Ivan Velichko

DevOps Challenge of the Week - Issue #3

Published 2 months ago • 1 min read

Hey hey!

Are you ready for your next DevOps challenge?

Last week, we all witnessed yet another terrifying cyber-security event, and this time, it was a direct hit - researchers from Snyk discovered a way to break out of containers! 🤯

The vulnerability was found in the fundamental component of the containerization ecosystem - the most popular implementation of the (low-level) OCI container runtime - runc.

Notice how, on the diagram above, most high-level container runtimes actually rely on the same low-level component. Shout-out to Podman for using an alternative implementation (crun) 💪

Unfortunately, Kubernetes and its derivatives are impacted, too. Containers on the cluster nodes are managed by a CRI implementation, and unless you live in the Red Hat universe (CRI-O), it likely means the same containerd ↔ runc joint.

The problem is that even though all of us have heard of Docker, Kubernetes, and some even about containerd, runc often remains a secret hero.

The widespreadness on the one hand and the lack of awareness on the other make the Leaky Vessels breakout vulnerability particularly dangerous.

People need to know their heroes, in particular, to be aware of their weaknesses. Hence, this week's challenge - Go learn what runc is used for in the containerization ecosystem 🧐

Good luck!

Ivan Velichko

Software Engineer at day. Tech Storyteller at night. Helping people master Containers.

Read more from Ivan Velichko

Hello friends! Ivan's here - with a well overdue February roundup of all things Linux, Containers, Kubernetes, and Server-Side craft 🧙 What I was working on A lot of stuff on the dev side - not so much on the content side. But things are soon to reverse 🤞 Announcing labCTL - the long-awaited iximiuz Labs CLI A dozen people have asked me over the past year-ish if there'll be access to the playgrounds from the local terminal and not only from the browser. And while I myself wanted this feature...

about 1 month ago • 7 min read

Hello there! 👋 Debugging containerized applications is... challenging. Debugging apps that use slim variants of container images is double challenging. And debugging slim containers in hardened production environments is often close to impossible. Before jumping to the DevOps problems that I prepared for you this week, let's review a few tricks that can be used to troubleshoot containers. If the container has a shell inside, running commands in it with docker exec (or kubectl exec) is...

about 2 months ago • 1 min read

Hello friends! Ivan's here - with my traditional monthly roundup of all things Linux, Containers, Kubernetes, and Server-Side craft 🧙 What I was working on After my announcement of the iximiuz Labs GA earlier this month, the platform's usage has more than doubled, so I had to focus on the system's stability and UX. As a result, I increased observability and test coverage, added one more bare-metal server, streamlined a bunch of use cases, and fixed a few bugs. The most notable user-facing...

2 months ago • 3 min read
Share this post