secure async execution
play

Secure Async Execution @ Brennan Saeta The Beginnings 2012 1 - PowerPoint PPT Presentation

Feb 15, 2024 •22 likes •922 views

ECS & Docker: Secure Async Execution @ Brennan Saeta The Beginnings 2012 1 million 4 10 learners courses partners worldwide Education at Scale 18 million 140 1,800 learners courses partners worldwide Outline Evolution

  1. ECS & Docker: Secure Async Execution @ Brennan Saeta

  3. The Beginnings — 2012 1 million 4 10 learners courses partners worldwide

  4. Education at Scale 18 million 140 1,800 learners courses partners worldwide

  5. Outline • Evolution of Coursera’s nearline execution systems • Next-generation execution framework: Iguazú • Iguazú application deep dive: GrID — evaluating programming assignments

  6. Key Takeaways • What is nearline execution, and why it is useful • Best practices for running containers in production in the cloud • Hardening techniques for securely operating container infrastructure at scale

  7. A history of nearline execution

  9. Coursera Architecture (2012) PHP Monolith

  10. Early days - Requirements • Video re-encoding for distribution • Grade computation for 100,000+ learners • Pedagogical data exports for courses

  11. Coursera Architecture (2012) PHP Monolith

  12. Cascade Architecture Cascade PHP PHP Monolith Monolith

  13. Cascade Architecture Cascade Queue PHP PHP Monolith Monolith

  14. Upgrading to Scala Re-architecting delayed execution for our 2 nd generation learning platform.

  15. Upgrading to the JVM • Leverage mature Scala & JVM ecosystems for code sharing • JVM much more reliable (no memory leaks) • New job model: scheduled recurring jobs. • Named: Saturn

  16. Saturn Architecture Online Serving Scala/micro-service architecture Service A Service B Service C C* C*

  17. Saturn Architecture Online Serving Scala/micro-service architecture Service A Saturn Service B Service C C* C*

  18. Saturn Architecture Service A Saturn ZK Ensemble Service B Service C C* C*

  19. Saturn Architecture Service A Saturn Leader ZK Ensemble Service B Service C C* C*

  20. Problems with Saturn • Single master meant naïve implementation ran all jobs in same JVM • Huge CPU contention @ top of the hour • OOM Exceptions & GC issues

  21. Enter: Docker Containers allow for resource isolation! CC-by-2.0 https://www.flickr.com/photos/photohome_uk/1494590209

  22. Supported Features Platform Amazon Iguazú Saturn Docker ECS ✅ ✅ ✅ ✅ Run code ❌ ✅ ✅ ✅ Resource Isolation ☑︐ ❌ ✅ ✅ Clusters / HA Great ✅ ❌ ❌ ✅ developer workflow ✅ ❌ ❌ ✅ Scheduled Jobs

  23. Supported Features Platform Amazon Iguazú Saturn Docker ECS ✅ ✅ ✅ ✅ Run code ❌ ✅ ✅ ✅ Resource Isolation ✅ ❌ ✅ ✅ Clusters / HA Great ✅ ❌ ❌ ✅ developer workflow ✅ ❌ ❌ ✅ Scheduled Jobs

  24. Supported Features Platform Amazon Iguazú Saturn Docker ECS ✅ ✅ ✅ ✅ Run code ❌ ✅ ✅ ✅ Resource Isolation ✅ ❌ ✅ ✅ Clusters / HA Great ✅ ❌ ❌ ✅ developer workflow ✅ ❌ ❌ ✅ Scheduled Jobs

  25. Supported Features Platform Amazon Iguazú Saturn Docker ECS ✅ ✅ ✅ ✅ Run code ❌ ✅ ✅ ✅ Resource Isolation ✅ ❌ ✅ ✅ Clusters / HA Great ✅ ❌ ❌ ✅ developer workflow ✅ ❌ ❌ ✅ Scheduled Jobs

