For the last couple of weeks, I've been playing with a PoC implementation of a file system for the Linux kernel.
seccomp made easy
seccomp is a kernel feature that restricts which syscalls a process may use.
Almost every container runs with seccomp enabled to limit the syscalls it can make.
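The excerpt above only states what seccomp does, so here is an added example of the mechanism behind it. This is not code from the original post, from crun, or from any other project mentioned on this page: it is a minimal seccomp-bpf program that makes one syscall fail with EPERM and allows everything else, which is the same kind of classic BPF filter that a container runtime compiles from an OCI seccomp profile (just with a far longer allow/deny list). The blocked syscall, getppid, is an arbitrary choice made because it needs no privilege and has no side effects; `install_errno_filter` and `probe_getppid` are names introduced here.

```c
/* Added example: a seccomp-bpf filter that forbids one syscall (getppid,
 * chosen only because it is harmless and unprivileged) by making it return
 * EPERM, while allowing every other syscall.  Not code from the original
 * post or from crun. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* SECCOMP_RET_KILL_PROCESS only exists in headers from Linux 4.14 on. */
#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Syscall numbers are per-ABI, so the filter must refuse foreign ABIs. */
#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a filter that returns EPERM for `blocked_nr` and allows the rest.
 * Returns 0 on success, -1 (errno set) on failure. */
int install_errno_filter(int blocked_nr)
{
    struct sock_filter filter[] = {
        /* Kill the process if the calling ABI is not the one we compiled
         * for: a filter keyed by syscall number is bypassable otherwise. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number; EPERM if it is the blocked one. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)blocked_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* Everything else is allowed. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* Mandatory for an unprivileged process to install a filter; it also
     * stops the filtered process from regaining privilege via setuid
     * binaries, which is why container runtimes always set it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Issue getppid directly through the syscall entry point (bypassing any
 * libc caching).  Returns 0 if it succeeded, otherwise the errno the
 * kernel reported, i.e. the value injected by the filter. */
int probe_getppid(void)
{
    errno = 0;
    if (syscall(SYS_getppid) == -1)
        return errno;
    return 0;
}

int main(void)
{
    printf("before filter: getppid -> errno %d\n", probe_getppid());
    if (install_errno_filter(SYS_getppid) != 0) {
        perror("seccomp");
        return 1;
    }
    printf("after filter:  getppid -> errno %d (EPERM is %d)\n",
           probe_getppid(), EPERM);
    return 0;
}
```

Once the filter is installed it cannot be removed, only tightened by stacking further filters, which is exactly what lets a runtime apply the profile and then exec the container's entrypoint with it still in place. SECCOMP_RET_ERRNO is used rather than a kill action so that the effect is observable from the same process; a production profile typically kills or logs instead.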
cgroup v2 OOM group
One annoying issue with setting a memory limit for a container is that the kernel OOM killer can leave the container in an inconsistent state, with only some of its processes terminated.
playing with seccomp notifications in the OCI runtime
A couple of weekends ago I played with seccomp user notifications and how they can be used in the OCI containers stack.
Seccomp user notifications are a powerful Linux kernel feature that delegates syscall handling to a userland program.
avoid a memory page allocation on mount(2)
While working on crun, I was surprised by how much time the kernel spent in the
run containers without pulling images
CRFS is a Google project that aims at running a container without pulling the image first.
crun moved to github.com/containers
rootless resource management with Podman on Fedora 30
I have finally opened some PRs for conmon and libpod that enable resource management for Podman rootless containers on Fedora 30 when using crun.
resource management with rootless containers and cgroups v2
cgroups v2 will finally allow unprivileged users to manage a cgroup hierarchy safely, without requiring any additional permission.
rootless containers @ devconf.cz
The video is finally available on YouTube.
If you are interested in the slides, they are available here: