Architecture, grid, cloud, emulation, virtualisation
See also deployment solutions.
Enterprise Architecture
Basics
Enterprise Architecture examples
- NAF - NATO Architecture Framework
- NL NORA - Dutch government architecture
Architecture of Open Source
- AOSAbook - the architecture of open source - great stuff
REST
Basics
Technologies (queues, brokers)
Message queues
Enterprise Service Bus ESB
Context brokers
Grid
Service Oriented Architecture (SOA), Microservices Architecture (MSA) and Service Mesh patterns
SOA and MSA
On the surface, Microservices and SOA are similar. The architecture consists of a set of services. However ...
- SOA Manifesto - Ali Arsanjani, Grady Booch, ...
- SOA - Wikipedia
- SOA can be seen as part of the continuum which ranges from the older concept of distributed computing and modular programming, through SOA, and on to current practices of mashups, SaaS, and cloud computing (which some see as the offspring of SOA)
- There are no industry standards relating to the exact composition of a service-oriented architecture, although many industry sources have published their own principles
- Microservices - Wikipedia
- MSA is SOA without the baggage of web service specifications (WS‑*) and an Enterprise Service Bus (ESB), favoring simpler, lightweight protocols such as REST rather than WS‑*
- MSA avoids ESBs and instead implements ESB‑like functionality in the microservices themselves
- Each service has its own database, so a service can use the type of database best suited to its needs (polyglot persistence)
- Eclipse Foundation has published a specification for developing microservices, Eclipse MicroProfile
- Microservices.io - Chris Richardson
Service Mesh
- Service Mesh - Wikipedia
- Each service instance is paired with an instance of a reverse proxy server, called a service proxy, sidecar proxy, or sidecar
- Service instance and sidecar proxy share a container, and the containers are managed by a container orchestration tool such as Kubernetes
- Service proxies are responsible for communication with other service instances and can support capabilities such as service (instance) discovery, load balancing, authentication and authorization, secure communications, etc.
- Service instances + their sidecars are said to make up the data plane, which includes not only data management but also request processing and response
- There is also a control plane for managing the interaction between services, mediated by their sidecar proxies
- Options include Istio (a joint project among Google, IBM, and Lyft), Linkerd (a CNCF project led by Buoyant), etc.
Emulation
QEMU
For installation of QEMU refer to LTK.
- QEMU - Quick Emulator
- QEMU’s Tiny Code Generator (TCG) provides the ability to emulate a number of CPU architectures on any supported host platform. Both System Emulation and User Mode Emulation are supported depending on the guest architecture.
- QEMU - Wikipedia
- System emulation: emulates a full computer system, including peripherals, can be used to provide virtual hosting of several virtual computers on a single computer. QEMU can boot many guest operating systems, including Linux, Solaris, Microsoft Windows, DOS, and BSD. It supports emulating several instruction sets, including x86, MIPS, 32-bit ARMv7, ARMv8, PowerPC, RISC-V, SPARC, ETRAX CRIS and MicroBlaze.
- User-mode emulation: runs single Linux/Darwin/macOS programs compiled for a different instruction set. System calls are thunked for endianness and for 32/64 bit mismatches. Fast cross-compilation and cross-debugging are the main targets for user-mode emulation.
- Hypervisor support: acts either as a Virtual Machine Manager (VMM) or as a device emulation back-end for virtual machines running under a hypervisor. The most common is Linux's KVM, but the project supports a number of hypervisors including Xen, Apple's HVF, Windows' WHPX and NetBSD's nvmm.
- QEMU documentation
- QEMU download for Linux: apt-get install qemu-system
For local info refer to LTK.
Virtualisation
A hypervisor (or virtual machine monitor, VMM, virtualizer) is a kind of emulator; it is computer software, firmware or hardware that creates and runs multiple virtual machines (VM). A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.
Virtual Machines
VM solutions
Virtual machines (VMs) are an abstraction of physical hardware turning one server into many servers. Each VM includes a full copy of an operating system, the application, necessary binaries and libraries.
- IBM VM - the roots of VM
- VirtualBox - by Oracle, x86 and AMD64/Intel64
- VMware - part of EMC/Dell
- VMware's most notable products are its hypervisors. VMware became well known for its first type 2 hypervisor, known as GSX. This product has since evolved into two hypervisor product lines: VMware's type 1 hypervisors running directly on hardware and its hosted type 2 hypervisors.
- Type 1: ESXi is a bare-metal hypervisor that runs directly on server hardware without requiring an additional underlying operating system.
- Type 2: hosted hypervisors; guests are supported by e.g. the VMware Tools, services that start when the guest operating system starts and pass information between host and guest operating systems.
- Hyper-V - Microsoft
- KVM (for Kernel-based Virtual Machine) - Linux
- virtualisation on x86 hardware containing virtualisation extensions (Intel VT or AMD-V)
- consists of a loadable kernel module, kvm.ko, that provides the core virtualization infrastructure and a processor-specific module, kvm-intel.ko or kvm-amd.ko
VM security
In 2016, AMD introduced Secure Encrypted Virtualization (SEV), the first x86 technology designed to isolate virtual machines (VMs) from the hypervisor.
In 2017, AMD introduced the SEV-ES (Encrypted State) feature, which added additional protection for CPU register state. In SEV-ES, the VM register state is encrypted on each hypervisor transition so that the hypervisor cannot see the data actively being used by the VM.
SEV-Secure Nested Paging (SEV-SNP) adds strong memory integrity protection to help prevent malicious hypervisor-based attacks like data replay, memory re-mapping, and more, in order to create an isolated execution environment.
- AMD SEV - secure encrypted virtualization
Platforms
Containers are an abstraction at the app layer that packages code and dependencies together.
Multiple containers can run on the same machine and share the OS kernel with other containers, each running as isolated processes in user space.
Docker
Installation: see LTK.html.
- Docker - container management
- uses OS-level virtualization to deliver software in packages called containers
- what is a container (on Docker.com)
- Docker Compose (on docs.docker.com)
- A tool for defining and running multi-container Docker applications where a YAML file configures the application’s services
- All the services from a configuration can then be started at once
- Three-step process:
- Define app’s environment with a Dockerfile, which defines a Docker image that contains all the dependencies the application requires
- Define the services that make up the app in 'docker-compose.yml' (this defines the services that need to be activated)
- Run 'docker-compose up' and Compose starts and runs the app
- Docker itself is written in Go; originally it used LinuX Containers (LXC) but later switched to runC (libcontainer), which runs in the same operating system as its host (allowing it to share a lot of host OS resources). It uses a layered filesystem (AuFS) and manages networking.
- containers are isolated from one another and bundle their own software, libraries and configuration files
- communication via bridge, overlay, host, macvlan or additional network plugins; by default the default bridge network is enabled
- main components:
- SaaS version consists of server and client:
- dockerd is a persistent process that manages Docker containers and handles container objects; it listens for requests sent via the Docker Engine API (the names engine and dockerd seem to be used interchangeably)
- docker (client) provides a CLI to interact with daemons
- Docker objects are entities used to assemble an application in Docker (containers (environment that runs applications), services (scaling, creation of swarm), and images (template to build containers))
- Docker registry is a repository for Docker images, clients download ("pull") images for use or upload ("push") images that they have built
- Swarm: turns a pool of Docker hosts into a virtual, single host
Kubernetes
RBAC approach.
- Kubernetes - k8s - management of containerized applications
- Kubernetes - Wikipedia - management of containerized applications
- open-source container-orchestration system for automating application deployment, scaling, and management
- designed by Google, maintained by the Cloud Native Computing Foundation
- works with a range of container tools, including Docker
- building blocks:
- Master/control plane - controller manager, etcd data store, API server, scheduler
- Nodes - Kubelet, Kube-proxy, cAdvisor and pods (where workload runs)
- Helm - packages related sets of Kubernetes resources into 'charts', which are collections of files that describe a related set of Kubernetes resources. A single chart might be used to deploy something simple, like a memcached pod, or something complex, like a full web app stack with HTTP servers, databases, caches, and so on.
- Vagrant - provisions working environments on top of VirtualBox, VMware, AWS, etc. using provisioning tools such as shell scripts, Chef, or Puppet
- Ansible - open-source software provisioning, configuration management, and application-deployment tool (sponsored by Red Hat)
- AWS ECR - Elastic Container Registry
Cloud
Open source
NextCloud
- NextCloud - German - host your own cloud - suggested by Detlef H as wallet model as well
OpenStack/OpenDev
- OpenDev - a space for collaborative Open Source software development
- OpenStack - the base from which most commercial cloud providers derive their products
- Began in 2010 as a joint project of Rackspace Hosting and NASA. As of 2012, it is managed by the OpenStack Foundation, a non-profit corporate entity established in September 2012.
- Components include
- Compute (Nova)
- Networking (Neutron)
- Block storage (Cinder)
- Identity (Keystone)
- Image (Glance)
- Object storage (Swift)
- Dashboard (Horizon)
- Orchestration (Heat)
- Workflow (Mistral)
- Telemetry (Ceilometer)
- Database (Trove)
- Elastic map reduce (Sahara)
- Bare metal (Ironic)
- Messaging (Zaqar)
- Shared file system (Manila)
- DNS (Designate)
- Search (Searchlight)
- Key manager (Barbican) - https://wiki.openstack.org/wiki/Barbican
- Container orchestration (Magnum)
- Root Cause Analysis (Vitrage)
- Rule-based alarm actions (Aodh)
Gluster
- Gluster - GlusterFS
- open source, scalable, distributed file system that aggregates disk storage resources from multiple servers into a single global namespace
- POSIX compatible, accessible via NFS and SMB
- GlusterFS is a userspace filesystem (getting modules into linux kernel is a long and difficult process). Being a userspace filesystem, to interact with kernel VFS, GlusterFS makes use of FUSE (File System in Userspace).
- Supports five types of volumes:
- Distributed Glusterfs Volume
- Replicated Glusterfs Volume
- Distributed Replicated Glusterfs Volume
- Striped Glusterfs Volume
- Distributed Striped Glusterfs Volume
- inter-node connection protected by built-in firewall
- Gluster SSL for TLS authentication
- Gluster ACL Access Control Lists
Commercial
Terraform and related
- Terraform - by HashiCorp - multicloud deployment
- Terraform.io
- Uses a declarative language, HashiCorp Configuration Language (HCL) or JSON
- verbs: init, plan, apply, destroy
- ...
- Terraform Language doc
- Terraform registry
- Terraform registry AWS modules (set of config files) - VPC, S3 bucket, ...
- Terraform Wikipedia
- Terragrunt
- Install Terraform and Terragrunt
- Put your Terragrunt configuration in a terragrunt.hcl file
- Instead of running terraform directly, you run the same commands with terragrunt (terragrunt plan, terragrunt apply, terragrunt output, terragrunt destroy)
- Terragrunt will forward almost all commands, arguments, and options directly to Terraform, but based on the settings in your terragrunt.hcl file
OVH
European cloud service provider
AWS
AWS basics
- Amazon AWS - the company providing S3 and EC2 etc
- Amazon AWS - Wikipedia
- Amazon S3 - Simple Storage Service - Wikipedia
- Amazon EBS - Elastic Block Storage - Wikipedia
- Amazon Lambda - spawns a microVM (Firecracker) to execute event-based workloads - Wikipedia (acts as an event-triggered external library)
- Run code without provisioning or managing infrastructure. Simply write and upload code as a .zip file or container image
- Firecracker - by AWS
- Amazon EC2 - Elastic Compute Cloud - Wikipedia
- allows users to rent virtual computers on which to run their own computer applications
- encourages scalable deployment of applications by providing a web service through which a user can boot an Amazon Machine Image (AMI) to configure a virtual machine ("instance") containing any software
- a user can create, launch, and terminate server-instances as needed, paying by the second
- the elastic IP address feature allows a user to map an elastic IP address to any virtual machine instance without a network administrator's help and without having to wait for DNS to propagate the binding (in this sense an Elastic IP Address belongs to the account and not to a virtual machine instance, existing until it is removed, and remaining associated with the account even while it is associated with no instance)
- initially relied on Xen, later on KVM, and its own Nitro
- resources are created through CloudFormation, using templates (JSON or YAML) describing your AWS resources, and CloudFormation provisions and configures those resources
- CloudFormation templates can provision the same resources multiple times, whether in the same Region and account or in multiple Regions and accounts
- CloudFormation resource types - reference, e.g. EIP (elastic IP), Instance, Host (a fully dedicated physical server)
- Amazon DNS Route 53 - DNS services
- connects user requests to infrastructure running in AWS (EC2, Elastic Load Balancing load balancers, or S3 buckets) and can route users to infrastructure outside of AWS
- Amazon VPC - Virtual Private Cloud
- define and launch AWS resources in a logically isolated virtual network
- VPC security groups - act as a virtual firewall for EC2 instances to control inbound and outbound traffic
- AWS Elastic Beanstalk - automated deployment
- AWS SSM - Systems Manager
- AWS Athena - SQL query service for S3
AWS security
AWS terminology (infrastructure):
- When you create your environment, you get a set of AWS managed policies (less than perfect); you can add your own ('customer managed')
- A policy contains resources, actions (grants the right to e.g. put or delete) and effects (allow/deny)
- A policy can be at different levels:
- account level (for users)
- resource level (for instances such as e.g. S3)
- 'inline' level (combination of both)
- Organisational SCP (for introducing organisational boundaries, permission boundaries)
- ACLs
- A service consumer (a user, an instance) is attached to a role which is attached to a policy. So a policy is in fact a set of permissions.
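How effects, actions and resources combine into a permission set is easiest to see in a small evaluator. The Python below is an added illustration for these notes, not AWS code: it models only identity-based policies plus an optional permissions boundary (an explicit Deny wins, otherwise everything not allowed is implicitly denied); the function names and the sample policy documents (hypothetical bucket name) are constructed assumptions.

```python
"""Toy model of AWS IAM policy evaluation (added illustration, not AWS code).

Assumptions: policy documents follow the IAM JSON shape (Effect/Action/
Resource); only wildcard matching is modelled, not Conditions, Principals,
SCPs or session policies. The sample policies below are constructed."""
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_applies(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are not.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def _decision(policies, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' (default deny) for a policy set."""
    result = "Implicit"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if _statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"      # an explicit deny overrides any allow
                result = "Allow"
    return result

def is_allowed(identity_policies, action, resource, boundary=None):
    """Identity-based policies, optionally capped by a permissions boundary."""
    if _decision(identity_policies, action, resource) != "Allow":
        return False
    if boundary is not None:
        # A boundary never grants; the action must be allowed on both sides.
        return _decision([boundary], action, resource) == "Allow"
    return True

# Constructed sample policies (hypothetical bucket name, not a real account)
READ_ONLY = {"Statement": [{"Effect": "Allow",
                            "Action": ["s3:GetObject", "s3:ListBucket"],
                            "Resource": "arn:aws:s3:::example-bucket*"}]}
S3_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
NO_DELETE = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject",
                            "Resource": "*"}]}
READ_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:Get*",
                                "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(is_allowed([READ_ONLY], "s3:GetObject", obj))                 # True
    print(is_allowed([READ_ONLY], "s3:PutObject", obj))                 # False
    print(is_allowed([S3_ADMIN, NO_DELETE], "s3:DeleteObject", obj))    # False
    print(is_allowed([S3_ADMIN], "s3:PutObject", obj, READ_BOUNDARY))   # False
```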
At application level, for IAM AWS uses OAuth 2.0. Application level is ABAC.
For analysis: use Steampipe or Turbot.
- Amazon security workshops
- AWS Well-Architected - guidance including on security
- MITRE cloud attack framework
- Mozilla on AWS security
- AWS Perspective - build network diagrams of your cloud
- Amazon security including
- Nitro enclaves - TEE
- AWS Identity & Access Management - Manage User Access and Encryption Keys
- AWS Cognito user sign-up, sign-in, and access control to your web and mobile apps
- Main components: user pools and identity pools.
- A user pool is a user directory in Amazon Cognito. With a user pool, users can sign in to a web/mobile app through Amazon Cognito. Users can also sign in through social identity providers and through SAML identity providers. All members of the user pool have a directory profile that you can access through a Software Development Kit (SDK).
- After successfully authenticating a user, Cognito issues JWTs that you can use to secure and authorize access to your own APIs, or exchange for AWS credentials.
- Identity pools provide AWS credentials to grant users access to other AWS services. An identity pool exchanges user pool tokens for AWS credentials.
- AWS Single Sign-On - Cloud Single Sign-On (SSO) Service
- AWS Directory Service - Host and Manage Active Directory
- AWS Resource Access Manager - Simple, secure service to share AWS resources
- Amazon Inspector - Analyze Application Security
- AWS Macie discover sensitive data in S3
- AWS Security Hub - allows to centralise all security tool results and analysis
- AWS Artifact - On-demand access to AWS compliance reports
- AWS Secrets Manager (for infrastructure/code secrets) - Rotate, Manage, and Retrieve Secrets - through metadata 169.254.169.254
- Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones.
- AWS IMDSv2 - Instance Metadata Service
- AWS CloudHSM - Hardware-based Key Storage for Regulatory Compliance
- AWS Certificate Manager - Provision, Manage, and Deploy SSL/TLS Certificates
- AWS GuardDuty - Managed Threat Detection Service - effective but not for free
- Alternatives: Microsoft Azure Sentinel (even for AWS), DataDog
- AWS Shield - DDoS Protection
- AWS Firewall Manager - Central Management of Firewall Rules
- AWS WAF - Filter Malicious Web Traffic
- AWS cryptographic services
- CloudHSM provides HSMs to store a variety of cryptographic keys, including master keys and data keys
- Key Management Service (KMS) provides tools for generating master and data keys, interacts with other AWS services to encrypt their data
- Encryption SDK provides a client-side encryption library for implementing encryption and decryption operations on all types of data
- DynamoDB Encryption Client provides a client-side encryption library for encrypting data tables before sending them to a database service, such as Amazon DynamoDB
MSFT
Google
Less commercial
Cloud security