Blog Atom Feed

Inside these pages you will find a collection of my personal ramblings (including security disclosures, my thoughts on various topics, and anything else that I feel like writing about). All of the opinions stated here are solely my own, and are released under the Creative Commons BY-SA 4.0 license.

The Road to OCIv2 Images: What's Wrong with Tar? Aleksa Sarai, 21 January 2019.

The need for a better container image format has been fairly self-apparent for a long time, but there hasn't been a solid effort to redesign how container images should operate. Most container image formats are based on tar, which at first glance may seem like a reasonable choice. In this first part of a series of articles that outline the design of "OCIv2 images", I hope to dissuade you of this notion.

containers oci ociv2-images rant

Generating Coverage Profiles for Golang Integration Tests Aleksa Sarai, 12 April 2017.

While Go's system for unit tests is very seamless and full-featured, allowing for coverage reports to be generated as well as various other cool features, the integration testing story is far less full-featured. In particular, most projects don't use go test for integration tests and thus don't have a full picture of how their entire test suite stands in terms of code coverage.

free software golang testing

umoci: a New Tool for OCI Images Aleksa Sarai, 29 November 2016.

Very recently, I've been working on implementing the required tooling for creating and modifying Open Container Initiative images without needing any external components. The tool I've written is called umoci and is probably one of the more exciting things I've worked on in the past couple of months. In particular, the applications of umoci when it comes to SUSE tooling like the Open Build Service or KIWI is what really makes it exciting.

containers free software kiwi oci suse

Adventures into ptrace(2) Hell Aleksa Sarai, 03 July 2016.

As part of my work on rootless containers, I found that many tools try to drop privileges. This makes those tools break inside rootless containers, so I spent a week or two working on a tool that allows users to shim out all of the "drop privileges" syscalls. Here is documented the pain that I went through while figuring out how ptrace(2) is meant to work.

containers free software rant runc suse

Rootless Containers with runC Aleksa Sarai, 27 June 2016.

There has been a lot of work within the runC community recently to get proper "rootless containers". I've been working on this for a couple of months now, and it looks like it's ready. This will be the topic of my talk at ContainerCon Japan 2016.

containers free software runc suse

Debugging why ping was Broken in Docker Images Aleksa Sarai, 04 March 2016.

All complicated bugs start with the simplest of observations. I recently was assigned a bug on our openSUSE Docker images complaining that ping didn't work. After a couple of days of debugging, I was taken into a deep and dark world where ancient Unix concepts, esoteric filesystem features and new kernel privilege models culminate to produce this bug. Strap yourself in, this is going to be a fun ride.

bugs docker free software kernel kiwi suse

Dockerinit and Dead Code Aleksa Sarai, 21 January 2016.

After running into insane amounts of very weird issues with gccgo with Docker, some of which were actual compiler bugs, someone on my team at SUSE asked the very pertinent question "just exactly what is dockerinit, and why are we packaging it?". I've since written a patch to remove it, but I thought I'd take the time to talk about dockerinit and more generally dead code (or more importantly, code that won't die).

docker free software programming suse

Docker Internals and Implementing Rebase Aleksa Sarai, 12 December 2015.

SUSE's semi-annual Hackweek was last week and I decided to work on implementing docker rebase, mainly to learn about the internal image format of Docker and see whether it was possible to improve how the updating of Docker images works in practice (either rebuilding or zypper-docker).

docker free software hackweek suse

Android Compilation Headaches Aleksa Sarai, 28 November 2015.

I've spent the last week of my life trying to build TWRP, which requires having a full, and working Android build environment. With the emphasis on working, I've had just about enough of the stupidity of the Android build system. Every guide is incomplete or out of date, the build system is broken in every possible way and nobody can explain what is going on. Here's my experience with trying to build Android and hopefully will help somebody realise the futility of trying to build a project with such a complicated build system.

android free software rant

Tuple Unpacking Oddness Aleksa Sarai, 01 September 2015.

While working on tutoring the NCSS Challenge, I found a very interesting oddity of Python's tuple unpacking execution order. While it turns out this is very well documented, it isn't very intuitive (as with most edge cases in languages).

programming python