COTS, Hardware, and Cloud Deployment Models

Questions and Answers

A company is developing a warehouse management product with a core software component and customizable modules. To minimize costs, which deployment model would be most suitable?

  • In a virtual private cloud instance dedicated to the specific customer, running on a public cloud
  • As containers running in a set of servers available on premise in the customer's datacenter
  • As VMs running in a set of servers available on premise in the customer's datacenter
  • In a way that is not known by the customer; the software will be delivered online, through the Software-as-a-Service (SaaS) model (correct)

What is a characteristic feature of Common-Off-The-Shelf (COTS) hardware?

  • Hardware that is used only by normal customers (e.g., individuals), but is not appropriate for cloud workloads
  • Hardware that is used in many on-premise data centers, but definitely not appropriate for big hyperscalers (Amazon, Google, Azure, etc.)
  • Hardware that is bought in large quantity, standardized, reducing the variety of different hardware present in a datacenter. (correct)
  • Hardware that cannot be specialized, e.g., by adding dedicated components such as GPU engines or Infiniband adapters

Which of the following scenarios would most likely benefit from a COTS hardware solution?

  • A government agency needing specialized hardware to meet stringent security and regulatory requirements.
  • A small startup with limited capital designing specialized network appliances for niche markets.
  • A large cloud provider managing massive datacenters that require cost efficiency and easy scalability. (correct)
  • A research lab that develops bleeding-edge artificial intelligence models with custom-designed hardware accelerators.

A company wants to minimize the ongoing maintenance and management overhead of their warehouse management software. Which deployment model is most appropriate?

Deploying the software as a SaaS solution managed by the vendor. (C)

What is a key trade-off a company should consider when choosing COTS hardware versus custom-built solutions?

COTS hardware offers lower customization and potentially less tailored performance but at a reduced cost and faster deployment time. (D)

If a Docker container runs an application designed to maximize performance by creating threads equal to the number of available CPU cores, how many threads will it create?

Equal to the number of CPU cores assigned to the Docker container at startup. (A)

What is generally required for a VM running in OpenStack to be reachable from the public Internet?

Explicit configuration of routing and firewalling rules in the OpenStack configuration. (D)

A pod (and its associated service) in a Kubernetes datacenter is exposed to the internet via an Ingress controller. What destination IP address will network packets have when they first enter the datacenter?

The IP address of the Ingress controller. (B)

In a service mesh architecture, how is each microservice typically integrated with the mesh?

Each microservice is automatically started with a sidecar proxy that implements the service mesh functionality. (C)

In computing virtualization, what is the primary function of the Trap-And-Emulate approach?

To intercept and handle privileged and/or sensitive CPU instructions. (D)

In CPU para-virtualization, what is the fundamental approach to improve performance?

Replacing some source code of the GuestOS kernel with the proper equivalent function in the HostOS kernel. (D)

Regarding CPU rings in modern CPUs, what is their primary purpose in the context of virtualization?

They delineate privilege levels, with specific rings dedicated to OS kernels. (A)

What does dynamic binary translation primarily refer to in the context of virtualization?

The translation of instructions executed by the GuestOS kernel. (B)

In a virtualized system, what do VMEntry and VMExit instructions facilitate?

Fast transitions between the GuestOS and HostOS kernels. (A)

Regarding computing virtualization, what is a common characteristic of a hypervisor in terms of device emulation?

It typically emulates a very small number of physical devices. (B)

When considering the image (ISO) of a modern operating system intended for use within a VM, what is typically included in terms of device drivers?

Drivers for many physical devices (e.g., Intel NIC) and a few para-virtualized devices (e.g., VIRTIO). (C)

What is the primary function of Libvirt in the context of virtualization?

Simplifying the interaction with VMs running on different hypervisors (KVM, VMware, etc.). (C)

In Linux-based virtualization, where do QEMU and KVM operate, respectively?

QEMU runs in user space, KVM runs in kernel space. (D)

Implementing a hot migration of a VM to another server requires moving the state of which components?

The entire VM (i.e., applications and GuestOS kernel) plus the state of the hypervisor. (C)

In computing virtualization, what defines a 'sensitive' instruction?

An instruction that may leak information about the current running kernel context. (A)

In which scenario would a 'ClusterIP' service be most appropriate?

