<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Uncategorized on *scratch*</title>
    <link>https://www.scrivano.org/categories/uncategorized/</link>
    <description>Recent content in Uncategorized on *scratch*</description>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Sat, 06 Jun 2026 10:03:54 +0000</lastBuildDate>
    <atom:link href="https://www.scrivano.org/categories/uncategorized/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Run containers without pulling images</title>
      <link>https://www.scrivano.org/2019/10/24/run-containers-without-pulling-images/</link>
      <pubDate>Thu, 24 Oct 2019 18:37:23 +0000</pubDate>
      <guid>https://www.scrivano.org/2019/10/24/run-containers-without-pulling-images/</guid>
      <description>&lt;p&gt;CRFS is a Google project that aims at running a container without pre-pulling the image first. The key insight is that in practice a container process only accesses a small fraction of the files in its image, so fetching the entire image before startup wastes both time and disk space. CRFS achieves this through the stargz (Seekable tar.gz) format, which restructures each compressed layer so that individual files can be fetched on demand rather than requiring the entire tarball to be downloaded and extracted upfront.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Crun moved to github.com/containers</title>
      <link>https://www.scrivano.org/2019/08/12/crun-moved-to-github-com-containers/</link>
      <pubDate>Mon, 12 Aug 2019 09:54:25 +0000</pubDate>
      <guid>https://www.scrivano.org/2019/08/12/crun-moved-to-github-com-containers/</guid>
      <description>&lt;p&gt;The giuseppe/crun github project was moved under &lt;a href=&#34;https://github.com/containers/crun&#34;&gt;https://github.com/containers/crun&lt;/a&gt;. Moving to the containers organization means the project is no longer a personal experiment but a community-maintained component of the container stack, alongside tools like Podman, Buildah, and fuse-overlayfs. This makes it easier to coordinate changes across the ecosystem and signals that crun is a supported alternative OCI runtime for production use.&lt;/p&gt;&#xA;&lt;p&gt;Similarly libocispec, used internally by crun for parsing the OCI configuration file was moved to &lt;a href=&#34;https://github.com/containers/libocispec&#34;&gt;https://github.com/containers/libocispec&lt;/a&gt;&lt;/p&gt;</description>
    </item>
    <item>
      <title>Rootless resources management with Podman on Fedora 30</title>
      <link>https://www.scrivano.org/2019/05/12/rootless-resources-management-with-podman-on-fedora-30/</link>
      <pubDate>Sun, 12 May 2019 20:36:59 +0000</pubDate>
      <guid>https://www.scrivano.org/2019/05/12/rootless-resources-management-with-podman-on-fedora-30/</guid>
      <description>&lt;p&gt;I have finally opened some PRs for conmon and libpod that enable resources management for Podman rootless containers on Fedora 30 when using crun. This builds on the cgroups v2 delegation support added to crun earlier: Fedora 30 ships a kernel and systemd new enough to support the unified cgroup hierarchy, so with a single kernel command-line option and a small systemd drop-in, unprivileged users can now set memory and CPU limits on their containers without root access.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Resources management with rootless containers and cgroups v2</title>
      <link>https://www.scrivano.org/2019/02/26/resources-management-with-rootless-containers/</link>
      <pubDate>Tue, 26 Feb 2019 21:22:10 +0000</pubDate>
      <guid>https://www.scrivano.org/2019/02/26/resources-management-with-rootless-containers/</guid>
      <description>&lt;p&gt;cgroups v2 will finally allow unprivileged users to manage a cgroup hierarchy in a safe manner without requiring any additional permission. In the cgroups v1 model, writing to cgroup control files requires root, which means rootless containers cannot enforce memory limits or CPU quotas. The unified cgroups v2 hierarchy introduces a delegation mechanism where systemd can hand ownership of a subtree to a user process, enabling the OCI runtime to configure resource limits directly without any privileged helper.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Rootless containers @ devconf.cz</title>
      <link>https://www.scrivano.org/2019/02/24/rootless-containers-devconf-cz/</link>
      <pubDate>Sun, 24 Feb 2019 22:26:15 +0000</pubDate>
      <guid>https://www.scrivano.org/2019/02/24/rootless-containers-devconf-cz/</guid>
