Cyphar's Bloghttps://www.cyphar.com/blog/tag/suse/posts.atom2016-12-20T19:20:00ZAleksa SaraiThe wild ramblings of Aleksa Sarai.Copyright (C) 2014-2020 Aleksa Sarai. Licensed under CC-BY-SA 4.0.Werkzeugumoci: a New Tool for OCI Imageshttps://www.cyphar.com/blog/post/20161129-umoci-new-oci-image-tool2016-12-16T18:15:00Z2016-11-29T15:30:00ZAleksa Sarai<p>Very recently, I've been working on implementing the required tooling for creating and modifying <a href="https://www.opencontainers.org/">Open Container Initiative</a> images without needing any external components. The tool I've written is called <code>umoci</code> and is probably one of the more exciting things I've worked on in the past couple of months. In particular, the applications of <code>umoci</code> when it comes to SUSE tooling like the <a href="http://openbuildservice.org/">Open Build Service</a> or <a href="https://suse.github.io/kiwi/">KIWI</a> is what really makes it exciting.</p>Adventures into ptrace(2) Hellhttps://www.cyphar.com/blog/post/20160703-remainroot-ptrace-hell2016-07-03T19:00:00Z2016-07-03T19:00:00ZAleksa Sarai<p>As part of my work on <a href="/blog/rootless-containers-with-runc">rootless containers</a>, I found that many tools try to drop privileges. This makes those tools break inside rootless containers, so I spent a week or two working on a tool that allows users to shim out all of the "drop privileges" syscalls. Here is documented the pain that I went through while figuring out how <code>ptrace(2)</code> is meant to work.</p>Rootless Containers with runChttps://www.cyphar.com/blog/post/20160627-rootless-containers-with-runc2016-06-27T17:00:00Z2016-06-27T21:05:00ZAleksa Sarai<p>There has been a lot of work within the runC community recently to get proper "rootless containers". I've been working on this for a couple of months now, and it looks like it's ready. This will be the topic of my talk at ContainerCon Japan 2016.</p>Debugging why ping was Broken in Docker Imageshttps://www.cyphar.com/blog/post/20160304-docker-broken-ping2016-12-20T19:20:00Z2016-03-04T21:05:00ZAleksa Sarai<p>All complicated bugs start with the simplest of observations. I recently was assigned a bug on our openSUSE Docker images complaining that <code>ping</code> didn't work. After a couple of days of debugging, I was taken into a deep and dark world where ancient Unix concepts, esoteric filesystem features and new kernel privilege models culminate to produce this bug. Strap yourself in, this is going to be a fun ride.</p>Dockerinit and Dead Codehttps://www.cyphar.com/blog/post/20160121-dockerinit-and-dead-code2016-01-21T17:30:00Z2016-01-21T17:30:00ZAleksa Sarai<p>After running into insane amounts of very weird issues with <code>gccgo</code> with Docker, some of which were actual compiler bugs, someone on my team at SUSE asked the very pertinent question "just exactly what is dockerinit, and why are we packaging it?". I've since written a patch to remove it, but I thought I'd take the time to talk about <code>dockerinit</code> and more generally dead code (or more importantly, code that won't die).</p>Docker Internals and Implementing Rebasehttps://www.cyphar.com/blog/post/20151212-hackweek-13-docker-rebase2015-12-12T22:30:00Z2015-12-12T22:30:00ZAleksa Sarai<p><a href="https://hackweek.suse.com/">SUSE's semi-annual Hackweek</a> was last week and I decided to work on implementing <code>docker rebase</code>, mainly to learn about the internal image format of Docker and see whether it was possible to improve how the updating of Docker images works in practice (either rebuilding or <a href="https://github.com/SUSE/zypper-docker">zypper-docker</a>).</p>