seccomp is a kernel feature that restricts which syscalls a process can use.
Almost every container runs with seccomp enabled to restrict its access to syscalls.

One annoying issue with setting a memory limit for a container is that the kernel OOM killer can leave the container in an inconsistent state, with only some of its processes terminated.

A couple of weekends ago I played with seccomp user notifications and how they can be used in the OCI containers stack.
Seccomp user notifications are a powerful Linux kernel feature that delegates syscall handling to a userland program.
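An added example of the delegation described above; it is not code from the post, from crun or from any other runtime. A target thread installs a filter whose action for mkdirat(2) is SECCOMP_RET_USER_NOTIF and asks the kernel for the notification file descriptor; a supervisor (here the main thread, so no fd passing is needed) receives the trapped syscall, inspects its arguments, and writes back the result the target should see. The policy (deny any path containing "forbidden", otherwise pretend success) and all names are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <semaphore.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Demo state shared between the two threads (constructed for this example). */
static int listener_fd = -1;     /* notification fd returned by seccomp(2) */
static sem_t listener_ready;
static long delegated_nr = -1;   /* syscall number the supervisor received */

/* Target side: install a filter that hands mkdirat(2) to user space, then call it. */
static void *target_thread(void *arg)
{
    long *result = arg;
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdirat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* ask the supervisor */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };

    /* No TSYNC flag, so only this thread is filtered; NEW_LISTENER returns the fd
       through which a supervisor receives the delegated syscalls. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        (listener_fd = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                               SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog)) < 0) {
        *result = -errno;
        sem_post(&listener_ready);
        return NULL;
    }
    sem_post(&listener_ready);
    /* Blocks until the supervisor answers; the kernel itself never runs mkdirat. */
    *result = syscall(SYS_mkdirat, AT_FDCWD, "/forbidden/dir", 0700) == 0 ? 0 : -errno;
    return NULL;
}

/* Supervisor side: start the target, answer its one request, and return what
   the target's mkdirat() call ended up returning (0 or -errno). */
long run_demo(void)
{
    pthread_t tid;
    long target_result = 0;
    struct seccomp_notif req;
    struct seccomp_notif_resp resp;
    const char *path;
    int rc;

    sem_init(&listener_ready, 0, 0);
    if ((rc = pthread_create(&tid, NULL, target_thread, &target_result)) != 0)
        return -rc;
    sem_wait(&listener_ready);
    if (listener_fd < 0) {
        pthread_join(tid, NULL);
        return target_result;
    }

    memset(&req, 0, sizeof req);   /* the kernel rejects a non-zeroed request buffer */
    if (ioctl(listener_fd, SECCOMP_IOCTL_NOTIF_RECV, &req) != 0)
        return -errno;
    delegated_nr = req.data.nr;

    /* A real supervisor lives in another process and reads the path from
       /proc/<req.pid>/mem at req.data.args[1], then confirms with
       SECCOMP_IOCTL_NOTIF_ID_VALID that the target is still blocked in this very
       call: memory can change and pids can be reused meanwhile (TOCTOU).
       Here the target is a thread of this process, so the pointer is readable. */
    path = (const char *)(uintptr_t)req.data.args[1];
    memset(&resp, 0, sizeof resp);
    resp.id = req.id;
    if (strstr(path, "forbidden") != NULL)
        resp.error = -EACCES;   /* deny: the target sees -1 with errno EACCES */
    else
        resp.val = 0;           /* emulate success without touching the filesystem */
    if (ioctl(listener_fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id) != 0 ||
        ioctl(listener_fd, SECCOMP_IOCTL_NOTIF_SEND, &resp) != 0)
        return -errno;

    pthread_join(tid, NULL);
    close(listener_fd);
    return target_result;
}
```

This needs Linux 5.0 or later and matching headers. The interesting property for containers is that the supervisor decides with its own privileges and its own view of the filesystem, which is what lets a runtime perform an operation on the container's behalf instead of merely denying it; the price is the argument-copy race noted in the comment, which is why arguments that the kernel will dereference must be re-validated or the operation emulated entirely by the supervisor.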

While working on crun, I was surprised by how much time the kernel spent in the copy_mount_options function.

CRFS is a Google project that aims to run a container without pulling the image first.

The giuseppe/crun GitHub project was moved under https://github.com/containers/crun.
Similarly libocispec, used internally by crun for parsing the OCI configuration file, was moved to https://github.com/containers/libocispec

I have finally opened some PRs for conmon and libpod that enable resource management for Podman rootless containers on Fedora 30 when using crun.

cgroups v2 will finally allow unprivileged users to manage a cgroup hierarchy safely, without requiring any additional permission.

The video is finally available on YouTube.
https://www.youtube.com/watch?v=jMOHfCw0DV8
If you are interested in the slides, they are available here: