-
The [gVisor project](https://github.com/google/gvisor) implements a user-space kernel, and its implementation is performance-sensitive, which forces a manual avoidance of the netpoller by avoiding certai…
-
This was identified as a **medium** severity finding in the December 2020 Workstation audit report (`TOB-SDW-026`); the auditors recommend hardening the applications to leverage Linux native isolation and sand…
-
With our rootfs implementation, we need to support path canonicalization with explicit support for the rootfs as the root directory.
Then on top of that a regular canonicalize that treats `/` as a ro…
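The two layers described above (a canonicalization that clamps at the rootfs, plus the ordinary one that treats `/` as the root) can be shown with a small lexical resolver. This is an added example written for this page, not code from the project the note comes from; the `sampleLinks` symlink table, the `/var/lib/rootfs` host path and the 40-link limit are constructed assumptions for illustration. The key property is that every `..` and every symlink target is interpreted against the sandbox root, so the resulting host path can never leave the rootfs.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// CanonicalizeGuest lexically canonicalizes a path as seen from inside the
// sandbox: relative paths are joined onto cwd, "." and ".." are resolved, and
// ".." can never climb above "/" (path.Clean drops leading "/.." components).
func CanonicalizeGuest(cwd, p string) string {
	if !path.IsAbs(p) {
		p = path.Join("/", cwd, p)
	}
	return path.Clean(p)
}

// ResolveGuest walks p component by component, following symlinks reported by
// readlink. Link targets are guest paths: an absolute target restarts at the
// sandbox root, never at the host root, and ".." at "/" stays at "/".
func ResolveGuest(cwd, p string, readlink func(string) (string, bool)) (string, error) {
	const maxLinks = 40 // assumption for this example, mirrors Linux's follow limit
	cur := "/"
	if !path.IsAbs(p) {
		cur = CanonicalizeGuest("/", cwd)
	}
	pending := strings.Split(p, "/")
	links := 0
	for len(pending) > 0 {
		c := pending[0]
		pending = pending[1:]
		switch c {
		case "", ".":
			continue
		case "..":
			cur = path.Dir(cur) // path.Dir("/") == "/", so this clamps at the root
			continue
		}
		next := path.Join(cur, c)
		if target, ok := readlink(next); ok {
			links++
			if links > maxLinks {
				return "", fmt.Errorf("too many levels of symbolic links resolving %q", p)
			}
			if path.IsAbs(target) {
				cur = "/" // "/" in a link target means the guest root, not the host root
			}
			pending = append(strings.Split(target, "/"), pending...)
			continue
		}
		cur = next
	}
	return cur, nil
}

// GuestToHost maps an already-canonical guest path onto the host rootfs.
func GuestToHost(rootfs, guest string) string {
	return path.Join(path.Clean(rootfs), guest)
}

// IsInsideRoot reports whether host is rootfs itself or a descendant of it;
// a plain prefix check would wrongly accept "/var/lib/rootfs2".
func IsInsideRoot(rootfs, host string) bool {
	r, h := path.Clean(rootfs), path.Clean(host)
	return h == r || strings.HasPrefix(h, r+"/")
}

// sampleLinks is a constructed symlink table standing in for the rootfs.
var sampleLinks = map[string]string{
	"/tmp/escape": "../../../../etc", // relative link that tries to climb out
	"/var/run":    "/run",            // absolute link: must mean <rootfs>/run
	"/loop":       "/loop",           // self-referential link
}

func lookupLink(p string) (string, bool) {
	t, ok := sampleLinks[p]
	return t, ok
}

func main() {
	const rootfs = "/var/lib/rootfs" // assumed host location of the sandbox root
	for _, req := range []struct{ cwd, p string }{
		{"/", "/../../etc/passwd"},
		{"/", "/tmp/escape/passwd"},
		{"/home/user", "../../var/run/docker.sock"},
		{"/", "/loop"},
	} {
		guest, err := ResolveGuest(req.cwd, req.p, lookupLink)
		if err != nil {
			fmt.Println(req.p, "->", err)
			continue
		}
		host := GuestToHost(rootfs, guest)
		fmt.Printf("%-28s guest=%-18s host=%s inside=%v\n", req.p, guest, host, IsInsideRoot(rootfs, host))
	}
}
```

This is a purely lexical model: it shows why link targets must be resolved against the guest root rather than the host, but a real implementation must also guard against the rootfs changing between resolution and open (for example by walking with `openat` from a root file descriptor, or `openat2` with `RESOLVE_IN_ROOT` on kernels that support it).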
-
`runsc debug` could add an option to enable/disable strace from the sentry. Right now it is enabled with a command-line flag, which makes it hard to trace specific parts of applications without generating a…
-
- [ ] kata-containers (https://github.com/kata-containers/kata-containers/releases/download/2.4.3/kata-static-2.4.3-x86_64.tar.xz)
```yaml
- name: kata-containers
  hidden: true
  versio…
```
-
https://github.com/majek/slirpnetstack
-
(https://gvisor.dev/docs/architecture_guide/security/)
> A sandbox is not a substitute for a secure architecture.
save-cloud services should either be able to authorize against each other (includi…
-
```
# ls -l /proc/sys/net/
total 0
dr-xr-xr-x 1 root root 0 Mar 25 09:22 core
dr-xr-xr-x 1 root root 0 Mar 25 09:22 ipv4
#
```
There are many parts of ipv6 that need this to control…
-
### Description
Opening this mostly to avoid spending too much time reverse engineering Docker, runc, nvidia-container-runtime and gVisor behaviors. 😄
Since we don't use Docker to run our contain…
jseba updated 4 months ago