One annoying issue with setting a memory limit for a container is that the OOM killer kernel process can leave the container in an inconsistent state with only some processes terminated.
[Read More]playing with seccomp notifications in the OCI runtime
A couple weekends ago I've played with seccomp user notifications and how they can be used in the OCI containers stack.
Seccomp user notifications are a powerful Linux kernel feature, that delegates syscalls handling to a userland program.
[Read More]avoid a memory page allocation on mount(2)
While working on crun, I got surprised by how much time the kernel
spent in the copy_mount_options function.
run containers without pulling images
CRFS is a Google project that aims at running a container without pre-pulling the image first.
[Read More]crun moved to github.com/containers
the giuseppe/crun github project was moved under https://github.com/containers/crun.
Similarly libocispec, used internally by crun for parsing the OCI configuration file was moved to https://github.com/containers/libocispec
rootless resources management with Podman on Fedora 30
I have finally opened some PRs for conmon and libpod that enable resources management for Podman rootless containers on Fedora 30 when using crun.
[Read More]resources management with rootless containers and cgroups v2
cgroups v2 will finally allow unprivileged users to manage a cgroup hierarchy in a safe manner without requiring any additional permission.
[Read More]rootless containers @ devconf.cz
The video is finally available on YouTube.
https://www.youtube.com/watch?v=jMOHfCw0DV8
If you are interested in the slides, they are available here:
SUID binaries from a user namespace
Additional IDs that are allocated to a user through /etc/subuid and /etc/subgid must be considered as permanently allocated and never reused for any other user.
Even if the container/user namespace where they are used is destroyed, it is possible to forge a SUID binary that will keep access to any ID present in the user namespace.
This simple C program is enough to keep access to an UID that was allocated to a user namespace:
[Read More]
disposable rootless sessions
would be nice to have a way to “fork” the current session and be able to revert all the changes done, without any leftover on the file system.
Playing with fuse-overlayfs, a FUSE implementation of the overlay file system and thus usable by rootless users, I realized how that is so easy to achieve, just by setting the overlay lowerdir to ‘/’ and using a temporary directory for the upper dir.
[Read More]