run containers without pulling images

CRFS is a Google project that aims to run a container without pre-pulling the image. ...

24 October 2019 · Giuseppe Scrivano

crun moved to github.com/containers

The giuseppe/crun GitHub project was moved under https://github.com/containers/crun. Similarly, libocispec, used internally by crun for parsing the OCI configuration file, was moved to https://github.com/containers/libocispec.

12 August 2019 · Giuseppe Scrivano

rootless resources management with Podman on Fedora 30

I have finally opened some PRs for conmon and libpod that enable resources management for Podman rootless containers on Fedora 30 when using crun. ...

12 May 2019 · Giuseppe Scrivano

resources management with rootless containers and cgroups v2

cgroups v2 will finally allow unprivileged users to manage a cgroup hierarchy in a safe manner without requiring any additional permission. ...

26 February 2019 · Giuseppe Scrivano

rootless containers @ devconf.cz

The video is finally available on YouTube. https://www.youtube.com/watch?v=jMOHfCw0DV8 If you are interested in the slides, they are available here: https://www.slideshare.net/AkihiroSuda/rootless-containers

24 February 2019 · Giuseppe Scrivano

SUID binaries from a user namespace

Additional IDs that are allocated to a user through /etc/subuid and /etc/subgid must be considered permanently allocated and never reused for any other user. Even if the container/user namespace where they are used is destroyed, it is possible to forge a SUID binary that will keep access to any ID present in the user namespace. This simple C program is enough to keep access to a UID that was allocated to a user namespace: ...

10 January 2019 · Giuseppe Scrivano

disposable rootless sessions

It would be nice to have a way to “fork” the current session and be able to revert all the changes made, without any leftovers on the file system. Playing with fuse-overlayfs, a FUSE implementation of the overlay file system that is therefore usable by rootless users, I realized how easy that is to achieve: just set the overlay lowerdir to ‘/’ and use a temporary directory for the upper dir. ...

9 January 2019 · Giuseppe Scrivano

An Emacs mode for rust

I was looking for an Emacs mode that could help me hack on Rust. Rust-mode itself does not have enough features to help me with a language I am not really proficient with yet. ...

18 December 2018 · Giuseppe Scrivano

rootless podman from upstream on CentOS 7

This is the recipe I use to build podman from upstream on CentOS 7 and use rootless containers. We need an updated version of the shadow utils, as newuidmap and newgidmap are not present on CentOS 7. The shadow utils are installed using “make install”, which is not the clean way to install packages and also overwrites the existing binaries, but it is fine on a development system. Podman is already present on CentOS 7, and in fact we install it so we don’t have to worry about conmon and other dependencies. ...

12 October 2018 · Giuseppe Scrivano

network namespaces for unprivileged users

A couple of weekends ago I played with libslirp and put together slirp-forwarder. SliRP emulates a TCP/IP stack in userspace. It can be used to work around the limitation that an unprivileged user cannot create TAP/TUN devices in the host namespace. The program can run in the host namespace, receive packets from the network namespace where a TAP device is configured, and forward them to the outside world using unprivileged operations such as opening another connection to the destination host. Privileged operations are still not possible outside of the emulated network, as the helper program doesn’t gain any privilege beyond what it already has running as an unprivileged user. ...

5 August 2018 · Giuseppe Scrivano