Providing internal access to a backend database used by a web server frontend. (A)

What is the primary function of an Ingress controller in Kubernetes?

Enabling multiple HTTP/HTTPS services to be delivered on a single TCP port. (A)

Which Kubernetes service type should you use if you need it to be reachable only from inside the cluster?

ClusterIP (A)

Why is using a Kubernetes Service (e.g., ClusterIP) preferable to directly accessing a pod's IP address?

Services handle pod respawning and provide a single access point for multiple replicas. (C)

Theoretically, how do the memory requirements compare for an application running on bare hardware, in a VM, and in a Docker container?

Memory(VM) > Memory(Docker) = Memory(bare hardware) (C)

From a theoretical standpoint, assuming no layered filesystem advantages, how do disk requirements compare for an application running on bare hardware, in a VM, and in a Docker container?

Disk(VM) = Disk(Docker) > Disk(bare hardware) (A)

To create a webserver that can scale as demand increases, which platform would provide the most scalability by default?

Kubernetes on public cloud (D)

Which of the following capabilities typically requires a service mesh instead of solely relying on a Kubernetes service?

Load balancing based on application-level information (e.g., requested URL). (C)

A university with campuses in Torino and Tashkent needs a real-time videoconferencing service. Which is the MOST suitable option?

Buy Zoom, which is running in multiple cloud locations across the world. (B)

If a Docker container attempts to modify its filesystem by writing a file, where will the file be stored?

In the filesystem of the running Docker container. (B)

In a Docker layered filesystem, when does a new layer get created?

When the Dockerfile executes a command that modifies the current filesystem. (A)

Consider a server with two CPUs (52 cores each) and 512 GB RAM. Which of the following statements is MOST accurate regarding the application's resource usage?

The application's resource usage depends on the Docker container's limits and the host server's available resources. (C)

Compared to traditional VMs, what is a key advantage of containerization regarding resource utilization within a cluster environment?

Containers share the host OS kernel, resulting in lower overhead and better density. (D)

An application's Dockerfile includes multiple layers, some large and some small. How does this impact the deployment speed and storage efficiency of the application?

Smaller layers speed up deployment and improve storage efficiency through sharing. (C)

A development team is migrating a monolithic application to a microservices architecture using Kubernetes. Which of these options would be MOST suitable?

Package each microservice into an individual Docker container and orchestrate them using Kubernetes. (D)

What resources would htop report when run inside a Docker container?

The resources assigned to that Docker at startup (e.g., 2 CPU cores and 4 GB RAM). (D)

What is the primary purpose of a Dockerfile?

Its main purpose is to define a sort of "recipe" listing the steps required to re-create the container from scratch. (A)

What is the typical use case for a 'daemonset' in Kubernetes?

A pod that must always be running on each Kubernetes node (e.g., to provide network services). (D)

An e-commerce site in Kubernetes is configured as a 'ClusterIP' service. Under what condition(s) might the e-commerce site be reachable from the Internet?

The e-commerce site may be reachable from the Internet depending upon the configuration of the Ingress controller. (B)

What best describes the function of the 'control loop' concept in Kubernetes?

Is implemented by controllers, which watch the state of the resources in your cluster, then make or request changes where needed. (C)

What functionality does a Custom Resource provide in Kubernetes?

Enables the definition of generic objects, even not related to any Kubernetes workflow. (B)

What network connectivity guarantees can you expect when connecting VMs/Dockers to a software bridge?

You are NOT able to guarantee full network connectivity to the services running within the VMs/Dockers. (A)

What is the most common approach to server selection in a new datacenter?

Are usually all equal (in terms of CPU, memory, disks, etc.). (D)

For an e-commerce site using a database-as-a-service in the cloud, what configuration would you choose to achieve 'high-availability'?

In multiple replicas across different Regions. (A)

When deploying an application on a public cloud cluster, what should you keep in mind regarding reliability?

You have to care about reliability, which is not completely guaranteed by the cloud provider. (B)

In which of the following scenarios is the deployment of cloud computing technologies at the network edge most beneficial?

All the other answers. (D)

In what context are technologies for computing virtualization utilized?

Are used whenever strong computing isolation is required. (B)

What is a key aspect of the filesystem within a Docker container?

