a year of container kernel work
play

A Year of Container Kernel work Past, Present, and Future of - PowerPoint PPT Presentation

Mar 23, 2024 •681 likes •810 views

A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM, 2019 Brussels, Belgium Christian Brauner christian@brauner.io christian.brauner@ubuntu.com @brau_ner https://brauner.io/ 4.15: Bump Limit of

  1. A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM, 2019 Brussels, Belgium Christian Brauner christian@brauner.io christian.brauner@ubuntu.com @brau_ner https://brauner.io/

  2. 4.15: Bump Limit of Allowed User Namespace Mappings from 5 to 340 - aa4bf44dc851c6bdd4f7b61b5f2c56c84dfe2ff0 - 6397fac4915ab3002dc15aae751455da1a852f25 - 11a8b9270e16e36d5fb607ba4b60db2958b7c625 - 3edf652fa16562fb57a5a4b996ba72e2d7cdc38b - d5e7b3c5f51fc6d34e12b6d87bfd30ab277c4625 - ece66133979b211324cc6aff9285889b425243d2 - 3fda0e737e906ce73220b20c27e7f792d0aac6a8

  3. 4.15: Bump Limit of Allowed User Namespace Mappings from 5 to 340 #define UID_GID_MAP_MAX_EXTENTS 5 struct uid_gid_extent { u32 first; u32 lower_first; u32 count; }; struct uid_gid_map { /* 64 bytes -- 1 cache line */ u32 nr_extents; union { struct uid_gid_extent extent[UID_GID_MAP_MAX_EXTENTS]; struct { struct uid_gid_extent *forward; struct uid_gid_extent *reverse; }; }; };

  4. 4.15: Bump Limit of Allowed User Namespace Mappings from 5 to 340 | # MAPPINGS | PATCH-V1 | PATCH-NEW | |--------------|------------|-----------| | 0 mappings | 158 ns | 158 ns | | 1 mappings | 164 ns | 157 ns | | 2 mappings | 170 ns | 158 ns | | 3 mappings | 175 ns | 161 ns | | 5 mappings | 187 ns | 165 ns | | 10 mappings | 218 ns | 199 ns | | 50 mappings | 528 ns | 218 ns | | 100 mappings | 980 ns | 229 ns | | 200 mappings | 1880 ns | 239 ns | | 300 mappings | 2760 ns | 240 ns | | 340 mappings | not tested | 248 ns |

  5. 4.18: Mounting *Interesting* Filesystem in non-initial User Namespaces - aa4bf44dc851c6bdd4f7b61b5f2c56c84dfe2ff0 - 6397fac4915ab3002dc15aae751455da1a852f25 - 11a8b9270e16e36d5fb607ba4b60db2958b7c625 - 3edf652fa16562fb57a5a4b996ba72e2d7cdc38b - d5e7b3c5f51fc6d34e12b6d87bfd30ab277c4625 - ece66133979b211324cc6aff9285889b425243d2 - 3fda0e737e906ce73220b20c27e7f792d0aac6a8 dbf107b2a7f36fa635b40e0b554514f599c75b33 - c9582eb0ff7d2b560be60eafab29183882cdc82b - 8cb08329b0809453722bc12aa912be34355bcb66 - 73f03c2b4b527346778c711c2734dbff3442b139 - 57b56ac6fecb05c3192586e4892572dd13d972de - 593d1ce854dff93b3c9066e897192eb676b09c46 - 55956b59df336f6738da916dbb520b6e37df9fbd <- kernel regression - 0031181c49ca94b14b11f08e447f40c6ebc842a4 - bc6155d1326092f4c29fe05a32b614249620d88e - b1d749c5c34112fab5902c43b2a37a0ba1e5f0f1 - f3f1a18330ac1b717cd7a32adff38d965f365aa2 - e45b2546e23c2d10f8585063a15c745a7603fac9 - 4ad769f3c346ec3d458e255548dec26ca5284cf6

  6. 4.17: Uevent Injection - 94e5e3087a67c765be98592b36d8d187566478d5 - 692ec06d7c92af8ca841a6367648b9b3045344fd - 26045a7b14bc7a5455e411d820110f66557d6589 - a3498436b3a0f8ec289e6847e1de40b4123e1639 - 90d52d4fd82007005125d9a8d2d560a1ca059b9d - 9d3df886d17b5ef73d4018841ef0a349fcd109ea

  7. 5.0: Seccomp Trap To Userspace - db5113911abaa7eb20cf115d4339959c1aecea95 - a5662e4d81c4d4b08140c625d0f3c50b15786252 - 6a21cc50f0c7f87dae5259f6cfefe024412313f6 - fec7b6690541b8128663a13c9586b1daf42b0a6c

  8. At some point: New Mount API - Al Viro’s kernel.org repo - David Howells’ kernel.org repo - Range of proposed new syscalls: - fspick(int dfd, const char path, unsigned int flags) - fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags) - fsconfig(int fd, unsigned int cmd, const char _key, const void _value, int aux) - fsopen(const char _fs_name, unsigned int flags) - move_mount(int from_dfd, const char *from_pathname, int to_dfd, const char *to_pathname, unsigned int flags) - open_tree(int dfd, const char *filename, unsigned flags) - ...

