Containers

Idmapped Mounts

Flexible file ownership
D.containers
Christian Brauner
On most POSIX systems including Linux file ownership can only be changed globally, i.e. for all users through the chown*() syscall family. In this talk we will introduce idmapped mounts. Idmapped mounts allow to change the ownership of files under the mounts they appear in.
File ownership is a global property on most systems that have a uid and gid concept. On POSIXy systems the chown*() syscall family allows to change the owner of a file or directory. If the ownership of a file is changed it will be changed for each user on the systems equally. But various use-cases exist where this can be problematic: - Portable home directories that are used on different computers where the user is assigned a different uid and gid. - Filesystems that allow to merge or unionize multiple filesystems are often shared between different users. - On Linux user namespaces used in containers also affect file ownership. - Chowning files on really large filesystems is costly. Idmapped mounts solve these problems and others by allow bind-mounts to specify idmappings allowing to change file ownership on a per-mount point basis. In this talk we will take a close look technical at the idmapped mount patchset, the use-cases it is intended to solve, and we will demo it's capabilities.

Additional information

Type devroom

More sessions

2/7/21
Containers
Daniel Borkmann
D.containers
BPF is becoming ubiquitous in today's modern container environments and thanks to the fast pace of innovations from Linux kernel developers in the BPF subsystem, cloud native networking software such as Cilium is able to bring these extensions to a mainstream user base for improving throughput, latency and reliability of workloads and services. This talk provides a deep dive on recently added BPF kernel as well as Cilium extensions for Kubernetes environments which significantly reduce ...
2/7/21
Containers
Jakub Dżon
D.containers
Operator SDK is a solid foundation for building robust applications for Kubernetes; one of such applications is the VM import operator (https://github.com/kubevirt/vm-import-operator) allowing Kubernetes administrators to easily import their oVirt-managed virtual machines to KubeVirt. In this talk, the speaker will show how his team used Operator SDK to build the VM import operator and how that operator can be used.
2/7/21
Containers
Viktor Farcic
D.containers
What are we going to do without Docker inside Kubernetes clusters?
2/7/21
Containers
Vlad Bogolin
D.containers
Containers are a central point for the MariaDB buildbot (buildbot.mariadb.org). In fact, almost all our builds run in Docker containers. In this short presentation, I will talk about the container environment used in order to build MariaDB from source both on Linux and Windows. Then, I will present some of the challenges associated with running Windows in a Docker container and finally I will focus on some of the advantages of having a container based continuous integration infrastructure.
2/7/21
Containers
Peter Zaitsev
D.containers
DBaaS is the fastest growing way to deploy databases. It is fast and convenient and it helps to reduce toil a lot, yet it is typically done using proprietary software and tightly coupled to the cloud vendor. We believe Kubernetes finally allows us to build fully OpenSource DBaaS Solution capable to be deployed anywhere Kubernetes runs - on the Public Cloud or in your private data center. In this presentation, we will describe the most important user requirements and typical problems you would ...
2/7/21
Containers
Marco Mancini
D.containers
Although Kubernetes is the leading container orchestration solution, it does not necessarily solve all container management-related challenges that one might face. Leaving fashions aside, some other technologies may actually be a better solution for some use cases and projects. Kubernetes is actually a very complex technology, with limited support for multi-tenancy and lacking secure isolation between tenants. Kubernetes does not offer cloud-like self-service provision features for users either. ...
2/7/21
Containers
Alban Crequy
D.containers
Until now, you could define seccomp policies in Kubernetes to allow or deny system calls but not much more. The new Seccomp Notify feature in Linux 5.9 will enable more complex policies and the ability to write your own agents to handle new use cases in Kubernetes. Attend to find out why and how!