mikebai.com

Personal blog
IT developer
M365

Host OS and Guest OS

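1) https://blog.csdn.net/zy_zhengyang/article/details/108603813

Host OS is a concept from server virtualization. One virtualization technique is to install an operating system on the physical machine and then install hypervisor virtualization software on top of that operating system, so that several partitions can be virtualized on the physical machine and a different operating system can be installed in each. The operating system installed on the physical machine is called the Host OS, and the operating systems installed in the virtual partitions are called Guest OS.

2) https://blog.51cto.com/shadowxyj/1762801

Microsoft Azure's compute resources can be understood as the thousands of racks running in Azure data centers. The physical servers in a rack need to run an operating system themselves; this operating system can be understood as the Host OS, that is, the operating system of the physical server. Through a special version of Hyper-V, each physical server runs multiple Azure VMs at the same time; these virtual machines are the Guest OS, that is, the operating system of the virtual machine. Users can only reach the Guest OS and cannot reach the Host OS.

All of Microsoft Azure's compute functionality is delivered through virtual machines, and since these are virtual machines, there is a file for the operating system version. The Microsoft Azure platform currently provides a mechanism called Guest OS to control the version of the operating system installed in a virtual machine.

As we know, the entire Microsoft Azure data center is built on Microsoft Azure Server 2008 R2 Hyper-V. When a user requests a compute unit, the data center allocates one or more virtual machines as required, and each virtual machine has an operating system major version. These currently include Guest OS 1.x and Guest OS 2.x, which correspond to the Windows Server 2008 and Windows Server 2008 R2 families of operating systems respectively. On top of this, because the Windows operating system itself is continually updated, the Azure platform also upgrades the operating system of virtual machines periodically, although not as often as ordinary Windows updates. Each update of the Azure platform virtual machines corresponds to a new Guest OS minor version, so when requesting an Azure virtual machine the user can specify a particular Guest OS version, that is, a Windows operating system with certain updates installed, or can specify the latest Guest OS version, that is, a Windows system with all updates applied. For the former, when a new Guest OS version appears on the platform, the operating system on the user's virtual machine is upgraded automatically. For the latter, Azure does not upgrade it for the user unless the user asks for it.

Another point to note is that there is no automatic upgrade between Guest OS major versions. For example, if the latest version of Guest OS 1.x is currently 1.18 and the user has specified that the virtual machine should use the latest version of Guest OS 1.x, then when the Azure platform provides 1.19 the user's virtual machine is automatically upgraded to that version. But if Guest OS 2.1 appears, the user's virtual machine is not upgraded, because the major version is different.

3) https://docs.microsoft.com/en-us/azure/azure-monitor/vm/monitor-vm-azure#virtual-machine-host
https://docs.microsoft.com/en-us/azure/azure-monitor/vm/monitor-vm-azure#guest-operating-system

Virtual machine host

Virtual machines in Azure generate the following data for the virtual machine host, the same as other Azure resources, as described in Monitoring data.

  • Platform metrics - Numerical values that are automatically collected at regular intervals and describe some aspect of a resource at a particular time. Platform metrics are collected for the virtual machine host, but you require the diagnostics extension to collect metrics for the guest operating system.
  • Activity log - Provides insight into the operations on each Azure resource in the subscription from the outside (the management plane). For a virtual machine, this includes such information as when it was started and any configuration changes.

Guest operating system

To collect data from the guest operating system of a virtual machine, you require an agent, which runs locally on each virtual machine and sends data to Azure Monitor. Multiple agents are available for Azure Monitor, with each collecting different data and writing data to different locations. Get a detailed comparison of the different agents at Overview of the Azure Monitor agents.

  • Log Analytics agent - A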

2021-03-26 0comments 158hotness 0likes mikebai Read all
M365

Azure Blob Storage vs File Storage

from https://www.serverless360.com/blog/azure-blob-storage-vs-file-storage

Microsoft offers several options to store data on the cloud. Each option has its unique purpose for serving different business needs. One of the significant capabilities that Microsoft Azure provides is the agility to migrate to different storage options if required. There are various options available in the Azure Storage Account for storing user data:

  • Blob Storage
  • File Storage
  • Table Storage
  • Queue Storage
  • Disk

This blog tries to differentiate between Azure Blob Storage and File Storage, which are available in the Azure Storage Account.

Introduction

Blob Storage: Azure Blob Storage is an object storage solution for the cloud. Blob Storage allows you to store a massive amount of unstructured data. The unstructured data need not follow a specific data model.

File Storage: Azure Files offers fully managed file shares in the cloud that are accessible via the industry-standard SMB. Azure file shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS. They can be cached on Windows servers with Azure File Sync for faster access.

When to Use Blob Storage

Azure Blob Storage was designed to serve specific needs. If your business use case needs to store unstructured data like audio, video, images, etc., then you should probably go with this option. The objects stored in Blob Storage do not necessarily have an extension. The following points describe the use case scenarios:

  • Serving images or documents directly to a browser
  • Storing files for distributed access
  • Streaming video and audio
  • Writing to log files
  • Storing data for backup, restore, disaster recovery and archiving
  • Storing data for analysis…

2021-03-23 0comments 171hotness 0likes mikebai Read all
M365

Kubernetes YAML

(UPDATE: The code in this article has been updated to reflect changes in more recent versions of Kubernetes.)

Watch a recording of author Nick Chase in a webinar on Kubernetes Deployments using YAML.

In previous articles, we’ve been talking about how to use Kubernetes to spin up resources. So far, we’ve been working exclusively with the CLI, but there’s an easier and more useful way to do it: creating configuration files using Kubernetes YAML. In this article, we’ll look at how YAML works and use it to define first a Kubernetes Pod, and then a Kubernetes Deployment.

YAML Basics

It’s difficult to escape YAML if you’re doing anything related to many software fields, particularly Kubernetes, SDN, and OpenStack. YAML, which stands for Yet Another Markup Language, or YAML Ain’t Markup Language (depending on who you ask), is a human-readable text-based format for specifying configuration-type information. For example, in this article, we’ll pick apart the YAML definitions for creating first a Pod, and then a Deployment.

When defining a Kubernetes manifest, YAML gives you a number of advantages, including:

  • Convenience: You’ll no longer have to add all of your parameters to the command line
  • Maintenance: YAML files can be added to source control, such as a GitHub repository, so you can track changes
  • Flexibility: You’ll be able to create much more complex structures using YAML than you can on the command line

YAML is a superset of JSON, which means that any valid JSON file is also a valid YAML file. So on the one hand, if you know JSON and you’re only ever going to write your…

2021-03-21 0comments 142hotness 0likes mikebai Read all
M365

What is the difference between Docker Service and Docker Container?

In short: Docker service is used mostly when you have configured the master node with Docker swarm, so that Docker containers run in a distributed environment and can be easily managed.

Docker run: The docker run command first creates a writeable container layer over the specified image, and then starts it using the specified command. That is, docker run is equivalent to the API /containers/create then /containers/(id)/start.
source: https://docs.docker.com/engine/reference/commandline/run/#parent-command

Docker service: Docker service will be the image for

2021-03-20 0comments 136hotness 0likes mikebai Read all
M365

Docker Privileged

Introduction

Docker privileged is one of many useful features of this powerful virtualization platform. Before you start working in privileged mode, make sure you understand how it works. In this tutorial, you will learn what privileged Docker containers are, when to use them, and whether it is a good option for you.

What is Docker Privileged Mode?

Docker privileged mode grants a Docker container root capabilities to all devices on the host system. Running a container in privileged mode gives it the capabilities of its host machine. For example, it enables it to modify AppArmor and SELinux configurations. With the host’s kernel features and device access, you can even install a new instance of the Docker platform within the privileged container. Essentially, this mode allows running Docker inside Docker.

Note: Learn more about Docker containers and how they differ from Docker images in Docker Image Vs Container: The Major Differences.

How to Check if a Container is Privileged?

To check whether you are running a container in privileged mode, use the command:

    docker inspect --format='{{.HostConfig.Privileged}}' [container_id]

If the container is privileged, the output responds with true, as in the image below.

2021-03-20 0comments 155hotness 0likes mikebai Read all
M365

Adding Diagnostic Extensions to an Existing Azure VM Scale Set

There are some options to create a Virtual Machine Scale Set with the diagnostics extension to perform in-guest monitoring and collect metrics from inside your virtual machines. On the other hand, if you have an existing Virtual Machine Scale Set without this extension, there’s a way to enable it. This is what I’ll show in this post, explaining in detail how to configure each of the required parameters.

How do I know if I have diagnostics extension deployed or not?

The first thing to check if you want to monitor your guest VMs in a VM Scale Set is whether you already have the extension deployed. This is easy to do by going to the VMSS page in the Azure Portal and clicking on Metrics. If there are no metrics available in the Guest section, there is no diagnostic extension installed, and only metrics provided at the Host level, captured by the virtualization layer, are available. The picture below shows this scenario:

Checking if guest diagnostics extension is enabled or not

So, as there are no Guest metrics available, we can conclude that the extension is not installed and we can install it.

Storage Account

To hold diagnostics data we need a storage account provisioned. You can provision a new storage account or use an existing one.

Getting the Default Config

The first step to work with Azure VM Scale Set diagnostics is to get the default config. This is a template file we use to enable the diagnostics extension and also we can customize…

2021-03-19 0comments 138hotness 0likes mikebai Read all
M365

Understanding Docker "Container Host" vs. "Container OS" for Linux and Windows Containers

Let's explore the relationship between the “Container Host” and the “Container OS” and how they differ between Linux and Windows containers.

Some Definitions:

  • Container Host: Also called the Host OS. The Host OS is the operating system on which the Docker client and Docker daemon run. In the case of Linux and non-Hyper-V containers, the Host OS shares its kernel with running Docker containers. For Hyper-V each container has its own Hyper-V kernel.
  • Container OS: Also called the Base OS. The base OS refers to an image that contains an operating system such as Ubuntu, CentOS, or windowsservercore. Typically, you would build your own image on top of a Base OS image so that you can utilize parts of the OS. Note that Windows containers require a Base OS, while Linux containers do not.
  • Operating System Kernel: The Kernel manages lower level functions such as memory management, file system, network and process scheduling.

Now for some pictures:

In the above example, the Host OS is Ubuntu. The Docker Client and the Docker Daemon (together called the Docker Engine) are running on the Host OS. Each container shares the Host OS kernel. CentOS and BusyBox are Linux Base OS images. The “No OS” container demonstrates that you do not NEED a base OS to run a container in Linux. You can create a Dockerfile that has a base image of scratch and then runs a binary that uses the kernel directly. Check out this article for a comparison of Base OS sizes.

In the above example, the Host OS is Windows 10 or Windows Server. Each container shares…

2021-03-19 0comments 127hotness 0likes mikebai Read all
M365

security center simulate Azure Key Vault alert

https://techcommunity.microsoft.com/t5/azure-security-center/validating-azure-key-vault-threat-detection-in-azure-security/ba-p/1220336

Azure Security Center includes advanced threat protection for Azure Key Vault. Security Center detects unusual and potentially harmful attempts to access or exploit Key Vault accounts based on behavior analysis using machine learning. To use this threat detection capability, you need to enable the Key Vault threat bundle in the Azure Security Center pricing tier as shown below:

The validation steps that follow will help you simulate an action that triggers an alert in Azure Security Center. This action may be benign in some cases, but it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. Follow the steps below to perform this simulation:

2021-03-15 0comments 136hotness 0likes mikebai Read all
M365

the difference between Keys and Secrets in Azure Key Vault

Key Vault Keys: Keys in Azure Key Vault are 'Cryptographic keys' used to encrypt information without releasing the private key to the consumer (users\Service). It acts like a black box to encrypt and decrypt content using the RSA algorithm. The RSA algorithm involves a public key and a private key. The public key can be known to everyone; it is used to encrypt messages. Messages encrypted using the public key can only be decrypted with the private key.

Scenario: Assume you have to store the customer CreditCard. The secure way to keep it in your DB is to store it encrypted. During the software design and business requirements it is perfectly clear that you should encrypt it, what most people don't real

2021-03-15 0comments 131hotness 0likes mikebai Read all
M365

How to demonstrate the new containers features in Azure Security Center

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

At Ignite, the Azure Security Center team announced many features and capabilities in the CSPM and the CWPP segments. The entire list can be found in this blog post. One out of many areas that the product team invested a lot of resources and innovation is the containers

2021-03-14 0comments 139hotness 0likes mikebai Read all
COPYRIGHT © 2025 mikebai.com. ALL RIGHTS RESERVED.