  9. At some point: Restricting Path Resolution - Aleksa’s Github repo New flags for open{at}() to restrict path resolution: - - O_XDEV - O_NOMAGICLINKS - O_NOSYMLINKS - O_BENEATH - O_THISROOT

  10. 5.0: Android binderfs Filesystem - 3ad20fe393b31025bebfc2d76964561f65df48aa - 3fdd94acd50d607cf6a971455307e711fd8ee16e - b6c770d7c9dc7185b17d53a9d5ca1278c182d6fa - 849d540ddfcd4f232f3b2cf40a2e07eccbd6212c - c13295ad219d8bb0e47942d4cfc8251de449a67e - 36bdf3cae09df891b191f3955c8e54a2e05d67d0 - 7fefaadd6a962987baac50e7b3c4c3d5ef9b55c6 - 7e7ca7744a539f1a172e3b81c29d000787e3d774 - 6fc23b6ed8fa0ba6cc47b2f8756df1199abc3a5c - 7d0174065f4903fb0ce0bab3d5047284faa7226d - 7c4d08fc4d5aca073bd4ebecbb9eda5e4d858b71 - e98e6fa18636609f14a7f866524950a783cf4fbf - 36975fc3e5f241cc4f45df4ab4624d7d5199d9ed - 01b3f1fc568352a1ffdcd3ee82a0297f16cc9bd9 - 4198479524aeccaf53c3a4cc73784982535573fa - 29ef1c8e16aed079ac09989d752e38d412b6e1a8 - 01684db950ea2b840531ab9298a8785776b6f6e8

  11. At some point: File Descriptors for Processes - My kernel.org repo - First proposed syscall: - pidfd_send_signal(int, pidfd, int sig, siginfo_t info, unsigned int flags)

  12. A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM, 2019 Brussels, Belgium Christian Brauner christian@brauner.io christian.brauner@ubuntu.com @brau_ner https://brauner.io/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide

State of SELinux Paul Moore September 2017 Kernel Changes Obligatory Container Slide Individual file labeling for cgroup, cgroup2, and tracefs Allows for labels unique to each container, enabling SELinux enforced separation for these

482 views • 16 slides
Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container

Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container

Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container runs its own kernel uses the host kernel user-space user-space vm user-space container user-space vm kernel host kernel host kernel

833 views • 26 slides
Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers 2019, Lisbon, Portugal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 1 / 29 Overview 1 Background 2 Deploying fast datapaths fast

831 views • 53 slides
DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x Galley Container 1x Medical Container 1x Feed Water Container 1x Water Treatment Container 2x Generator Container 1x

569 views • 8 slides
Optimization Models for Container Inspection Endre Boros RUTCOR, Rutgers University Joint work

Optimization Models for Container Inspection Endre Boros RUTCOR, Rutgers University Joint work

Container Inspection Optimization Models for Container Inspection Endre Boros RUTCOR, Rutgers University Joint work with L. Fedzhora and P.B. Kantor (Rutgers), and K. Saeger and P. Stroud (LANL) Container Inspection Container Inspection

609 views • 27 slides
Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST)

Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST)

Bare Metal Container National Institute of Advanced Industrial Science and Technology(AIST) Kuniyasu Suzaki 1 Contents Background of BMC Drawbacks of container, general kernel, and accounting. What is BMC? Current

837 views • 34 slides
Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Introduction Container Library Container Tools FUSE Container File System Evaluation Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene Michael Kuhn Parallele und Verteilte Systeme Institut f ur

353 views • 22 slides
SHIP-TO-SHORE @ Durban Container Terminal EDITION 1 - DECEMBER 2012 A year of innovation,

SHIP-TO-SHORE @ Durban Container Terminal EDITION 1 - DECEMBER 2012 A year of innovation,

SHIP-TO-SHORE @ Durban Container Terminal EDITION 1 - DECEMBER 2012 A year of innovation, evolution and improvement. Welcome to the fjrst edition of Ship-to-Shore, Durban Container Terminals new online newsletter. Well be using

891 views • 3 slides
Container Deposits The story so far, and why doesn t everyone do this? Container Deposit

Container Deposits The story so far, and why doesn t everyone do this? Container Deposit

Plastic Bags Ban and Container Deposits The story so far, and why doesn t everyone do this? Container Deposit Legislation Remember 1975? Source: Adelaide Now Adelaide Oval Cricket test 1973 Football Grand Final 1973Adelaide Cans

