Working with type systems and communications can be very difficult. In Haskell, messages between threads are usually conveyed through channels that only accept a single type, and as a result are not very versatile. In networked systems, a stream of bytes is sent that hopefully conforms to one of many protocols including TCP, UDP, and HTTP, and hopefully both parties agree on what is sent and when. Session Types are a way to bridge the gap between these systems, as they can capture complicated protocols, and be properly type checked. There are many ways that Session Types are notated and…
In 2016, Docker has officially updated their image specification from V1 to V2, adopting a more sophisticated scheme that is inline with OCI Container Image Specification. There are only a few minor differences between Docker's image spcification V2 and OCI image specification (See Compatibility Matrix). Here we will discuss some of the major changes from V1 and V2, and why Docker has moved towards these changes. Image vs Container Docker images contain the underlying changes in the root filesystem, and the execution parameters of a container. When we write a Dockerfile, the FROM clause bring in a base image from…
The Matrix AI team has been developing Polykey, a distributed peer-to-peer secret sharing system. It is intended to manage secrets, passwords, API keys for both humans and machines. Many secret management systems have been designed either only for humans, or only for machines. We think this is unnecessary and intend Polykey to work in both cases. However for this article, we'll focus solely on what Polykey provides to the Matrix infrastructure. Matrix Automatons may require secrets in order to communicate to an external API. There are several challenges to managing infrastructural secrets: How to automatically deploy software which relies on…
TCP/IP networking relies on IP addresses mapped to a machine to facilitate routing through the Border Gateway Protocol (BGP). This mapping is usually done through the DNS, which maps human-readable names ("cats.com") to IP addresses. Service centric networks are an alternative/extension to DNS, where the host maintains their own table of mappings from service names to tuples of IP address and port number, but with additional capabilities to control the routing of data. This additional flexibility is usually referenced in the literature as separating the control plane and data plane. The key advantage provided by…
The fundamental isolation technology supporting containers on Linux are Linux namespaces. Namespaces provide isolation of global resources in a way that is transparent to the processes within the namespace. There are currently 7 different namespaces that are supported: Cgroups, IPC, Network, Mount, PID, User, UTS. Today we will be looking at the network namespace. The network namespace can be thought of as a copy of the network stack. It provides isolation in network interfaces, routes, and firewall rules. In this article we will be using the tools from iproute2 to demonstrate. First let's create a new network namespace to play…