Building labs.iximiuz.com - a place to help you learn Containers and Kubernetes the fun way 🚀
DevOps Challenge of the Week - Issue #3
Hey hey!
Are you ready for your next DevOps challenge?
Last week, we all witnessed yet another terrifying cyber-security event, and this time, it was a direct hit - researchers from Snyk discovered a way to break out of containers! 🤯
The vulnerability was found in the fundamental component of the containerization ecosystem - the most popular implementation of the (low-level) OCI container runtime - runc.
Notice how, on the diagram above, most high-level container runtimes actually rely on the same low-level component. Shout-out to Podman for using an alternative implementation (crun) 💪
Unfortunately, Kubernetes and its derivatives are impacted, too. Containers on the cluster nodes are managed by a CRI implementation, and unless you live in the Red Hat universe (CRI-O), it likely means the same containerd ↔ runc joint.
The problem is that even though all of us have heard of Docker, Kubernetes, and some even about containerd, runc often remains a secret hero.
The widespreadness on the one hand and the lack of awareness on the other make the Leaky Vessels breakout vulnerability particularly dangerous.
People need to know their heroes, in particular, to be aware of their weaknesses. Hence, this week's challenge - Go learn what runc is used for in the containerization ecosystem 🧐
Good luck!
Ivan Velichko
Building labs.iximiuz.com - a place to help you learn Containers and Kubernetes the fun way 🚀
Hey there 👋 I spent a few weeks deep diving into cgroup v2, and I'm happy to share my findings with you! Everyone knows that Docker and Kubernetes use cgroups to limit the resources of containers and Pods. But did you know that it's very easy to run an arbitrary Linux process in a cgroup using much more basic tools? The only kernel's interface for cgroups is the virtual filesystem called cgroupfs typically mounted at /sys/fs/cgroup. Creating folders there and writing to files in them is...
Hello friends! Ivan's here with the June roundup of all things Linux, Containers, Kubernetes, and Server-Side craft 🧙 What I was working on The first two lessons (and a few challenges) of my "Alternative Introduction to Dagger" course have not sparked much interest among my students, so I had to put this work on pause. With a heavy heart, though, because I do like Dagger, and I was enjoying working on the content about it. But no interest means fewer iximiuz Labs Premium subscribers, and I...
Hello friends! It's time for my traditional monthly roundup of all things Linux, Containers, Kubernetes, and Server-Side craft 🧙 Before we get started, I want you to know that this newsletter's previous issue (dispatched mid-May) was delivered to only about 1/5th of my usual email audience due to an unfortunate DNS misconfiguration. The good news is that you can still find it and all previous issues on newsletter.iximiuz.com. Also, if you reply to this email, it'd help to restore the domain's...