      <description>&lt;p&gt;The video of the rootless containers talk from Devconf.cz 2019 is finally available on YouTube. The talk covers how user namespaces, fuse-overlayfs, and slirp4netns come together to allow running containers entirely as an unprivileged user, without any setuid helpers beyond newuidmap and newgidmap, and discusses the remaining challenges around cgroup resource management and overlay storage performance that still need to be addressed for rootless containers to reach full feature parity.&lt;/p&gt;</description>
    </item>
    <item>
      <title>SUID binaries from a user namespace</title>
      <link>https://www.scrivano.org/2019/01/10/suid-binaries-from-a-user-namespace/</link>
      <pubDate>Thu, 10 Jan 2019 21:49:30 +0000</pubDate>
      <guid>https://www.scrivano.org/2019/01/10/suid-binaries-from-a-user-namespace/</guid>
      <description>&lt;p&gt;Additional IDs that are allocated to a user through /etc/subuid and /etc/subgid must be considered as permanently allocated and never reused for any other user. The reason is that a setuid binary created inside a user namespace can retain access to any UID that was mapped in that namespace, even after the namespace is destroyed. If the same UID range is later assigned to a different user, that new user would inherit access to files owned by the old user&amp;rsquo;s containers.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Disposable rootless sessions</title>
      <link>https://www.scrivano.org/2019/01/09/disposable-rootless-sessions/</link>
      <pubDate>Wed, 09 Jan 2019 22:01:08 +0000</pubDate>
      <guid>https://www.scrivano.org/2019/01/09/disposable-rootless-sessions/</guid>
      <description>&lt;p&gt;Would be nice to have a way to “fork” the current session and be able to revert all the changes done, without any leftover on the file system. With fuse-overlayfs, a user-space overlay filesystem that unprivileged users can mount, this turns out to be surprisingly straightforward: mount the entire root filesystem as the lower layer of an overlay, point the upper layer at a temporary directory, and every write is captured there and can be discarded at the end of the session, leaving the underlying system untouched.&lt;/p&gt;</description>
    </item>
    <item>
      <title>An Emacs mode for Rust</title>
      <link>https://www.scrivano.org/2018/12/18/an-emacs-mode-for-rust/</link>
      <pubDate>Tue, 18 Dec 2018 20:57:11 +0000</pubDate>
      <guid>https://www.scrivano.org/2018/12/18/an-emacs-mode-for-rust/</guid>
      <description>&lt;p&gt;I was looking for an Emacs mode that could help me to hack on Rust. The built-in rust-mode provides syntax highlighting and basic indentation, but for a language with a complex type system and borrow checker it is useful to have editor integration that can navigate to definitions, show type information, and offer completions. This post covers setting up racer-mode, which drives the racer code-completion engine to provide those features inside Emacs.&lt;/p&gt;&#xA;&lt;p&gt;Rust-mode itself has not enough features to help me with a language I am not really proficient with yet.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Rootless Podman from upstream on CentOS 7</title>
      <link>https://www.scrivano.org/2018/10/12/rootless-podman-from-upstream-on-centos-7/</link>
      <pubDate>Fri, 12 Oct 2018 09:14:21 +0000</pubDate>
      <guid>https://www.scrivano.org/2018/10/12/rootless-podman-from-upstream-on-centos-7/</guid>
      <description>&lt;p&gt;This is the recipe I use to build podman from upstream on Centos 7 and use rootless containers. We need an updated version of the shadow utils as newuidmap and newgidmap are not present on Centos 7. The shadow utils are installed using “make install” which is not the clean way to install packages and it also overwrites the existing binaries, but it is fine on a development system. Podman is already present on Centos 7 and in facts we install it so we don’t have to worry about conmon and other dependencies.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Network namespaces for unprivileged users</title>
      <link>https://www.scrivano.org/2018/08/05/network-namespaces-for-unprivileged-users/</link>
      <pubDate>Sun, 05 Aug 2018 13:54:44 +0000</pubDate>
      <guid>https://www.scrivano.org/2018/08/05/network-namespaces-for-unprivileged-users/</guid>
      <description>&lt;p&gt;A couple of weekends ago I’ve played with libslirp and put together &lt;a href=&#34;https://github.com/giuseppe/slirp-forwarder&#34;&gt;slirp-forwarder&lt;/a&gt;. The challenge with network namespaces for unprivileged users is that creating TAP or TUN devices requires privileges in the host network namespace. SliRP sidesteps this by emulating a full TCP/IP stack entirely in user space, so the helper process can forward traffic to the outside world using only normal socket operations, without needing any elevated capability.&lt;/p&gt;&#xA;&lt;p&gt;SliRP emulates in userspace a TCP/IP stack. It can be used to circumvent the limitation of creating TAP/TUN devices in the host namespace for an unprivileged user. The program could run in the host namespace, receive messages from the network namespace where a TAP device is configured, and forward them to the outside world using unprivileged operations such as opening another connection to the destination host. Privileged operations are still not possible outside of the emulated network, as the helper program doesn’t gain any additional privilege that running as an unprivileged user.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Become-root in a user namespace</title>
