Cloud Native and Open Source Liangyu Zhou Senior Software Engineer at Tencent Rich experience in Container and Kubernetes field, promote lots of K8S production practice in Tencent Motivation https:// isolation, but we will focus on pod-to-pod isolation in this talk, AKA Sandbox Isolation. • Container Escape docker.vh.neargle.com:8888/?command_exec=python3 -c "import docker;client = docker.Doc /proc/self/fd/ 4. Linux Kernel Patch Are those enough? NO https://landscape.cncf.io/category=container-runtime&format=card-mode&grouping=category Runtime Landscape cri- containerd runsc+gVisor kubelet

updates to the data? • Try to figure out some networking scenario to pull in the data when needed The STL currently does not have parts requiring networking and we would really like to avoid adding that updates to the data? • Try to figure out some networking scenario to pull in the data when needed The STL currently does not have parts requiring networking and we would really like to avoid adding that

with the cert you specified, common if you want to TLS with service outside mesh apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: reviews spec: host: reviews trafficPolicy: Service ● AUTO_PASSTHROUGH: pass through the TLS traffic purely using SNI without VS apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: bookinfo-gateway spec: selector: istio:

algorithms and adaptors is in the early prototyping phase. IO schedulers? Simple async socked-based networking?123 ADDITIONAL RESOURCES P2300R2: “std::execution”: https://wg21.link/P2300R2 Libunifex:

Support44  Defined in  New adaptors on top of basic sequence containers  Associative container interface (similar to std::map)  unique keys (flat_map)  fast retrieval of values based on a // "", "c", "d", "e", ""70 Changes to Ranges Library  ranges::to(): Converts a range to a container  E.g.: auto ints = std::views::iota(1, 5) | std::views::transform([](const auto& nts) }; std::print("{}", vec); // [2, 4, 6, 8]71 Changes to Ranges Library  Converts container to container  E.g.: // Convert vector to set with same element type. std::vector vec{ 33, 11, 22 };

Pointer Synchronous Reclamation Beyond Concurrency TS2 – Maged Michael template class Container { struct Obj : hazard_pointer_obj { Key k; /* etc */ }; hazard_pointer_domain dom_; // completion of destruction of Container. • Problem: High setup overhead of constructing/destroying per custom domain hazard pointers. • Even worse if many instances of Container are used by thousands of Pointer Synchronous Reclamation Beyond Concurrency TS2 – Maged Michael template class Container { struct Obj : hazard_pointer_cohort_obj { Key k; /* etc */ }; hazard_pointer_cohort cohort_;

extension)) { continue; } // ... } }15 Erasing Elements16 Container Erasure Strategies • Erasing unwanted elements before C++20: • vector-like: erase-remove idiom 🐞 • Invalidating iterators while looping 🐞 • Skipping elements while looping 🐞17 Uniform Container Erasure • GH-236 and GH-566 implemented by SuperWig #include #include #include value_type • Associative containers have member .erase(key) • Inspects only the key, using the container's predicate • Ordered: "Logarithmic" time, O(K + log N) • Unordered: "Constant" time, average

need… • a Container Management Platform, but to network it I need… • a Service Mesh, but to secure it I need… • an automated Certificate Authority, and for more security I need… • a Container scanning and

Storage Persistence components Local or Remote Storage (block, file, object) Users (GUI/API) Container Schedulers/Runtimes Consumers LDAP/Active Directory Supporting services Harbor Packaging

Practicing Sparrow  https://rust-cloud-native.github.io/  Our new talk "Rust-based Container Runtimes" is coming soon. 2.3 Unified runtime for eBPF and Wasm Summary II. Practicing Sparrow