The Windows APIs GetWriteWatch() and ResetWriteWatch() are used to atomically get and clear the write-tracking state of any number of pages in memory. Only the kernel can keep track of this state efficiently, through the memory management component. The Linux kernel lacked this support.
The soft-dirty PTE flag was used initially, but it had to be left alone because of its shortcomings and no way to...
This talk aims to move forward the discussion about an extension of user namespaces that allows the usage of host-isolated (non-mapped) UID/GID. This topic was raised by Stéphane Graber and Christian Brauner originally in [1] and [2]. Stéphane and I would like to share some new results and discuss difficulties with the Linux kernel community.
Some highlights:
- extension of kuid_t/kgid_t...
Building trust in containerized environments requires the measurement and attestation of individual containers. The Linux Integrity Measurement Architecture (“IMA”) collects and stores file integrity measurements in a non-repudiable log. These measurements are used during remote attestation to verify system integrity and extend trust from the kernel to measured files. File measurements cannot,...
During this talk we want to discuss the idea of FUSE API extension that can be useful for fuse mounts healing and Checkpoint/Restore.
Last year I gave a talk [1] about the first steps of making FUSE support in CRIU. This time we want to continue this discussion and cover another (but close) problem. The problem of fuse mount “healing”. It is a very actual problem for the LXC project where...
Enterprise distributions are finally transitioning to cgroup v2 as the default [1][2]. But as has been discussed in previous Linux Plumbers Conferences [3][4], the transition from cgroup v1 to cgroup v2 has not been seamless for userspace applications.
Some (simpler) enterprise applications have been able to utilize systemd service files to manage their cgroup needs, but larger and more...
With the recent integration of container checkpointing in Kubernetes, it is crucial to protect the captured container state in order to maintain the confidentiality and integrity of application data. In this talk, we are going to discuss a built-in mechanism for providing data security by default through asymmetric encryption of CRIU images. By extending CRIU with encryption capabilities, we...