At startup, it is completely independent from the one present on the hosting machine; however, temporary files created during Docker execution are stored in the filesystem of the hosting machine (e.g., /var/tmp/). (C)

A Docker is running on a server that has 2 CPUs (52 cores each). The Docker is limited to use 20% of the available CPU. After the execution of the pieces of code inside this Docker, which of the following is most likely to happen?

10 cores will be 100% busy; the remaining are idle. (C)

After creating a new Docker image starting from the public image ‘Ubuntu:latest’, I perform the following operations:

  1. I create a folder /test
  2. I create a text file /test/test.txt
  3. I remove the folder /test

After this sequence of operations, what is the size of the final Docker image, compared to the original Ubuntu:latest image?

Bigger, as Docker images are immutable, so there will be a layer containing the /test folder and one where that folder has been removed. (C)

In computing virtualization, what does the direct assignment for I/O devices signify?

A real device that is completely controlled by the GuestOS. (A)

When a GuestOS boots in a virtualized environment, what type of devices does it typically detect?

It usually detects a set of virtual devices presented to it by the hypervisor. (D)

What is a key characteristic of a VIRTIO driver regarding system calls and VM exits?

Does not use VMENTRY/VMEXIT operations. (A)

When Linux utilizes the KVM hypervisor, at what CPU ring levels do QEMU and the GuestOS operate?

QEMU runs at ring 3 (VMX root), the GuestOS runs at ring 0 (VMX non-root). (C)

In Linux, what primary function do tools like virsh and virt-manager serve?

Enable users to interact with KVM-based VMs in a user-friendly way. (B)

What constitutes the essential state of a VM that is needed to implement a hot migration?

The content of the entire memory allocated to the VM plus some additional information stored in the hypervisor. (C)

In computing virtualization, what is the specific purpose of the Trap-And-Emulate approach?

Is used to emulate privileged CPU instructions executed at the wrong privilege level. (C)

Under what conditions will an instruction executed at CPU ring 0 (VMX non-root mode) generate a trap?

Will generate a trap if it is either a sensitive or privileged instruction. (B)

How does a VIRTIO driver typically send and receive data in a GuestOS?

Uses mainly bi-directional queues shared with the companion backend driver to send/receive data. (C)

What type of binary instructions does dynamic binary translation specifically act on?

Often translates a binary instruction executed by the GuestOS kernel. (B)

How would you describe the Docker network's capabilities?

It provides a default (simplified) network behavior, but it can also offer high flexibility and customizations such as in a traditional virtualized environment (e.g., KVM). (C)

If Docker1 and Docker2 are running on different servers, how does Docker1 establish a network connection to Docker2?

It must use the IP address of the server, and the public TCP/UDP port published by Docker2. (C)

What components are included in the standard network created by Docker on a server?

It includes a software bridge, plus routing and NAT functions operating on all the traffic generated by the containers and directed outside of the server. (A)

How does a Docker container acquire its IP address within a server environment?

It is 'manually' assigned by the Docker framework to the running container. (C)

If Docker1 and Docker2 are running on the same server, how does Docker1 establish a network connection to Docker2?

It must use the IP address of Docker2, and the actual TCP/UDP port used by the application running in Docker2. (D)

Flashcards

Software-as-a-Service (SaaS)

Delivering software online, customers access it over the internet, without needing to install or manage it on their own systems.

Common-Off-The-Shelf (COTS) Hardware

Standardized hardware purchased in large quantities to reduce variety in a datacenter.

Virtual Machines (VMs) on-premise

Installing copies (VMs) of applications/services on a set of servers available at customer premises.

Containers on-premise

Running applications/services inside containers on servers available at customer premises.

Virtual Private Cloud (VPC)

Installing services/applications in a cloud 'owned' for a single customer.

Kubernetes ClusterIP Service

A service reachable only inside the Kubernetes cluster, often used for backend services.

Kubernetes Ingress Controller

Enables multiple HTTP/HTTPS services to share a single TCP port, like a traffic controller for web requests.

Kubernetes 'ClusterIP'

A Kubernetes service type that exposes the service on a cluster-internal IP. Only reachable from within the cluster.

Why use Kubernetes Service?

Services handle multiple replicas and pod respawning, providing a consistent access point.

Memory Usage: VM vs Docker

VM memory > Docker memory = bare hardware memory. VMs have overhead.

