While working on crun, I got surprised by how much time the kernel
spent in the copy_mount_options function.
run containers without pulling images
CRFS is a Google project that aims at running a container without pre-pulling the image first.
[Read More]crun moved to github.com/containers
the giuseppe/crun github project was moved under https://github.com/containers/crun.
Similarly libocispec, used internally by crun for parsing the OCI configuration file was moved to https://github.com/containers/libocispec
rootless resources management with Podman on Fedora 30
I have finally opened some PRs for conmon and libpod that enable resources management for Podman rootless containers on Fedora 30 when using crun.
[Read More]resources management with rootless containers and cgroups v2
cgroups v2 will finally allow unprivileged users to manage a cgroup hierarchy in a safe manner without requiring any additional permission.
[Read More]rootless containers @ devconf.cz
The video is finally available on YouTube.
https://www.youtube.com/watch?v=jMOHfCw0DV8
If you are interested in the slides, they are available here:
SUID binaries from a user namespace
Additional IDs that are allocated to a user through /etc/subuid and /etc/subgid must be considered as permanently allocated and never reused for any other user.
Even if the container/user namespace where they are used is destroyed, it is possible to forge a SUID binary that will keep access to any ID present in the user namespace.
This simple C program is enough to keep access to an UID that was allocated to a user namespace:
[Read More]
disposable rootless sessions
would be nice to have a way to “fork” the current session and be able to revert all the changes done, without any leftover on the file system.
Playing with fuse-overlayfs, a FUSE implementation of the overlay file system and thus usable by rootless users, I realized how that is so easy to achieve, just by setting the overlay lowerdir to ‘/’ and using a temporary directory for the upper dir.
[Read More]
An Emacs mode for rust
I was looking for an Emacs mode that could help me to hack on rust.
Rust-mode itself has not enough features to help me with a language I am not really proficient with yet.
[Read More]rootless podman from upstream on Centos 7
this is the recipe I use to build podman from upstream on Centos 7 and use rootless containers. We need an updated version of the shadow utils as newuidmap and newgidmap are not present on Centos 7. Using make install is not the correct way to install packages, and it will also overwrite existing The shadow utils are installed using “make install” which is not the clean way to install packages and it also overwrite the existing binaries, but it is fine on a development system.
[Read More]