In this talk we will discuss how to build and run containers without root privileges. As part of the discussion, we will introduce new programs like fuse-overlayfs and slirp4netns and explain how it is possible to do this using user namespaces. fuse-overlayfs allows to use the same storage model as "root" containers and use layered images. slirp4netns emulates a TCP/IP stack in userland and allows to use a network namespace from a container and let it access the outside world (with some limitations).
We will also introduce Usernetes, and how to run Kubernetes in an unprivileged user namespace
https://sched.co/Jcgg
Cluster-as-code. The Many Ways towards KubernetesQAware GmbH
iSAQB Software Architecture Gathering – Digital 2022, November 2022, Mario-Leander Reimer (@LeanderReimer, Principal Software Architect bei QAware).
== Dokument bitte herunterladen, falls unscharf! Please download slides if blurred! ==
Kubernetes is the de-facto standard when it comes to container orchestration. But why is there is no established, standard and uniform way to spin-up and manage a single or even a whole farm of Kubernetes clusters yet? Instead, a whole bunch of different and mostly incompatible ways towards Kubernetes exist today. Each with its own pros and cons in regards to ease of use, flexibility and many other requirements. In this session we will have a closer look at the different available options to create, manage and operate Kubernetes clusters at scale.
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
https://sched.co/ytpi
It has been very hard to use Mac for developing containerized apps. A typical way is to use Docker for Mac, but it is not FLOSS. Another option is to install Docker and/or Kubernetes into VirtualBox, often via minikube, but it doesn't propagate localhost ports, and VirtualBox also doesn't support the ARM architecture. This session will show how to run containerd and k3s on macOS, using Lima and Rancher Desktop. Lima wraps QEMU in a simple CLI, with neat features for container users, such as filesystem sharing and automatic localhost port forwarding, as well as DNS and proxy propagation for enterprise networks. Rancher Desktop wraps Lima with k3s integration and GUI.
This talk outlines the features in containerd 1.1 smart client: I/O redirection from the client side, containerd namespaces to leverage a single runtime instance with a logical isolation from multiple clients (Kubernetes, Docker Engine, other systems), and containers as types in Golang when using containerd Go client library.
Additionally, it explains all the performance improvements brought by BuildKit, and the capabilities that it opens up because of it's modular architecture, enabling open source developers who create new build systems using BuildKit directly to create new front ends.
Comparing Next-Generation Container Image Building ToolsAkihiro Suda
http://sched.co/EaYe
Until recently, running `docker build` against Dockerfile had been the only way to build container images.
However, lots of opensource software are being proposed as successors/alternatives to `docker build`:
- BuildKit (Moby Project / Docker)
- img (Jessica Frazelle / Microsoft)
- Buildah (Project Atomic / Red Hat)
- umoci & Orca (SUSE)
- Bazel (Google)
- OpenShift S2I (Red Hat)
Akihiro Suda compares these new tools' advantages and disadvantages.
His evaluation basis would include but not be limited to:
- Performance (Cache efficiency, Concurrency, Distributed Execution)
- Secret management, e.g. SSH and AWS keys
- Support for non-Dockerfile
- Non-root execution
- UI & UX
- Governance of the community
He also proposes a unified interface for using these tools with Kubernetes in a vendor-neutral way.
Cluster-as-code. The Many Ways towards KubernetesQAware GmbH
iSAQB Software Architecture Gathering – Digital 2022, November 2022, Mario-Leander Reimer (@LeanderReimer, Principal Software Architect bei QAware).
== Dokument bitte herunterladen, falls unscharf! Please download slides if blurred! ==
Kubernetes is the de-facto standard when it comes to container orchestration. But why is there is no established, standard and uniform way to spin-up and manage a single or even a whole farm of Kubernetes clusters yet? Instead, a whole bunch of different and mostly incompatible ways towards Kubernetes exist today. Each with its own pros and cons in regards to ease of use, flexibility and many other requirements. In this session we will have a closer look at the different available options to create, manage and operate Kubernetes clusters at scale.
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
https://sched.co/ytpi
It has been very hard to use Mac for developing containerized apps. A typical way is to use Docker for Mac, but it is not FLOSS. Another option is to install Docker and/or Kubernetes into VirtualBox, often via minikube, but it doesn't propagate localhost ports, and VirtualBox also doesn't support the ARM architecture. This session will show how to run containerd and k3s on macOS, using Lima and Rancher Desktop. Lima wraps QEMU in a simple CLI, with neat features for container users, such as filesystem sharing and automatic localhost port forwarding, as well as DNS and proxy propagation for enterprise networks. Rancher Desktop wraps Lima with k3s integration and GUI.
This talk outlines the features in containerd 1.1 smart client: I/O redirection from the client side, containerd namespaces to leverage a single runtime instance with a logical isolation from multiple clients (Kubernetes, Docker Engine, other systems), and containers as types in Golang when using containerd Go client library.
Additionally, it explains all the performance improvements brought by BuildKit, and the capabilities that it opens up because of it's modular architecture, enabling open source developers who create new build systems using BuildKit directly to create new front ends.
Comparing Next-Generation Container Image Building ToolsAkihiro Suda
http://sched.co/EaYe
Until recently, running `docker build` against Dockerfile had been the only way to build container images.
However, lots of opensource software are being proposed as successors/alternatives to `docker build`:
- BuildKit (Moby Project / Docker)
- img (Jessica Frazelle / Microsoft)
- Buildah (Project Atomic / Red Hat)
- umoci & Orca (SUSE)
- Bazel (Google)
- OpenShift S2I (Red Hat)
Akihiro Suda compares these new tools' advantages and disadvantages.
His evaluation basis would include but not be limited to:
- Performance (Cache efficiency, Concurrency, Distributed Execution)
- Secret management, e.g. SSH and AWS keys
- Support for non-Dockerfile
- Non-root execution
- UI & UX
- Governance of the community
He also proposes a unified interface for using these tools with Kubernetes in a vendor-neutral way.
Short Introduction to Docker. These slides show the basic idea behind the container technology Docker. The slides present the basic features for the daily use with Docker, Docker Compose, Docker Machine and Docker Swarm.
Docker is specially important for DevOps, because it gives Software Developers more control about their dependencies in different environments.
In this talk, Vladi looks at the new Volume encryption option (due in CloudStack 4.18). He presents the new ability to use encrypted root and data volumes on different storage types, the benefits and the current limitations of the implementation.
Vladimir Petrov is a QA engineer with more than 20 years of experience in the IT field. He is using and testing Apache CloudStack for almost 3 years now. Currently working as a QA Engineer in ShapeBlue.
-----------------------------------------
CloudStack Collaboration Conference 2022 took place on 14th-16th November in Sofia, Bulgaria and virtually. The day saw a hybrid get-together of the global CloudStack community hosting 370 attendees. The event hosted 43 sessions from leading CloudStack experts, users and skilful engineers from the open-source world, which included: technical talks, user stories, new features and integrations presentations and more.
[KubeCon NA 2020] containerd: Rootless Containers 2020Akihiro Suda
Rootless Containers means running the container runtimes (e.g. runc, containerd, and kubelet) as well as the containers without the host root privileges. The most significant advantage of Rootless Containers is that it can mitigate potential container-breakout vulnerability of the runtimes, but it is also useful for isolating multi-user environments on HPC hosts. This talk will contain the introduction to rootless containers and deep-dive topics about the recent updates such as Seccomp User Notification. The main focus will be on containerd (CNCF Graduated Project) and its consumer projects including Kubernetes and Docker/Moby, but topics about other runtimes will be discussed as well.
https://sched.co/fGWc
P2P Container Image Distribution on IPFS With containerd and nerdctlKohei Tokunaga
Talked at FOSDEM 2022 about IPFS-based P2P image distribution with containerd and nerdctl (Feburary 6, 2022).
https://fosdem.org/2022/schedule/event/container_ipfs_image/
nerdctl is a Docker-compatible CLI of containerd, developed as a subproject of containerd. nerdctl recently added support of P2P image distribution on IPFS. This enables to share container images among hosts without hosting or relying on the registry.
In this session, Kohei, one of the maintainers of nerdctl, will introduce IPFS-based P2P image distribution with containerd and nerdctl. This session will also show the combination of IPFS-based distribution with the existing image distribution techniques, focusing on lazy pulling (eStargz) and image encryption (OCIcrypt). The status of integration work with other tools including Kubernetes will also be shared.
Related blog post: "P2P Container Image Distribution on IPFS With Containerd" . https://medium.com/nttlabs/nerdctl-ipfs-975569520e3d
GitFlow is a branching model for Git, created by Vincent Driessen. It has attracted a lot of attention because it is very well suited to collaboration and scaling the development team
Monitoring, Logging and Tracing on KubernetesMartin Etmajer
In this presentation, I'll describe a variety of tools, like the Kubernetes Dashboard, Heapster, Grafana, Fluentd, Elasticsearch, Kibana, Jolokia and OpenTracing to bring Monitoring, Logging and Tracing to the Kubernetes container platform.
