runtime
amicontained
Our great sponsors
runtime | amicontained | |
---|---|---|
4 | 4 | |
2,095 | 947 | |
- | 1.5% | |
8.3 | 0.0 | |
almost 3 years ago | over 3 years ago | |
Go | Go | |
Apache License 2.0 | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
runtime
-
AER: Error of this Agent is Reported First
Let me give you an example. [Here's one of the best questions I've ever asked on the internet.]https://github.com/kata-containers/runtime/issues/2795) I've seen many better questions asked, but this is the best I've been able to manage. I provided a decent description of the problem, a test-case that allowed other people to reproduce it as well (not relevant in your case), what I tried that didn't work, and the exact log messages and system information that indicated the problem. I then followed up with the people who were helping me and the problem was resolved.
-
Set *minimum* CPU allocation for a service
in parts of prod we use a combination of cgroups (mentioned in the thread already), taskset https://man7.org/linux/man-pages/man1/taskset.1.html, and in other cases (HPC workloads on large clusters) Kata Containers to isolate and optimize application resources: https://katacontainers.io/
-
Docker for Mac M1 RC
It might use a hypervisor though, as the pendulum swings back
https://katacontainers.io/
-
Building a secure/sandboxed environment for executing untrusted code
Kata Containers
amicontained
-
Is there a trick to know we're in a container?
If you want a tool based solution to this, tools like amicontained can tell you that in a container and some information about the sandbox.
-
Ask r/kubernetes: What are you working on this week?
I'm looking into SECCOMP profiles as well, but so far is seems a lot of pain for little gain. This series by Paulo Gomes is my starting point. part2 part3 testing-container.
-
Container capabilities
If you want to check the exact syscalls and caps in a container, getting a shell and using something like amicontained https://github.com/genuinetools/amicontained is a good option.
-
Hardening Docker and Kubernetes with seccomp
We made a few changes here. Namely, we changed seccompProfile section where we specify RuntimeDefault type and we also changed the image to amicontained which is a container introspection tool that will tell us which syscalls are blocked, as well as some other interesting security info.
What are some alternatives?
wsl-vpnkit - Provides network connectivity to WSL 2 when blocked by VPN
Lean and Mean Docker containers - Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
for-mac - Bug reports for Docker Desktop for Mac
kubernetes-ingress - NGINX and NGINX Plus Ingress Controllers for Kubernetes
singularity - Singularity has been renamed to Apptainer as part of us moving the project to the Linux Foundation. This repo has been persisted as a snapshot right before the changes.
labs - This is a collection of tutorials for learning how to use Docker with various tools. Contributions welcome.
kubernetes-goat - Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground 🚀
UBUNTU20-CIS - Ansible role for Ubuntu 2004 CIS Baseline
microshift - A small form factor OpenShift/Kubernetes optimized for edge computing
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
kubescape - Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.
img - Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.