You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
TODO: fix this messed transcript.
We provide "Usernetes" which is experimental a distribution of rootless kubernetes. Such can be insurable and users home
You can just download binary archive from X DoCoMo's release container as usual it is and just unpack the archive and just
run run to the seeds and you can do kubectl with that miss and we also provide composed of Yammer for demonstrating shoot much of the crust or retrace kubernetes the cluster is composed of dough casinos cryo node and hinari node and the fronted by extra is enabled by . https://www.youtube.com/watch?v=mmbTeRhFlqw&t=882s
TODO:
In the most ideal scenario where we run rootless podman as non-root where both podman is running as an unprivileged user
and the processes running in the container are also running as an unprivileged user.
WARNING: Running pip as root will break packages and permissions. You should install packages reliably by using venv: https://pip.pypa.io/warnings/venv
I think one of the intentions of file system based capabilities was to allow admins to take control of their security risk profile and drop privileges of apps on their system independent of what application developers do. I suspect that the low rate of adoption for dropping privileges is because the old API made it tedious to do any task and therefore app developers just don't use it. How many apps have you seen that says you need to be root to use this program? This is because its just 1 line of code to check if you are the root user. The programmer probably knew that a specific capability was needed, but chose to take the shortcut instead. I wanted to change that by making an easy to use API. Its easier to accept a 3-4 line patch than one that adds some 20 lines of code. https://people.redhat.com/sgrubb/libcap-ng/
I like its compactness (smaller than registry.access.redhat.com/ubi8/ubi-micro:8.4!), glibc support, and most importantly, smaller attack surface for intracontainer attacks. I’d call it "semi-scratch.”
Adapted from: docker-library/official-images#10218 (comment)
The final image is only 155 MB! Also, the attack surface has been reduced. Not even DNF (or microDNF) is installed in the final image.
From: Build smaller containers
We periodically update the base image used for control plane images, but we only prioritize the upgrade for Critical and High severity CVEs.
On this specific CVE, it affects apt, but apt is only run during the image build stage for those images, so this won't affect these images running in production.
Our other significant trouble stemmed from the fact that we are running a ‘distroless’ Nix container on an Amazon Linux 2 host. The NVIDIA container runtime ‘maps’ the driver files into a filesystem location that works for standard Linux distros but not Nix, which roots all system files under /nix/. We had to patch around this by adding /usr/lib64/ to the LD_LIBRARY_PATH variable which otherwise only included /nix/store/ paths. In general, patching around software that isn’t ‘Nix aware’ is a curse of Nix that you tradeoff against Nix’s benefits.
Refs.:
https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/#running-rootless-kubernetes-directly-on-a-host
Akihiro Suda and Giuseppe Scrivano at FOSDEM 2019: Rootless Kubernetes Running Kubernetes and CRI/OCI Runtimes as an unprivileged user
List:
TODO:
https://youtu.be/ZgXpWKgQclc?t=283
Today (05/17/2021) at work:
TODO:
TODO:
About distroless OCI image:
Linux Processes and the proc File System
TODO: create a MWE kubernetes/kubernetes#67014 (comment)
Related: https://github.com/NixOS/nixpkgs/blob/2cbc110abba6712d7a3d133391dfe6acafc14370/nixos/modules/profiles/hardened.nix
The race to secure Kubernetes at run time
The text was updated successfully, but these errors were encountered: