cyphar
Docker: Image Rebasing
an invention by cyphar
git rebase is a very useful construct in source control management, as it allows you to re-apply your changes atop a different branch of the same repository. While this concept transitions perfectly to container management (updating a container could be as easy as a docker rebase), and the Docker client is inspired by the git semantics, Docker has no such feature (in fact, Solomon Hykes used rebase and merge as examples of things "that we don't want"). Currently, zypper-docker works by applying an updated layer on top of an existing image. While this does work quite well, it separates the process of updating the base image and updating all of your derivative images (you need to re-download new packages for each derivative image).
Add PIDs cgroup support to runC and Docker
an invention by cyphar
Currently, dealing with forkbombs and similar issues with Docker and runC is not very nice (you have to set a global limit for all Docker processes, or you have to limit kernel memory, which isn't very practical). I'm going to work on getting [some][1] [patches][2] merged into runC and Docker to enable PIDs support for Docker.
Rootless Containers
an invention by cyphar
In many cases, people want to start containers on a system where the administrator is not happy about granting privileges to users or installing any new software. For example, when I was a researcher and wanted to run Python 3 on a computing cluster it was not possible to get the administrator to install Docker or Python 3.
OCI Image Distribution with RPMs
a project by cyphar
Currently the Open Container Initiative doesn't specify a distribution protocol or system, and the current "standard" format is the Docker registry protocol. Aside from technical reservations with Docker registry, it is also not an OCI-compliant system and will require a lot of work to integrate it into all of the openSUSE/SUSE tooling.
orca: build OCI images from Dockerfiles
a project by cyphar
Currently the main complaint people have about OCI tooling is the lack of a transition from Docker to OCI. With umoci you have a lot of low-level image configuration abilities, and skopeo and runC cover the other major parts of the picture, but you need something to tie them together.
libpathrs
a project by cyphar
The plan is to implement a safe path resolution library for Linux to avoid the many security vulnerabilities that have been seen in the wild related to path resolution race conditions and various other attacks. I've been working on kernel-space solutions, but even if they were merged, it is difficult to use them safely directly. So this library intends to provide simple wrappers that everyone can use.
paperback
a project by cyphar
Very often people find themselves wanting to store secrets in a way that either they can recover even if (for instance) their house burns down, or allow friends and family to recover if they pass away. Existing solutions to this problem are:
Looking for projects around:
Nothing at the moment