Secure your microservices with istio step by step
automatically with Istio identity 1) Apply peer-authentication to enable server side mTLS mTLS in Istio - PeerAuthentication Using ingress port and ingress host to send request: can access reviews-v1, reviews-v2 reviews-v3 can reach v2 as peer-authentication only defines behavior of server side and auto-mTLS is on by default Access productpage 1) Apply peer-authentication to enable server side mTLS mTLS rule to enable client side mTLS mTLS in Istio - Destination rule Using ingress port and ingress host to send request: can access reviews-v1, reviews-v3 can not access reviews-v2 since we have enabled
0 points | 34 pages | 67.93 MB | 1 year ago

Automating ClickHouse Cluster Management in Kubernetes
pod/chi-demo-01-demo-0-0-0 1/1 Running NAME TYPE CLUSTER-IP service/chi-demo-01-demo-0-0 ClusterIP None service/clickhouse-demo-01 LoadBalancer 10 pod/chi-demo-01-demo-1-0-0 1/1 Running NAME TYPE CLUSTER-IP service/chi-demo-01-demo-0-0 ClusterIP None service/chi-demo-01-demo-1-0 ClusterIP None configuration: users: demo/password: secret demo/profile: default demo/networks/ip: "::/0" clusters: - name: "demo-01" layout: shardsCount: 2 replicasCount:
0 points | 44 pages | 2.24 MB | 1 year ago

Bringing Existing Code to CUDA Using constexpr and std::pmr
• Introduction • Memory • Host vs Device Functions • Return on Investment • Concluding remarks Outline • I work in the RiskLab team at CSIRO on applied mathematics for Financial Risk. • The aim of pointer. The key is that the system automatically migrates data allocated in Unified Memory between host and device...” -- https://developer.nvidia.com/blog/unified-memory-in-cuda-6/ Unified Memory System
0 points | 51 pages | 3.68 MB | 5 months ago

Analyzing MySQL Logs with ClickHouse
FROM sbtest1 WHERE id BETWEEN 3 AND 102","user":"sbtest[sbtest] @ localhost []","host":"localhost","os_user":"","ip":"","db":"sbtest"}} © 2018 Percona. 19 Percona Server Configuration • Install Audit clicktail.mysql_slow_log © 2018 Percona. 27 Additional Parser Configuration [MySQL Parser Options] Host = localhost:3306 ; or @unix(/var/run/mysqld/mysqld.sock) User = username Pass = userpass © 2018
0 points | 43 pages | 2.70 MB | 1 year ago

Using waPC (Rust) to Build Software Testing Tools
Linux x86_64, macOS x86_64, Windows x86_64, … cargo build --target wasm- unknown-unknown waPC Host (Go) waPC Guest Rust • Read wasm file • Select engine • Wazero • Wasmer-go • Wasmertime-go • Define Operation: the name we register in wasm • Set the pointer into wasm linear memory according to the length of the data • The guest can execute the task • The guest can also send requests back to the host Invoke(ctx,operation,payload) waPC flow • Uses Length of response and error to return result res Register_function cannot be called inside ping • _start is meant to support tinygo’s wasm • waPC host will still run both "wapc_init" and "_start" during initialization waPC Guest Rust waPC • Use
0 points | 30 pages | 2.50 MB | 1 year ago

Bypassing conntrack: Using eBPF to Enhance IPVS and Optimize K8s Network Performance
bypass conntrack (con.) • Egress • Original way • Nf local-out -> ip_output nf post-route -> ip_finish_output • The new way • Call ip_finish_output directly Pre-route Conntrack Pre-route route IPVS eBPF map id is passed to IPVS module • Ip_vs_new_conn() inserts eBPF map • Key: (protocol, cip:cport , rsip:rsport) • Value: (protocol, lip:lport, rsip:rsport) • Ip_vs_conn_unlink() deletes entries in https://careers.tencent.com/home.html Bugs solved – 1/2 • IPVS conn_reuse_mode=1 low cps Ip_vs_conn nf_conn New ip_vs_conn Bugs solved – 2/2 • DNS resolution delays for 5s Iptables SNAT Conntrack insert
0 points | 24 pages | 1.90 MB | 1 year ago

C++ High-Performance Parallel Programming and Optimization - Courseware - 08 GPU Programming with CUDA
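This is one of CUDA's big advantages: CUDA relates to C++ much as C++ relates to C, being mostly compatible, so it is easy to reuse any existing C++ code base, include C++ headers, and so on. • Host code and device code are written in the same file, which OpenCL cannot do. Writing code that runs on the GPU • Define a function kernel and prefix it with the __global__ qualifier so that it … called; it can take parameters but cannot return a value. • __device__, by contrast, defines a device function: it executes on the GPU but is called from the GPU, needs no triple angle brackets, and is used just like an ordinary function; it can take parameters and return a value. • That is: host can call global; global can call device; device can call device. Declaring as an inline function • Note: in modern C++ the effect of inline is to declare a function as … __device__ defines the function on the GPU, whereas __host__ does the opposite and defines it on the CPU. Host functions defined on the CPU • CUDA is fully compatible with C++, so any function with no qualifier specified defaults to __host__, i.e. a function on the CPU. Defined on both the CPU and the GPU • With the double qualifier __host__ __device__, a function can be defined on both
0 points | 142 pages | 13.52 MB | 1 year ago

An IoT and Time-Series Data Transfer and Conversion Tool Based on Rust Arrow Flight 霍琳贺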
io/crates/sqlx • RPC: https://crates.io/crates/arrow-flight https://crates.io/crates/tonic • Authentication: https://crates.io/crates/jsonwebtoken • Data structure: • Arrow: https://crates.io/crates/arrow
0 points | 29 pages | 2.26 MB | 1 year ago

Implementing a Kubernetes Runtime Based on Rust-vmm
Seccomp, AppArmor, Capabilities, Cgroup 3. Intrusion Detection - Monitor suspicious read/write to host files. For example, containerd-shim/busybox/docker-runc , /usr/bin/docker-runc /bin/bash /bad_init we need to implement Elastic Kubernetes Service (EKS) Architecture QEMU QEMU containerd + mVMd Host Kernel MicroVM/Pod container Guest Kernel container EKS TencentCloud API eklet MicroVM/Pod kvm-ioctls vm-virtio vsock net VFIO APIC vhost Cloud Hypervisor KVM File System Device Driver Host Linux Kernel vCPU block Memory Guest VM containerd + Kata-runtime create start VM start proxy
0 points | 27 pages | 34.17 MB | 1 year ago

GPU Resource Management On JDOS
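• Users only need to select a data center and an image and fill in a model name to create a Serving service. Custom models • Users only need to fill in the model address. GPU monitoring • Container monitoring service that adapts to GPU containers; records can be queried by container IP, making it easy for users to check service status, and it can also serve as a data source for HPA • Collected items: name,index,fan.speed,temperature.gpu,pstate,power.draw
0 points | 11 pages | 13.40 MB | 1 year ago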