Kubernetes supports several security mechanisms such as Seccomp, Apparmor, SELinux, and runAsUser for protecting the hosts from container-breakout attacks. However, these mechanisms are not sufficient for the security demand because Kubelet and CRI/OCI runtimes require the root privileges on the hosts, and these components are seriously bug-prone. The dependency on the root privileges has been also problematic for promoting Kubernetes to the HPC world, where users are often disallowed to install software as the root.
In this talk, Akihiro and Giuseppe will show the community’s ongoing work for making Kubernetes deployable and runnable as a non-root user, by using User Namespaces. The main topics of discussion will be UID/GID mapping, unprivileged Copy-on-Write filesystems, Usermode networking (Slirp), and Cgroups.
https://fosdem.org/2019/schedule/event/containers_k8s_rootless/
Short Introduction to Docker. These slides show the basic idea behind the container technology Docker. The slides present the basic features for the daily use with Docker, Docker Compose, Docker Machine and Docker Swarm.
Docker is specially important for DevOps, because it gives Software Developers more control about their dependencies in different environments.
In this talk, Vladi looks at the new Volume encryption option (due in CloudStack 4.18). He presents the new ability to use encrypted root and data volumes on different storage types, the benefits and the current limitations of the implementation.
Vladimir Petrov is a QA engineer with more than 20 years of experience in the IT field. He is using and testing Apache CloudStack for almost 3 years now. Currently working as a QA Engineer in ShapeBlue.
-----------------------------------------
CloudStack Collaboration Conference 2022 took place on 14th-16th November in Sofia, Bulgaria and virtually. The day saw a hybrid get-together of the global CloudStack community hosting 370 attendees. The event hosted 43 sessions from leading CloudStack experts, users and skilful engineers from the open-source world, which included: technical talks, user stories, new features and integrations presentations and more.
[KubeCon NA 2020] containerd: Rootless Containers 2020Akihiro Suda
Rootless Containers means running the container runtimes (e.g. runc, containerd, and kubelet) as well as the containers without the host root privileges. The most significant advantage of Rootless Containers is that it can mitigate potential container-breakout vulnerability of the runtimes, but it is also useful for isolating multi-user environments on HPC hosts. This talk will contain the introduction to rootless containers and deep-dive topics about the recent updates such as Seccomp User Notification. The main focus will be on containerd (CNCF Graduated Project) and its consumer projects including Kubernetes and Docker/Moby, but topics about other runtimes will be discussed as well.
https://sched.co/fGWc
P2P Container Image Distribution on IPFS With containerd and nerdctlKohei Tokunaga
Talked at FOSDEM 2022 about IPFS-based P2P image distribution with containerd and nerdctl (Feburary 6, 2022).
https://fosdem.org/2022/schedule/event/container_ipfs_image/
nerdctl is a Docker-compatible CLI of containerd, developed as a subproject of containerd. nerdctl recently added support of P2P image distribution on IPFS. This enables to share container images among hosts without hosting or relying on the registry.
In this session, Kohei, one of the maintainers of nerdctl, will introduce IPFS-based P2P image distribution with containerd and nerdctl. This session will also show the combination of IPFS-based distribution with the existing image distribution techniques, focusing on lazy pulling (eStargz) and image encryption (OCIcrypt). The status of integration work with other tools including Kubernetes will also be shared.
Related blog post: "P2P Container Image Distribution on IPFS With Containerd" . https://medium.com/nttlabs/nerdctl-ipfs-975569520e3d
GitFlow is a branching model for Git, created by Vincent Driessen. It has attracted a lot of attention because it is very well suited to collaboration and scaling the development team
Monitoring, Logging and Tracing on KubernetesMartin Etmajer
In this presentation, I'll describe a variety of tools, like the Kubernetes Dashboard, Heapster, Grafana, Fluentd, Elasticsearch, Kibana, Jolokia and OpenTracing to bring Monitoring, Logging and Tracing to the Kubernetes container platform.
Kubernetes supports several security mechanisms such as Seccomp, Apparmor, SELinux, and runAsUser for protecting the hosts from container-breakout attacks. However, these mechanisms are not sufficient for the security demand because Kubelet and CRI/OCI runtimes require the root privileges on the hosts, and these components are seriously bug-prone. The dependency on the root privileges has been also problematic for promoting Kubernetes to the HPC world, where users are often disallowed to install software as the root.
In this talk, Akihiro and Giuseppe will show the community’s ongoing work for making Kubernetes deployable and runnable as a non-root user, by using User Namespaces. The main topics of discussion will be UID/GID mapping, unprivileged Copy-on-Write filesystems, Usermode networking (Slirp), and Cgroups.
https://fosdem.org/2019/schedule/event/containers_k8s_rootless/
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
A Docker security talk that Salman Baset and Phil Estes presented at the Tokyo OpenStack Summit on October 29th, 2015. In this talk we provided an overview of the security constraints available to Docker cloud operators and users and then walked through a "lessons learned" from experiences operating IBM's public Bluemix container cloud based on Docker container technology.
Настройка окружения для кросскомпиляции проектов на основе docker'acorehard_by
Как быстро и легко настраивать/обновлять окружения для кросскомпиляции проектов под различные платформы(на основе docker), как быстро переключаться между ними, как используя эти кирпичики организовать CI и тестирование(на основе GitLab и Docker).
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting an new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
In this presentation, we will:
- Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code
- Discuss how to mitigate those risks
- Focus on containers as implemented by Docker and the libcontainer project, but the discussion also stands for plain containers as implemented by LXC
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
A conference talk at ContainerCon Europe in Berlin, Germany, given on October 5th, 2016. This is a slightly modified version of my talk first used at Docker London in July 2016.
[DockerCon 2019] Hardening Docker daemon with Rootless modeAkihiro Suda
https://dockercon19.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=281879
Docker CE 19.03 is going to support "Rootless mode", which allows running the entire Docker daemon and its dependencies as a non-root user on the host, so as to protect the host from malicious containers in a simple but very strong way. Rootless mode is also attractive for users who cannot get `sudo` permission for installing Docker on shared computing machines. e.g. HPC users. In this talk, Akihiro Suda, the author of the Rootless mode (PR: moby#38050), will explain how users can get started with Rootless mode. He will also explain the implementation details of Rootless mode and planned enhancements such as LDAP integration.
DCSF19 Hardening Docker daemon with Rootless modeDocker, Inc.
Akihiro Suda, NTT Corporation
Docker CE 19.03 is going to support "Rootless mode", which allows running the entire Docker daemon and its dependencies as a non-root user on the host, so as to protect the host from malicious containers in a simple but very strong way.
Rootless mode is also attractive for users who cannot get `sudo` permission for installing Docker on shared computing machines. e.g. HPC users.
In this talk, Akihiro Suda, the author of the Rootless mode (PR: moby#38050), will explain how users can get started with Rootless mode.
He will also explain the implementation details of Rootless mode and planned enhancements such as LDAP integration.
Virtual machines are generally considered secure. At least, secure enough to power highly multi-tenant, large-scale public clouds, where a single physical machine can host a large number of virtual instances belonging to different customers. Containers have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting a new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
We will show techniques to harden Linux Containers; including kernel capabilities, mandatory access control, hardened kernels, user namespaces, and more, and discuss the remaining attack surface.
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
Rootless mode is a technique to harden containers by running the container engine as a non-root user. The support for rootless mode has been merged into Docker since v19.03 (2019) and in Kubernetes since v1.22 (2021). However, setting up Rootless Kubernetes has been more challenging than setting up Rootless Docker due to its complexity. This session presents Usernetes Generation 2, a Kubernetes distribution that wraps Kubernetes in Rootless Docker for ease of setting up multi-node Rootless Kubernetes clusters. Unlike the original Usernetes (Generation 1) that was based on "Kubernetes The Hard Way", Usernetes Generation 2 supports kubeadm. Usernetes Generation 2 is similar to `kind` and `minikube`, however, unlike them Usernetes Generation 2 supports forming real multi-node clusters using Flannel (VXLAN) and it can be potentially used for production clusters. https://github.com/rootless-containers/usernetes
Container Security: How We Got Here and Where We're GoingPhil Estes
A talk given on Wednesday, Nov. 16th at DefragCon (DefragX) on a historical perspective on container security with a look to where we're going in the future.
Running services in virtualized systems provides many benefits, but has often presented performance and flexibility drawbacks. This has become critical when managing large databases, where resource usage and performance are paramount. We will explore a case study in the use of Docker to roll out multiple database servers distributed across multiple physical servers.
présentation de l'utilisation de Docker, du niveau 0 "je joue avec sur mon poste" au niveau Docker Hero "je tourne en prod".
Ce talk fait suite à l'intro de @dgageot et ne comporte donc pas l'intro "c'est quoi Docker ?".
https://github.com/rootless-containers/usernetes
Usernetes (Gen2) deploys a Kubernetes cluster inside Rootless Docker, so as to mitigate potential container-breakout vulnerabilities.
Usernetes (Gen2) is similar to Rootless kind and Rootless minikube, but Usernetes (Gen 2) supports creating a cluster with multiple hosts.
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...Akihiro Suda
Images maintained by a reputable organization or an individual are often considered to be trustworthy; however, it is hard to deny the possibility that they might have silently injected malicious codes that are not present in the source repo. Also, even if they have no malicious intent, their images can still be compromised on an accidental leakage of registry credentials.
