMTurbo…
Source: https://en.wikipedia.org/wiki/OpenStack
![Page 10: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/10.jpg)
OpenStack Hypervisor Model
https://platform9.com/blog/guide-to-understanding-openstack-esxi/
• libvirt• Is an open source API, daemon, and
management tool for managing platform virtualization
• Widely used in the orchestration layer of hypervisors in the development of a cloud-based solution
Source: https://en.wikipedia.org/wiki/Libvirt
![Page 11: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/11.jpg)
The Next Steps for Cloud…1. Operating-System-level virtualization!
• Process isolation achieved in the OS kernel instead of VM
o “Containers”, think BSD jails (chroot), LXC, Trusted Zones (Solaris)
• Docker - a full ecosystem around Containers
2. Micro-services concept!
• Containers versus Unikernels
o Unikernel – Specialized (single purpose) OS including ONLY the dependencies of necessary to execute an application
• Rumprun, HalVM, ClickOS, MirageOS
3. Challenges/Risks?
Orchestration (Management) and Security is very different!
![Page 12: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/12.jpg)
What’s a “Container”? “Containers” – conceptually similar to VMs, but focus is shifted to the application!
• Share the Host OS: (no hypervisor, no guest OS), LXC, LibContainer, Etc/
• Uses the native system call interface
• In Linux, process Isolation, resource control is achieved through kernel namespaces and cgroups (control groups)
o Applications run in isolation, but run directly on the Host OS (think BSD jails)
o Chief advantage?
• More efficient, and flexible, leading to cost effectiveness
o Risks/Challenges?
• Administration: (control and security is more complex)
• Abstraction is wonderful, but can difficult to troubleshoot when things go wrong
• IT staff and system developers need to adopt new concepts, and think differently about the approach to DevOps
![Page 13: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/13.jpg)
Container Concept
![Page 14: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/14.jpg)
Docker• Leading (service-oriented) “Container” ecosystem for Linux
o Applications run in containers, built from read only images, and managed in “Git-like” registries.
• Public or private: www.dockerhub.com is the official image registry
• Official, public, and private repositories
• Application and dependencies managed in a service stack (layered images)
• Only concern and dependencies of the application
• Each application represents a separate layer
• Only pull the layers missing or changed
• Greatly simplifies application
distribution and deployment!
• Docker Cloud: IaaS Services based on containers
• CaaS (Containers as a Service)
![Page 15: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/15.jpg)
OpenStack (Nova) “Container” HypervisorOrchestration: (libVirt and Docker)
Source: https://wiki.openstack.org/wiki/Docker
![Page 16: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/16.jpg)
Unikernels: Advantages
Specialized, single-address-space (single purpose) machine images constructed by using library operating systems
• Compile high-level language code directly into a specialized machine image
o Advantages: No general purpose OS, specialized code/image needed for the application
• Reduced code size and resource footprint
• Performance optimization, and fast boot times
• shrink the attack surface, and better security
• Transient micro-services concept
• Run directly on a hypervisor, container, or bare-metal hardware
Open source work on Unikernels:
o Rumprun, Clive, HaLVM, MirageOS, IncludeOS
http://unikernel.org/
![Page 17: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/17.jpg)
Unikernels: Risks and Challenges Security
• micro-services based on unikernels are transient, and minimize code to reduce attack surface area, however…
Some unikernels run in privileged mode: (ring 0)
No user/kernel boundary as with traditional OS
May rely on the hypervisor for multi-tenacy
A good choice might be to run unikernels in “Containers”*
*http://www.linuxjournal.com/content/unikernels-docker-and-why-you-should-care
![Page 18: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/18.jpg)
Unikernels: Risks and Challenges Administration and management is difficult!
1. Transience (“Hello?? Are you alive?)
• System instance exists only long enough to service a request!
• Affects current administration practices/ policy implementation.
• e.g. patch the webserver! But wait…webserver only exists long enough to service a single request!!
