
why do I have two /sys/fs/cgroup in my container

Posted on 26 January 2024 | 2 minutes |

It has happened a few times in the past that users wondered why they see two /sys/fs/cgroup mounts in their unprivileged container.


hide the current process executable file

Posted on 21 December 2022 | 3 minutes |

I have been working on a new functionality for the prctl syscall utility that addresses a common security concern with container runtimes.


the journey to speed up running OCI containers

Posted on 21 September 2022 | 12 minutes |

When I started working on crun, I was looking for a faster way to start up and stop containers by improving the OCI runtime, the component in the OCI stack that is ultimately responsible for talking to the kernel and setting up the environment where the container runs.


an interesting issue handling the seccomp listener

Posted on 5 September 2022 | 4 minutes |

An interesting issue was opened for crun a couple of days ago.


composefs - a file system for container images

Posted on 26 October 2021 | 6 minutes |

For the last couple of weeks, I’ve been playing with a PoC implementation of a file system for the Linux kernel.


seccomp made easy

Posted on 30 January 2021 | 5 minutes | Giuseppe Scrivano

seccomp is a kernel feature that restricts what syscalls can be used by a process.

Almost every container runs with seccomp enabled to restrict its access to syscalls.


cgroup v2 OOM group

Posted on 14 August 2020 | 3 minutes | Giuseppe Scrivano

One annoying issue with setting a memory limit for a container is that the OOM killer kernel process can leave the container in an inconsistent state with only some processes terminated.


playing with seccomp notifications in the OCI runtime

Posted on 10 August 2020 | 6 minutes | Giuseppe Scrivano

A couple of weekends ago I played with seccomp user notifications and how they can be used in the OCI container stack.

Seccomp user notifications are a powerful Linux kernel feature that delegates syscall handling to a userland program.


avoid a memory page allocation on mount(2)

Posted on 27 December 2019 | 2 minutes | Giuseppe Scrivano

While working on crun, I was surprised by how much time the kernel spent in the copy_mount_options function.


run containers without pulling images

Posted on 24 October 2019 | 2 minutes | Giuseppe Scrivano

CRFS is a Google project that aims to run a container without pre-pulling the image first.
