Description
The Containers micro-conference at LPC is the opportunity for runtime maintainers, kernel developers and others involved with containers on Linux to talk about what they are up to and agree on the next major changes to kernel and userspace.
Stéphane Graber (Canonical Ltd.), 13/11/2018, 09:00

Joel Nider (IBM), Mike Rapoport (IBM), 13/11/2018, 09:15
As part of an ongoing research project we have added several features to CRIU: post-copy memory migration, post-copy migration over RDMA and support for cross-architecture checkpoint-restore.
The "plain" post-copy migration is already upstream and, up to hiccups that regularly show up in CI, it can be considered working, so there is not much to discuss about it.
The post-copy migration over...
Casey Schaufler (Intel), John Johansen (Canonical), 13/11/2018, 09:50
Last year we discussed the efforts to bring stacking and namespacing to the LSM subsystem. Over the last year several of the outstanding issues have been resolved (if not always in the most satisfactory way). The path forward for upstreaming stacking is now clear.
This presentation will discuss solutions to outstanding problems and the current direction for upstreaming LSM stacking. As well...
Kamil Yurtsever (Google), Shakeel Butt (Google), 13/11/2018, 10:10
Google has a large cgroup v1 deployment and has begun planning our migration to cgroup v2. This migration has proven difficult because of our extensive use of cgroup v1 features.
Among the most challenging issues are the transition from multiple hierarchies to a unified one, migration of users who create their own cgroups, custom threaded cgroup management and the lack of ability to...
Andrei Vagin, Dmitry Safonov (Arista Networks), 13/11/2018, 11:00
Discussions around a time namespace have been going on for a long time. The first attempt to implement it was in 2006. Since then, the topic has appeared on and off in various discussions.
There are two main use cases for time namespace:
1. change date and time inside a container;
2. adjust clocks for a container restored from a checkpoint.
“It seems like this might be one of the last major obstacles...

Christian Brauner (Canonical), 13/11/2018, 11:35
Currently, container runtimes are faced with a large attack surface when it comes to a malicious container guest. The most obvious attack surface is the filesystem, and the wide variety of filesystem races and other such tricks that can be used to trick a container runtime into accessing files it shouldn't. To tackle this, most container runtimes have come up with the necessary userspace hacks...
Adrian Reber (Red Hat), 13/11/2018, 11:55
The Linux Plumbers Conference, being the place where most CRIU developers and users regularly meet and exchange news and ideas, has traditionally had an overview talk about what has happened in and around CRIU since the previous Linux Plumbers Conference.
As the checkpoint and restore micro-conference is now part of the containers micro-conference, we still want to keep this 'tradition' as it gives us...
Christian Brauner (Canonical), Ram Pai (IBM), 13/11/2018, 14:00
The pivot_root() operation is an essential step in virtualizing a container's root directory. Current pivot_root() semantics require that a mountpoint is not a shared mountpoint. If it is, the pivot_root() operation will not be allowed. However, some containers need to have a virtualized root directory while at the same time having the root directory be a shared mountpoint. This is necessary...

Andy Tucker (Google), 13/11/2018, 14:35
This talk focuses on our use of CRIU for transparent checkpoint/restore task migrations within Google's shared compute infrastructure. This project began as a means to simplify user applications and increase utilization in our clusters. We've now productionized a sizable deployment of our CRIU-based task migration infrastructure. We'll present our experiences using CRIU at Google, including...
Rahul Yadav (Oracle), 13/11/2018, 14:55
System resource information, like memory, network and device statistics, is crucial for system administrators to understand the inner workings of their systems, and is increasingly being used by applications to fine-tune performance in different environments.
Getting system resource information on Linux is not a straightforward affair. The best way is to collect the information from procfs...
Radoslaw Burny (Google), 13/11/2018, 15:15
While deploying a CRIU-based transparent checkpoint/restore task migration infrastructure at Google, one of the toughest challenges we faced was security. The infrastructure views the applications it runs as inherently untrusted, yet CRIU requires expansive privileges at times in order to successfully checkpoint and restore workloads. We found many cases where malignant workloads could trick...
Seth Forshee (Canonical), 13/11/2018, 16:00

Tom Hromatka (Oracle), 13/11/2018, 16:25
Several in-house Oracle customers have identified that their large seccomp filters are slowing down their applications. Their filters largely consist of simple allow/deny logic for many syscalls (306 in one case) and for the most part don't utilize argument filtering.
Currently libseccomp generates an if-equal statement for each syscall in the filter. Its pseudocode looks roughly like...
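The following is an added example written for this page; it is not libseccomp's code generator and not code from the talk. It contains a minimal classic-BPF interpreter and two ways of compiling the same syscall allow-list into a seccomp filter: build_linear() mirrors the "one if-equal statement per syscall" shape the abstract describes, and build_tree(), a binary search over the sorted syscall numbers, is an assumed alternative used only for comparison (the page does not say what the talk proposes). The 306-entry allow-list is constructed for the demonstration and is not any architecture's real syscall table, and seccomp_data is modelled as just the nr field.

```c
/* Added example (not libseccomp's generator, not from the talk): a tiny classic-BPF
 * interpreter plus two compilers for a syscall allow-list. build_linear() is the
 * "one if-equal per syscall" shape the abstract describes; build_tree() is an
 * assumed alternative (binary search) used only for comparison. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LD_ABS 0x20 /* BPF_LD|BPF_W|BPF_ABS:  A = data[k]; k = 0 is seccomp_data.nr */
#define JEQ_K  0x15 /* BPF_JMP|BPF_JEQ|BPF_K: pc += 1 + (A == k ? jt : jf)          */
#define JGT_K  0x25 /* BPF_JMP|BPF_JGT|BPF_K: pc += 1 + (A > k ? jt : jf)           */
#define JA     0x05 /* BPF_JMP|BPF_JA:        pc += 1 + k (32-bit offset)           */
#define RET_K  0x06 /* BPF_RET|BPF_K:         return k                              */
#define SECCOMP_RET_ALLOW 0x7fff0000u
#define SECCOMP_RET_KILL  0x00000000u

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct prog { struct insn *insns; size_t len; }; /* callers size insns exactly */

static size_t emit(struct prog *p, uint16_t code, uint8_t jt, uint8_t jf, uint32_t k) {
    p->insns[p->len] = (struct insn){ code, jt, jf, k };
    return p->len++;
}

/* Evaluate one syscall number; *steps gets the instruction count, the cost at issue. */
static uint32_t run(const struct prog *p, uint32_t nr, unsigned *steps) {
    uint32_t A = 0; size_t pc = 0; unsigned n = 0;
    while (pc < p->len) {
        const struct insn *i = &p->insns[pc]; n++;
        switch (i->code) {
        case LD_ABS: A = (i->k == 0) ? nr : 0; pc++; break; /* only nr is modelled */
        case JEQ_K:  pc += 1 + ((A == i->k) ? i->jt : i->jf); break;
        case JGT_K:  pc += 1 + ((A > i->k) ? i->jt : i->jf); break;
        case JA:     pc += 1 + i->k; break;
        case RET_K:  if (steps) *steps = n; return i->k;
        default:     abort();
        }
    }
    abort(); /* ran off the end: malformed filter */
}

/* Linear chain: "if (nr == X) return ALLOW;" per syscall, then a default deny. */
static struct prog build_linear(const uint32_t *nrs, size_t n) {
    struct prog p = { calloc(2 * n + 2, sizeof(struct insn)), 0 };
    if (!p.insns) abort();
    emit(&p, LD_ABS, 0, 0, 0);
    for (size_t i = 0; i < n; i++) {
        emit(&p, JEQ_K, 0, 1, nrs[i]); /* match: fall into ALLOW; miss: skip it */
        emit(&p, RET_K, 0, 0, SECCOMP_RET_ALLOW);
    }
    emit(&p, RET_K, 0, 0, SECCOMP_RET_KILL);
    return p;
}

/* Binary search over s[lo, hi): test the pivot, then branch on nr > pivot. JA carries
 * a 32-bit offset, so subtrees longer than 255 instructions need no 8-bit jt/jf. */
static void emit_tree(struct prog *p, const uint32_t *s, size_t lo, size_t hi) {
    if (lo == hi) { emit(p, RET_K, 0, 0, SECCOMP_RET_KILL); return; }
    size_t mid = lo + (hi - lo) / 2;
    emit(p, JEQ_K, 0, 1, s[mid]);
    emit(p, RET_K, 0, 0, SECCOMP_RET_ALLOW);
    emit(p, JGT_K, 0, 1, s[mid]);    /* greater: take the JA; smaller: fall into left */
    size_t ja = emit(p, JA, 0, 0, 0); /* patched once the left subtree's size is known */
    emit_tree(p, s, lo, mid);
    p->insns[ja].k = (uint32_t)(p->len - (ja + 1));
    emit_tree(p, s, mid + 1, hi);
}
static int cmp_u32(const void *a, const void *b) {
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b; return (x > y) - (x < y);
}
static struct prog build_tree(const uint32_t *nrs, size_t n) {
    uint32_t *s = malloc(n * sizeof *s); if (!s) abort();
    memcpy(s, nrs, n * sizeof *s);
    qsort(s, n, sizeof *s, cmp_u32);
    struct prog p = { calloc(5 * n + 2, sizeof(struct insn)), 0 }; /* n*4 + (n+1) + 1 */
    if (!p.insns) abort();
    emit(&p, LD_ABS, 0, 0, 0);
    emit_tree(&p, s, 0, n);
    free(s);
    return p;
}

struct cmp_result { size_t lin_len, tree_len; unsigned lin_worst, tree_worst; int agree; };

/* Constructed allow-list of n numbers (not a real syscall table); compare both filters. */
static struct cmp_result compare_filters(size_t n, uint32_t max_nr) {
    uint32_t *nrs = malloc(n * sizeof *nrs); if (!nrs) abort();
    for (size_t i = 0; i < n; i++) nrs[i] = (uint32_t)(i + i / 3); /* skips every 4th number */
    struct prog lin = build_linear(nrs, n), tree = build_tree(nrs, n);
    struct cmp_result r = { lin.len, tree.len, 0, 0, 1 };
    for (uint32_t nr = 0; nr <= max_nr; nr++) {
        unsigned sl = 0, st = 0;
        if (run(&lin, nr, &sl) != run(&tree, nr, &st)) r.agree = 0;
        if (sl > r.lin_worst) r.lin_worst = sl;
        if (st > r.tree_worst) r.tree_worst = st;
    }
    free(nrs); free(lin.insns); free(tree.insns);
    return r;
}

int main(void) {
    struct cmp_result r = compare_filters(306, 512); /* 306 syscalls, as in the abstract */
    printf("linear: %zu insns, worst %u steps; tree: %zu insns, worst %u steps; agree: %d\n",
           r.lin_len, r.lin_worst, r.tree_len, r.tree_worst, r.agree);
    return r.agree ? 0 : 1;
}
```

With 306 allowed syscalls the linear chain costs 308 executed instructions for a syscall that misses every rule (and the same for the last allowed one), because every syscall not matched early walks the whole chain. The binary search bounds the cost by the tree depth, nine comparisons here, so no syscall number executes more than 29 instructions, at the price of a larger program (the kernel limits a filter to BPF_MAXINSNS = 4096 instructions, which still fits). Both filters return identical verdicts for every number checked.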
Christian Brauner, 13/11/2018, 16:45
On non-embedded systems device management in Linux is a task split between kernelspace and userspace. Since the implementation of the devtmpfs pseudo filesystem the kernel is solely responsible for creating device nodes while udev in userspace is mainly responsible for consistent device naming and permissions. The devtmpfs filesystem however is not namespace aware. As such devices always...
Stéphane Graber (Canonical Ltd.), 13/11/2018, 17:20