Disk Usage: VM vs Docker

VM disk = Docker disk > bare hardware disk. Docker shares the host OS kernel.

Best Scalable Web Server?

Kubernetes on a public cloud offers resources that can scale almost without limit.

Service Mesh Function

Load balancing based on requested URL requires a service mesh.

Managed Videoconferencing Service

Provides students from multiple locations with live, low-latency video conferencing.

Docker Filesystem changes

Changes are written to the Docker's filesystem, inside its container.

Docker Layer Creation

A new layer is created when a Dockerfile command modifies the filesystem during image build.

ClusterIP Reachability

A Kubernetes ClusterIP service is only reachable from inside the cluster.

Service Mesh HTTP/HTTPS load balancing

Service Mesh provides load balancing based on application layer data, enabling finer control

Service Advantage

Kubernetes services abstract the underlying pods, handling their potential respawn on another server.

Advantages of Docker Layered File System

The copy-on-write mechanism shares filesystem layers among docker images.

Docker Resource Reporting

Shows resources assigned at startup.

Dockerfile Purpose

A 'recipe' listing steps to re-create a container.

Kubernetes 'Daemonset'

Ensures a pod runs on every Kubernetes node for services.

ClusterIP Service Reachability

Reachability depends on Ingress controller configuration.

Kubernetes 'Control Loop'

Controllers watch resources and make/request changes.

Kubernetes 'Custom Resource'

Enables definition of generic objects.

Software Bridge Connectivity

You're NOT able to guarantee full network connectivity to the services running within the VMs/Dockers.

Datacenter Server Homogeneity

Servers are usually all equal (CPU, memory, disks).

Database-as-a-Service High Availability

Multiple replicas across different Regions.

Cloud Application Reliability

You have to care about reliability, which is not completely guaranteed by the cloud provider.

Edge Computing Usefulness

All the other answers.

Computing Virtualization Technologies

Are used whenever strong computing isolation is required.

Filesystem Isolation in Docker

At startup, it is completely independent from the one present on the hosting machine; however, temporary files created during Docker execution are stored in the filesystem of the hosting machine (e.g., /var/tmp/).

Docker CPU Threads

Equals the number of CPU cores assigned to the Docker at startup.

OpenStack VM Reachability

Must be explicitly enabled in the OpenStack VM configuration, including routing and firewall rules.

Kubernetes Ingress Traffic

Network packets entering the data center will have the Pod IP as the destination IP address.

Service Mesh Micro-service

Is automatically started with a sidecar that implements the service mesh.

Trap-And-Emulate

Can be used to emulate all the instructions that generate a trap.

CPU Para-Virtualization

Replaces some source code of the GuestOS kernel with the proper equivalent function in the HostOS kernel.

Modern CPU Rings

Have many CPU rings, and 2 of them are intended for executing OS kernels.

Dynamic Binary Translation

Can refer to an instruction executed by GuestOS kernel.

VMEntry/VMExit Instructions

Enable fast transitions between GuestOS and HostOS kernels.

Hypervisor Device Emulation

Is usually able to emulate a very small number of physical devices.

Modern OS Image (ISO)

Usually includes drivers for many physical devices (e.g., Intel NIC), and a few para-virtualized devices (e.g., VIRTIO).

Libvirt

Simplifies the interaction with VMs running on different hypervisors (KVM, VMware, etc.).

QEMU and KVM in Linux

QEMU runs in user space, KVM runs in kernel space.

Hot Migration of a VM

The entire VM (i.e., applications and GuestOS kernel), plus some additional data kept in the hypervisor.

Sensitive Instruction

Is an instruction that may leak information about the current running kernel context.

Direct assignment for I/O devices

A real device directly managed by the GuestOS, bypassing the HostOS.

GuestOS device detection

The GuestOS detects a set of virtual devices presented by the hypervisor during boot.

VIRTIO driver characteristic

It avoids VMENTRY/VMEXIT operations for efficiency.

KVM hypervisor rings

QEMU operates in ring 3 (VMX root), while the GuestOS runs in ring 0 (VMX non-root).

virsh and virt-manager function

They enable user-friendly interaction with KVM-based VMs.

VM state for hot migration

The VM's memory content and some hypervisor-stored info.

Trap-And-Emulate approach

Emulating privileged CPU instructions at the wrong privilege level.

Instruction at CPU ring 0 (VMX non-root)

It will trap if the instruction is sensitive or privileged.

VIRTIO driver data transfer

It uses bi-directional queues shared with the backend driver to send/receive data.

Dynamic binary translation in virtualization

Often translates instructions executed by the GuestOS kernel.

Docker network flexibility

Docker networking provides both simplified default behavior and customizable options like KVM.

Docker network connection across servers

It must use the server's IP address and the published TCP/UDP port of Docker2.

Docker standard network

It includes a software bridge, plus routing and NAT for external traffic.

Docker IP address assignment

It's manually assigned by the Docker framework.

Docker network connection within same server

It must use Docker2's IP address and the application's actual TCP/UDP port.

Study Notes

Product Deployment Options

  • Software can be delivered online through the Software-as-a-Service (SaaS) model, in which the way the software is deployed is not known by the customer.

Common-Off-The-Shelf (COTS) Hardware

  • COTS hardware is standardized and bought in large quantities, reducing hardware variety in a data center.

Kubernetes "ClusterIP" Service

  • A "ClusterIP" service is used for services reachable only inside the cluster, such as a backend database consumed by a web server frontend.

Kubernetes Ingress Controller

  • An Ingress controller in Kubernetes enables multiple HTTP/HTTPS services to be delivered on a single TCP port through service multiplexing.

Kubernetes Service for Internal Reachability

  • A Kubernetes "ClusterIP" service is used to create a service only reachable from inside a Kubernetes cluster.

Purpose of Kubernetes Service

  • A Kubernetes Service (e.g., ClusterIP) handles cases with multiple replicas and pod respawning, unlike direct pod IP addressing.

Memory Requirements

  • Memory requirements theoretically compare as: Memory(VM) > Memory(Docker) = Memory(bare hardware).

Disk Requirements

  • Disk requirements theoretically compare as: Disk(VM) = Disk(Docker) > Disk(bare hardware), assuming no layered file system advantages.

Scalable Web Server

  • Kubernetes on a public cloud is the best choice for creating a web server that scales endlessly.

Service Mesh Functionality

  • Load balancing incoming HTTP/HTTPS connections to different service instances based on application-level information (e.g., requested URL) requires a "service mesh" software instead of a Kubernetes "service".

Real-Time Video Conferencing

  • Buying a managed service (e.g., Zoom) running in multiple cloud locations across the world is the best option for setting up a real-time video conferencing service.

Docker Filesystem Modification

  • A file is written in the file system of the running Docker when a Docker running in a server tries to modify its filesystem.

Docker Layered Filesystem

  • The layered file system in Docker builds a new layer each time the Dockerfile executes a command that modifies the current filesystem.

Docker Resource Availability

  • A Docker reports 104 CPU cores and 512 GB RAM if the server has 2 CPUs (52 cores each) and 512 GB RAM.

Purpose of Dockerfile

  • The Dockerfile defines a "recipe" listing the steps to re-create the container from scratch.

Kubernetes "daemonset"

  • A “daemonset” in Kubernetes is used for a pod that must always be running on each Kubernetes node to provide network services.

Kubernetes Cluster with "ClusterIP" Service

  • An e-commerce site in a Kubernetes cluster with the web frontend configured as a "ClusterIP" service may be reachable from the Internet depending upon the configuration of the Ingress controller.

Kubernetes "Control Loop"

  • The “control loop” concept in Kubernetes is implemented by controllers, which watch the state of the resources in the cluster, then make or request changes where needed.

Kubernetes Custom Resource

  • A Custom Resource in Kubernetes enables the definition of generic objects, even not related to any Kubernetes workflow.

VM/Docker Network Connectivity

  • By connecting a set of VMs/Dockers to a software bridge, you are NOT able to guarantee full network connectivity to the services running within the VMs/Dockers.

Data Center Servers

  • Servers in a new data center are usually all equal in terms of CPU, memory, disks, etc.

High-Availability Database-as-a-Service

  • For high-availability, an e-commerce site that leverages a database-as-a-service from the cloud provider should be set up in multiple replicas across different Regions.

Application Deployment

  • An application deployment on a cluster in public cloud requires care about reliability, which is not completely guaranteed by the cloud provider.