The latest release of BuildKit solves this supply chain security concern with reproducible builds. Reproducible builds is a technique to ensure that a bit-for-bit identical image can be reproduced from its source code, by anybody, at any time. When multiple actors can attest to an image's reproducibility, it signifies that the image contains no code of a secret origin.
Audiences of this talk will learn how they can and how sometimes they cannot make their images reproducible to improve their trust.
The internals and the latest trends of container runtimesAkihiro Suda
Containers are a set of various lightweight methods to isolate filesystems, CPU resources, memory resources, system permissions, etc. Containers are similar to virtual machines in many senses, but they are more efficient and often less secure. This talk roughly consists of the following three parts:
1. Introduction to containers and how they spread in the last decade
2. Internals of container runtimes: namespaces, cgroups, capabilities, seccomp, etc.
3. Latest trends: Non-Docker containers, User Namespaces, Rootless Containers, Kata Containers, gVisor, WebAssembly, etc.
http://www.cce.i.kyoto-u.ac.jp/danwa23.html
[Container Plumbing Days 2023] Why was nerdctl made?Akihiro Suda
nerdctl (contaiNERD CTL) was made to facilitate development of new technologies in the containerd platform.
Such technologies include:
- Lazy-pulling with Stargz/Nydus/OverlayBD
- P2P image distribution with IPFS
- Image encryption with OCIcrypt
- Image signing with Cosign
- “Real” read-only mounts with mount_setattr
- Slirp-less rootless containers with bypass4netns
- Interactive debugging of Dockerfiles, with buildg
nerdctl is also useful for debugging Kubernetes nodes that are running containerd.
Through this session, the audiences will learn these functionalities of nerdctl, relevant projects, and the roadmap for the future.
https://containerplumbing.org/sessions/2023/why_was_nerdctl_
[KubeCon EU 2021] Introduction and Deep Dive Into ContainerdAkihiro Suda
Join containerd maintainers and reviewers in a combined introduction and deep dive session. They will discuss the overview and the recent updates of containerd as well as how it is being used by Kubernetes, Docker and other container-based systems. The brief introduction about its architecture and service design will be included. The talk will also deep dive into how to leverage contained by extending and customizing it for your use case with low-level plugins like remote snapshotters, as well as by implementing your own containerd client. Upcoming features and recent discussion in containerd community will also be covered.
- - -
https://kccnceu2021.sched.com/event/iE6v/introduction-and-deep-dive-into-containerd-kohei-tokunaga-akihiro-suda-ntt-corporation?iframe=no
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
Do you want Software for your Business? Visit Deuglo
Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions.
Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC).
Requirement — Collecting the Requirements is the first Phase in the SSLC process.
Feasibility Study — after completing the requirement process they move to the design phase.
Design — in this phase, they start designing the software.
Coding — when designing is completed, the developers start coding for the software.
Testing — in this phase when the coding of the software is done the testing team will start testing.
Installation — after completion of testing, the application opens to the live server and launches!
Maintenance — after completing the software development, customers start using the software.
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
In the ever-evolving landscape of technology, enterprise software development is undergoing a significant transformation. Traditional coding methods are being challenged by innovative no-code solutions, which promise to streamline and democratize the software development process.
This shift is particularly impactful for enterprises, which require robust, scalable, and efficient software to manage their operations. In this article, we will explore the various facets of enterprise software development with no-code solutions, examining their benefits, challenges, and the future potential they hold.
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
Looking for a reliable mobile app development company in Noida? Look no further than Drona Infotech. We specialize in creating customized apps for your business needs.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
2. Who are we?
Akihiro Suda
• Software Engineer at NTT
(the largest telco in Japan)
• Maintainer of Moby (former
Docker Engine), BuildKit,
containerd, and etc...
Giuseppe Scrivano
• Software Engineer at
Red Hat
• Works on Podman, Buildah,
CRI-O
2
5. Rootless Containers
• “Rootless containers refers to the ability for an unprivileged
user (i.e. non-root user) to create, run and otherwise manage
containers.” (https://rootlesscontaine.rs/ )
• Not just about running containers as an unprivileged user
• Also entails running container runtimes and orchestrators
as an unprivileged user
5
6. Don’t confuse with..
• docker run --user foo
– Executes the process in the container as a non-root
– dockerd, containerd, and runc still running as the root
• USER instruction in Dockerfile
– same as above
– Notably you can’t RUN dnf install ...
6
7. Don’t confuse with..
• usermod -aG docker foo
– Allows a non-root user to connect to
/var/run/docker.sock
– Equivalent to allow the user to gain the root!
(docker run --privileged -v /:/host …)
• sudo docker or chmod +s dockerd
– Nope!
