Jarkko Sakkinen
jarkko
The update I 'm still fine-tuning for dhowell's patch set is not just respin but is actually conceptually different.
I.e. from being task_struct centered into nsproxy centered, and repeated spawning that Eric Biedermann complained about (for legit reasons) is being addressed.
Containers are 1st class namespace now members managed by nsproxy to address the need of not wanting to use namespaces ;-)
I.e. from being task_struct centered into nsproxy centered, and repeated spawning that Eric Biedermann complained about (for legit reasons) is being addressed.
Containers are 1st class namespace now members managed by nsproxy to address the need of not wanting to use namespaces ;-)
0
0
0
Jarkko Sakkinen
jarkko
Edited 3 months ago
Getting there: https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/?h=container
# /usr/lib/kselftests/run_kselftest.sh -t containers:run.sh
TAP version 13
1..1
# timeout set to 45
# selftests: containers: run.sh
# create: alpha: pass
# create: beta: pass
# list/json: fetch: pass
# list/json: has alpha: pass
# list/json: has beta: pass
# list/json: has ready state: pass
# ps/json: fetch: pass
# ps/json: has alpha: pass
# ps/json: has beta: pass
# create: reject invalid name: pass
# run: no procfs without --proc: pass
# run: procfs with --proc: pass
# wait: observes termination: pass
# stop: SIGTERM exits init: pass
# stop: fails when TERM ignored: pass
# kill: SIGKILL exits init when TERM ignored: pass
# run: non-zero exit fails: pass
ok 1 selftests: containers: run.sh
# /usr/lib/kselftests/run_kselftest.sh -t containers:run.sh
TAP version 13
1..1
# timeout set to 45
# selftests: containers: run.sh
# create: alpha: pass
# create: beta: pass
# list/json: fetch: pass
# list/json: has alpha: pass
# list/json: has beta: pass
# list/json: has ready state: pass
# ps/json: fetch: pass
# ps/json: has alpha: pass
# ps/json: has beta: pass
# create: reject invalid name: pass
# run: no procfs without --proc: pass
# run: procfs with --proc: pass
# wait: observes termination: pass
# stop: SIGTERM exits init: pass
# stop: fails when TERM ignored: pass
# kill: SIGKILL exits init when TERM ignored: pass
# run: non-zero exit fails: pass
ok 1 selftests: containers: run.sh
1
0
0
Jarkko Sakkinen
jarkko
Opaque container objects can be sealed better or that can be tuned very far at least.
This has the advantage when you actually want bare metal + containers instead of bare metal + vm wrapping the containers.
I mean when you want that in *production* and don't want to worry too much of security aspects.
One example use case is to maximize the throughput in video streaming service for each node. This is the "Netflix use case" (they use FreeBSD).
This has the advantage when you actually want bare metal + containers instead of bare metal + vm wrapping the containers.
I mean when you want that in *production* and don't want to worry too much of security aspects.
One example use case is to maximize the throughput in video streaming service for each node. This is the "Netflix use case" (they use FreeBSD).
1
0
0
Jarkko Sakkinen
jarkko
A new git tidbit learned: git branch --edit-description
Read:
git config --get branch.container.description
Now git-format-patch will import it as the body of the cover-letter:
git format-patch --cover-letter master
Read:
git config --get branch.container.description
Now git-format-patch will import it as the body of the cover-letter:
git format-patch --cover-letter master
0
2
8
Jarkko Sakkinen
jarkko
I'm worried that it will be a murder to send container object patch set tbh. We'll see. Everytime I think it is ready I see something that makes me unhappy.
And even if it was right technical sense it is not high odds patch set by definition.
Especially trying to nail Al Viro's and Eric W. Biedermann's feedback to previous iteration from 2019 but I'm sure I'll miss some detail, ugh :-)
And even if it was right technical sense it is not high odds patch set by definition.
Especially trying to nail Al Viro's and Eric W. Biedermann's feedback to previous iteration from 2019 but I'm sure I'll miss some detail, ugh :-)
0
0
0
Jarkko Sakkinen
jarkko
I'm trying to figure out a name for C file containing minimal container manager (or distantly a container manager). All I can make up is kontainer.c :-/ I guess I have to fix to that then. This is for kselftest.
2
0
0
@kernellogger I was thinking first to give a shot with SGX because I know the opcodes really well but since I have already this crate [1] and TPM2 affects my life more than SGX ATM, let's try that at first :-)
[1] https://crates.io/crates/tpm2-protocol
[1] https://crates.io/crates/tpm2-protocol
0
0
0
@kernellogger For TPM2 type of devices having Rust to manage emulation is quite essential given the combination of structural complexity and cryptography in the binary protocol.
I could imagine that Rust could be also a great angle to deliver confidential computing opcodes for QEMU.
I could imagine that Rust could be also a great angle to deliver confidential computing opcodes for QEMU.
1
0
1
@kernellogger Not as many may know this but QEMU also has a nice Rust integration these days.
I implemented a feature for integrated TPM chip emulations in QEMU, and have a profile for Infienon SLB 9672 in progress. It's a half-C-half-Rust feature and so far progress has been smooth. VM sees my chip etc. and the developer experience has been surprisingly smooth :-)
I implemented a feature for integrated TPM chip emulations in QEMU, and have a profile for Infienon SLB 9672 in progress. It's a half-C-half-Rust feature and so far progress has been smooth. VM sees my chip etc. and the developer experience has been surprisingly smooth :-)
1
0
7
Jarkko Sakkinen
repeated
repeated
Thorsten Leemhuis (acct. 1/4)
kernellogger@hachyderm.ioThe #Rust support in the #Linux #kernel is now officially a first class citizen and not considered experimental any more:
https://git.kernel.org/torvalds/c/9fa7153c31a3e5fe578b83d23bc9f185fde115da; for more details, see also: https://lwn.net/Articles/1050174/
This is one of the highlights from the main #RustLang for #LinuxKernel 7.0 that was merged a few hours ago ; for others, see https://git.kernel.org/torvalds/c/a9aabb3b839aba094ed80861054993785c61462c
2
15
1
Jarkko Sakkinen
jarkko
Edited 3 months ago
I'll replace the test-container.c from the original patch set with kcontainer.c, which is a stripped down container manager, and a shell script containing the test cases.
It's really just a wrapper for container_* but should demonstrate with reasonable realism the capabilities of the kernel feature.
It's really just a wrapper for container_* but should demonstrate with reasonable realism the capabilities of the kernel feature.
0
0
0
Jarkko Sakkinen
jarkko
A new Git subcommand I was not aware of: git range-diff. It compares two versions of branch.
This came up now that I forked dhowell's container object patch set.
E.g.,
git range-diff refs/remotes/fs/container...container
This came up now that I forked dhowell's container object patch set.
E.g.,
git range-diff refs/remotes/fs/container...container
0
1
2