658 views • 18 slides
A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the

A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the

A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the speakers and team Follow along - @sargun @tomaszbak_ca @fabiokung @aspyker @amit_joshee @anwleung 2 Netflixs container management platform

808 views • 44 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

240 views • 5 slides
our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can make us way more efficient containers can save us money on hosting containers sound interesting company founded in 2013

848 views • 30 slides
Mini-Bulk/IBC Pesticide Container Collection Program EPA Sponsored California San Joaquin Valley

Mini-Bulk/IBC Pesticide Container Collection Program EPA Sponsored California San Joaquin Valley

Mini-Bulk/IBC Pesticide Container Collection Program EPA Sponsored California San Joaquin Valley Jim Bise Director of Sales Myers Container/CMS jbise@myerscontainer.com 1 Myers Container Myers Container Myers Container, LLC has been

635 views • 8 slides
menu del dia learning (7 slides) purushottam kar (iit kanpur) accelerated kernel learning

menu del dia learning (7 slides) purushottam kar (iit kanpur) accelerated kernel learning

accelerated kernel learning 1 purushottam kar department of computer science and engineering indian institute of technology kanpur november 27, 2012 1 joint work with harish c. karnick purushottam kar (iit kanpur) accelerated kernel learning

2.17k views • 175 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Overview Preliminaries Kernel ridge regression Kernel -means clustering

476 views • 25 slides
CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988 Impact of Configuration Errors on DNS Robustness V. Pappas, Z. Xu, S. Lu, D. Massey, A. Terzis, and L. Zhang, 2004 Spring 2013 The Story So Far .

481 views • 29 slides
Scaling choice models of relational social data Jan Overgoor Stanford University SIAM-NS July

Scaling choice models of relational social data Jan Overgoor Stanford University SIAM-NS July

Scaling choice models of relational social data Jan Overgoor Stanford University SIAM-NS July 09, 2020 Slides: bit.ly/c2g-venmo Joint work with George Pakapol Supaniratisai (Stanford) &amp; Johan Ugander (Stanford) Events on networks

561 views • 27 slides
Accuracy Enhancements of the 802.11 Model and EDCA QoS Extensions in ns-3 Timo Bingmann

Accuracy Enhancements of the 802.11 Model and EDCA QoS Extensions in ns-3 Timo Bingmann

Accuracy Enhancements of the 802.11 Model and EDCA QoS Extensions in ns-3 Timo Bingmann Decentralized Systems and Network Services Research Group Institute of Telematics, University of Karlsruhe February 6, 2009 Roadmap 1 ns-3 Basics

765 views • 51 slides
W orkload Generation for ns Sim ulations of Wide Area Net w orks and the

W orkload Generation for ns Sim ulations of Wide Area Net w orks and the

W orkload Generation for ns Sim ulations of Wide Area Net w orks and the In ternet y z z y M Y uksel B Sikdar K S V astola and B Szymanski y Departmen t of Computer Science z

409 views • 15 slides
Unified memory Talk outline [28 slides] GPGPU 2015: High Performance Computing with CUDA

Unified memory Talk outline [28 slides] GPGPU 2015: High Performance Computing with CUDA

Unified memory Talk outline [28 slides] GPGPU 2015: High Performance Computing with CUDA University of Cape Town (South Africa), April, 20 th -24 th , 2015 1. State of art of technology [12] 2. Programming with unified memory [4] 3. Examples

544 views • 9 slides
The he Par Partial ial Loss ss of f Referential rential Nul ull l Su Subj bjects ects an

The he Par Partial ial Loss ss of f Referential rential Nul ull l Su Subj bjects ects an

Univ iver ersi sity ty of Texas xas Austin stin Virtual LSRL@50, July 1-3 &amp; 6-8, 2020 The he Par Partial ial Loss ss of f Referential rential Nul ull l Su Subj bjects ects an and Free Inv nver ersion sion in n Braz

663 views • 17 slides
Visualization of DNS Dependencies and More Casey Deccio Brigham Young University Graph-Based

Visualization of DNS Dependencies and More Casey Deccio Brigham Young University Graph-Based

Visualization of DNS Dependencies and More Casey Deccio Brigham Young University Graph-Based Visualization as a Tool Visual Awareness Humans see trends or more clearly identify problems Data Structures Graphical data structures

310 views • 11 slides
Roadmap 1 Thesis Objectives 2 Enhancements Propagation Loss Models Reception Criteria Frame

Roadmap 1 Thesis Objectives 2 Enhancements Propagation Loss Models Reception Criteria Frame

Accuracy Enhancements of the 802.11 Model and EDCA QoS Extensions in ns-3 Completion Talk Timo Bingmann Decentralized Systems and Network Services Research Group Institute of Telematics, University of Karlsruhe June 26, 2009 Roadmap 1 Thesis

436 views • 10 slides

More recommend