*scratch*

seccomp made easy

Posted on 30 January 2021 | 5 minutes | Giuseppe Scrivano

seccomp is a kernel feature that restricts what syscalls can be used by a process.

Almost every container runs with seccomp enabled to restrict its access to syscalls.

cgroup v2 OOM group

Posted on 14 August 2020 | 3 minutes | Giuseppe Scrivano

One annoying issue with setting a memory limit for a container is that the OOM killer kernel process can leave the container in an inconsistent state with only some processes terminated.

[Read More]

playing with seccomp notifications in the OCI runtime

Posted on 10 August 2020 | 6 minutes | Giuseppe Scrivano

A couple weekends ago I've played with seccomp user notifications and how they can be used in the OCI containers stack.

Seccomp user notifications are a powerful Linux kernel feature, that delegates syscalls handling to a userland program.

[Read More]

avoid a memory page allocation on mount(2)

Posted on 27 December 2019 | 2 minutes | Giuseppe Scrivano

While working on crun, I got surprised by how much time the kernel spent in the copy_mount_options function.

[Read More]

run containers without pulling images

Posted on 24 October 2019 | 2 minutes | Giuseppe Scrivano

CRFS is a Google project that aims at running a container without pre-pulling the image first.

[Read More]

crun moved to github.com/containers

Posted on 12 August 2019 | 1 minutes | Giuseppe Scrivano

the giuseppe/crun github project was moved under https://github.com/containers/crun.

Similarly libocispec, used internally by crun for parsing the OCI configuration file was moved to https://github.com/containers/libocispec

rootless resources management with Podman on Fedora 30

Posted on 12 May 2019 | 1 minutes | Giuseppe Scrivano

I have finally opened some PRs for conmon and libpod that enable resources management for Podman rootless containers on Fedora 30 when using crun.

[Read More]

resources management with rootless containers and cgroups v2

Posted on 26 February 2019 | 3 minutes | Giuseppe Scrivano

cgroups v2 will finally allow unprivileged users to manage a cgroup hierarchy in a safe manner without requiring any additional permission.

[Read More]

rootless containers @ devconf.cz

Posted on 24 February 2019 | 1 minutes | Giuseppe Scrivano

The video is finally available on YouTube.

https://www.youtube.com/watch?v=jMOHfCw0DV8

If you are interested in the slides, they are available here:

https://www.slideshare.net/AkihiroSuda/rootless-containers

SUID binaries from a user namespace

Posted on 10 January 2019 | 1 minutes | Giuseppe Scrivano

Additional IDs that are allocated to a user through /etc/subuid and /etc/subgid must be considered as permanently allocated and never reused for any other user. Even if the container/user namespace where they are used is destroyed, it is possible to forge a SUID binary that will keep access to any ID present in the user namespace. This simple C program is enough to keep access to an UID that was allocated to a user namespace: [Read More]