Software Engineer at day. Tech Storyteller at night. Helping people master Containers.
Hi friends!
It's Ivan again, with my traditional roundup of all things around iximiuz.com.
This month was mostly about container images and container runtimes. Here is what I've got for you:
Let's get started!
SPONSORED Packages and software supply chains get compromised more and more often. So, everyone these days should be a security expert. I already confined every my project to a separate VM, but how can I know if there is some malicious activity happening inside? Learn how to use the Linux audit system in this practical post by Teleport (no marketing fluff).
β
While preparing for one of the workshops, I came up with the following visual explanation of the low-level container runtime:
If this topic sounds interesting, you can find a few useful links in this Twitter thread.
β
Might be not fully accurate, but this explanation could help get through a popular misconception:
September 24th 2022
|
β
To improve your container game π
Since (a very recent) discovery, this trick has saved me hours! Turns out, you can exec, stop, kill, remove, etc docker containers using just a short prefix of their IDs! Instead of typing (or rather copy-pasting):
docker rm b5758e341c2a
...you can just go with:
docker rm b5
Credit goes to Michael Irwin!
β
Another Docker trick that I learned on Twitter (thanks to Chris Guest). Turns out, the buildx plugin supports this for quite a while:
docker buildx build -o <some-dir> .
This is pretty powerful since it allows you to use Docker as a build system. You can find more details here (bake is the keyword to look for).
Not so much about containers, but I must share them:
β
This is a new (and quite challenging) category for me, but I'm glad I gave it a try:
β
On the blog, Twitter, ...and GitHub!
A yet another awesome list of resources? Nope, it's a list of awesome resources!
I started this GitHub project to collect links to (and thoughts about):
And I'm hoping for your contribution!
Over the past few months, I spent quite some time researching the topic of how to create decent container images. Distroless (1.0) is one of the ways. You can learn more about the limitations of the scratch base images and the pros and cons of the distroless (aka "scratch for everyone else") base images in the below Twitter thread or in a long-form write-up on my blog - What's Inside Of a Distroless Container Image: Taking a Deeper Look:
September 5th 2022
|
β
Collected a bunch of receipts in this blog article.
...is another popular misconception. Intrigued? Then read on!
For the digital archeologists (like myself), I called out on Twitter asking folks if the Docker's history is documented somewhere. The thread received lots of great replies (with some of them coming from people who are/were directly involved), shedding light on Docker's original architecture (monolith written in Go, essentially just a UX layer on top of LXC), its evolution (LXC's functionality got re-implemented in Go giving birth to, first, libcontainer, and then runc) and reshaping (containerd being factored out). Go check it out π
β
And that's all the links for today!
β
Well, I thought the previous one was big... I should probably start doing this newsletter twice a month, what do you think? Hit reply and let me know :)
β
Cheers
Ivan Velichko
β
Software Engineer at day. Tech Storyteller at night. Helping people master Containers.
Hello friends! Ivan's here - with a well overdue February roundup of all things Linux, Containers, Kubernetes, and Server-Side craft π§ What I was working on A lot of stuff on the dev side - not so much on the content side. But things are soon to reverse π€ Announcing labCTL - the long-awaited iximiuz Labs CLI A dozen people have asked me over the past year-ish if there'll be access to the playgrounds from the local terminal and not only from the browser. And while I myself wanted this feature...
Hello there! π Debugging containerized applications is... challenging. Debugging apps that use slim variants of container images is double challenging. And debugging slim containers in hardened production environments is often close to impossible. Before jumping to the DevOps problems that I prepared for you this week, let's review a few tricks that can be used to troubleshoot containers. If the container has a shell inside, running commands in it with docker exec (or kubectl exec) is...
Hey hey! Are you ready for your next DevOps challenge? Last week, we all witnessed yet another terrifying cyber-security event, and this time, it was a direct hit - researchers from Snyk discovered a way to break out of containers! π€― The vulnerability was found in the fundamental component of the containerization ecosystem - the most popular implementation of the (low-level) OCI container runtime - runc. Notice how, on the diagram above, most high-level container runtimes actually rely on the...