DevOps Challenge of the Week - Issue #3


Hey hey!

Are you ready for your next DevOps challenge?

Last week, we all witnessed yet another terrifying cyber-security event, and this time, it was a direct hit - researchers from Snyk discovered a way to break out of containers! 🤯

The vulnerability was found in a fundamental component of the containerization ecosystem: runc, the most popular implementation of the (low-level) OCI container runtime.

Notice how, on the diagram above, most high-level container runtimes actually rely on the same low-level component. Shout-out to Podman for using an alternative implementation (crun) 💪

Unfortunately, Kubernetes and its derivatives are impacted, too. Containers on the cluster nodes are managed by a CRI implementation, and unless you live in the Red Hat universe (CRI-O), that likely means the same containerd ↔ runc pair underneath.
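Knowing the chain in the abstract is one thing; knowing which low-level runtime a particular node actually executes is what decides whether a runc advisory applies to it. The script below is an added example and not code from the newsletter or from any of the projects it names. It assumes the standard CLIs (`docker info --format '{{.DefaultRuntime}}'`, `containerd config dump`, `runc --version`, `crun --version`) and skips each probe when the binary is missing; the parsing functions are exercised on constructed sample output (the version numbers are made up) so it also runs on a machine with none of them installed. It goes slightly beyond the text by covering crun as well, since Podman nodes report that instead of runc.

```shell
#!/bin/sh
# Added example, not part of the newsletter: find out which low-level OCI runtime
# a node really uses, so you can tell whether a runc advisory applies to it.
# Assumes the standard CLIs (docker, containerd, runc, crun); every live probe is
# skipped when the binary is absent, and the parsers are exercised on
# constructed sample output so the script also runs on a machine without them.

# Pull the version out of `runc --version` output, whose first line reads
# "runc version X.Y.Z" (the constructed sample below mirrors that layout).
runc_version_from_output() {
    printf '%s\n' "$1" | awk '/^runc version/ { print $3; exit }'
}

# crun prints "crun version X.Y.Z" on its first line as well.
crun_version_from_output() {
    printf '%s\n' "$1" | awk '/^crun version/ { print $3; exit }'
}

# From containerd's TOML config (`containerd config dump`), report the first
# non-empty runtime_type. "io.containerd.runc.v2" is the runc shim, i.e. the
# containerd <-> runc pair described above.
containerd_runtime_type() {
    printf '%s\n' "$1" \
      | awk -F'"' '/runtime_type[[:space:]]*=[[:space:]]*"[^"]+"/ { print $2; exit }'
}

# Constructed sample output (version numbers are made up for the demo and say
# nothing about which releases any advisory affects).
SAMPLE_RUNC_OUTPUT='runc version 1.1.0
commit: v1.1.0-0-gdeadbeef
spec: 1.0.2-dev'

SAMPLE_CONTAINERD_CONFIG='[plugins."io.containerd.grpc.v1.cri".containerd]
  default_runtime_name = "runc"
  [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
    runtime_type = ""
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
    runtime_type = "io.containerd.runc.v2"'

# Live probe for a real node: one line per finding, nothing if a tool is absent.
inventory_node() {
    if command -v docker >/dev/null 2>&1; then
        echo "docker default runtime: $(docker info --format '{{.DefaultRuntime}}' 2>/dev/null)"
    fi
    if command -v containerd >/dev/null 2>&1; then
        echo "containerd runtime type: $(containerd_runtime_type "$(containerd config dump 2>/dev/null)")"
    fi
    if command -v runc >/dev/null 2>&1; then
        echo "runc version: $(runc_version_from_output "$(runc --version 2>/dev/null)")"
    fi
    if command -v crun >/dev/null 2>&1; then
        echo "crun version: $(crun_version_from_output "$(crun --version 2>/dev/null)")"
    fi
}

# Dry run on the constructed samples first, then the live probe of this host.
demo() {
    echo "sample runc version: $(runc_version_from_output "$SAMPLE_RUNC_OUTPUT")"
    echo "sample containerd runtime type: $(containerd_runtime_type "$SAMPLE_CONTAINERD_CONFIG")"
    inventory_node
}

demo
```

Run it as root on each node (or ship it through your fleet tooling) and compare the reported runc version against the vendor's advisory for the patched release; the containerd check matters because a node can have a patched `runc` binary on `PATH` while containerd is configured to use a different shim or runtime altogether.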

The problem is that even though all of us have heard of Docker and Kubernetes, and some of us even of containerd, runc often remains an unsung hero.

Its ubiquity on the one hand and the lack of awareness on the other make the Leaky Vessels breakout vulnerability particularly dangerous.

People need to know their heroes, not least to be aware of their weaknesses. Hence, this week's challenge: go learn what runc is used for in the containerization ecosystem 🧐

Good luck!

Ivan Velichko

Building labs.iximiuz.com - a place to help you learn Containers and Kubernetes the fun way 🚀