• Need for Orchestration!!!
• Lots of approaches for provisioning the appropriate Orchestration/management layers.
• Challenge?
• Visibility! Higher layers can’t see problems at lower layers
![Page 19: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/19.jpg)
The Toolbox
• Amazon ECS
• Azure Container Service
• Diego
• CoreOS Fleet
• Docker Swarm
• Google Container Engine
• Kubernetes
• Mesospehere
• Nomad
• Universal Control Plane
• Kitematic
• Weave
• Powerstrip
• Flocker
• Helios
• Rkt
• LXD
• Mesos
• Deis
• Osv
• OpenStack
• Marathon
• Shipyard
• GCE
• DNT
• Libnetwork
• wagl
Many disparate tools and approaches for the achieving the management and control required for containers and micro-service based applications to operate reliably in Cloud deployments.
![Page 20: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/20.jpg)
Tools – The Legos of the Cloud
Mike Metral https://getcarina.com/docs/best-practices/container-technologies-orchestration-clusters/
![Page 21: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/21.jpg)
Container Engines
Docker (from Docker)
• Most widely used
Rocket ( from CoreOS)
• Aimed to be “more secure” – Signed images, User/root separation
• Uses existing init systems
LXD (From Canonical)
• REST API access
• More “VM Like” - OS container vs Application container
o Docker container hosts
![Page 22: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/22.jpg)
OrchestrationMain goal: To provide automated container management as well as guarantees for multi-container services and container engines.
Marathon with Apache Mesosphere(Scheduler) and DC/OS
• Multiple physical node scaling (treated as one machine)
Kubernetes (Google Inc.)
• Large scale service oriented design
• “Self-Healing” services and Load balancing
Swarm (Docker)
• Standard basic clustering tool
• Native Docker API for third party tool integration
https://docs.mesosphere.com/overview/https://github.com/coreos/fleet/blob/master/Documentation/fleet-k8s-compared.md
![Page 23: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/23.jpg)
Rancher/RancherOS
Host-Cluster Management
“Service” Management
• Orchestration inside orchestration
• Rancher Cattle, Docker Swarm, Kubernetes, Apache Mesos
Security Management
• Access Control
o Active Dir, OpenLDAP, GitHub, Rancher local
• Certificate management
Log Management
Registry Management
![Page 24: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/24.jpg)
![Page 25: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/25.jpg)
Security Inherited risks with chroot
• Secondary chroots back into main filesystem
• Privilege escalations (breaking out of jail)
o Docker Daemon runs as root
o Spawning processes with root privileges from within chroot “jail”
• Local network access
• Arbitrary code execution
Linux capabilities
• Allow granular specification of user abilities
o Example: use of CAP_NET_BIND_SERVICE to bind to TCP port 80
• Containers <= half of root capabilities
• Bound to application needs
https://access.redhat.com/blogs/766093/posts/1975883https://en.wikipedia.org/wiki/Chroot#Limitationshttps://www.blackhat.com/docs/eu-15/materials/eu-15-Bettini-Vulnerability-Exploitation-In-Docker-Container-Environments.pdf
![Page 26: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/26.jpg)
Security Continued
Uses Linux namespaces and cgroups to mandate resource constraints
• Docker creates a set of namespaces for each container, isolating it from all the other running applications
• Uses cgroups to limit resource consumption/access
Container image validation
• Images decompress as root process
• No current security check of official/non-official images by Dockers (as of yet)
https://access.redhat.com/blogs/766093/posts/1975883https://en.wikipedia.org/wiki/Chroot#Limitationshttps://www.blackhat.com/docs/eu-15/materials/eu-15-Bettini-Vulnerability-Exploitation-In-Docker-Container-Environments.pdf
![Page 27: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/27.jpg)
Experimentation with Containers (QSI)
![Page 28: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/28.jpg)
Rancher vs Rancher OS
Linux System Kernel
User Container
s
System Docker Engine
User Docker Engine
RancherManager User
Container
s
User Container
s
User Container
s
User Container
s
User Container
s
System Container
System Container
System Container
Physical Machine 2
Xen Hypervisor
Linux Virtual Machine
Docker Engine
RancherManager
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Container Environment
Physical Machine 1
![Page 29: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/29.jpg)
Rancher Orchestration (Elasticsearch)
Xen Hypervisor
Linux Virtual Machine
Docker Engine
RancherManager
Container Environment
Physical Machine 1
Xen Hypervisor
Linux Virtual Machine
Docker Engine
RancherManager
Container Environment
Physical Machine 2
Managed Rancher Network
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elastic
Elasticsearch Cluster
![Page 30: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/30.jpg)
Hardware
Xen (Type-1) HypervisorPhysical Location #1
Hardware
Xen (Type-1) Hypervisor(Physical Location #2
E E EE E
E E EE E
E E EE E
E E EE E
E E EE E
E E EE E
E E EE E
E E EE E
EE E EE
EE E EE
Xen Center (Resource Pool Interface)
Rancher(Orchestration / Control Point)
Overlay Network
Linux VM Linux VM Linux VM Linux VM Linux VM DDDDD
D -- Docker daemon
E -- Elasticsearch instance QSI Cloud Experiments
![Page 31: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/31.jpg)
![Page 32: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/32.jpg)
![Page 33: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/33.jpg)
VM_NET (eth0)
Virtual Machine (VM) Node: Mint 17.1
X
Xtap0
X NIC (ethO)
X X X X X X X XXbridge0
Container 1
Container 9
Container 5Container 4Container 3Container 2
Container 6 Container 7 Container 8
Physical interface
Ubuntu 14.04base image
Base image: Ubuntu 14.04
Layer 1: Qemu
Layer 2: Windows 7Windows
image Base image: Ubuntu 14.04
Layer 1: Firebox Firefox image
![Page 34: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/34.jpg)
Virtualization Inception
XContainer 1
XX
eth0 tap0
VM_NET (eth0)
X XX
eth0 tap0
br0
QEMU QEMU
Hardware Emulation (x86 Intel) X
Container 2
X
Virtual Machine (VM) Host
X
X
X
br0
tap0
br0 Xtap1
E1000 NIC NIC
XNIC (eth0)
qemu-system-x86_64 -m 8192 -vnc :2 –net nic,vlan=0,macaddr=00:80:7F:31:41:72,model=e1000 -net tap,vlan=0,ifname=tap0,script=/etc/qemu-ifup -usbdevice tablet [windows-image.qcow2] | [android-image.qcow2]
Hardware Emulation (x86 Intel)
Hypervisor
![Page 35: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/35.jpg)
XContainer 1
XX
eth0 tap0
VM_NET (eth0)
X XX
eth0 tap0
br0
Container 3
Virtual Machine (VM) Host
X
X
X
br0
tap0
br0Xtap1
XNIC (eth0)
X tap0XX
eth0
br0
X
Container 2
![Page 36: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/36.jpg)
Applications as a Stack of Layers
XenServer Hypervisor
Linux Virtual Machine
Docker Engine
Base Image: Bins/Libs /Dependencies
QEMU (Bin)
Windows OS Guest
Image Layers
QEMU: Machine Hardware Configuration 1
Mac OS Guest
QEMU: Machine Hardware Configuration 2
• Update respective layers to extend new machine hardware and Operating System type
• Running container instance: build from image
• Shares host OS with other containers
![Page 37: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/37.jpg)
![Page 38: Next Generation Cloud-enabled Architectures 2016 · PDF fileNext Generation Cloud-enabled Architectures 2016 New York State Cyber Security Conference. Michael Corley. Sean Bird. Quanterion](https://reader031.fdocuments.in/reader031/viewer/2022022502/5aae8b707f8b9adb688c823b/html5/thumbnails/38.jpg)
Thank You!Questions and Discussion?