1. The document discusses ZeroVM, an open source secure execution environment for running untrusted user code fast and at scale.
2. ZeroVM uses techniques like statically compiled binaries and Linux namespaces to run isolated processes securely, without unnecessary syscalls or the ability to coordinate.
3. ZeroVM images are only 75 KB in size and can spin up processes in 5-35 ms, making it optimized for massively scalable and secure execution across infrastructure.
26. ZeroCloud Use Cases
1. compute on cold files
2. text analysis
3. image & video manipulation
4. auditing
5. embedded
27.
                  | • NaCL                                      | • Linux namespacing (similar to LXC)
environment       | • run isolated processes, securely          | • run isolated apps, conveniently
                  | • execution environment                     | • infrastructure manager
                  | • scale execution                           | • scale deployment
primary context   | • production                                | • deployment
                  | • isolation for restricting things'         | • isolation for layering things on kernel
                  |   access to kernel                          |
strengths         | • determinism                               | • portability
                  |   (executables run the same every time)     |   (server templates run the same anywhere)
                  | • isolation from kernel                     | • ease of use
                  | • disposable processes                      | • ecosystem
                  | • fine-grained metering                     | • abundance of templates & plugins
                  | • embeddable                                | • institutional adoption
                  | • parallelization                           |   (Rackspace, New Relic, Google)
29. Constraints
• x86-64
• cross-compile
• C & Python*
• Deterministic
• Single-threaded
• MapReduce: 1,000 instances**
32. Image Credits
photos via Flickr, under Creative Commons licenses permitting commercial use
"Infinite Box" by rumo_der_wolperdinger
"Pink Balloon" by Alan
"Carroll House Shipping Container Home" by Inhabit Blog
"10,000 Shipping Containers Lost At Sea Each Year" by Paul Townsend
"A-salt-ed!" by JD Hancock
"Eggs" by Pietro Izzo
"debug version 2" by Franz & P
"shake your tail feather" by emdot
"Monster Trucks Live - 29th September 2013" by John5199
"Secure Cloud Computing" by FutUndBeidl
"Door knob with lockbox" by REO
"Engine Arm Aqueduct - BCN Old Main Line - Wolverhampton Level" by Elliott Brown
"One Set of Building Blocks" by Hans and Carolyn
"The pointed arches of al-As" by Asim Bharwani
"Kacao77 & Persue Seventh Letter Exchange Los Angeles Graffiti Art" by A Sin
"128/365 Chilling on the Trampoline" by Leah Tautkute
untitled [Tel N°] by Al King
"NOW! That's What I Call Music." by kozumel
33. Image Credits
from additional sources
"Ketchup" designed by Tom Glass, Jr., from thenounproject.com
Chromium logo by Logonoid
Manta logo by Joyent
"The dark side in a whole new light: Evil Star Wars Stormtrooper photographed in tender scenes with young son" by Kristina Alexanderson, in the Daily Mail
34. Resource Credits
• "Zerovm background" by Prosunjit
Biswas http://www.slideshare.net/
prosunjit/zerovm-background
• "Docker & Containerization:
"Milliseconds Matter" by Ben Golub
http://cloudcomputing.sys-con.com/
node/3073584
• ZeroVM documentation
http://zerovm.org & http://
docs.zerovm.org/
• "Cluster-wide Java/Scala application
deployments with Docker, Chef and
Amazon OpsWorks" by Adam Warski
http://www.warski.org/blog/2014/06/
cluster-wide-javascala-application-
deployments-with-docker-chef-and-
amazon-opsworks/
Editor's Notes
Containers are driving down the overhead that has been necessary for traditional virtualization. But there have been serious tradeoffs made with their adoption. Containerization's resource sharing approach is exposing more of the host system. We're treating higher exposure as an inevitable tradeoff for lower overhead. In multi-tenant environments, that's a heck of a gamble.
ZeroVM is an open source project sponsored by Rackspace. It's easy to talk about ZeroVM & ZeroCloud as if they're interchangeable terms. They're not. ZeroCloud is converged compute built on capabilities provided by ZeroVM. So let's start with looking at that foundation: ZeroVM is simply a generic technology for [READ]:
Validate code, sandbox application processes, parallelize.
In a nutshell: [read]
We'll be walking through each of these characteristics.
Validate & isolate processes (vs. containers isolating apps, or hypervisors isolating OSs).
Validate once, with security guarantees.
NaCl also reduces the number of syscalls available, then hands off to the ZeroVM environment. Essentially ZeroVM is a trampoline: it locks syscalls down to near-zero, then executes each process in isolation.
[Vocabulary sidenote on overloading of term]
Over 100 syscalls in Linux, etc. ZeroVM stubs out nearly all. [READ list]
When we talk about virtualization for the cloud, this is one of those attributes. Most of the kernel doesn't need to be exposed, and it's unwise to. e.g. ZeroVMs cannot access host networking.
The runtime provides a virtual in-memory file system. You can connect to resources on the host, or other ZeroVM instances, only via declared I/O channels. ZRT throws away writes unless you declare a channel for them to persist to.
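The near-zero syscall surface the notes describe, as an added example rather than ZeroVM or NaCl code: the same "stub out nearly all, keep read/write/exit" policy written as a Linux seccomp-BPF allowlist, which goes beyond the page in mechanism (ZeroVM reaches this state through NaCl validation, not seccomp). It assumes a Linux host on x86_64 or aarch64; the function and macro names are the example's own.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)          /* assumption: x86_64 or aarch64 Linux host */
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example supports x86_64 and aarch64 only"
#endif
/* If the syscall number matches, return ALLOW; otherwise fall through. */
#define ALLOW(name) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_##name, 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install the allowlist; every other syscall fails with EPERM instead of
 * reaching the kernel. Returns 0 on success, -1 (errno set) on failure. */
int install_minimal_filter(void) {
    struct sock_filter filter[] = {
        /* Kill outright if the ABI is not the one these numbers belong to. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* Read/write on channels that are already open, plus a clean exit. */
        ALLOW(read), ALLOW(write), ALLOW(exit), ALLOW(exit_group),
        /* Memory and signal plumbing so libc keeps working in-process. */
        ALLOW(brk), ALLOW(mmap), ALLOW(munmap), ALLOW(mprotect), ALLOW(futex),
        ALLOW(rt_sigreturn), ALLOW(rt_sigprocmask), ALLOW(rt_sigaction),
        ALLOW(getpid), ALLOW(gettid), ALLOW(tgkill),
        /* Default: no networking, no opening files, no new processes. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof(filter) / sizeof(filter[0])), filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* 1 if socket() is refused with EPERM (host networking unreachable), else 0. */
int probe_socket_blocked(void) {
    if (socket(AF_INET, SOCK_STREAM, 0) >= 0) return 0;
    return errno == EPERM;
}
/* 1 if a zero-length write to an already-open channel still succeeds. */
int probe_write_allowed(void) { return write(STDOUT_FILENO, "", 0) == 0; }
```

Because the default action is SECCOMP_RET_ERRNO rather than a kill, the sandboxed process sees denied calls as ordinary failures, the same "throws away, does not crash" behaviour the notes describe for undeclared channels.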
ZeroVM virtualizes, but not in the ways that we conventionally think about.
Rather than trying to force containers to poorly serve that need.
75 kilobytes
5-35 milliseconds
So it's very embeddable. We'll revisit that topic later.
Parallelizes application processes as individual ZeroVM instances.
[READ equation], a baseline technology for [READ title].
I promised that this talk is about fast, secure, and cheap. ZeroVM provides the security guarantees, while its light weight enables fast & cheap. Now let's look at how ZeroCloud contributes to these.
Because it's lightweight: execute on the datastore
Because it's secure: execute untrusted user code on datastore.
MapReduce on large datasets becomes trivial.
Swift is so scalable, great API, tremendous community supporting development.
We wrote middleware that uses ZeroVM to turn Swift into a converged compute platform. Benefits of convergence: no compute cluster, no network, no latency.
So, ZeroCloud is that integration.
MapReduce in the object store.
Great for untrusted user code in multi-tenant cloud.
There's one more thing...
ZeroCloud extends Swift's feature set. The middleware adds capabilities akin to stored procedures, which you can write in Python.
That said, running ZeroVM instances inside a Docker container is potentially a great option for bringing more security to the container.
Isolation, speed, stored procedures, & determinism are the primary distinctions.
Hadoop: MapReduce & stored procedures are hard.
Mongo: MapReduce is slow, race conditions, JS.
Manta: meters by the second; proprietary; PaaS. (OTOH, fewer constraints on what executables are possible.)
* Python 2.7.3 (core), Lua port, PHP port.
** Each instance can pass around a lot of file descriptors (1,000?)
So for the most part, not legacy apps.
NaCl, ZeroVM, Swift, middleware...they're all building blocks. ZeroCloud is just one combination. I promised "Fast, Secure, or Cheap: Pick Three". But you can pick 2 or 1. They're each incredibly versatile for building on.
e.g. Adapt the middleware. Explore interesting ways to use ZeroVM (e.g. Raspberry Pi? Parallelized queues?). Share use cases for converged compute in Swift.