7
8. Don’t confuse with..
• dockerd --userns-remap
– Execute containers as a non-root user (dockremap),
using user namespaces
• Inside the containers, dockremap can behave as if it
were the root
– Most similar to Rootless Containers, but still requires
dockerd, containerd, and runc to run as the root
8
9. Motivation of Rootless Containers
• To mitigate potential vulnerability of container runtimes and
orchestrator (the primary motivation)
• To allow users of shared machines (e.g. HPC) to run
containers without the risk of breaking other users
environments
• To isolate nested containers, e.g. “Docker-in-Docker”
9
10. Runtime vulnerabilities
• Docker “Shocker” (2014)
– A malicious container was allowed to access the host file system,
as CAP_DAC_READ_SEARCH was effective by default
• Docker CVE-2014-9357
– A malicious docker build container could run arbitrary binary on
the host as the root due to an LZMA archive issue
• containerd #2001 (2018)
– A malicious container image could remove /tmp on the host when
the image was pulled (not when actually launched!)
10
11. Runtime vulnerabilities
• runc #1962 (2019, found by Akihiro, analyzed and fixed by Giuseppe)
– A malicious container could gain the write access to /proc and /sys
when the host root filesystem is initrd (DOCKER_RAMDISK)
• Results in arbitrary command execution as the root on the host,
via /proc/sys/kernel/core_pattern or
/sys/kernel/uevent_helper
– Minikube is known to be affected (fixed in v0.33.1)
11
$ kubectl run -it --image busybox foo
# unshare -mrfp
# mount -t proc none /proc
12. Other vulnerabilities
• Kubernetes CVE-2017-1002101, CVE-2017-1002102
– A malicious container was allowed to access the host filesystem via
vulnerabilities related to volumes
• Kubernetes CVE-2018-1002105
– A malicious API call could be used to gain cluster-admin (and
hence the root privileges on the nodes)
• Git CVE-2018-11235 (affected Kubernetes gitRepo volumes)
– A malicious repo could execute an arbitrary binary as the root when
it was cloned
12
13. Play-with-Docker.com vulnerability
• Play-with-Docker.com: Online Docker playground,
implemented using Docker-in-Docker with custom
AppArmor profiles
• Malicious kernel module was loadable due to AppArmor
misconfiguration (revealed on Jan 14, 2019)
– Not really an issue of Docker
13https://www.cyberark.com/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host/
14. Caveat: Not a panacea
• Although Rootless Containers could mitigate these
vulnerabilities, it is not a panacea , especially it is powerless
against kernel (and hardware) vulnerabilities
– CVE 2013-1858, CVE-2015-1328, CVE-2018-18955
• Castle approach : it should be used in conjunction with
other security layers such as seccomp and SELinux
14
16. User Namespaces
• The key component of rootless containers.
– Map UIDs/GIDs in the guest to different UIDs/GIDs on
the host.
– Unprivileged users can have (limited) root inside a user
namespace!
• Root in a user namespace has UID 0 and full capabilities,
but obvious restrictions apply.
– Inaccessible files, inserting kernel modules, rebooting, ...
16
17. User Namespaces
• To allow multi-user mappings, shadow-utils provides newuidmap and
newgidmap (packaged by most distributions).
– SETUID binaries writing mappings configured in /etc/sub[ug]id
/etc/subuid:
1000:420000:65536
/proc/42/uid_map:
0 1000 1
1 420000 65536
Provided by the admin (real root)
User can configure map UIDs after
unsharing a user namespace
17
18. User Namespaces
Problems:
• SETUID binary can be dangerous
– newuidmap & newgidmap had two CVEs so far:
• CVE-2016-6252 (CVSS v3: 7.8): integer overflow issue
• CVE-2018-7169 (CVSS v3: 5.3): supplementary GID issue
• Hard to maintain subuid & subgid
– Having 65536 sub-IDs should be ok for most cases, but to allow
nesting user namespaces, an enormous number of sub-IDs would
be needed
• Potential sub-ID starvation
18
19. User Namespaces
Alternative way: Single-mapping mode
• Single-mapping mode does not require
newuidmap/newgidmap
• There is only one UID/GID available in the container
Limit the privileges of newuidmap/newgidmap
• Install them using file capabilities rather than SETUID bit
– Only CAP_SETUID and CAP_SETGID are needed
19
20. Network Namespaces
• An unprivileged user can create network namespaces along
with user namespaces
• With network namespaces, the user can
– create iptables rules
– isolate abstract (pathless) UNIX sockets
– set up overlay networking with VXLAN
– run tcpdump
– ...
