scratch

GitChronicler: write commit messages with AI

Wed, 30 Apr 2025 16:12:00 +0200

I started working on GitChronicler mostly to learn how I could integrate AI into my workflow in a way that would actually spare me doing boring stuff, like writing the git commit message.

why do I have two /sys/fs/cgroup in my container

Fri, 26 Jan 2024 14:12:00 +0200

it happened a few times in the past that users wonder why they see two /sys/fs/cgroup mounts in their unprivileged container.

hide the current process executable file

Wed, 21 Dec 2022 22:15:00 +0200

I have been working on a new functionality for the prctl syscall utility that addresses a common security concern with container runtimes.

the journey to speed up running OCI containers

Wed, 21 Sep 2022 16:30:00 +0200

When I’ve started working on crun, I was looking at a faster way to start up and stop containers by improving the OCI runtime, the component in the OCI stack that is responsible to ultimately talk to the kernel and setting the environment where the container runs.

an interesting issue handling the seccomp listener

Mon, 05 Sep 2022 21:59:12 +0200

an interesting issue was opened for crun a couple of days ago.

composefs - a file system for container images

Tue, 26 Oct 2021 16:02:56 +0200

For the last couple of weeks, I’ve been playing on PoC implementation of a file system for the Linux kernel.

seccomp made easy

Sat, 30 Jan 2021 21:10:14 +0200

seccomp is a kernel feature that restricts what syscalls can be used by a process.

Almost every container runs with seccomp enabled to restrict its access to syscalls.

cgroup v2 OOM group

Fri, 14 Aug 2020 19:49:32 +0200

One annoying issue with setting a memory limit for a container is that the OOM killer kernel process can leave the container in an inconsistent state with only some processes terminated.

playing with seccomp notifications in the OCI runtime

Mon, 10 Aug 2020 10:40:19 +0200

A couple weekends ago I’ve played with seccomp user notifications and how they can be used in the OCI containers stack.

Seccomp user notifications are a powerful Linux kernel feature, that delegates syscalls handling to a userland program.

avoid a memory page allocation on mount(2)

Fri, 27 Dec 2019 16:16:33 +0000

While working on crun, I got surprised by how much time the kernel spent in the copy_mount_options function.

run containers without pulling images

Thu, 24 Oct 2019 18:37:23 +0000

CRFS is a Google project that aims at running a container without pre-pulling the image first.

crun moved to github.com/containers

Mon, 12 Aug 2019 09:54:25 +0000

the giuseppe/crun github project was moved under https://github.com/containers/crun.

Similarly libocispec, used internally by crun for parsing the OCI configuration file was moved to https://github.com/containers/libocispec

rootless resources management with Podman on Fedora 30

Sun, 12 May 2019 20:36:59 +0000

I have finally opened some PRs for conmon and libpod that enable resources management for Podman rootless containers on Fedora 30 when using crun.

resources management with rootless containers and cgroups v2

Tue, 26 Feb 2019 21:22:10 +0000

cgroups v2 will finally allow unprivileged users to manage a cgroup hierarchy in a safe manner without requiring any additional permission.

rootless containers @ devconf.cz

Sun, 24 Feb 2019 22:26:15 +0000

The video is finally available on YouTube.

https://www.youtube.com/watch?v=jMOHfCw0DV8

If you are interested in the slides, they are available here:

https://www.slideshare.net/AkihiroSuda/rootless-containers

SUID binaries from a user namespace

Thu, 10 Jan 2019 21:49:30 +0000

Additional IDs that are allocated to a user through /etc/subuid and /etc/subgid must be considered as permanently allocated and never reused for any other user.

Even if the container/user namespace where they are used is destroyed, it is possible to forge a SUID binary that will keep access to any ID present in the user namespace.

This simple C program is enough to keep access to an UID that was allocated to a user namespace:

disposable rootless sessions

Wed, 09 Jan 2019 22:01:08 +0000

would be nice to have a way to “fork” the current session and be able to revert all the changes done, without any leftover on the file system.

Playing with fuse-overlayfs, a FUSE implementation of the overlay file system and thus usable by rootless users, I realized how that is so easy to achieve, just by setting the overlay lowerdir to ‘/’ and using a temporary directory for the upper dir.

An Emacs mode for rust

Tue, 18 Dec 2018 20:57:11 +0000

I was looking for an Emacs mode that could help me to hack on rust.

Rust-mode itself has not enough features to help me with a language I am not really proficient with yet.

rootless podman from upstream on Centos 7

Fri, 12 Oct 2018 09:14:21 +0000

this is the recipe I use to build podman from upstream on Centos 7 and use rootless containers. We need an updated version of the shadow utils as newuidmap and newgidmap are not present on Centos 7. Using make install is not the correct way to install packages, and it will also overwrite existing The shadow utils are installed using “make install” which is not the clean way to install packages and it also overwrite the existing binaries, but it is fine on a development system. Podman is already present on Centos 7 and in facts we install it so we don’t have to worry about conmon and other dependencies.

network namespaces for unprivileged users

Sun, 05 Aug 2018 13:54:44 +0000

a couple of weekends ago I’ve played with libslirp and put together slirp-forwarder.