      <link>https://www.scrivano.org/2018/07/19/become-root-in-an-user-namespace/</link>
      <pubDate>Thu, 19 Jul 2018 08:28:06 +0000</pubDate>
      <guid>https://www.scrivano.org/2018/07/19/become-root-in-an-user-namespace/</guid>
      <description>&lt;p&gt;I’ve cleaned up some C files I was using locally for hacking with user namespaces and uploaded them to a new repository on github: &lt;a href=&#34;https://github.com/giuseppe/become-root&#34;&gt;https://github.com/giuseppe/become-root&lt;/a&gt;. The tool creates a new user namespace and maps the caller to UID 0 inside it, while also mapping additional UIDs and GIDs from the ranges allocated in &lt;em&gt;/etc/subuid&lt;/em&gt; and &lt;em&gt;/etc/subgid&lt;/em&gt;. This is the foundation needed for rootless containers, which require a full UID/GID mapping — not just the single-UID mapping that &lt;em&gt;unshare -r&lt;/em&gt; provides — to correctly represent file ownership inside container images.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Fuse-overlayfs moved to github.com/containers</title>
      <link>https://www.scrivano.org/2018/07/13/fuse-overlayfs-moved-to-github-com-containers/</link>
      <pubDate>Fri, 13 Jul 2018 22:00:59 +0000</pubDate>
      <guid>https://www.scrivano.org/2018/07/13/fuse-overlayfs-moved-to-github-com-containers/</guid>
      <description>&lt;p&gt;The fuse-overlayfs project I was working on in the last weeks was moved under the &lt;a href=&#34;https://github.com/containers&#34;&gt;github.com/containers&lt;/a&gt; umbrella. fuse-overlayfs is a user-space implementation of the overlay filesystem that can be mounted without root privileges, which is essential for rootless containers. With Linux 4.18 introducing the ability to mount FUSE filesystems inside user namespaces, this makes overlay-based storage finally usable by unprivileged container runtimes such as Podman.&lt;/p&gt;&#xA;&lt;p&gt;With Linux 4.18 it will be possible to mount a FUSE file system in an user namespace. fuse-overlayfs is an implementation in user space of the overlay file system already present in the Linux kernel, but that can be mounted only by the root user. Union file systems were around for a long time, allowing multiple layers to be stacked on top of each other where usually the last one is the only writeable.&lt;br&gt;&#xA;Overlay is an union file system widely used for mounting OCI image. Each OCI image is made up of different layers, each layer can be used by different images. A list of layers, stacked on each other gives the final image that is used by a container. The last level, that is writeable, is specific for the container. This model enables different containers to use the same image that is accessible as read-only from the lower layers of the overlay file system.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Current status (and problems) of running Buildah as non root</title>
      <link>https://www.scrivano.org/2018/02/25/current-status-problems-running-buildah-non-root/</link>
      <pubDate>Sun, 25 Feb 2018 13:59:14 +0000</pubDate>
      <guid>https://www.scrivano.org/2018/02/25/current-status-problems-running-buildah-non-root/</guid>
      <description>&lt;p&gt;Having Buildah running in a user namespace opens the possibility of building container images as a non-root user. I’ve done some work to get &lt;a href=&#34;https://github.com/projectatomic/buildah&#34;&gt;Buildah&lt;/a&gt; running inside a user container, where it can still create and modify container images without any elevated privileges on the host. This is useful for CI environments and shared systems where granting root or setuid access is not acceptable.&lt;/p&gt;&#xA;&lt;p&gt;There are still some open issues to get it fully working. The biggest open one is that &lt;em&gt;overlayfs&lt;/em&gt; cannot be currently used as non root user. There is some work going on, but this will require changes in the kernel and the way extended attributes work for overlay. The alternative is far from ideal and it is to use the &lt;em&gt;vfs&lt;/em&gt; storage driver, but it is a good starting point to get things moving and see how far we get. (Another possibility that doesn’t require changes in the kernel would be an OSTree storage for Buildah, but that is a different story).&lt;/p&gt;</description>