20
21. Network Namespaces
• But an unprivileged user cannot set up veth pairs across
the host and namespaces, i.e. No internet connection
21
The Internet
Host
UserNS + NetNS
22. Network Namespaces
Prior work: LXC uses SETUID binary (lxc-user-nic) for
setting up the veth pair across the the host and containers
Problem: SETUID binary can be dangerous!
• CVE-2017-5985 (CVSS v3: 3.3): netns privilege escalation
• CVE-2018-6556 (CVSS v3: 3.3): arbitrary file open(2)
22
23. Network Namespaces
Our approach: use completely unprivileged usermode network
(“Slirp”) with a TAP device
TAP
“Slirp” TAPFD
send fd as SCM_RIGHTS cmsg via an UNIX socket
The Internet
Host
UserNS + NetNS
24. Network Namespaces
Benchmark of several “Slirp” implementations:
• slirp4netns (our own implementation based on QEMU Slirp) is the
fastest because it avoids copying packets across the namespaces
MTU=1500 MTU=4000 MTU=16384 MTU=65520
vde_plug 763 Mbps Unsupported Unsupported Unsupported
VPNKit 514 Mbps 526 Mbps 540 Mbps Unsupported
slirp4netns 1.07 Gbps 2.78 Gbps 4.55 Gbps 9.21 Gbps
cf. rootful veth 52.1 Gbps 45.4 Gbps 43.6 Gbps 51.5 Gbps
Benchmark: iperf3 (netns -> host), measured on Travis CI. See rootless-containers/rootlesskit#12 24
25. Port forwarding
• Usermode port forwarder (inbound connection) can be
implemented independently of Slirp (outbound connection)
• slirp4netns: 7.01 Gbps (still has extra packet copy)
• socat+nsenter: 9.64 Gbps
• Our WIP implementation with SCM_RIGHTS optimization:
28.5 Gbps (still flaky)
25
https://github.com/rootless-containers/rootlesskit/pull/33#issuecomment-448992291
https://github.com/rootless-containers/slirp4netns/pull/29#issuecomment-449626896
26. Multi-node networking
• Flannel VXLAN is known to work
– Encapsulates Ethernet packets in UDP packets
– Provides L2 connectivity across rootless containers on
different nodes
• Other protocols should work as well, except ones that
require access to raw Ethernet
26
27. Root Filesystems
Your container root filesystem has to live somewhere. Many filesystem
features used by “rootful” container runtimes aren’t available.
• Ubuntu allows overlayfs in a user namespace, but this isn't supported
upstream (due to security concerns).
• Btrfs allows unprivileged subvolume management, but requires
privileges to set it up beforehand.
• Devicemapper is completely locked away from us.
27
28. Root Filesystems
A “simple” work-around is to just extract images to a directory!
• It works … but people want storage deduplication.
Alternatives:
• Reflinks to a "known good" extracted image (inode exhaustion).
– (Can use on XFS, btrfs, ... but not ext4.)
• Unprivileged userspace overlayfs using FUSE (Kernel 4.18+).
28
29. fuse-overlayfs
● Overlayfs implementation using FUSE
● Layers deduplication as for root containers
● Fast setup for a new container
● Built-in support for shifting UIDs/GIDs
● Adds complexity
● Temporary solution until unprivileged users can safely use overlay
29
30. fuse-overlayfs UIDs/GIDs shifting
● When creating a user namespace, we must ensure proper ownership of
the files in the RO layers.
● the file system “lies” about the owner, so that it has the correct UID/GID
in the user namespace and the same layer on disk can be used by
different user namespaces.
● Less expensive alternative to cp -r and chown’ing the entire image
and layers.
30
31. cgroups
/sys/fs/cgroup is a roadblock to many features we want in rootless
containers (accounting, pause and resume, even getting a list of PIDs!).
• By default completely owned by root (and managed by systemd).
Some workarounds:
• LXC’s pam_cgfs requires installation of a PAM module (and only works
for logged-in users). It needs to be used carefully as it gives cgroupv1
write access to unprivileged users.
• cgroup namespaces (with nsdelegate) only work in cgroupv2.
31
33. runc
• Supports rootless mode since 1.0.0-rc4 (merged March
2017).
• Since 1.0.0-rc5 (Feb 2018):
– /sys/fs/cgroup can be used if they are set up to be
writable.
– Multi-user mappings are supported if they are set up
with /etc/sub[ug]id.
33
34. • Podman, daemonless alternative to Docker:
– Uses slirp4netns
– Uses fuse-overlayfs
– rootless storage under the user home directory
– No CLI differences between root and rootless mode
34
35. Podman containers
• When running directly a container, each container runs in its
own user namespace.
