#IstioCon Security Architecture #IstioCon Bookinfo architecture without service mesh ● Reviews-v1 ○ doesn’t call the ratings service. ● Reviews-v2 ○ calls ratings, black stars ● Reviews-v3 ○ calls services with istio sidecar without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2 service without istio sidecar （ kubectl label namespace default istio-injection=disabled/enabled ） Initializing services with istio sidecar without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2 service without istio sidecar （ kubectl label namespace default istio-injection=disabled/enabled ） http

problem, Bottleneck in sentry mVMd + QEMU + eklet is what we need to implement Elastic Kubernetes Service (EKS) Architecture QEMU QEMU containerd + mVMd Host Kernel MicroVM/Pod container Guest Kernel love Rust-VMM? Rust-VMM is an open-source project that empowers the community to build custom Virtual Machine Monitors (VMMs) and hypervisors. It abstracts the common virtualization components which and safety, especially safe concurrency. empty • vmm-vcpu: a hypervisor-agnostic abstraction for Virtual CPUs (vCPUs). rust-vmm • event-manager: abstractions for implementing event based systems. • linux-loader:

// Type-erased receiver waiting for a keyclick: struct pending_completion { virtual void complete(char) = 0; virtual ~pending_completion() {} }; // Global registration of next completion: std::a 3: Model Ctrl-C as a sender103 struct ctrl_c_handler { struct pending { virtual void complete() = 0; virtual ~pending() {} }; static inline std::atomic pending_{nullptr}; static pending_completion { virtual void complete(char) = 0; virtual ~pending_completion() {} }; struct pending_completion { virtual void complete(char) = 0; virtual void cancel() = 0; virtual ~pending_completion()

Capture  Templated Lambda Expressions  Pack Expansion in Lambda Captures  constexpr Changes  virtual functions  union, try/catch, dynamic_cast, typeid  allocations  constexpr string & vector args...); }; } Allowed in C++20 //  ✔ well- formed:constexpr Changes32 constexpr  constexpr virtual functions  constexpr functions can now:  use dynamic_cast() and typeid  do dynamic memory allocations Capture  Templated Lambda Expressions  Pack Expansion in Lambda Captures  constexpr Changes  virtual functions  union, try/catch, dynamic_cast, typeid  allocations  constexpr string & vector

*/ data_t get_data_from(size_t dev); class dev_t { public: /* Get data from this device. */ virtual data_t get_data_from() = 0; }; Assuming callee cleanup and focusing on data_t, is its return location

html 1.5 Renode Overview I. Background  https://renode.io/ Antmicro's virtual development framework for complex embedded systems.  https://github.com/lowrisc I

for associative • Avoids potential confusion41 Continuous Integration • Scripts prepare Azure Virtual Machine Scale Sets • Currently up to 12 VMs, each with 16 cores • VMs install VS (with Clang, CMake

(*func)(int x); 则对他的调用 (*func)(42); 会得到： • mov edi, 42 • call [func] 热知识： C++ 的虚函数就是函数指针 • 通过 virtual 关键字给类定义一个虚函数，他其实就是在类成员里加了一个函数指针。 • 而在构造函数里，会把当前类重载过的虚函数，赋予给那个函数指针，实现多态。 • 虚函数是 C++ 的语法糖，纯 C 的 Linux

Zookeeper-2 Zookeeper-1 Replica Service Load Balancer Service Shard 1 Replica 2 Shard 2 Replica 1 Shard 2 Replica 2 Replica Service Replica Service Replica Service User Config Map Common Config Running NAME TYPE CLUSTER-IP service/chi-demo-01-demo-0-0 ClusterIP None service/clickhouse-demo-01 LoadBalancer 10.98.143.187 NAME TYPE CLUSTER-IP service/chi-demo-01-demo-0-0 ClusterIP None service/chi-demo-01-demo-1-0 ClusterIP None service/clickhouse-demo-01 LoadBalancer 10.98.143

Zhiguohong (honkiko@github) Bypassing conntrack: Optimizing K8s Service By Enhancing IPVS with eBPF Agenda 目录 01 Problems with K8s Service How to optimize 02 Comparison with industry Performance measurement measurement 03 04 Future work 05 06 Lessons from eBPF What is K8s Service • It exposes a set of pods via VIP using a load balancer • Two types • ClusterIP provides in-cluster access • NodePort not use DPDK? • DPDK performs busy polling even when network is idle. • Why not use a pure eBPF service? • Not mature enough eBPF brief • Write C • Compile into eBPF assembly code • Inject to kernel