Edge Computing

  • The deployment of cloud computing technologies at the edge of the network is useful with applications that cannot afford network problems, require very low latency, and need to keep some data local, or that need to reduce the data volume before sending it to the cloud.

Computing Virtualization Technologies

  • Technologies for computing virtualization are used whenever strong computing isolation is required.

Docker Filesystem

  • The filesystem in a Docker at startup is completely independent from the one present on the hosting machine; however, temporary files created during Docker execution are stored in the filesystem of the hosting machine (e.g., /var/tmp/).

Docker CPU Cores

  • A Docker running on a server that has 2 CPUs (52 cores each) will create 104 threads.

VM Reachability in OpenStack

  • The reachability of a VM running in OpenStack from a customer connected to the Internet must be explicitly enabled in the OpenStack configuration of the VM.

TCP Connection

  • When a client (on the Internet) establishes a TCP connection toward a pod/service: Two cascading TCP connections must be established to allow the client to connect to the pod.

Micro-service in a service mesh

  • In a service mesh, each micro-service is automatically started with a sidecar that implements the service mesh.

Trap-And-Emulate Approach

  • In computing virtualization, the Trap-And-Emulate approach can be used to emulate all the instructions that generate a trap.

CPU Para-virtualization

  • Replaces some source code of the GuestOS kernel with the proper equivalent function in the HostOS kernel.

Modern CPUs

  • Have many CPU rings, and 2 of them are intended for executing OS kernels.

Dynamic Binary Translation

  • Can refer to an instruction executed by GuestOS kernel.

VMEntry and VMExit Instructions

  • Enable fast transitions between GuestOS and HostOS kernels.

Computing Virtualization Hypervisor

  • Is usually able to emulate a very small number of physical devices.

Operating System Image in a VM

  • Usually includes drivers for many physical devices (e.g., Intel NIC), and a few para-virtualized devices (e.g., VIRTIO).

Libvirt

  • Simplifies the interaction with VMs running on different hypervisors (KVM, VMware, etc.).

Linux

  • QEMU runs in user space, KVM runs in kernel space.

Hot Migration

  • Implementing a hot migration of a VM to another server requires moving the state of the entire VM (i.e., applications and GuestOS kernel), plus some additional data kept in the hypervisor.

Sensitive Instruction in Computing Virtualization

  • Is an instruction that may leak information about the current running kernel context.

CPU ring 0

  • Can generate a trap if it is a privileged instruction.

VMX root/non-root modes

  • Is more efficient when handling system calls.

Userland Program Trap-And-Emulate

  • We experience two transitions: User space --> HostOS kernel --> GuestOS kernel.

Direct Assignment for I/O Devices

  • A real device that is completely controlled by the GuestOS.

GuestOS in a Virtualized Environment

  • It usually detects a set of virtual devices presented to it by the hypervisor.

A VIRTIO Driver

  • Does not use VMENTRY/VMEXIT operations.

KVM Hypervisor

  • QEMU runs at ring 3 (VMX root), the GuestOS runs at ring 0 (VMX non-root).

Linux Tools virsh and virt-manager

  • Enable users to interact with KVM-based VMs in a user-friendly way.

The state of a VM

  • The content of the entire memory allocated to the VM plus some additional information stored in the hypervisor.

Computing Virtualization, Trap-And-Emulate approach

  • Is used to emulate privileged CPU instructions executed at the wrong privilege level.

Instructions Executed on the CPU

  • Will generate a trap if it is either a sensitive or privileged instruction.

VIRTIO

  • Uses mainly bi-directional queues shared with the companion backend driver to send/receive data.

Dynamic binary translation

  • Often translates a binary instruction executed by the GuestOS kernel.

Docker Network

  • Provides a default (simplified) network behavior, but it can also offer high flexibility and customizations such as in a traditional virtualized environment (e.g., KVM).

Docker Network Connection

  • Must use the IP address of the server, and the public TCP/UDP port published by Docker2.

Standard Docker Network

  • It includes a software bridge, plus routing and NAT functions operating on all the traffic generated by the containers and directed outside of the server.

Docker IP address

  • It is "manually" assigned by the Docker framework to the running container.

Network Connection

  • It must use the IP address of Docker2, and the actual TCP/UDP port used by the application running in Docker2.