SliRP emulates in userspace a TCP/IP stack. It can be used to circumvent the limitation of creating TAP/TUN devices in the host namespace for an unprivileged user. The program could run in the host namespace, receive messages from the network namespace where a TAP device is configured, and forward them to the outside world using unprivileged operations such as opening another connection to the destination host. Privileged operations are still not possible outside of the emulated network, as the helper program doesn’t gain any additional privilege that running as an unprivileged user.

become-root in an user namespace

Thu, 19 Jul 2018 08:28:06 +0000

I’ve cleaned up some C files I was using locally for hacking with user namespaces and uploaded them to a new repository on github: https://github.com/giuseppe/become-root.

Creating an user namespace can be easily done with unshare(1) and get the current user mapped to root with unshare -r COMMAND but it doesn’t support the mapping of multiple uids/gids. For doing that it is necessary to use the suid newuidmap and newgidmap tools, that allocates multiple uids/gids to unprivileged users accordingly to the configuration files:

fuse-overlayfs moved to github.com/containers

Fri, 13 Jul 2018 22:00:59 +0000

The project I was working on in the last weeks was moved under the github.com/containers umbrella.

With Linux 4.18 it will be possible to mount a FUSE file system in an user namespace. fuse-overlayfs is an implementation in user space of the overlay file system already present in the Linux kernel, but that can be mounted only by the root user. Union file systems were around for a long time, allowing multiple layers to be stacked on top of each other where usually the last one is the only writeable.
Overlay is an union file system widely used for mounting OCI image. Each OCI image is made up of different layers, each layer can be used by different images. A list of layers, stacked on each other gives the final image that is used by a container. The last level, that is writeable, is specific for the container. This model enables different containers to use the same image that is accessible as read-only from the lower layers of the overlay file system.

Current status (and problems) of running Buildah as non root

Sun, 25 Feb 2018 13:59:14 +0000

Having Buildah running in an user namespace opens the possibility of building container images as a not root user. I’ve done some work to get Buildah running in an user container.

There are still some open issues to get it fully working. The biggest open one is that overlayfs cannot be currently used as non root user. There is some work going on, but this will require changes in the kernel and the way extended attributes work for overlay. The alternative is far from ideal and it is to use the vfs storage driver, but it is a good starting point to get things moving and see how far we get. (Another possibility that doesn’t require changes in the kernel would be an OSTree storage for Buildah, but that is a different story).

New COPR repository for crun

Wed, 15 Nov 2017 19:25:46 +0000

I made a new COPR repository for CRUN so that it can be easily tested on Fedora:

https://copr.fedorainfracloud.org/coprs/gscrivano/crun/

To install crun on Fedora, it is enough to:

a recent change in the atomic tool, which didn’t still get into a release, allows to easily override the OCI runtime for system containers. Assuming you are using atomic from the upstream repository, you can use crun as:

C is a better fit for tools like an OCI runtime

Mon, 23 Oct 2017 21:21:19 +0000

I’ve spent some of the last weeks working on a replacement for runC, the most used/known OCI runtime for running containers. It might not be very well known, but it is a key component for running containers. Every Docker container ultimately runs through runC.

Having containers running through some common specs allow some pieces to be replaced without having any difference in behavior.

The OCI runtime specs describe how a container looks like once it is running, for instance it lists all the mount points, the capabilities left to the process, the process that must be executed, the namespaces to create and so on.

OpenShift on system containers

Thu, 23 Feb 2017 18:26:43 +0000

It is still an ongoing work not ready for production, but the upstream version of OpenShift origin has already an experimental support for running OpenShift Origin using system containers. The “latest” Docker image for origin, node and openvswitch, the 3 components we need, are automatically pushed to docker.io, so we can use these for our test. The rhel7/etcd system container image instead is pulled from the Red Hat registry.

This demo is based on these blog posts www.projectatomic.io/blog/2016/12/part1-install-origin-on-f25-atomic-host/ and www.projectatomic.io/blog/2016/12/part2-install-origin-on-f25-atomic-host/ with some differences for the provision of the VMs and obviously running system containers instead of Docker containers.

System containers presentation

Mon, 30 Jan 2017 18:41:37 +0000

Here the slides for the Atomic System Containers talk I gave at Devconf.cz 2017:

http://scrivano.org/static/system-containers-demo/

If you are interested in the video, it is on YouTube:

https://www.youtube.com/watch?v=yQZiRWWEPYo

Facebook detox?

Tue, 27 Dec 2016 20:52:47 +0000

I have been using Facebook for the last years to fill every dead time:waiting for the bus, ads on TV, compiling, etc. The quality of the information coming from Facebook is inferior to any other social network, at least to my experience (it can be I follow/know the wrong people), though the part of the brain that controls procrastination seems addicted to this lower quality information and the chattering there. Also, I don’t want to simply delete my Facebook account and move on, most of the people I know are present only there, neither I want to be more “asocial”.

use bubblewrap as an unprivileged user to run systemd images

Sat, 22 Oct 2016 13:21:25 +0000

bubblewrap is a sandboxing tool that allows unprivileged users to run containers. I was recently working on a way to allow unprivileged users, to take advantage of bubblewrap to run regular system images that are using systemd. To do so, it was necessary to modify bubblewrap to keep some capabilities in the sandbox.

