spec vs runc

| | spec | runc |
|---|---|---|
| Posts (mentions) | 4 | 32 |
| Stars | 1,286 | 11,441 |
| Growth | 1.1% | 0.8% |
| Activity | 4.6 | 9.3 |
| Last commit | 16 days ago | 2 days ago |
| Language | Makefile | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
spec

- RSE Rave Recurrence
I had a really (what I thought at the time) cool idea for a new Kubernetes storage driver, so I implemented the basic version in an evening. That's the first "rave-worthy" event - the architecture of these drivers is fairly complex and there are many ways to do it (see https://github.com/container-storage-interface/spec/blob/master/spec.md) so getting something working as I imagined it, knowing nothing beforehand, was the first moment of joy. The next day (after sharing in a few slacks) I got a DM from a tech lead at and he was really excited about the idea! That second affirmation that someone was excited about the project and wanted to brainstorm with me was my second moment of joy. And then for the third, last night and (some of today, still going to do more after dinner soon!) I've been doing detail work, and learning a ton, debugging, learning, making it slowly better... that flow state (often with music) is probably the closest thing to the idea of a rave. Anyway, that's my story! I love learning Kubernetes stuff, I'm so grateful I've been able to in my current role.
- Docker 23.0.0 is out
- Infrastructure Engineering — Deployment Strategies
But if none of these is an issue, then containers and an orchestration system like Kubernetes can always take care of workload portability, especially with OCI now in place for containers and CSI, CNI, CRI and SMI for storage, networking, runtime and service mesh respectively, creating a healthy standards-based ecosystem for all and thereby enabling workload portability without lock-in, since for a workload to be truly portable, all the underlying resources should be portable without any, or very limited, changes.
- Infrastructure Engineering - Diving Deep
CSI (Container Storage Interface) is a standard which helps establish interoperability between multiple storage providers, avoiding the need to have in-tree plugins within the core. So, any storage provider who supports CSI can work with Kubernetes without any issues. You can find a complete list of providers supporting CSI here
runc

- Nanos – A Unikernel
I can speak to this. Containers, and by extension k8s, break a well-known security boundary that has existed for a very long time: whether you are using a real (hardware) server or a virtual machine on the cloud, if you pop that instance/server, generally speaking you only have access to that server. Yeah, you might find a db config with connection details if you landed on, say, a web app host, but in general you still have to work to start popping the next N servers.
That's not the case when you are running in k8s and the last container breakout was just announced ~1 month ago: https://github.com/opencontainers/runc/security/advisories/G... .
At the end of the day it is simply not a security boundary. It can solve other problems but not security ones.
- Several container breakouts due to internally leaked fds
- Container breakout through process.cwd trickery and leaked fds
- US Cybersecurity: The Urgent Need for Memory Safety in Software Products
It's interesting that, in light of things like this, you still see large software companies adding support for new components written in non-memory-safe languages (e.g. C).
As an example, Red Hat OpenShift added support for crun (https://github.com/containers/crun) this year (https://cloud.redhat.com/blog/whats-new-in-red-hat-openshift...), which is written in C, as an alternative to runc, which is written in Go (https://github.com/opencontainers/runc)...
- Run Firefox on ChromeOS
Rabbit hole indeed. That wasn't related to my job at the time, lol. The job change came with a company-provided computer and that put an end to the tinkering.
BTW, I found my hacks to make runc run on Chromebook: https://github.com/opencontainers/runc/compare/main...gabrys...
- Crun: Fast and lightweight OCI runtime and C library for running containers
Being the main author of crun, I can clarify that statement: I am not a fan of Go _for this particular use case_.
Using C instead of Go avoided a bunch of the workarounds that exist in runc to work around the Go runtime, e.g. https://github.com/opencontainers/runc/blob/main/libcontaine...
- Best virtualization solution with Ubuntu 22.04
runc
- Bringing Memory Safety to sudo and su - with Ferrous Systems and Tweedegolf
Not OP, but if I had to guess, a lot of this can be picked up by just observing common security issues in the Linux space, since similar mistakes and oversights have caused quite a few real-world CVEs in the past, e.g. this random example of a TOCTTOU vulnerability in runc.
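The comment above points at a TOCTTOU (time-of-check to time-of-use) bug in runc without giving details. As an added example, which is not code from runc, crun or the commenter, here is the general shape of that bug class in Go and the descriptor-based fix: a reader that stats a path, decides it is a plain file and then opens it by name again, beside a reader that opens first with O_NOFOLLOW and inspects the fd it actually got. The temp-directory setup, the "public"/"secret" file names and the `between` hook that stands in for the attacker's timing are all constructed for this demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"syscall"
)

// ErrNotRegular: what we ended up with is not a plain file.
var ErrNotRegular = errors.New("refusing to read: not a regular file")

// ReadRacy is check-then-use: stat the name, decide it is a regular file, then
// open the name again. `between` stands in for an attacker acting inside that
// window; whatever the directory holds by then is what gets opened.
func ReadRacy(path string, between func()) ([]byte, error) {
	st, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	if !st.Mode().IsRegular() {
		return nil, ErrNotRegular
	}
	if between != nil {
		between() // race window: the check above is already stale
	}
	return os.ReadFile(path) // second lookup by name, follows a planted symlink
}

// ReadSafe opens first and checks the descriptor it actually got. O_NOFOLLOW
// makes the kernel reject a symlink at the final component with ELOOP, and
// fstat on the fd describes that same inode, so check and use cannot diverge.
func ReadSafe(path string, between func()) ([]byte, error) {
	if between != nil {
		between() // the attacker can still race; it just no longer helps
	}
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	st, err := f.Stat() // fstat(2) on the fd, not another lookup by name
	if err != nil {
		return nil, err
	}
	if !st.Mode().IsRegular() {
		return nil, ErrNotRegular
	}
	return io.ReadAll(f)
}

// scenario is a constructed setup in a temp dir: "public" is what the victim
// means to read, "secret" is what the attacker wants it to read instead.
type scenario struct{ dir, public, secret string }

func newScenario() (*scenario, error) {
	dir, err := os.MkdirTemp("", "toctou-demo")
	if err != nil {
		return nil, err
	}
	s := &scenario{dir, filepath.Join(dir, "public"), filepath.Join(dir, "secret")}
	if err := os.WriteFile(s.public, []byte("harmless\n"), 0o644); err != nil {
		return nil, err
	}
	return s, os.WriteFile(s.secret, []byte("host-secret\n"), 0o600)
}

// swap is the attacker's move: rename(2) a prepared symlink over "public".
// The replacement is atomic, so the victim never sees a missing entry.
func (s *scenario) swap() {
	link := filepath.Join(s.dir, "public.tmp")
	if os.Symlink(s.secret, link) == nil {
		_ = os.Rename(link, s.public)
	}
}

// Demo runs one reader against a fresh scenario with the swap landing inside
// the window and returns what the reader handed back.
func Demo(read func(string, func()) ([]byte, error)) (string, error) {
	s, err := newScenario()
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(s.dir)
	b, err := read(s.public, s.swap)
	return string(b), err
}

func main() {
	got, err := Demo(ReadRacy)
	fmt.Printf("check-then-use read %q, err=%v\n", got, err) // leaks the secret
	got, err = Demo(ReadSafe)
	fmt.Printf("open-then-fstat read %q, err=%v\n", got, err) // ELOOP, nothing read
}
```

Two caveats a practitioner would want. O_NOFOLLOW only guards the final path component; a symlink in a parent directory is still followed, which is why container runtimes resolve paths relative to the container root with openat2(2) and RESOLVE_IN_ROOT on Linux 5.6+, or an equivalent component-by-component walk over directory fds. And Go's os.OpenFile sets O_CLOEXEC on every descriptor it opens, which is the other half of the hygiene the leaked-fd advisory titles above refer to: a descriptor the runtime opens for its own checks must not survive into the container's exec.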
- Containers - between history and runtimes (original title: Containers - entre historia y runtimes)
- [email protected]+incompatible with ubuntu 22.04 on arm64 ?
What are some alternatives?
cri-api - Container Runtime Interface (CRI) – a plugin interface which enables kubelet to use a wide variety of container runtimes.
crun - A fast and lightweight fully featured OCI runtime and C library for running containers
community - Kubernetes community content
Moby - The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
kubefed - Kubernetes Cluster Federation
youki - A container runtime written in Rust
swarmkit - A toolkit for orchestrating distributed systems at any scale. It includes primitives for node discovery, raft-based consensus, task scheduling and more.
podman - Podman: A tool for managing OCI containers and pods.
virtual-kubelet - Virtual Kubelet is an open source Kubernetes kubelet implementation.
containerd - An open and reliable container runtime
cni - Container Network Interface - networking for Linux containers
conmon - An OCI container runtime monitor.