• No mounts/resources leak in the host
• A container cannot join namespaces of another container
as they are owned by different user namespaces
35
36. Podman pods
• Similar concept to Kubernetes pods
• A group of containers that share resources
• Deploy as a single unit
• Rootless containers in a Pod share the same user
namespace
36
37. Docker
• Docker v19.03 is likely to support Rootless mode
– PR: #38050
• Unlike Podman, fuse-overlayfs is not yet supported
37
38. LXC
• Supports unprivileged (what we call “Rootless”) containers
since 2013
• Unlike our work, a SETUID binary is required for setting up
network namespaces
• LXD still requires the daemon to be executed as the root
38
39. Singularity
• Popular in HPC community, as it supports Rootless mode
– Default configuration uses a SETUID helper (which we
don’t call “Rootless”), but Rootless mode (--userns)
can be enabled optionally
• Unlike our work, Rootless mode does not support creating
network namespaces (with Internet connection)
39
40. CloudFoundry Garden
• Supports rootless mode using runc
• Unlike our work, SETUID binaries are required for setting up
network namespaces
40https://github.com/cloudfoundry/garden-runc-release/blob/master/docs/articles/rootless-containers.md
41. runROOTLESS and umoci
• runROOTLESS: runc-based OCI runtime (Akihiro’s work)
• umoci: OCI image manipulation tool
• No subuid/subgid configuration is needed
– Emulates subuid/subgid with ptrace and xattr
– Suitable for LDAP environments
• Current implementation has significant overhead due to ptrace
– Future work: replace ptrace with Tycho Andersen’s new seccomp
framework (Kernel 5.X ?)
41
42. udocker
• Docker-like CLI
• Supports both ptrace mode and runc mode
– Unlike runROOTLESS, ptrace mode lacks support for
persistent chown (also, ptrace mode isn’t used in
conjunction with runc)
42
44. • Buildah: daemonless tool for building OCI images
– User namespaces for rootless mode or root in a not
privileged container
– Uses slirp4netns
– dnf/yum/apt/apk works
– Can use fuse-overlayfs
– Share configuration and storage with Podman
– Different isolation modes
44
45. Buildah isolation modes
• Can be controlled with --isolation=ISOLATION
– OCI (default): OCI compatible configuration
– rootless: It is similar to OCI but uses a configuration that
is usable for non privileged users
– chroot: creates an environment that looks more like a
chroot than a container.
45
46. BuildKit and img
• BuildKit: modern backend for docker build
– Integrated to Docker since v18.06, but can be also used
as a standalone and rootless daemon
– Rootless BuildKit has been used in OpenFaaS cloud
• img: Jessie Frazelle’s image builder based on BuildKit
– Same as BuildKit but daemonless
46
47. BuildKit and img
• Rootless BuildKit/img can be launched as an unprivileged user on the host
without any extra configuration
• However, containerized deployment of rootless BuildKit/img had required
securityContext.procMount=Unmasked
– Unmask /proc/* (e.g. kcore) so that build containers can mount
procfs with dedicated PID namespaces
– Not real concern as long as running in rootless mode
– BuildKit v0.4+ no longer requires securityContext configuration
• But no PID namespace isolation across the BuildKit daemon
container and build containers
47
48. Kaniko
• Google’s unprivileged container image builder
• Different from our approach
– Kaniko itself needs to be executed in a container
(No securityContext configuration needed)
– Dockerfile RUN instructions are executed without creating nested
containers inside the Kaniko container
• A RUN instruction gains the root in the Kaniko container
• Seems inappropriate for malicious Dockerfiles due to the lack of isolation
– Potential cloud credential leakage: #106
48
49. Makisu
• Uber’s unprivileged container image builder
• Same design as Kaniko, with regard to unprivileged
execution
49
51. Kubernetes
• kubelet and kube-proxy require a bunch of hacks for running
without cgroups and sysctl
– No hack needed for kube-apiserver and kube-scheduler
– POC available; Planning to propose KEP to SIG-node soon
– Future work: kubeadm integration
• CRI: Both CRI-O and containerd supports rootless mode
• CNI: Flannel VXLAN is known to work without any modification
51
52. “Usernetes”
Experimental binary distribution of rootless Kubernetes,
installable under $HOME without mess
https://github.com/rootless-containers/usernetes
$ tar xjvf usernetes-x86_64.tbz
$ cd usernetes
$ ./run.sh
$ ./kubectl.sh run -it --image..
52
53. “Usernetes”
• docker-compose.yml is included for demonstrating
pseudo multi-node cluster POC
– Mix of dockershim + CRI-O + containerd
– Flannel VXLAN is enabled by default
– FIXME: TLS is not enabled yet (contribution wanted!)
• Usernetes-on-Kubernetes YAML is coming soon
53