Note: The following post was authored by Alexander Duyck before leaving Red Hat earlier this month. While Alex will be missed, his work continues in the capable hands of the Networking Services team. To this end, I encourage you to “read on” and learn more about how we’ve turned up the heat on kernel networking with the beta release of Red Hat Enterprise Linux 7.2.
Over the last year I have been working at Red Hat as a part of the Linux Kernel Networking Services Team focused on improving the performance of the kernel networking data path. Prior to working at Red Hat I had worked at Intel as a driver maintainer for their server drivers including ixgbe. This has put me in a unique position to be able to provide tuning advice for both the network stack and the Intel device drivers. Last month, at LinuxCon North America, I gave a presentation that summarizes most of the work that has been done to improve network performance in the last year, and the performance gains as seen by comparing Red Hat Enterprise Linux 7.1 versus an early (alpha) release of Red Hat Enterprise Linux 7.2. The following is a recap of what I covered.
Continue reading “Pushing the Limits of Kernel Networking”
In Architecting Containers Part 1 we explored the difference between user space and kernel space. In this post, we will continue by exploring why the user space matters to developers, administrators, and architects. From a functional perspective, we will explore the connection that both ISV applications and in-house application development have to the user space.
Continue reading “Architecting Containers Part 2: Why the User Space Matters”
Perhaps you’ve been charged with developing a container-based application infrastructure? If so, you most likely understand the value that containers can provide to your developers, architects, and operations team. In fact, you’ve likely been reading up on containers and are excited about exploring the technology in more detail. However, before diving head-first into a discussion about the architecture and deployment of containers in a production environment, there are three important things that developers, architects, and systems administrators need to know
Continue reading “Architecting Containers Part 1: Why Understanding User Space vs. Kernel Space Matters”
What are user namespaces? Sticking with the apartment complex analogy, the numbering of users and groups has historically been the same in every container and in the underlying host, just like public channel 10 is generally the same in every unit in an apartment building.
But, imagine that people in different apartments are getting their television signal from different cable and satellite companies. Channel 10 is now different for each person. It might be sports for one person, and news for another.
Historically, in the Linux kernel, there was a single data structure which held users and groups. Starting in kernel version 3.8
Continue reading “What’s Next for Containers? User Namespaces”
In the year since I first wrote about kpatch, Red Hat’s live kernel patching project for Linux, we’ve been very busy. Here are some of the highlights from the last year of live kernel patching development, and some clues about where we may be headed in the future.
Red Hat Enterprise Linux 7 Special Interest Group
In 2014, we kicked off a kpatch Special Interest Group (SIG) for users who are interested in trying out kpatch in a Red Hat Enterprise Linux 7 environment. We’ve delivered kpatch fixes for several kernel CVEs, allowing users to easily apply fixes to their kernels immediately with no disruption or reboots necessary.
If you’re a Red Hat Enterprise Linux customer and are interested in joining the kpatch SIG
Continue reading “Live Kernel Patching Update”
Red Hat’s Performance Engineering team is responsible for the performance of many of Red Hat’s products. We cover existing products such as Red Hat Enterprise Linux, OpenStack Platform, OpenShift and Red Hat Enterprise Virtualization, as well as newer products like Ceph and CloudForms.
Although these days we contribute extensively to Red Hat’s cloud offerings, Red Hat Enterprise Linux remains a core responsibility as the building block for our ecosystem of customers and partners, plus much of Red Hat’s growing product portfolio.
Prior to beginning efforts on Red Hat Enterprise Linux 7 in earnest
Continue reading “Shaping the Performance of a Linux Distro: Inside Red Hat Enterprise Linux 7”
Having access to quality random numbers is essential for the correct and secure operation of operating systems. Operating systems need random numbers from an entropy pool for a variety of tasks, like creating secure SSH or GPG/PGP keypairs, generating random PIDs for processes, generating TCP sequence numbers, and generating UUIDs.
With Red Hat Enterprise Linux 7 we introduced the virtio RNG (Random Number Generator) device that provides KVM virtual machines access to entropy from the host machine. Red Hat Enterprise Virtualization has also exposed this feature starting with version 3.5. We have since made improvements to Red Hat Enterprise Linux guests to make the feature easier and more straightforward to use.
A Brief Introduction to virtio and Paravirtualized Devices
virtio is the paravirtualized transport framework for KVM virtual machines. Using the virtio framework, new devices can be
Continue reading “Red Hat Enterprise Linux Virtual Machines: Access to Random Numbers Made Easy”
Red Hat Enterprise Linux 7 Atomic Host Beta is an operating platform that is optimized and minimized to run containers. It packages key components of Red Hat Enterprise Linux 7 such as SELinux, systemd, and tuned with the kernel to facilitate running containers in a secure and optimized manner. It also offers Kubernetes and Docker to facilitate the rapid creation, deployment, and orchestration of containers – simplifying the life cycle management of applications and systems.
Containers allow users to put applications and all of their runtime dependencies into secure packages that are both easy to deploy and easy to manage. Containers are also portable, and images of a given container can be copied and replicated to other systems. Since containers are isolated from each other and from the host OS, libraries and application binaries can be updated individually without affecting other containers or the host OS (and vice versa).
The following video mirrors the demo as presented
Continue reading “Performance Testing Red Hat Enterprise Linux 7 Atomic Host Beta on Amazon EC2”
Distributed Denial of Service (DDoS) attacks are becoming increasingly commonplace as business becomes more and more dependent on delivering services over the Internet. One of the most common types of DDoS attacks is the well-known SYN-flood attack. It is a basic end-host resource attack designed to bring your server to its knees. As a result, your server is unable to properly handle any new incoming connection requests.
Recently at DevConf.cz 2014, I gave a talk focusing on how you can survive TCP SYN-flooding attacks by implementing some recently developed kernel-level Netfilter/iptables defense mechanisms. In this post I will provide a more condensed version of the talk, highlighting how you can use these same techniques to protect your servers running Red Hat Enterprise Linux 7 Beta.
Continue reading “Mitigate TCP SYN Flood Attacks with Red Hat Enterprise Linux 7 Beta”
The advent of any new technology tends to generate a lot of excitement. Over the course of my career, however, I have never experienced “a buzz” like what we are seeing around Linux containers: application packaging and isolation, with containerized applications built in the Docker format. From my perspective, the ways in which containers may influence our ever evolving technological ecosystem are, quite possibly, limitless…okay, limitless may be strong, and while “game changing technology” may sound cliché, it’s not far from the truth in this case.
Continue reading “The Application Apartment Complex: Red Hat Enterprise Linux & Linux Containers”