-
### Description
Last year, Intel published a whitepaper on their new TDX "Trust Domain Extensions" technology for better securing virtual machines. TDX is built using a combination of VMX & MKTME tec…
-
Checkpoint/Restore (aka Save/Restore) is only supported for a single container.
Off the top of my head, there are a few things required to enable multi-container:
- It's not possible to save conta…
-
Hi,
I am running k-rail on my Kubernetes cluster combined with linkerd as service mesh to ensure mTLS communication between pods.
linkerd will automatically inject further (init-)containers into m…
-
### Description
I am trying to use [podman](https://github.com/containers/podman) to start runsc, but it failed. Here is the error I got when using either systemd or cgroupfs as the cgroup manager.
```
…
```
-
```
I ns: dispatch: fds: stop: eve(290) tun(279); err?
I proxy: exit: dial(tcp) to 31.13.79.2:443; err?
I tcp: new conn 1c16cd09a06f03c2 via proxy(Exit); src(10.111.222.1:48486) -> dst(31.13.7…
```
-
### Description
Setting SO_BINDTODEVICE on a bound TCP socket does not restrict the routes considered when initiating a connection with that socket.
With two interfaces set up with routes to the s…
-
Calling execve on a binary with execute permissions but no read permissions is allowed. However, the resulting task is marked non-dumpable[1] by the kernel.
This affects __ptrace_may_access[2], which…
-
The `Recv` function in `derphttp_client.go` is called after client creation which waits for `NotePreferred` to be sent if applicable.
https://github.com/tailscale/tailscale/blob/2b892ad6e741a9ab694…
-
### Description
gVisor supports [IO/CPU/Memory accounting](https://github.com/google/gvisor/blame/bb4410f44e3291f7aa34a2655cd683cac7d149cb/runsc/cgroup/systemd.go#L108) but does not support IP acco…