Samuel Ortiz sameo

@sameo
sameo / dice.md
Last active Sep 22, 2022
DICE notes
View dice.md

Terminology

  • UDS: Unique Device Secret. This is a per-device hardware-level secret accessible to the DICE but not accessible after the DICE runs.
  • CDI: Compound Device Identifier. This value represents the hardware/software combination measured by the DICE. This is the DICE output and is passed to the software which has been measured. This is a secret.

Definitions

Hash Function

A hash function (e.g. SHA2-384):

@sameo
sameo / kata_host_cgroup.md
Last active Jul 5, 2021
Kata Containers host cgroups
View kata_host_cgroup.md

sandbox_cgroup_only = false

Sandbox creation

  • No sandbox cgroup manager is created
  • Cgroup for sandbox container is created
  • Takes linux:cgroup_parent as the cgroup root
  • Creates v1 cgroup hierarchy: /sys/fs/cgroup/memory/vc/<linux:cgroup_parent>/kata_<sandbox_id>/, etc.
  • Adds the process linked to the sandbox container to the cgroups.
  • Only adds the CPU resources at first
View config.json
{
"ociVersion": "1.0.0",
"process": {
"terminal": true,
"user": {
"uid": 0,
"gid": 0
},
"args": [
"/docker-entrypoint.sh",
View bpftrace.md
bpftrace -e 'kprobe:nested_vmx_failInvalid { printf("sleep by %d\n", tid); }'
View containerd_shim.md

Overview

containerd defines a simple runtime shim API (v2) for container runtimes (kata, runc, etc) to interface with.

The goal of this API is to abstract container operations from the actual runtime operations, and e.g. avoid assumptions on how containers are going to run (inside a VM vs as a bare metal process for example).

With that architecture, a container runtime becomes a shim v2 implementation, which is a binary that:

  1. Implements the gRPC shim service
  2. Supports 2 commands: delete and start
View account.rs
#[derive(Clone, Debug, Default)]
struct Account {
transactions: Vec<i32>,
balance: i32,
}
impl Account {
fn new() -> Self {
Account {
balance: 0,
View kvm-msr-cpuid.md

MSRs

Three MSR arrays:

  • msrs_to_save: reflects the capabilities of the host CPU; built on top of the constant msrs_to_save_all array.
  • emulated_msrs: KVM-specific MSRs are put in emulated_msrs_all; filtering of emulated_msrs may depend on host virtualization features rather than host CPU features.
  • msr_based_features: list of MSR numbers used to expose MSR-based features that a hypervisor can use to validate requested CPU features. Built as a filter on top of msr_based_features_all.

KVM_GET_MSR_INDEX_LIST

View oci_image.md
skopeo copy docker://sameo/container101:latest oci:container101

Image layout

The OCI image layout in the host filesystem is specified here.

  • oci-layout
  • index.json is the image index.