    </item>
    <item>
      <title>New COPR repository for crun</title>
      <link>https://www.scrivano.org/2017/11/15/new-copr-repository-crun/</link>
      <pubDate>Wed, 15 Nov 2017 19:25:46 +0000</pubDate>
      <guid>https://www.scrivano.org/2017/11/15/new-copr-repository-crun/</guid>
      <description>&lt;p&gt;I made a new COPR repository for crun so that it can be easily tested on Fedora without having to build from source. crun is a lightweight OCI container runtime written in C, intended as a faster and lower-overhead alternative to runC. The COPR repository tracks the upstream development branch, making it straightforward to try out new features and report issues before they land in a distribution package.&lt;/p&gt;&#xA;&lt;p&gt;&lt;a href=&#34;https://copr.fedorainfracloud.org/coprs/gscrivano/crun/&#34;&gt;https://copr.fedorainfracloud.org/coprs/gscrivano/crun/&lt;/a&gt;&lt;/p&gt;&#xA;&lt;p&gt;To install crun on Fedora, it is enough to:&lt;/p&gt;</description>
    </item>
    <item>
      <title>System containers presentation </title>
      <link>https://www.scrivano.org/2017/01/30/system-containers-presentation/</link>
      <pubDate>Mon, 30 Jan 2017 18:41:37 +0000</pubDate>
      <guid>https://www.scrivano.org/2017/01/30/system-containers-presentation/</guid>
      <description>&lt;p&gt;Here are the slides for the Atomic System Containers talk I gave at Devconf.cz 2017. System containers are a way to run infrastructure services — such as etcd and Flannel — outside of Docker, managed directly by runc and systemd, which removes the circular dependency that arises when a container runtime depends on components that must themselves be running inside containers.&lt;/p&gt;&#xA;&lt;p&gt;&lt;a href=&#34;http://scrivano.org/static/system-containers-demo/&#34;&gt;http://scrivano.org/static/system-containers-demo/&lt;/a&gt;&lt;/p&gt;&#xA;&lt;p&gt;If you are interested in the video, it is on YouTube:&lt;/p&gt;</description>
    </item>
    <item>
      <title>Facebook detox? </title>
      <link>https://www.scrivano.org/2016/12/27/facebook-detox/</link>
      <pubDate>Tue, 27 Dec 2016 20:52:47 +0000</pubDate>
      <guid>https://www.scrivano.org/2016/12/27/facebook-detox/</guid>
      <description>&lt;p&gt;I have been using Facebook for the last years to fill every dead time:waiting for the bus, ads on TV, compiling, etc.  The quality of the information coming from Facebook is inferior to any other social network, at least to my experience (it can be I follow/know the wrong people), though the part of the brain that controls procrastination seems addicted to this lower quality information and the chattering there.  Also, I don’t want to simply delete my Facebook account and move on, most of the people I know are present only there, neither I want to be more “asocial”.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Refactoring a function name across several patches with git rebase</title>
      <link>https://www.scrivano.org/2016/04/22/rename-symbol-across-several-git-patches/</link>
      <pubDate>Fri, 22 Apr 2016 17:32:23 +0000</pubDate>
      <guid>https://www.scrivano.org/2016/04/22/rename-symbol-across-several-git-patches/</guid>
      <description>&lt;p&gt;&lt;em&gt;git rebase&lt;/em&gt; is one of my favorite git commands. It allows to update a set of local patches against another git branch and also to rework, through the &lt;em&gt;-i&lt;/em&gt; flag, some previous patches. A lesser-known capability is the &lt;em&gt;&amp;ndash;exec&lt;/em&gt; flag, which runs an arbitrary shell command after each patch is applied during the rebase. Combined with the &lt;em&gt;-X theirs&lt;/em&gt; merge strategy to silently resolve conflicts, this makes it straightforward to apply mechanical transformations — such as a symbol rename — across an entire patch series without manual intervention.&lt;/p&gt;</description>
    </item>
    <item>
      <title>System containers for Atomic</title>
      <link>https://www.scrivano.org/2016/03/24/system-containers-for-atomic/</link>
      <pubDate>Thu, 24 Mar 2016 15:41:50 +0000</pubDate>
      <guid>https://www.scrivano.org/2016/03/24/system-containers-for-atomic/</guid>
      <description>&lt;p&gt;The main reason behind system containers was the inability to run Flannel in a Docker container as Flannel is required by Docker itself. CoreOS solved this chicken and egg problem by using another instance of Docker (called early-docker) that is used to setup only Etcd and Flannel. Atomic system containers take a different approach: instead of a second Docker daemon, they are managed directly by runc and systemd, so the dependency on Docker is removed entirely and the chicken-and-egg problem simply does not arise.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
