Batuhan Apaydın (developer-guy)
Every artifact can be verifiably traced to Source Code and Hardware
@ericsmalling
ericsmalling / images.sh
Created August 10, 2023 13:42
Add arch to docker images output
#!/bin/bash
# Set the IFS variable to a newline character so each output row is one loop item
IFS=$'\n'
# Get the list of docker images
images=$(docker images -a)
# Loop through the list of images
for image in $images; do
  # Keep the header row, adding an ARCH column to it
  [[ "$image" == REPOSITORY* ]] && { echo "$image   ARCH"; continue; }
  # The image ID is the third column; inspect it for OS/architecture
  id=$(echo "$image" | awk '{print $3}')
  arch=$(docker image inspect --format '{{.Os}}/{{.Architecture}}' "$id")
  echo "$image   $arch"
done

Container Images

Kubernetes

Verify single image

$ cosign verify registry.k8s.io/kube-apiserver-amd64:v1.25.2

Get and Verify All Kubernetes Images

$ version=v1.25.0
curl -Ls https://sbom.k8s.io/v1.25.0/release \
@Dentrax
Dentrax / containerd-gc-analysis.md
Last active November 15, 2023 11:49
Containerd GC Analysis

In containerd, there is actually a garbage collector which can be found here: https://github.com/containerd/containerd/blob/master/docs/garbage-collection.md. In the cleanup phase, only objects that are not associated (i.e. have no image reference) are removed - those marked as "dirty" are kept. To clean up unused images and running/stopped containers, this can be used.

While not yet production-ready, the tool at https://github.com/Azure/eraser could be used to achieve this. However, it may be difficult and complex to run this on all nodes. Descheduler cannot solve this problem as it does not run as a daemonset, but kubelet garbage collection can be used instead (checking if it is enabled in the current configs): https://kubernetes.io/docs/concepts/architecture/garbage-collection/#containers-images.

It seems that containerd does not support log rotation. I found a solution that involves using kubelet (as described in containerd/containerd#3351 (comment), also pr: https
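The following is an added example (not part of the gist and not containerd code) that models the rule stated in the notes: containerd's collector marks everything reachable from roots such as images and containers through `containerd.io/gc.ref.<type>.<suffix>` labels, and sweeps whatever is left unmarked. The store contents are constructed; the `image/...` and `content/sha256:...` keys and the digests are placeholders.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Simplified model of containerd's label-driven garbage collection. Real
// containerd records references as labels named "containerd.io/gc.ref.<type>.<x>"
// whose value names the target; images and containers are roots to mark from.
const refPrefix = "containerd.io/gc.ref."

// Store maps a resource key ("<type>/<name>") to that resource's labels.
type Store map[string]map[string]string

// refs lists the keys a resource references through its gc.ref labels:
// "containerd.io/gc.ref.content.1" = "sha256:abc" yields "content/sha256:abc".
func refs(labels map[string]string) []string {
	var out []string
	for k, v := range labels {
		if !strings.HasPrefix(k, refPrefix) {
			continue
		}
		typ := strings.TrimPrefix(k, refPrefix)
		if i := strings.Index(typ, "."); i >= 0 {
			typ = typ[:i] // drop the per-label suffix, keep the resource type
		}
		out = append(out, typ+"/"+v)
	}
	return out
}

// Collect marks every resource reachable from roots (depth-first) and returns
// the keys the sweep would delete, sorted so the result is stable.
func Collect(s Store, roots []string) []string {
	marked := map[string]bool{}
	stack := append([]string(nil), roots...)
	for len(stack) > 0 {
		key := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if marked[key] {
			continue
		}
		labels, ok := s[key]
		if !ok {
			continue // dangling reference: nothing to mark
		}
		marked[key] = true
		stack = append(stack, refs(labels)...)
	}
	var removed []string
	for key := range s {
		if !marked[key] {
			removed = append(removed, key)
		}
	}
	sort.Strings(removed)
	return removed
}

// SampleStore is constructed data (not from a real containerd instance): one
// image whose manifest references a config blob and a layer blob, plus a layer
// left behind by an image that was already deleted.
func SampleStore() (Store, []string) {
	s := Store{
		"image/docker.io/library/nginx:latest": {refPrefix + "content.0": "sha256:manifest"},
		"content/sha256:manifest": {
			refPrefix + "content.0": "sha256:config",
			refPrefix + "content.1": "sha256:layer1",
		},
		"content/sha256:config": {},
		"content/sha256:layer1": {},
		"content/sha256:orphan": {},
	}
	return s, []string{"image/docker.io/library/nginx:latest"}
}

func main() {
	s, roots := SampleStore()
	fmt.Println("removed:", strings.Join(Collect(s, roots), " "))
	delete(s, roots[0]) // deleting the image turns its blobs into garbage too
	fmt.Println("after image delete:", strings.Join(Collect(s, nil), " "))
}
```

With the image present only the orphaned layer is swept; once the image root is deleted, its manifest, config and layer are unreferenced and go in the next pass, which is why removing images (via kubelet image GC or a tool like eraser) is what frees space on the node.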
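Added here as the configuration check the notes point at (not from the gist): the two kubelet mechanisms mentioned, image garbage collection and container log rotation, are both settings on the KubeletConfiguration. The numbers below are the documented defaults, shown explicitly so they can be compared against a node's effective config; they are not a recommendation for a particular cluster.

```yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# Image GC: once disk usage on the image filesystem reaches the high threshold
# the kubelet deletes unused images, oldest first, until it is below the low one.
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
# Images younger than this are never collected, even above the threshold.
imageMinimumGCAge: 2m
# Container log rotation is done by the kubelet for CRI runtimes such as
# containerd: rotate a container's log at this size and keep this many files.
containerLogMaxSize: 10Mi
containerLogMaxFiles: 5
```

To see what a running kubelet actually uses (including values set via flags or a drop-in), read its configz endpoint through the API server: `kubectl get --raw "/api/v1/nodes/<node-name>/proxy/configz"`.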

package:
name: kubevela
version: 1.7.0
epoch: 0
description: KubeVela is a modern application delivery platform that makes deploying and operating applications across today's hybrid, multi-cloud environments easier, faster and more reliable
target-architecture:
- all
copyright:
- license: Apache-2.0
paths:
@Dentrax
Dentrax / etcd-defragmentation.md
Last active December 13, 2022 07:55
How etcd defragmentation works?

Abstract

Bolt operations are copy-on-write. When a page is updated, it is copied to a completely new page. The old page is added to a "freelist", which Bolt refers to when it needs a new page. This means that deleting large amounts of data will not actually free up space on disk, as the pages are instead kept on Bolt's freelist for future use. In order to free up this space to disk, you will need to perform a defrag.

The process of defragmentation releases this storage space back to the file system. Defragmentation is issued on a per-member basis so that cluster-wide latency spikes may be avoided.

Algorithm

  1. lock batchTx to ensure nobody is using previous tx, and then close previous ongoing tx.
  2. lock database after lock tx to avoid deadlock.
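To make the abstract concrete, here is an added toy model (not bbolt or etcd code) of copy-on-write pages with a freelist. Deleting keys only moves pages to the freelist, so the "file" keeps its size and later writes reuse those pages; only a defrag, which copies the live pages into a fresh file, shrinks it. One page per key and a 4 KiB page size are simplifications of this example.

```go
package main

import "fmt"

// Toy model of Bolt's copy-on-write pages and freelist. One page holds one key.
const pageSize = 4096

type page struct {
	key   string
	value string
}

// Store is the "file": a slice of fixed-size pages addressed by index. Live
// pages are reachable through index; pages on the freelist still occupy their
// slot in the file and are only reused, never returned to the filesystem.
type Store struct {
	pages    []page
	index    map[string]int // live key -> page id
	freelist []int          // page ids available to the next write
}

func NewStore() *Store {
	return &Store{index: map[string]int{}}
}

// alloc reuses a freelist page when one exists and grows the file otherwise.
func (s *Store) alloc() int {
	if n := len(s.freelist); n > 0 {
		id := s.freelist[n-1]
		s.freelist = s.freelist[:n-1]
		return id
	}
	s.pages = append(s.pages, page{})
	return len(s.pages) - 1
}

// Put is copy-on-write: the new value lands on a fresh page and the old page,
// if any, goes to the freelist instead of being overwritten in place.
func (s *Store) Put(key, value string) {
	id := s.alloc()
	s.pages[id] = page{key: key, value: value}
	if old, ok := s.index[key]; ok {
		s.freelist = append(s.freelist, old)
	}
	s.index[key] = id
}

// Delete unlinks the key and parks its page on the freelist; the file size is unchanged.
func (s *Store) Delete(key string) {
	if id, ok := s.index[key]; ok {
		delete(s.index, key)
		s.freelist = append(s.freelist, id)
	}
}

// Get returns the live value for key.
func (s *Store) Get(key string) (string, bool) {
	id, ok := s.index[key]
	if !ok {
		return "", false
	}
	return s.pages[id].value, true
}

// FileSize is what the filesystem sees: every page, live or free.
func (s *Store) FileSize() int { return len(s.pages) * pageSize }

// FreePages is the number of pages held on the freelist.
func (s *Store) FreePages() int { return len(s.freelist) }

// Defrag copies only the live pages into a new file and drops the freelist,
// which is the step that actually hands the space back to the filesystem.
func (s *Store) Defrag() {
	fresh := NewStore()
	for key, id := range s.index {
		fresh.Put(key, s.pages[id].value)
	}
	*s = *fresh
}

func main() {
	s := NewStore()
	for i := 0; i < 1000; i++ {
		s.Put(fmt.Sprintf("/registry/pods/default/p%d", i), "spec")
	}
	for i := 0; i < 990; i++ {
		s.Delete(fmt.Sprintf("/registry/pods/default/p%d", i))
	}
	fmt.Printf("after delete: %d bytes on disk, %d free pages\n", s.FileSize(), s.FreePages())
	s.Defrag()
	fmt.Printf("after defrag: %d bytes on disk, %d free pages\n", s.FileSize(), s.FreePages())
}
```

The same effect on a real member shows up as `dbSize` staying high in `etcdctl endpoint status` after a compaction, and dropping only after `etcdctl defrag` on that endpoint; because the rewrite blocks the member for its duration, it is run one member at a time, as the abstract says.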
@scottrigby
scottrigby / zot-kind-helm-skopeo.md
Last active December 6, 2022 09:39
Inspect OCI artifact locally (Zot, kind, Helm, and Skopeo)
  1. setup

    $ kind create cluster
  2. install zot with minimal image for security-minded dist-spec-only

    $ helm upgrade zot zot/zot --set image.repository=ghcr.io/project-zot/zot-minimal-linux-amd64
@saschagrunert
saschagrunert / kubernetes-verify.sh
Created December 1, 2022 14:13
Verifying Kubernetes binary artifacts
#!/usr/bin/env bash
set -euox pipefail
TAG=v1.26.0-rc.1
URL=https://dl.k8s.io/release/$TAG/bin/linux/amd64
BIN=kubectl
for EXT in "" .sig .cert; do
FILE=$BIN$EXT
curl -sSfL --retry 3 --retry-delay 3 "$URL/$FILE" -o "$FILE"
done
@Dentrax
Dentrax / oidc-flow-study-notes.md
Last active November 29, 2022 11:50
Kubernetes OIDC - IDToken
@devenes
devenes / tekton_demo.md
Last active November 3, 2022 18:32
tekton_demo.md
brew install cosign
brew install crane
kind create cluster --image=kindest/node:v1.24.0
@Dentrax
Dentrax / stargz.index.json.md
Last active June 5, 2023 12:32
Stargz Study Notes

Stargz Study Notes

idea

  • proposed by bradfitz for accelerating the CI of the Go project
  • x/build: speed up large container start-up times without pre-pulling containers into VMs (CRFS): golang/go#30829
    • motivation: Our current situation (building a container, pushing to gcr.io, then automating the creation of a COS-like VM images that has the image pre-pulled) is pretty gross and tedious.
    • initial: https://github.com/google/crfs (read-only FUSE filesystem that lets you mount a container image, served directly from a container registry)

crfs