  26. Supported Features Platform Amazon ??? Saturn Docker ECS ✅ ✅ ✅ ✅ Run code ❌ ✅ ✅ ✅ Resource Isolation ✅ ❌ ✅ ✅ Clusters / HA Great ✅ ❌ ❌ ✅ developer workflow ✅ ❌ ❌ ✅ Scheduled Jobs

  27. Solution: Iguazú Marissa Strniste (https://www.flickr.com/photos/mstrniste/5999464924) CC-BY-2.0

  28. Solution: Iguazú • Framework & service for asynchronous execution • Optimized Scala developer experience for Coursera • Unified scheduler supports: • Immediate execution (nearline) • Scheduled recurring execution (cron-like) • Deferred execution (run once @ time X) Marissa Strniste (https://www.flickr.com/photos/mstrniste/5999464924) CC-BY-2.0

  29. Iguazú Architecture ECS API Iguazú Admin SQS Iguazú Devs Scheduler Iguazú Backend Iguazú Frontend Iguazú Workers Services Services Cassandra Users

  30. Iguazú Architecture ECS API Iguazú SQS Admin Queue Iguazú Devs Scheduler Iguazú Backend Iguazú Frontend Iguazú Workers Services Services Cassandra Users

  31. Iguazú Architecture ECS API Iguazú SQS Admin Queue Iguazú Devs Scheduler Iguazú Backend Iguazú Frontend Iguazú Workers Services Services Cassandra Users

  32. Iguazú Architecture ECS API ZK Ensemble Iguazú SQS Admin Queue Iguazú Devs Scheduler Iguazú Backend Iguazú Frontend Iguazú Workers Services Services Cassandra Users

  33. Iguazú Architecture ECS API ZK Ensemble Iguazú SQS Admin Queue Iguazú Devs Scheduler Iguazú Backend Iguazú Frontend Iguazú Workers Services Services Cassandra Users

  34. Autoscale, autoscale, autoscale!

  35. Autoscaling ⇄ Iguazú ⇆ ECS Shutdown Lifecycle Poll Worker Notification Job Status Iguazu Autoscaling ECS API All finished Proceed Term- inate EC2 EC2 EC2 Worker Worker Worker

  36. Failure in Nearline Systems • Most jobs are non-idempotent • Iguazú: At most once execution • Time-bounded delay • Future: At least once execution • With caveats

  37. Iguazú adoption by the numbers >1000 runs >100 different job ~100 jobs in per day schedules production

  38. Iguazú Applications Nearline Jobs Scheduled Recurring Jobs • Pedagogical Instructor • Course Reminders • System Integrations Data Exports • System Integrations • Payment reconciliation • Course translations • Course Migrations • Housekeeping • Build artifact archival • A/B Experiments

  39. While containers may help you on your journey, they are not themselves a destination. CC-by-2.0 https://www.flickr.com/photos/usoceangov/5369581593

  40. Writing an Iguazu Job class AbReminderJob @Inject() (abClient: AbClient, email: EmailAPI) extends AbstractJob { override val reservedCpu = 1024 // 1 CPU core override val reservedMemory = 1024 // 1 GB RAM def run(parameters: JsValue) = { val experiments = abClient.findForgotten() logger.info(s"Found ${experiments.size} forgotten experiments.") experiments.foreach { experiment => sendReminder(experiment.owners, experiment.description) } } }

  41. Writing an Iguazu Job class AbReminderJob @Inject() (abClient: AbClient, email: EmailAPI) extends AbstractJob { override val reservedCpu = 1024 // 1 CPU core override val reservedMemory = 1024 // 1 GB RAM def run(parameters: JsValue) = { val experiments = abClient.findForgotten() logger.info(s"Found ${experiments.size} forgotten experiments.") experiments.foreach { experiment => sendReminder(experiment.owners, experiment.description) } } }

  42. Writing an Iguazu Job class AbReminderJob @Inject() (abClient: AbClient, email: EmailAPI) extends AbstractJob { override val reservedCpu = 1024 // 1 CPU core override val reservedMemory = 1024 // 1 GB RAM def run(parameters: JsValue) = { val experiments = abClient.findForgotten() logger.info(s"Found ${experiments.size} forgotten experiments.") experiments.foreach { experiment => sendReminder(experiment.owners, experiment.description) } } }

