I recently used melange and apko to build a from-scratch image. The result was an auditable and easy-to-use container and apk repository. The toolkit reduces the work needed to make from-scratch images with minimal work on the actual Docker container (which can be quite painful if you've tried making a from-scratch image on your own).
The idea is to predefine a set of security policies for popular container applications, for example MySQL, Nginx, etc. With these predefined security policies, users can simply download and unpack them for use, with no need to worry too much about the detailed security settings and configuration for that application container. The policies could be any policies that Kubernetes and/or NeuVector support.
Imagine this: you are managing the infrastructure for your lab or server farm using the popular NetBox tool. Every time you install a new machine, you connect to it and collect all of the system's information to enter into NetBox, including system resources, architecture, vendor, type and all the network interfaces. Tedious, isn't it?
Kanidm is an identity management system (a store of accounts, groups and more) that supports authentication to openSUSE, web sites, networks, and more. The project focuses on respect for humans, correctness, simplicity and performance. In previous hackweeks we have implemented cryptographic authentication (WebAuthn), a wasm-based web UI, replication foundations and more.
The Entity Component System is a data-driven architectural pattern that favours composition over inheritance (in contrast to object-oriented programming). It is used in complex systems such as simulators, games, and fintech, where a project consists of an array of loosely coupled systems. It suits projects that need to scale horizontally and change the behaviour of a small subset of systems, knowing that no unwanted behavioural change will carry over to the others, while at the same time offering a way to add functionality that a large number of the systems can reuse.
Harvester CLI is a command-line interface tool written in Go, designed to simplify interacting with a Harvester cluster as a user. It is especially useful for testing, since you can quickly create VMs in Harvester with a simple command such as:
When we experience an early boot crash, we are not able to analyze the kernel dump, because user space was not yet able to load the crash system. The idea is to compile the crash system into the host kernel (think of initramfs) so that we can create a kernel dump very early in the boot process.
The BPF verifier plays a crucial role in securing the system (though less so now that unprivileged BPF is disabled by default both upstream and in SLES), and bugs in the verifier have led to privilege escalation vulnerabilities in the past (e.g. CVE-2021-3490).