Session
FOSDEM Schedule 2021
Virtualization and IaaS

KubeVirt: privilege dropping one capability at a time

D.virtualization
Miguel Barroso
KubeVirt's architecture is composed of two main components: virt-handler, a trusted DaemonSet running on each node, which operates as the virtualization agent, and virt-launcher, an untrusted Kubernetes pod encapsulating a single libvirt + qemu process.

To reduce the attack surface of the overall solution, the untrusted virt-launcher component should run with as few Linux capabilities as possible.

The goal of this talk is to explain the journey to get there, and the steps taken to drop CAP_NET_ADMIN and CAP_NET_RAW from the untrusted component.

This talk will cover changes in both KubeVirt and libvirt, and assumes some general prior knowledge of networking (DHCP / L2 networking).
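In a Kubernetes pod the capabilities are removed through the container's securityContext.capabilities.drop list, which takes them out of the bounding set as well as the effective set. Whether the drop actually reached the libvirt + qemu process is something worth checking from inside the running pod rather than trusting the manifest. The script below is an added example (not KubeVirt's own code): it decodes the CapEff and CapBnd masks from a /proc/<pid>/status file and reports whether CAP_NET_ADMIN (bit 12) or CAP_NET_RAW (bit 13) survived. The two status files it reads are constructed samples: the masks are assumed values for a root process before and after both capabilities are dropped.

```shell
#!/bin/sh
# Added example, not KubeVirt's code: decode the capability masks from a
# /proc/<pid>/status file and report whether CAP_NET_ADMIN and CAP_NET_RAW are
# still present in the effective set (CapEff) and the bounding set (CapBnd).
# Inside a virt-launcher pod this would be run as, for example,
#   check_net_caps /proc/$(pgrep -o qemu)/status
# Capability numbers are those from <linux/capability.h>.

CAP_NET_ADMIN=12
CAP_NET_RAW=13

# cap_mask FIELD STATUS_FILE -> prints the hex mask for FIELD (CapEff, CapBnd, ...)
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "$2"
}

# has_cap HEXMASK CAPNUM -> exit status 0 if bit CAPNUM is set in HEXMASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# check_net_caps STATUS_FILE -> prints one line per set and exits 1 if either
# capability is still present in either set. The bounding set is checked too:
# a capability left there can be regained through file capabilities or setuid
# binaries even when it is absent from the effective set.
check_net_caps() {
    rc=0
    for field in CapEff CapBnd; do
        mask=$(cap_mask "$field" "$1")
        found=""
        if has_cap "$mask" "$CAP_NET_ADMIN"; then found="$found CAP_NET_ADMIN"; fi
        if has_cap "$mask" "$CAP_NET_RAW"; then found="$found CAP_NET_RAW"; fi
        if [ -n "$found" ]; then
            echo "$field still has:$found"
            rc=1
        else
            echo "$field clean"
        fi
    done
    return $rc
}

# Constructed sample: a root process with the full set (CAP 0..40, mask
# 0x1ffffffffff) before anything is dropped.
SAMPLE_BEFORE=$(mktemp)
printf 'Name:\tqemu-kvm\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n' > "$SAMPLE_BEFORE"
# Constructed sample: the same process after the pod drops both capabilities,
# i.e. bits 12 and 13 cleared (0xffff -> 0xcfff in the low 16 bits).
SAMPLE_AFTER=$(mktemp)
printf 'Name:\tqemu-kvm\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffcfff\nCapEff:\t000001ffffffcfff\nCapBnd:\t000001ffffffcfff\n' > "$SAMPLE_AFTER"

echo "before drop:"; check_net_caps "$SAMPLE_BEFORE" || true
echo "after drop:";  check_net_caps "$SAMPLE_AFTER"
rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

If libcap's capsh is available in the image, `capsh --decode=<hexmask>` prints the same mask as capability names and is a quicker way to eyeball a single value; the script above is useful where the pod image is minimal and only awk and a POSIX shell can be relied on.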

Additional information

Type devroom

More sessions

2/6/21
Virtualization and IaaS
Simone Tiraboschi
D.virtualization
KubeVirt enables developers to run containerized applications and virtual machines in a common, shared Kubernetes/OpenShift environment. An Operator is a method of packaging, deploying and managing a Kubernetes/OpenShift application. The Hyperconverged Cluster Operator is a unified operator deploying and controlling KubeVirt and several adjacent operators in a controlled and opinionated way.
2/6/21
Virtualization and IaaS
D.virtualization
VM sockets (vsock) enable communication between hosts and VMs. The vsock use cases have grown over the recent years to also cover cloud and containers projects. Andra and Stefano will walk through the details of a set of projects focused on isolation that use vsock as a communication channel. Then they will present debugging tools and further work items for improving and adding new features for vsock.
2/6/21
Virtualization and IaaS
Anastassios Nanos
D.virtualization
The debate on how to deploy applications, monoliths or microservices, is in full swing. Part of this discussion relates to how the new paradigm incorporates support for accessing accelerators, e.g. GPUs, FPGAs. That kind of support has been made available to traditional programming models over the last couple of decades and its tooling has evolved to be stable and standardized (e.g. CUDA, OpenCL/OpenACC, TensorFlow etc.).

On the other hand, what does it mean for a highly distributed ...
2/6/21
Virtualization and IaaS
Jakub Dżon
D.virtualization
Operator SDK is a solid foundation for building robust applications for Kubernetes; one such application is the VM import operator (https://github.com/kubevirt/vm-import-operator), allowing Kubernetes administrators to easily import their oVirt-managed virtual machines into KubeVirt. In this talk, the speaker will show how his team used Operator SDK to build the VM import operator and how that operator can be used.
2/6/21
Virtualization and IaaS
Shirly Radco
D.virtualization
In this session, participants will get an overview of the new oVirt monitoring feature, including its data warehouse (DWH) and Grafana, its architecture, and a demo. The session will also cover the option of creating new dashboards based on the oVirt DWH schema. For creating new dashboards, attendees should be familiar with SQL querying.
2/6/21
Virtualization and IaaS
Christian Gonzalez
D.virtualization
OpenNebula has recently incorporated a new supported hypervisor: Firecracker. This next-generation virtualization technology was launched by AWS in late 2018 and is designed for secure multi-tenant container-based services. This integration provides an innovative solution to the classic dilemma between using containers (lighter but with weaker security) or virtual machines (with strong security but high overhead).

Firecracker is an open source technology that makes use of KVM to ...
2/6/21
Virtualization and IaaS
Simon Kuenzer
D.virtualization
Cloud computing has revolutionized the way we think about IT infrastructure: Another web server? More database capacity? Resources for your artificial intelligence use case? Just spin up another instance and you are good to go. While most cloud images (e.g., AMIs on Amazon EC2) are meant to run a single service (e.g., nginx), for convenience these tend to be built on top of general-purpose OSes and full distributions, often resulting in GB-sized images that sometimes only need to perform a ...