  43. Writing an Iguazu Job class AbReminderJob @Inject() (abClient: AbClient, email: EmailAPI) extends AbstractJob { override val reservedCpu = 1024 // 1 CPU core override val reservedMemory = 1024 // 1 GB RAM def run(parameters: JsValue) = { val experiments = abClient.findForgotten() logger.info(s"Found ${experiments.size} forgotten experiments.") experiments.foreach { experiment => sendReminder(experiment.owners, experiment.description) } } }

  44. Writing an Iguazu Job class AbReminderJob @Inject() (abClient: AbClient, email: EmailAPI) extends AbstractJob { override val reservedCpu = 1024 // 1 CPU core override val reservedMemory = 1024 // 1 GB RAM def run(parameters: JsValue) = { val experiments = abClient.findForgotten() logger.info(s"Found ${experiments.size} forgotten experiments.") experiments.foreach { experiment => sendReminder(experiment.owners, experiment.description) } } }

  45. Testing an Iguazu job

  46. The Hollywood Principle applies to distributed systems. CC-by-2.0 https://www.flickr.com/photos/raindog808/354080327

  47. Deploying a new Iguazu Job • Developer • merge into master… done • Jenkins Build Steps • Compile & package job JAR • Prepare Docker image • Pushes image into registry • Register updated job with Amazon ECS API

  48. Invoking an Iguazú Job // invoking a job with one function call // from another service via REST framework RPC val invocationId = iguazuJobInvocationClient .create(IguazuJobInvocationRequest( jobName = "exportQuizGrades", parameters = quizParams))

  49. A clean environment increases reliability. CC-by-2.0 https://www.flickr.com/photos/raindog808/354080327

  50. Evaluating Programming Assignments An application of Iguazú

  53. Design Goals Elastic No Near Real-time Secure Infrastructure Maintenance Infrastructure

  54. Design Goals Elastic No Near Real-time Secure Infrastructure Maintenance Infrastructure

  55. Design Goals Elastic No Near Real-time Secure Infrastructure Maintenance Infrastructure

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

and Subsystems A follow up session on UE4s async execution model Michele Mischitelli Main

and Subsystems A follow up session on UE4s async execution model Michele Mischitelli Main

Unreal Engine 4: Delegates, Async and Subsystems A follow up session on UE4s async execution model Michele Mischitelli Main topics of this meetup Delegates Asynchronous Subsystems execution Data types that Strategies and classes

1.1k views • 27 slides
Async execution with workqueues Bhaktipriya Shridhar About me $whoami Outreachy Intern at the

Async execution with workqueues Bhaktipriya Shridhar About me $whoami Outreachy Intern at the

Async execution with workqueues Bhaktipriya Shridhar About me $whoami Outreachy Intern at the Linux Kernel with Tejun Heo as my mentor. Working on updating Legacy workqueue interface users in the Linux Kernel . Also, a 3rd year

613 views • 49 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
std::async Standard C++ function template Supposed to make threads (easier) Already

std::async Standard C++ function template Supposed to make threads (easier) Already

a sync m agic (en)light e ning talk trieger@informatik.hu-berlin.de async as a code reordering specifier Everything else is just multithreading EuroLLVM14 Tobias Rieger 1 std::async Standard C++ function template Supposed to make

244 views • 7 slides
Async & JS A walkthrough common asynchronous patterns for the client, the server and the

Async & JS A walkthrough common asynchronous patterns for the client, the server and the

Async & JS A walkthrough common asynchronous patterns for the client, the server and the Internet Of Things by Andrea Giammarchi @WebReflection quick story about me Created first offline HTML5 Map navigation in 2011 ( async WebSQL based

826 views • 54 slides
Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic

Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic

Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic Information Flow Tracking Tracking G. Edward Suh Suh, , Jae Jae W. Lee, David W. Lee, David G. Edward Zhang, Srinivas Srinivas Devadas Devadas

547 views • 26 slides
Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique

Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique

Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique Devriese, Frank Piessens (K.U.Leuven) Secure Multi-Execution May 14, 2010 1 / 24 Secure Multi-Execution Outline Secure Multi-Execution

622 views • 29 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute of Technology Thanks to Roberto Guanciale, Musard Balliu, Christoph Baumann, Hamed Nemati, Oliver Schwarz, Victor Do, Christian Gehrmann, Jonas

1.41k views • 114 slides
CaSE: Cache-Assisted Secure Execution on ARM Processors N1 N1NG NG ZHA ZHANG , KUN SUN, WENJING

CaSE: Cache-Assisted Secure Execution on ARM Processors N1 N1NG NG ZHA ZHANG , KUN SUN, WENJING

CaSE: Cache-Assisted Secure Execution on ARM Processors N1 N1NG NG ZHA ZHANG , KUN SUN, WENJING LOU, TOM HOU Talk Outline Motivation and Background Why this work ? Threat Model What are we defending against ? CaSE:

248 views • 21 slides
System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario Werner May 7, 2020 Graz University of Technology Why do we care about code? www.tugraz.at 10:20 July 18 W i r e l e s s - G A D S L G

599 views • 49 slides
SKEE: A Lightweight Secure Kernel level Execution Environment for ARM Ahmed M Azab, Kirk

SKEE: A Lightweight Secure Kernel level Execution Environment for ARM Ahmed M Azab, Kirk

SKEE: A Lightweight Secure Kernel level Execution Environment for ARM Ahmed M Azab, Kirk Swidowski, Rohan Bhutkar, Jia Ma, Wenbo Shen, Ruowen Wang, Peng Ning Samsung KNOX R&D, Samsung Research America Motivation Operating system kernels

543 views • 25 slides
CoSMIX: A Compiler-based System for Secure Memory Instrumentation and Execution in Enclaves Meni

CoSMIX: A Compiler-based System for Secure Memory Instrumentation and Execution in Enclaves Meni

CoSMIX: A Compiler-based System for Secure Memory Instrumentation and Execution in Enclaves Meni Orenbach (Technion), Yan Michalevsky (Anjuna), Christof Fetzer (TU Dresden, Scone), Mark Silberstein (Technion) Published in USENIX ATC19

744 views • 24 slides
The Talk youve been .await-ing for @steveklabnik async fn foo(s: String) -> i32 { //

The Talk youve been .await-ing for @steveklabnik async fn foo(s: String) -> i32 { //

The Talk youve been .await-ing for @steveklabnik async fn foo(s: String) -> i32 { // } fn foo(s: String) -> impl Future<Output=i32> { // } Stuff were going to talk about async/await and Futures Generators:

873 views • 73 slides
Linux Kernel Crypto API Herbert Xu Red Hat Inc. Current State Async + sync cipher interface.

Linux Kernel Crypto API Herbert Xu Red Hat Inc. Current State Async + sync cipher interface.

Linux Kernel Crypto API Herbert Xu Red Hat Inc. Current State Async + sync cipher interface. Async + sync hash interface. AEAD interface. Compress-as-you-go interface. RNG interface. Current State A handful of async PCI

970 views • 7 slides
Clemmys Towards Secure Remote Execution in FaaS Bohdan Trach , Oleksii Oleksenko, Franz Gregor,

Clemmys Towards Secure Remote Execution in FaaS Bohdan Trach , Oleksii Oleksenko, Franz Gregor,

Clemmys Towards Secure Remote Execution in FaaS Bohdan Trach , Oleksii Oleksenko, Franz Gregor, Pramod Bhatotia, Christof Fetzer ACM SYSTOR 2019 FaaS Paradigm of Cloud Computing Function Runtime Guest OS Function Hypervisor Host OS FaaS

1.34k views • 98 slides
MANAGEMENT AND SPATIAL PLANNING IN THE COASTAL ZONE OF THE CHEBOKSARY RESERVOIR Inna Nikonorova

MANAGEMENT AND SPATIAL PLANNING IN THE COASTAL ZONE OF THE CHEBOKSARY RESERVOIR Inna Nikonorova

MANAGEMENT AND SPATIAL PLANNING IN THE COASTAL ZONE OF THE CHEBOKSARY RESERVOIR Inna Nikonorova niko-inna@yandex.ru Chuvash state university 428015, Russia, Cheboksary, Moskovsky av., 15 Lowland hydroelectric reservoir created as a complex,

322 views • 17 slides
117 Things to Know... Monday, May 24, 2010 117 Things to Know... Monday, May 24, 2010 1 The

117 Things to Know... Monday, May 24, 2010 117 Things to Know... Monday, May 24, 2010 1 The

117 Things to Know... Monday, May 24, 2010 117 Things to Know... Monday, May 24, 2010 1 The same substance always has the same density. Monday, May 24, 2010 2 As pressure increases, density increases Monday, May 24, 2010 3 As

1.68k views • 108 slides
of a Clamp Band Fastening System MID/BCS Characterization of a Clamp Band Fastening System,

of a Clamp Band Fastening System MID/BCS Characterization of a Clamp Band Fastening System,

Characterization of a Clamp Band Fastening System MID/BCS Characterization of a Clamp Band Fastening System, Forum CADFEM 08/09/2015 Content Description & Applications of a Clamp Band Load Cases Classical Dimensioning Procedure

451 views • 34 slides
Investor Presentation Table of Contents I EXECUTIVE SUMMARY 1 II MINERAL DRILLING MARKET 3

Investor Presentation Table of Contents I EXECUTIVE SUMMARY 1 II MINERAL DRILLING MARKET 3

C O N F I D E N T I A L FORACO Investor Presentation Table of Contents I EXECUTIVE SUMMARY 1 II MINERAL DRILLING MARKET 3 III FORACO BUSINESS OVERVIEW 9 IV HISTORICAL KEY FINANCIALS 18 V STRATEGY GOING FORWARD 22 I Executive

619 views • 30 slides
Donwell House Care Home Fire Investigation, Fire Safety Investigation, Prosecution & Legal

Donwell House Care Home Fire Investigation, Fire Safety Investigation, Prosecution & Legal

Donwell House Care Home Fire Investigation, Fire Safety Investigation, Prosecution & Legal Support Sensitive Material Incident Details Donwell House Care Home, Donwell Village Centre, Washington, 2 storey, 63 residents Formally 2

554 views • 39 slides
Queen Elizabeth II Conference Centre London March 23, 2012 Dr. Chris Kacher Managing Director

Queen Elizabeth II Conference Centre London March 23, 2012 Dr. Chris Kacher Managing Director

Traders Expo 2012 Queen Elizabeth II Conference Centre London March 23, 2012 Dr. Chris Kacher Managing Director Virtue of Selfish Investing, LLC www.selfishinvesting.com www.mokainvestors.com Chart Notes Moving Averages: Magenta =

1.22k views • 65 slides
W50 New W50 Motors The WEG W50 motor line is a product designed for industrial applications

W50 New W50 Motors The WEG W50 motor line is a product designed for industrial applications

New WMO s Engineered Industrial Motors Platform W50 New W50 Motors The WEG W50 motor line is a product designed for industrial applications featuring high performance and reliable for the most severe operating conditions. Intensive

535 views • 10 slides
Welc on e! CAMPUS MAP G o n Aareongebude Downtown s e H e g e l s t r a s s e

Welc on e! CAMPUS MAP G o n Aareongebude Downtown s e H e g e l s t r a s s e

Welc on e! CAMPUS MAP G o n Aareongebude Downtown s e H e g e l s t r a s s e n h e i m H H BKM-Gebude Int. Studien- und Sprachenkolleg (ISSK) Kantstrae H S a a r s t r a e Autobahn A 60 d t I

354 views • 10 slides

More recommend