• http://www.pcworld.com/article/2841873/meet-systemd-the-controversial-project-taking-over-a-linux-distro-near-you.html
Example: RedHat Boot Process
[Figure: BIOS → GRUB → Linux Kernel → init (reads /etc/inittab) → /etc/rc.d/rc.sysinit → /etc/rc.d/rc (reads /etc/inittab for the run level) → run-level-specific scripts in /etc/rc.d/rc3.d or /etc/rc.d/rc5.d → Login Shell]
Source: http://nmc.nchu.edu.tw/linux/Linux_boot.htm
Example: RedHat Startup Run Levels
Run level   Mode
1 (S)       Single user
2           Multiuser (no networking)
3           Full Multiuser
4           Unused
5           X11
6           Reboot
0           Halt
Active Directory
– A collection of services (and features) used to manage identity and access for and to resources on a network
[Figure: Active Directory services: Domain Services, Certificate Services, Federation Services, Lightweight Directory Services, Rights Management Services; concerns covered: Authentication, Authorization, Identity, Accounts, Access, Non-Repudiation, Centralized Management, Content Security and Control Templates, Network, Application, Internal and External access]
Directory data store
• Uses a structured data store as the basis for a logical, hierarchical organization of directory information
• Objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts
Security
• Security is integrated with Active Directory through logon authentication and access control to objects in
the directory. With a single network logon, administrators can manage directory data and organization
throughout their network, and authorized network users can access resources anywhere on the network.
Policy-based administration eases the management of even the most complex network.
Active Directory also includes:
• A set of rules, the schema, that defines the classes of objects and attributes contained in the directory,
the constraints and limits on instances of these objects, and the format of their names. For more
information about the schema, see Schema.
• A global catalog that contains information about every object in the directory. This allows users and
administrators to find directory information regardless of which domain in the directory actually contains
the data. For more information about the global catalog, see The role of the global catalog.
• A query and index mechanism, so that objects and their properties can be published and found by
network users or applications. For more information about querying the directory, see Finding directory
information.
• A replication service that distributes directory data across a network. All domain controllers in a domain
participate in replication and contain a complete copy of all directory information for their domain. Any
change to directory data is replicated to all domain controllers in the domain. For more information
about Active Directory replication, see Replication overview.
Active Directory Roles
• AD Domain Services (AD DS)
– Users, Computers, Policies
• AD Certificate Services (AD CS)
– Service, Client, Server and User identification
• AD Federation Services (AD FS)
– Resource access across traditional boundaries
• AD Rights Management Services (AD RMS)
– Maintain security of data
• AD Lightweight Directory Services (AD LDS)
What is AD DS?
• What is Active Directory Domain Services?
– A directory service is both the directory information source and the service that
[Figure: AD DS sits between Windows Servers, Windows Clients, Network Devices, Email Servers and users; per-user data held in the directory: Account Information, Privileges, Profiles, Policies, Management Profile, Network Info, Printers, Shares; goals: Manageability, Security, Interoperability]
[Figure (PKI): Repository, End-Entities, users, certificates]
What does AD CS do?
• AD CS provides customizable services for issuing
and managing digital certificates
– Certification Authorities
– CA Web Enrollment
– Online Responders
– Network Device Enrollment Service (NDES)
– Certificate Enrollment Web Service
– Certificate Enrollment Policy Web Service
What is AD FS?
• Federation Services: A software component that facilitates the cross-organizational access of systems and applications
[Figure: a Federation Trust between an Account Partner Organization (AD DS, Account Federation Server) and a Resource Partner Organization (Web Server, Resource Federation Server)]
What does AD FS do?
• The AD FS server role provides simplified, secured identity federation and Web single sign-on (SSO) capabilities.
– enables the creation of trust relationships between two organizations
– provides access to applications between organizations
– provides Single Sign-on (SSO) between two different directories for Web-based applications
• AD FS is Microsoft's implementation of the WS-Federation Passive Requestor Profile protocol (passive indicates that the client requirements are just a cookie- and JavaScript-enabled Web browser)
• AD FS implements the standards-based WS-Federation protocol and Security Assertion Markup Language (SAML).
What is AD RMS?
• Active Directory Rights Management Services: an information protection technology that works with applications to safeguard digital information
[Figure: RMS Server, Information Author, Recipient]
What does AD RMS do?
• Allows individuals and administrators to specify
access permissions to documents, workbooks,
and presentations
– prevent sensitive information from being printed,
forwarded, or copied by unauthorized people
– access and usage restrictions are enforced no matter
where the information is located
What is AD LDS?
• AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled
[Figure: AD LDS (ESE store) serving Windows, Network Devices and Users with Account Information, Config, QoS Policy, Privileges, Profiles, Security Policy, Policies]
AD LDS Schema defines the types of objects and data that can be created and stored in an AD LDS instance using object classes and attributes
[Figure: Definition for an automobile object class → Directory objects based on the automobile object class; Definition for a user object class → Directory objects based on the user object class]
AD LDS Users and Groups
• Why is it Important?
– SAML abstracts the security away from platform
architectures and vendor implementations.
SAML 2.0 Anatomy
• Protocols
– Assertion Query and Request Protocols
– Authentication Request Protocol
– Artifact Resolution Protocol
– Name Identifier Management Protocol
– Single Logout Protocol
• Bindings
– SAML SOAP Binding
– Reverse SOAP Binding
– HTTP Artifact Binding
– SAML URI Binding
• Profiles
– SSO Profile – Most important
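The SSO profile is where most of the security weight sits: the Service Provider receives an assertion and must decide whether to accept it. As an added example (not code from the slides), the block below shows the acceptance checks a relying party performs on a SAML 2.0 assertion: trusted issuer, NotBefore/NotOnOrAfter validity window, AudienceRestriction and a Subject. The assertion, the IdP issuer URL and the SP audience URL are constructed for the example, the assertion is deliberately unsigned, and XML signature verification is assumed to happen in a separate step before these checks run.

```python
"""Service Provider side checks on a SAML 2.0 assertion (Web SSO profile).
Added example, not the page's code. The assertion below is constructed and
unsigned; signature verification is a separate, earlier step. For untrusted XML
in production, parse with a hardened parser (e.g. defusedxml) rather than ElementTree."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Assumed identifiers for the example IdP and SP (not from the page).
IDP_ISSUER = "https://idp.example.test/metadata"
SP_AUDIENCE = "https://sp.example.test/saml/metadata"

# Constructed sample assertion; no real identity provider produced it.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{SP_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML times are xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, expected_issuer=IDP_ISSUER, expected_audience=SP_AUDIENCE):
    """Return (accepted, problems). Every check runs so that all failures are reported."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, ["document is not a SAML 2.0 Assertion"]
    problems = []
    current = parse_saml_time(now)

    # Only assertions from the configured identity provider are acceptable.
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("issuer is not the trusted IdP")

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("Conditions element missing")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before is not None and current < parse_saml_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after is None:
            problems.append("NotOnOrAfter missing (assertion would never expire)")
        elif current >= parse_saml_time(not_on_or_after):
            problems.append("assertion expired")
        # The assertion must name this SP; one issued for another service is rejected.
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("assertion is not addressed to this SP")

    if not root.findtext("saml:Subject/saml:NameID", namespaces=NS):
        problems.append("Subject/NameID missing")

    return not problems, problems
```

The validity window is checked against a caller-supplied clock so the same function can be exercised at several instants; a production implementation would additionally allow a small clock skew and replay-check the assertion ID.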
How Web Services Interact
• Web Service Choreography
– Relationships between web services are dynamic
– Decisions are made between individual web services
– No single web service is in control
– Typically used when web services share information
between domains
FILESYSTEMS
Different types of file systems
• Local file systems
– Store data on local hard drives, SSDs, floppy disks, optical disks, etc.
– Examples: NTFS, EXT4, HFS+, ZFS
• Network/distributed file systems
– Store data on remote file server(s)
– Examples: NFS, CIFS/Samba, AFP, Hadoop DFS, Ceph
• Pseudo file systems
– Examples: procfs, devfs, tmpfs
• “List of file systems”
– http://en.wikipedia.org/wiki/List_of_file_systems
Overall Architecture of Linux file system components
Acknowledge to:
General Optimizations
• Based on two principles:
– RAM access is much faster than access on disk
– Sequential IOs are much faster than random IOs on disk
• So we design file systems that
– Largely utilize CPU/RAM to reduce IOs to disks (various caches/write buffers)
– Prefer sequential IOs
• Compute the disk layout so that related data is located sequentially on disk
Dcache
• Dentry cache (dcache)
– Directories are stored as files on disks.
– For each file lookup, we want to obtain the inode from the given full file path
• The OS looks up the dentries from the root through all parent directories in the path.
– E.g. to look up the file “/Users/john/Documents/course.pdf”, the OS needs to traverse the dentries that represent “/”, “Users”, “john”, “Documents”, and “course.pdf”
– To accelerate this:
• We use a global hash table (dcache) to map “file path” -> dentry
• A two-list solution: one for active dentries, and one for “recently unused dentries” (LRU).
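The component-by-component walk and the two-list design above can be seen end to end in a small model. The block below is an added example, not kernel code: it keys the hash table by full path, as the slide describes (the real kernel hashes parent-dentry/name pairs), keeps unreferenced dentries on an LRU list with a fixed budget, and counts how many directory reads a lookup costs. The directory tree it walks is constructed in memory.

```python
"""Toy model of the dentry cache (dcache): a hash table from path to dentry plus
an LRU list of dentries that are no longer in use. Added example, not kernel
code. Simplification: the key is the full path as the slide describes it; the
real kernel hashes (parent dentry, name) pairs."""
from collections import OrderedDict

ROOT_INODE = 1

# Constructed "on-disk" directory tree: directory path -> {entry name: inode number}
DISK = {
    "/": {"Users": 2, "etc": 3},
    "/Users": {"john": 4},
    "/Users/john": {"Documents": 5},
    "/Users/john/Documents": {"course.pdf": 6},
}


class Dcache:
    def __init__(self, max_unused=4):
        self.table = {"/": ROOT_INODE}   # path -> inode: the global hash table
        self.unused = OrderedDict()      # LRU list: oldest first, newest last
        self.max_unused = max_unused     # memory budget for unused dentries
        self.disk_reads = 0              # directory blocks read from "disk"

    def _release(self, path):
        """Mark a dentry as recently used but unreferenced; evict the oldest if over budget."""
        if path == "/":
            return                       # the root dentry is pinned
        self.unused[path] = None
        self.unused.move_to_end(path)
        if len(self.unused) > self.max_unused:
            victim, _ = self.unused.popitem(last=False)
            del self.table[victim]

    def lookup(self, path):
        """Resolve a path to an inode, reading a directory from disk only on a miss."""
        if path in self.table:           # fast path: the whole path is already cached
            self._release(path)
            return self.table[path]
        parent, inode = "/", ROOT_INODE
        for name in [p for p in path.split("/") if p]:
            child = "/" + name if parent == "/" else parent + "/" + name
            if child not in self.table:
                entries = DISK.get(parent, {})
                if name not in entries:
                    raise FileNotFoundError(path)
                self.disk_reads += 1     # one directory block read per missed component
                self.table[child] = entries[name]
            inode = self.table[child]
            self._release(child)
            parent = child
        return inode
```

With a budget of three unused dentries, the first lookup of the four-component path costs four directory reads and immediately evicts the oldest intermediate dentry (“/Users”); a repeated lookup of the same path is a single hash hit and costs nothing.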
Inode cache
• Similar to the dcache, the OS maintains a cache of inodes
[Figure: processes P1, P2 … P10 referencing cached dentries; an unreferenced dentry (Dentry 20) is evicted]
Page Cache
• …a “transparent” buffer for disk-backed pages kept in RAM for fast access… [wikipedia]
– A write-back cache
– Main purpose: reducing the # of IOs to disks
– Accessed by page (usually 4KB).
• The page cache is per-file.
• A radix tree in the inode object.
• Prefetches pages to serve future reads
• Absorbs writes to reduce the # of IOs
– The dirty (modified) pages are flushed to disk 1) periodically, every 30s or 5s, or 2) when the OS wants to reclaim RAM
• A flush can also be forced by calling the “fsync()” system call
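The behaviours listed above (read-ahead, write absorption, write-back on flush, reclaim and fsync) are easiest to see by counting IOs. The block below is an added example, not kernel code: the “disk” is an in-memory dict of 4 KB pages, the per-file cache dict stands in for the inode's radix tree, and every disk read or write is counted so the effect of each operation is visible.

```python
"""Toy model of a per-file write-back page cache: pages are cached in RAM,
reads prefetch ahead, writes are absorbed in dirty pages and only reach the
disk on write-back (periodic flusher, memory reclaim) or fsync().
Added example, not kernel code; the "disk" is an in-memory dict."""
PAGE = 4096


class Page:
    def __init__(self, data, dirty=False):
        self.data = data
        self.dirty = dirty


class CachedFile:
    def __init__(self, disk_pages, prefetch=3):
        self.disk = dict(disk_pages)   # page index -> bytes; constructed stand-in for the device
        self.cache = {}                # page index -> Page; stands in for the inode's radix tree
        self.prefetch = prefetch       # read-ahead window in pages
        self.reads = 0                 # disk read IOs issued
        self.writes = 0                # disk write IOs issued

    def _load(self, idx):
        """Bring one on-disk page into the cache (one read IO)."""
        if idx not in self.cache and idx in self.disk:
            self.reads += 1
            self.cache[idx] = Page(self.disk[idx])

    def read(self, offset, length):
        first, last = offset // PAGE, (offset + length - 1) // PAGE
        for idx in range(first, last + 1 + self.prefetch):   # demand pages + read-ahead
            self._load(idx)
        chunks = [self.cache[i].data if i in self.cache else b"\0" * PAGE
                  for i in range(first, last + 1)]
        start = offset - first * PAGE
        return b"".join(chunks)[start:start + length]

    def write(self, offset, data):
        """Update cached pages only; nothing goes to disk yet."""
        pos = offset
        while data:
            idx, off = divmod(pos, PAGE)
            n = min(PAGE - off, len(data))
            if idx not in self.cache:
                if n < PAGE:
                    self._load(idx)           # a partial update needs the old contents
                self.cache.setdefault(idx, Page(b"\0" * PAGE))
            page = self.cache[idx]
            page.data = page.data[:off] + data[:n] + page.data[off + n:]
            page.dirty = True
            pos += n
            data = data[n:]
        return pos - offset

    def dirty_pages(self):
        return sorted(i for i, p in self.cache.items() if p.dirty)

    def writeback(self):
        """Flush dirty pages to disk; what the flusher thread or fsync() triggers."""
        flushed = 0
        for idx in self.dirty_pages():
            page = self.cache[idx]
            self.disk[idx] = page.data
            page.dirty = False
            self.writes += 1
            flushed += 1
        return flushed

    def fsync(self):
        return self.writeback()

    def reclaim(self):
        """Memory pressure: dirty pages are written back first, then everything is dropped."""
        flushed = self.writeback()
        self.cache.clear()
        return flushed


def demo():
    """Walk through the behaviours described on the slide and return the IO counts."""
    f = CachedFile({i: bytes([65 + i]) * PAGE for i in range(4)})   # pages "AAAA", "BBBB", ...
    stats = {}
    f.read(0, 10)                       # miss on page 0; read-ahead pulls pages 1-3 too
    stats["reads_after_first_read"] = f.reads
    f.read(PAGE, 10)                    # fully served from cache
    stats["reads_after_second_read"] = f.reads
    f.write(0, b"x" * 100)              # two writes to the same page ...
    f.write(50, b"y" * 100)
    f.write(2 * PAGE, b"z" * PAGE)      # full-page overwrite: no read needed
    stats["dirty_before_fsync"] = f.dirty_pages()
    stats["writes_before_fsync"] = f.writes
    stats["flushed"] = f.fsync()        # ... cost a single write IO each
    stats["writes_after_fsync"] = f.writes
    stats["dirty_after_fsync"] = f.dirty_pages()
    stats["on_disk_byte_60"] = f.disk[0][60:61]
    return stats
```

The security-relevant point the counters make explicit is the gap between a successful write() and durable data: until writeback or fsync() runs, the disk still holds the old contents, which is why logging and database code calls fsync() before acknowledging a record.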
Examples
• Several concrete file system designs
– Ext4, classic UNIX-like file system concepts
– NTFS, advanced Windows file system
– ZFS, “the last word in file systems”
– NFS, a standard network file system
– Google File System, a special distributed file system for special requirements
Ext4
• The latest version of the “extended file system” (Ext2/3/4)
– The standard Linux file system for a long time
– Inspired by UFS from BSD/Solaris
– Groups files into block groups
• Keeps file data near the inodes
Ack: http://bit.ly/tjipWY
NTFS
• “New Technology File System” (NTFS)
– The standard file system in the Windows world.
– A Master File Table (MFT) contains all metadata.
• A directory is also a file
ZFS
• ZFS: “the last word in file systems”
– The most advanced local file system in production
– 128-bit address space (2^128 bytes in theory)
• larger than the number of grains of sand on Earth…
– A lot of advanced features:
• E.g. transactional commits, end-to-end integrity, snapshots, volume management and much more…
– Designed to never lose data and to always be consistent.
• Every OS community wants to clone or copy its features…
– Btrfs on Linux, ReFS on Windows, ZFS on FreeBSD
NFS
• “Network File System (NFS)”
– A protocol developed by Sun in 1984
• A set of RPC calls
– IETF standard
• Supported by all major OSs
– Simple and efficient
Google File System (GFS)
• A large distributed file system specially designed for the MapReduce framework
– High throughput
– High availability
– Specially designed; not compatible with the VFS/POSIX API.
• Requires clients to link against the GFS library.
• Hadoop DFS clones the concepts of GFS
More File Systems
• Interesting file systems that are worth exploring
– Btrfs (B-tree FS) from Oracle, expected to be the next standard Linux file system. Many concepts are shared with ZFS.
– ReFS: The file system for Windows 8 (from Microsoft). Many concepts are shared with ZFS (too!).
– WAFL (Write Anywhere File Layout) file system from NetApp.
– FUSE (Filesystem in Userspace): a cross-platform library that allows developers to write file systems that run in user mode
STORAGE NETWORKING
• Fiber (or Fibre) Channel
• SAN
• vSAN
• Security
Glossary of Terms
• SAN – Storage Area Network. A network of switches, typically Fibre Channel, used for carrying SCSI or FICON traffic
• FC – Fibre Channel. A protocol used to carry SCSI or FICON packets containing IO commands from a server to a storage array
• SCSI – Small Computer System Interface. A bus-based system or protocol used to carry block-based storage commands
• iSCSI – An IP-based protocol capable of carrying SCSI commands to and from storage devices
• FICON – The protocol used to carry mainframe-based IO
• MDS – The Cisco family of datacenter switches capable of carrying Fibre Channel traffic
• VSAN – Virtual SANs. A feature capable of creating logical SANs on a physical SAN infrastructure
• FCIP – Fibre Channel over IP. The protocol used to tunnel Fibre Channel packets over an IP infrastructure. Used for extending a Fibre Channel SAN over long distances
What Is Fiber Channel?
• SCSI is a standard that defines an interface between an initiator (usually a computer) and a target (usually a storage device such as a hard disk)
• The SCSI I/O channel provides a half-duplex pipe for SCSI command, data, and status
• The SCSI I/O channel can be internal or external to the host
• Multiple SCSI I/O channels can exist within a host
[Figure: host stack Applications → File System → Block Device → NIC Driver / SCSI Adapter Driver → NIC Adapter / SCSI Adapter; the SCSI Adapter (SCSI Initiator) talks to the SCSI Target over a half-duplex I/O channel]
What Is a SAN?
The SCSI I/O Channel - Starting Point
Storage Area Network (SAN)
• Same SCSI protocol carried over a network transport via serial implementation
• Transport must not jeopardize SCSI payload (security, integrity, latency)
• Two primary transports to choose from today, namely IP and Fibre Channel
• Fibre Channel provides high-speed transport for SCSI payload via Host Bus Adapter (HBA)
[Figure: Clients - LAN - Servers - Fibre Channel SAN]
CONTAINERS: DOCKER
• Stacks
• Fleet
• Containers
• UCP
• OCI
• OS
• What is Docker?
Docker is an open-source project that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating system–level virtualization on Linux. [Source: en.wikipedia.org]
• Docker [www.docker.com]
Source: leo.org
• Docker vs. Virtual Machine
Source: https://www.docker.com/whatisdocker/
• Docker Technology
[Source: https://docs.docker.com/terms/layer/]
Run Platforms
Hello world
https://docs.docker.com/engine/tutorials/dockerizing/
Terminology - Image
• Persisted snapshot that can be run
– images: List all local images
– run: Create a container from an image and execute a command in it
– tag: Tag an image
– pull: Download image from repository
– rmi: Delete a local image (this will also remove intermediate images if no longer used)
Terminology - Container
• Runnable instance of an image
– ps: List all running containers
– ps -a: List all containers (incl. stopped)
– top: Display processes of a container
– start: Start a stopped container
– stop: Stop a running container
– pause: Pause all processes within a container
– rm: Delete a container
– commit: Create an image from a container
Image vs. Container
[Figure: Base Image ubuntu:latest --run--> Container cid1]
Dockerfile
Dockerfile Example
• Dockerfile:
    FROM ubuntu
    ENV DOCK_MESSAGE Hello World
    ADD dir /files
    CMD ["bash", "myScript"]
• docker build [DockerFileDir]
• docker inspect [imageId]
Docker Tools & Ecosystem
• Docker Images: Docker Hub
• Docker Swarm/Compose: App/Cluster integration
• Kubernetes: Automated container deployment, scaling, and management
• Vagrant: VM lifecycle management
• Automated Setup
– Puppet, Chef, Ansible, ...
• Docker Ecosystem
– skydock/skydns: Service discovery via DNS for docker
Docker Hub
Docker Hub is a cloud-based registry service
• Online code repositories
• Build your images and test them
• Stores manually pushed images, and links to Docker Cloud (deploy and manage Dockerized applications)
• Centralized resource for:
– Container image discovery
– Distribution
– Change management
– User and team collaboration
– Workflow automation throughout the development pipeline
Docker Use Cases
• Development Environment
• Environments for Integration Tests
• Quick evaluation of software
• Microservices
• Multi-Tenancy
• Unified execution environment (dev, test, prod; local, VM, cloud, ...)
PUPPET/CHEF/ANSIBLE
Configuration Management Tools
What are Puppet and Chef?
[Figure: Ansible example excerpt (hsrp_priority: 100) from https://github.com/jedelman8/nxos-ansible]
Declarative vs Imperative
Puppet (declarative) vs Shell script (imperative)
Shell script:
    # current primary group of user chris (not shown on the slide; needed for the test below)
    USERGROUPNAME=$(id -gn chris)
    if [ "$USERGROUPNAME" != "sysadmin" ]
    then
        echo "Primary group of user chris is not sysadmin, updating"
        usermod --gid sysadmin chris
    fi
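The difference the slide is getting at is who carries the state check: in the shell script the operator writes the if-test by hand, in a declarative tool the resource states the desired end state and the tool converges to it, reports whether anything changed, and can do a dry run. The block below is an added example, not Puppet, Chef or Ansible code: it models the same "chris must have primary group sysadmin" case against a constructed in-memory system, recording the commands that would run instead of executing them, and includes a check mode in the spirit of a dry run.

```python
"""Declarative vs imperative configuration management, modelled on the slide's
"primary group of user chris must be sysadmin" example. Added example, not Puppet,
Chef or Ansible code: the "system" is a constructed in-memory state and the
commands are only recorded, not executed."""
from dataclasses import dataclass, field


@dataclass
class System:
    users: dict = field(default_factory=dict)   # user -> primary group name
    groups: set = field(default_factory=set)    # existing group names
    log: list = field(default_factory=list)     # shell commands that "ran"

    def run(self, cmd):
        self.log.append(cmd)


# --- Imperative style: the operator writes the commands ----------------------

def imperative_no_check(system, user, group):
    """The script without the slide's if-test: usermod runs on every execution."""
    system.run(f"usermod --gid {group} {user}")
    system.users[user] = group


def imperative_with_check(system, user, group):
    """The slide's shell script: test the current state by hand, then act."""
    if system.users.get(user) != group:
        system.run(f"usermod --gid {group} {user}")
        system.users[user] = group


# --- Declarative style: resources describe desired state, the tool converges -

@dataclass
class GroupResource:
    name: str

    def describe(self):
        return f"group {self.name}"

    def apply(self, system, check_mode=False):
        if self.name in system.groups:
            return False                      # already in the desired state
        if not check_mode:
            system.run(f"groupadd {self.name}")
            system.groups.add(self.name)
        return True


@dataclass
class UserResource:
    name: str
    gid: str

    def describe(self):
        return f"user {self.name}"

    def apply(self, system, check_mode=False):
        # Dependency check: the group must exist before the user can be moved into it.
        # Skipped in check mode because an earlier GroupResource may only be simulated.
        if self.gid not in system.groups and not check_mode:
            raise ValueError(f"{self.describe()}: group {self.gid} does not exist")
        if system.users.get(self.name) == self.gid:
            return False
        if not check_mode:
            system.run(f"usermod --gid {self.gid} {self.name}")
            system.users[self.name] = self.gid
        return True


def converge(system, resources, check_mode=False):
    """Apply resources in declaration order; return the ones that changed.
    check_mode reports what would change without touching the system."""
    return [r.describe() for r in resources if r.apply(system, check_mode)]
```

Running converge twice is the idempotency property: the second run changes nothing and issues no commands, which is also what makes an unexpected "changed" on a later run a useful drift signal.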
Why Automation?
• Tasks in code
• Collaboration
• Eliminate errors
• Write once
• Laziness
• Etc….
Why Ansible
• It is a free open source application
• Agent-less – No need for agent installation and management
• Python/YAML based
• Highly flexible configuration management of systems.
• Large number of ready-to-use modules for system management
• Custom modules can be added if needed
• Configuration roll-back in case of error
• Simple and human readable
• Self-documenting
Ansible Architecture
Installation of Ansible
• Once you have entered the Gen Key command, you will get a few more questions:
• Enter file in which to save the key (/home/test/.ssh/id_rsa):
• Enter no password for the next prompt
• Copy the Public Key
    ssh-copy-id test@192.168.85.135
• Repeat the same process for other machines you wish to log in to automatically.
• Ensure the test username has sudo access to the remote clients
Configuration of ansible
• Do the following on the Server machine
• Create the list of client machines you wish to access via this server
• vi /etc/ansible/hosts (and enter the following lines and save the file)
    [Servers]
    <Address #1>
    <Address #2>
• Run the ping command below to see if indeed you are reaching both client nodes
    ansible -m ping all
Examples of ansible commands
• The output shows the ping result as success, as shown below
Examples of ansible commands (cont.)
• How to run commands to fetch hard drive utilization
• ansible -m command -a 'df -h' Servers
NIST (National Institute of Standards and Technology), Guide to Secure Web Services: http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf