Difference between OpenVZ and LXC

Background: What’s a container?

Containers have been around for over 15 years, so why is there an influx of attention for containers? As compute hardware architectures become more elastic, potent, and dense, it becomes possible to run many applications at scale while lowering TCO, eliminating the redundant kernel and guest OS code typically used in a hypervisor-based deployment. This is attractive enough on its own, but it also brings benefits such as eliminating performance penalties, increasing visibility, and making debugging and management easier.

Because containers share the host kernel, binaries and libraries, they can be packed even denser than typical hypervisor environments can pack VMs.

OpenVZ

OpenVZ is a Linux container solution. It was first released in 2005 by SWSoft, now known as Parallels. Though connected to a private, proprietary company, OpenVZ is open source and available for free.

The previously mentioned container projects have been related to BSD. One fundamental difference between BSD and Linux is that Linux is technically just a kernel. All of the tools that make Linux functional are supplemental and from different projects. For example, the chroot command in Ubuntu Linux comes from the GNU coreutils project.

This distinction between BSD and Linux is quite important in the case of OpenVZ. Because containers require kernel-level access, the container code needs to be integrated into the kernel. OpenVZ only released its code as a set of patches and custom-compiled Linux kernels; initially, the project never bothered to get its code into the official Linux kernel.

As explained in a recent OpenVZ blog entry, this was a mistake recognized way back in 2005, and the OpenVZ team has been working to get their code integrated into the main Linux kernel since then. This can sometimes be a very slow and painful process. The Xen project went through the same scenario.

OpenVZ has never really gained widespread acceptance in the Linux community. This is unfortunate since it is a very robust project with a large amount of features.

LXC

Finally, there is LXC. Well, before we get into LXC, let us talk about Linux Namespaces. A namespace is another term for segregation. Items in different namespaces are unable to collide or conflict with each other. Chroot can be thought of as a simple filesystem namespace.

As we have seen with all the other container projects, they implement features beyond filesystem segregation: users, processes, and the network are all also segregated.

Starting in 2001, the Linux kernel began supporting a series of namespaces. The first was mount namespaces, which can be thought of as an enhanced filesystem namespace. Since then, Linux has added support for UTS, IPC, PID, user, and network namespaces. This article goes into great detail about each of them.

Next, a quick mention about control groups otherwise known as cgroups. Cgroups limit the amount of resources a certain process can use. For example, a process could be limited to use just 50% of the total CPU on the server.

Between namespaces and cgroups, the Linux kernel has everything it needs to support a modern container system. And that is exactly what LXC is: a collection of utilities that interact with namespaces and cgroups.
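The following C program is an added example, not code from the article or from the LXC project. It creates a child process in new user, PID and UTS namespaces, the kernel features that LXC drives, and reports what the child sees: its PID is 1 inside the fresh PID namespace, and it can rename its own UTS namespace without touching the host's hostname. Creating the user namespace first is what lets an unprivileged process do this; on systems where unprivileged user namespaces are disabled (or where a sandbox blocks the call), the kernel refuses with EPERM and the program reports that instead of failing. The hostname string and the helper names are constructed for the example; it assumes Linux with glibc.

```c
/* Added example: one process in new user, PID and UTS namespaces (Linux/glibc). */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)
#define DEMO_HOSTNAME "lxc-demo"   /* constructed value for the example */

typedef struct {
    int pid_in_ns;        /* getpid() as seen by the child */
    int hostname_set;     /* 1 if sethostname() succeeded inside the new UTS ns */
    char hostname[64];    /* hostname as seen by the child */
} ns_report;

struct child_args { int write_fd; };

static int child_fn(void *arg)
{
    struct child_args *a = arg;
    ns_report r;
    memset(&r, 0, sizeof r);
    r.pid_in_ns = (int)getpid();          /* 1 inside a fresh PID namespace */
    /* CLONE_NEWUSER gives this process CAP_SYS_ADMIN over the UTS namespace it
     * owns, so even an unprivileged user may rename it; the host's hostname,
     * which lives in the parent's UTS namespace, is not affected. */
    r.hostname_set = (sethostname(DEMO_HOSTNAME, strlen(DEMO_HOSTNAME)) == 0);
    if (gethostname(r.hostname, sizeof r.hostname) != 0)
        r.hostname[0] = '\0';
    (void)!write(a->write_fd, &r, sizeof r);   /* no stdio in the child */
    close(a->write_fd);
    return 0;
}

/* Returns 1 if the isolated child ran and reported back, 0 if the kernel or
 * sandbox refused to create the namespaces (EPERM/EINVAL/ENOSYS/EUSERS/ENOSPC,
 * e.g. unprivileged user namespaces disabled), and -1 on any other error. */
int run_isolated(ns_report *out)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    char *stack = malloc(STACK_SIZE);
    if (!stack) { close(fds[0]); close(fds[1]); return -1; }
    struct child_args a = { fds[1] };
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
    pid_t pid = clone(child_fn, stack + STACK_SIZE, flags, &a);  /* stack grows down */
    int saved = errno;
    close(fds[1]);
    int rc;
    if (pid == -1) {
        rc = (saved == EPERM || saved == EINVAL || saved == ENOSYS ||
              saved == EUSERS || saved == ENOSPC) ? 0 : -1;
    } else {
        ssize_t n = read(fds[0], out, sizeof *out);
        int status;
        waitpid(pid, &status, 0);
        rc = (n == (ssize_t)sizeof *out) ? 1 : -1;
    }
    close(fds[0]);
    free(stack);
    return rc;
}

int main(void)
{
    ns_report r;
    memset(&r, 0, sizeof r);
    int rc = run_isolated(&r);
    if (rc == 1)
        printf("child saw pid %d and hostname '%s'; host hostname unchanged\n",
               r.pid_in_ns, r.hostname);
    else if (rc == 0)
        puts("namespace creation refused: unprivileged user namespaces are disabled here");
    else
        perror("run_isolated");
    return rc < 0;
}
```

Compile with `gcc -Wall -o nsdemo nsdemo.c` and run it as a normal user: a refusal (return code 0 path) is exactly the hardening knob distributions reach for after the user-namespace issues mentioned later in this post, so the program doubles as a quick check of whether that knob is set on a host.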

So, since LXC uses features native to the Linux kernel, this should make it a better choice over OpenVZ, right? I guess that depends on one's opinion of those features.

The Linux namespace and cgroup code is still in development. For example, user namespaces were only finalized a few months ago. Shortly after, they were found to be heavily exploitable.

Security in general is a very subjective and relational topic: what one person is paranoid of can be of no matter to another person. Security has always been a hot topic with LXC. Here are several different articles on the subject.

This part of the series summarized various existing container solutions. You might have noticed the added detail for the Linux-based solutions, especially LXC.

2017/12/31 posted in Network

BitTorrent Traffic Detection with Deep Flow Inspection

1. What is Deep Flow Inspection (DFI)?

As the name implies, the analysis or classification of P2P traffic is flow-based, focusing on the connection-level patterns of P2P applications. Thus, it does not require any payload analysis, unlike DPI. Because it does not require payload analysis, encrypted packets can easily be supported. The downside of this approach is the additional step of extracting the connection-level pattern of the P2P traffic. And yet, there is no rule of thumb for which network features should be used in this method.

2. Proposed System

2.1 Training Module

**Figure 1: Proposed system to classify BT packet flows**

2.2

2.2.1 Ground truth generation

The ground truth is the packet flows with known classes. In order to train a classifier, two types of packet flows need to be captured, namely the BT and non-BT packet flows. To capture the BT packets, I manually force the BT client to use a single TCP port (i.e. 1200) for data transfer. Thus, all the BT traffic must go through this TCP port. Then, I start a sample torrent file and the BT client automatically starts downloading/uploading the contents. At the same time, I start my packet capturing program to obtain the packets. Similarly, to capture non-BT packets, I start my packet capturing program while creating non-BT network activities including HTTP, FTP and SSH. With the known class of the packets in the PCAP files, I can start training the classifier.

2.2.2 Study of DFI classifier accuracy

**Figure 2: Classifier accuracy with different training samples**
Figure 2 shows the classifier accuracy with an increasing number of BT packet flows used to train the classifier. The classifier was first trained with a set of BT samples, and then it was tested against some other BT packet flows to observe the accuracy. This experiment gives us some clues about how many packet flows should be used in order to train a reliable classifier for the DFI module. As expected, the more BT packets are used to train the classifier, the better the accuracy is. However, as the number of BT packets increases, the classifier saturates at some point. After that, even if more packets are provided, the accuracy does not increase significantly.
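The following Python script is an added example, not code from the post or from the linked repository. It ties sections 1, 2.2.1 and 2.2.2 together on constructed traffic: packet records are grouped into bidirectional flows and reduced to connection-level features without reading any payload (the DFI idea), flows are labelled by the pinned BT port 1200 as in the ground-truth capture, and a hand-rolled Gaussian naive Bayes classifier is trained with a growing number of BT and non-BT flows so that the accuracy curve of Figure 2 can be reproduced. The feature set, the classifier type, the synthetic traffic parameters and the IP addresses are all assumptions for the example; the post does not say which features or classifier it used.

```python
"""Added example: DFI-style BT flow classification on constructed packet records.

A packet record is (timestamp, src_ip, src_port, dst_ip, dst_port, size).
Assumed: the BT client was pinned to TCP port 1200, so that port is the label.
"""
import math
import random
import statistics
from collections import defaultdict

BT_PORT = 1200  # port the BT client was pinned to during the ground-truth capture


def flow_key(pkt):
    """Bidirectional 5-tuple key: both directions of one TCP conversation share a flow."""
    _, src, sport, dst, dport, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def extract_features(packets):
    """Connection-level features per flow; payload bytes are never inspected (DFI, not DPI)."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    feats = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p[0])
        sizes = [p[5] for p in pkts]
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])] or [0.0]
        fwd = sum(1 for p in pkts if (p[1], p[2]) == key[0]) / len(pkts)
        feats[key] = [
            len(pkts),                 # packets in the flow
            statistics.mean(sizes),    # mean packet size
            statistics.pstdev(sizes),  # packet size variability
            statistics.mean(gaps),     # mean inter-arrival time
            fwd,                       # share of packets sent by the lower endpoint
        ]
    return feats


def ground_truth(key):
    """Label from the capture setup: any flow touching the pinned port is BT (1)."""
    return 1 if BT_PORT in (key[0][1], key[1][1]) else 0


def train_nb(X, y):
    """Gaussian naive Bayes: class prior plus per-feature mean and floored stddev."""
    model = {}
    for c in (0, 1):
        rows = [x for x, lbl in zip(X, y) if lbl == c]
        cols = list(zip(*rows))
        mu = [statistics.mean(col) for col in cols]
        sd = [max(statistics.pstdev(col), 0.05 * abs(m) + 1e-3) for col, m in zip(cols, mu)]
        model[c] = (len(rows) / len(X), mu, sd)
    return model


def predict_nb(model, x):
    """Return the class with the highest log-posterior for feature vector x."""
    best, best_lp = None, -math.inf
    for c, (prior, mu, sd) in model.items():
        lp = math.log(prior) + sum(
            -math.log(s * math.sqrt(2 * math.pi)) - (v - m) ** 2 / (2 * s * s)
            for v, m, s in zip(x, mu, sd))
        if lp > best_lp:
            best, best_lp = c, lp
    return best


def synth_flow(rng, bt, idx):
    """Constructed packets for one flow: BT is long, chatty and symmetric; non-BT short and server-heavy."""
    client, t, pkts = f"10.0.0.{idx % 200 + 1}", rng.uniform(0, 1000), []
    if bt:
        peer, pport = f"203.0.113.{rng.randrange(1, 250)}", rng.randrange(10000, 65535)
        for _ in range(rng.randrange(40, 120)):
            t += rng.uniform(0.005, 0.05)
            size = max(60, int(rng.gauss(900, 400)))
            pkts.append((t, client, BT_PORT, peer, pport, size) if rng.random() < 0.5
                        else (t, peer, pport, client, BT_PORT, size))
    else:  # HTTP, FTP or SSH with a client and a server (ports 80, 21, 22)
        server, sport, cport = f"198.51.100.{rng.randrange(1, 250)}", rng.choice([80, 21, 22]), rng.randrange(10000, 65535)
        for _ in range(rng.randrange(5, 20)):
            t += rng.uniform(0.1, 1.0)
            pkts.append((t, client, cport, server, sport, rng.randrange(60, 200)) if rng.random() < 0.25
                        else (t, server, sport, client, cport, rng.randrange(500, 1500)))
    return pkts


def learning_curve(train_sizes=(5, 10, 20, 40), n_test=60, seed=7):
    """Accuracy on held-out flows versus number of BT (and non-BT) training flows, as in Figure 2."""
    rng = random.Random(seed)

    def dataset(count, offset):
        packets = []
        for i in range(count):
            packets += synth_flow(rng, True, offset + i)
            packets += synth_flow(rng, False, offset + 1000 + i)
        feats = extract_features(packets)
        keys = list(feats)
        return [feats[k] for k in keys], [ground_truth(k) for k in keys]

    X_test, y_test = dataset(n_test, 5000)
    curve = {}
    for k in train_sizes:
        model = train_nb(*dataset(k, 0))
        correct = sum(predict_nb(model, x) == lbl for x, lbl in zip(X_test, y_test))
        curve[k] = correct / len(y_test)
    return curve


if __name__ == "__main__":
    for k, acc in learning_curve().items():
        print(f"{k:3d} BT training flows -> accuracy {acc:.3f}")
```

Because the synthetic BT and non-BT flows differ sharply in packet count and inter-arrival time, the curve saturates almost immediately; on real captures the interesting question is which of these features still separate the classes once a BT client uses random ports and encryption, since the port-based ground truth only exists because the client was pinned during the capture.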

2.2 Source code:

https://github.com/itsuwari/BitTorrent-Traffic-Detection-with-Deep-Flow-Inspection/

2017/12/23 posted in Network

Thoughts on the Nintendo Switch

This past weekend marked the first time the public got their hands on the newest console coming from Nintendo, the Nintendo Switch. The Switch’s first look and other imagery has shown what looks like an older target audience than kids and families, a switch (no pun intended) from Nintendo’s other consoles. So will it make a good family console, like the Wii U?

I had a chance to get my hands on it and I’m convinced the Switch will be our next must-have console for the entire family. “Nintendo Switch is for everyone,” Cindy Gordon, Nintendo’s VP of Corporate Affairs told me. Here are a few reasons why you should consider picking it up for family.

The game line-up is as great as you’d expect — and more.

There are some things you can anticipate when a new Nintendo console is announced — a new Legend of Zelda, a new Mario adventure, and memorable party games are just a few of Nintendo’s areas of expertise that gamers have come to expect, and the Switch will deliver on all of those. (Super Mario Odyssey is such a big adventure, however, that it won’t be available until later in the year.)

But the Nintendo Switch is also branching out into new games and franchises that have never been on a Nintendo system before. The Elder Scrolls: Skyrim, FIFA, and NBA 2K are also headed to the Switch, and Nintendo is committed to working with third-party developers for an even more diverse offering of games.

The Switch is incredibly portable.

Easily the most appealing part of the Nintendo Switch is the hassle-free portability. The screen quickly and simply undocks from the console, the Joy-Con controllers attach to the side, and you instantly have a portable game with high-quality graphics that look just as good as they do on the TV.

If you’ve ever dreamed about playing Skyrim during a long flight or the kids having Splatoon battles in the backseat on the way to Grandma’s, the Switch is about to make that a reality–without any cords or mess, said Gordon. Battery life ranges from two-and-a-half to six-and-a-half hours, depending on the game. The Legend of Zelda: Breath of the Wild will last about three hours before needing to recharge, estimated Gordon.

The controllers are made for hands of all sizes.

The Switch’s controllers, known as Joy-Con, are surprisingly small and can fit hands of all sizes and ages. “Joy-Con are little technological feats of innovation that pack a powerful punch,” Gordon said.

The innovative design allows different ways to play depending on the game you’re playing. Attach it to the sides of the screen for gaming on the go, use it as a traditional controller, or pull the two pieces apart and use them similar to Wiimotes. Kids and adults alike will appreciate the flexibility.

When separated, you can also turn the Joy-Con horizontally and use it in a style similar to the original NES controller. I had the chance to play Mario Kart 8 Deluxe with it in that manner, however, and even my small hands started to cramp a little due to the tiny controller. Parents may want to pick up the Pro Controller if they’ll be doing just as much gaming as the kids.

Parental controls are built in.

You know.

2017/12/19 posted in Offtopics

Free Alternatives to Gaussian

'Free software' here does not mean 'libre software'.

1. GAMESS

The most similar to Gaussian; the code is really clean and easy to read, and there is even documentation for developers.

Open source: Yes. License: BSD.

2. PSI

An Open-Source electronic structure program emphasizing automation, advanced libraries, and interoperability.

Open source: Yes. License: GNU GPL v3.

3. LAMMPS

Has potentials for solid-state materials (metals, semiconductors) and soft matter (biomolecules, polymers) and coarse-grained or mesoscopic systems. It can be used to model atoms or, more generically, as a parallel particle simulator at the atomic, meso, or continuum scale.

Open source: Yes. License: GPL v3.

4. CASTEP

Specializes in periodic systems with plane wave basis sets.

Open source: No. License: commercial.

5. ACES

Open source: Yes. License: GPL v3.

Specializes in high level quantum chemistry calculations.

Takes the best features of parallel implementations of quantum chemistry methods for electronic structure.

6. DIRAC

Open source: No. License: unknown.

Oriented towards relativistic quantum chemistry problems.

7. NWChem

Open source: Yes. License: ECL.

Can calculate a smaller set of properties, but it can handle mixed QM/MM calculations and periodic systems such as solids.

2017/11/11 posted in Material