Capabilities are the way, since Linux 2.2, that the kernel uses to split the root power into a finer grained set of permissions that each thread can have. Together with Linux namespaces it is fine to leave unprivileged users the possibility to use some of them. To give an example, CAP_SETUID, which allows the calling process to make manipulations of process UIDs, is fine to be used in a new user namespace as the set of permitted UIDs is restricted to those UIDs that exist in the new user namespace.

Brainfucd brainfk

Wed, 11 May 2016 21:15:43 +0000

Every programmer at some point gets in touch with the Brainfuck programming language and how surprising is that very few instructions are needed to have a Turing complete language, 6 is the case of Brainfuck (plus other 2 for I/O operations).

I have recently found an old project of mine that I have used to learn how to write a GCC frontend, it took a while to adapt it to work with a newer GCC version. The code is available on github. The only positive side of this project, if any, is that it can be easily used as a starting point on how to add a frontend to GCC, or in this case, to compile a Brainfuck interpreter written in Brainfuck!

Refactoring a function name across several patches with git rebase

Fri, 22 Apr 2016 17:32:23 +0000

git rebase is one of my favorite git commands. It allows to update a set of local patches against another git branch and also to rework, trough the -i flag some previous patches.

The problem I had to deal with was quite simple, rename a function called notProperPythonCode to proper_python that was defined in the first patch and be sure that all other patches are using the correct name. The –exec flag allows to run a custom script after each patch is applied, so that I could run sed to process the Python files and replace the old function name with the new one. The process is quite simple, except that such changes would trigger a lot of merge conflicts, trivial to solve but quite annoying.
Fortunately git rebase allows to choose what merge strategy must be adopted for solving conflicts, the theirs strategy in case of a conflict, will take the previous version of the patch and silently use it. That is fine for this simple substitution case, where we process each file ending by *.py in the repository.

System containers for Atomic

Thu, 24 Mar 2016 15:41:50 +0000

The main reason behind system containers was the inability to run Flannel in a Docker container as Flannel is required by Docker itself. CoreOS solved this chicken and egg problem by using another instance of Docker (called early-docker) that is used to setup only Etcd and Flannel.

Differently, Atomic system containers will be managed by runc and systemd.

The container images, even though being served through the Docker v2 registry, are slighty different than a regular Docker container in order to be used by Atomic. The installer expects that some files are present in the container rootfs under /exports, the OCI spec file for running the Runc container and the unit file for Systemd. Both these files are templates and some values are replaced by the installer.
The communication with the Docker registry is done through Skopeo, that is used internally by the atomic cli tool.

ostree-docker-builder

Wed, 30 Sep 2015 13:25:56 +0000

rpm-ostree, used together with OStree, is a powerful tool to generate immutable images for .rpm based systems, why not to use it for generating Docker images as well?

rpm-ostree already supports the generation of a Docker container tree, that can be feed to Docker almost as it is; ostree-docker-builder instead is a new tool to make this task simpler.

The following JSON description is enough to create an Emacs container using rpm-ostree based on Fedora-22.

Summer of Code 2015 for wget

Thu, 30 Apr 2015 21:40:25 +0000

coming as a surprise, this year we have got 4 students to work full-time during the summer on wget. More than all the students who have ever worked for wget before during a Summer of Code!

The accepted projects cover different areas: security, testing, new protocols and some speed-up optimizations. Our hope is that we will be able to use the new pieces as soon as possible, this is why we ask students to keep their code always rebased on top of the current wget development version.

Create a QCOW2 image for Fedora 22 Atomic

Mon, 20 Apr 2015 15:50:30 +0000

This tutorial shows how to create a QCOW2 image that can directly imported via virt-install to test out Fedora 22 Atomic starting from a custom OStree repo.

To create the image, we are going to use both rpm-ostree and rpm-ostree-toolbox. Ensure they are installed as well as Docker, libvirtd and Vagrant-libvirt.

The first phase consists in generating the OStree repo that is going to be used by the image. We can use directly the files from the fedora-atomic project as:

How to deploy a WordPress Docker container using docker-compose

Sun, 19 Apr 2015 23:25:49 +0000

These are the steps to setup the current website in a Docker container:

wget -O- https://github.com/docker/compose/releases/download/1.2.0/docker-compose-`uname -s`-`uname -m` &gt; /usr/local/bin/docker-compose

mkdir wordpress
cd wordpress

db:
  image: mysql:5.5
  environment:
    MYSQL_ROOT_PASSWORD: "A VERY STRONG PASSWORD"
web:
  image: wordpress:latest
  ports:
    - "80:80"
  links:
    - db:mysql

`1`	`/usr/local/bin/docker-compose up`

*scratch*