For the last couple of weeks, I've been playing on PoC implementation of a file system for the Linux kernel.
[Read More]seccomp made easy
seccomp is a kernel feature that restricts what syscalls can be used by a process.
Almost every container runs with seccomp enabled to restrict its access to syscalls.
[Read More]cgroup v2 OOM group
One annoying issue with setting a memory limit for a container is that the OOM killer kernel process can leave the container in an inconsistent state with only some processes terminated.
[Read More]playing with seccomp notifications in the OCI runtime
A couple weekends ago I've played with seccomp user notifications and how they can be used in the OCI containers stack.
Seccomp user notifications are a powerful Linux kernel feature, that delegates syscalls handling to a userland program.
[Read More]avoid a memory page allocation on mount(2)
While working on crun, I got surprised by how much time the kernel
spent in the copy_mount_options function.
run containers without pulling images
CRFS is a Google project that aims at running a container without pre-pulling the image first.
[Read More]crun moved to github.com/containers
the giuseppe/crun github project was moved under https://github.com/containers/crun.
Similarly libocispec, used internally by crun for parsing the OCI configuration file was moved to https://github.com/containers/libocispec
rootless resources management with Podman on Fedora 30
I have finally opened some PRs for conmon and libpod that enable resources management for Podman rootless containers on Fedora 30 when using crun.
[Read More]resources management with rootless containers and cgroups v2
cgroups v2 will finally allow unprivileged users to manage a cgroup hierarchy in a safe manner without requiring any additional permission.
[Read More]rootless containers @ devconf.cz
The video is finally available on YouTube.
https://www.youtube.com/watch?v=jMOHfCw0DV8
If you are interested in the slides, they are available here: