Skip to content

Instantly share code, notes, and snippets.

Avatar

Samuel Ortiz sameo

116 followers · 12 following
View GitHub Profile
@sameo
sameo / dice.md
Last active September 22, 2022 17:13
DICE notes
View dice.md

Terminology

  • UDS: Unique Device Secret. This is a per-device hardware-level secret accessible to the DICE but not accessible after the DICE runs.
  • CDI: Compound Device Identifier. This value represents the hardware/software combination measured by the DICE. This is the DICE output and is passed to the software which has been measured. This is a secret.

Definitions

Hash Function

A hash function (e.g. SHA2-384):

@sameo
sameo / kata_create_container.md
Created January 12, 2022 14:25
View kata_create_container.md 
func (k *kataAgent) createContainer
@sameo
sameo / kata_host_cgroup.md
Last active July 5, 2021 11:36
Kata Containers host cgroups
View kata_host_cgroup.md

sandbox_cgroup_only = false

Sandbox creation

  • No sandbox cgroup manager is created
  • Cgroup for sandbox container is created
  • Takes linux:cgroup_parent as the cgroup root
  • Creates v1 cgroup hierearchy: /sys/fs/cgroup/memory/vc/<linux:cgroup_parent>/kata_<sandbox_id>/, etc
  • Add the process linked to the sandbox container to the cgroups.
  • Only adds the CPU resources at first
@sameo
sameo / config.json
Last active June 17, 2021 10:23
Config 2
View config.json
{
"ociVersion": "1.0.0",
"process": {
"terminal": true,
"user": {
"uid": 0,
"gid": 0
},
"args": [
"/docker-entrypoint.sh",
@sameo
sameo / config.json
Created June 17, 2021 09:55
Config
View config.json
{
"ociVersion": "1.0.0",
"process": {
"terminal": true,
"user": {
"uid": 0,
"gid": 0
},
"args": [
"/docker-entrypoint.sh",
@sameo
sameo / bpftrace.md
Created May 17, 2021 08:16
View bpftrace.md 
bpftrace -e 'kprobe:nested_vmx_failInvalid { printf("sleep by %d\n", tid); }'
@sameo
sameo / containerd_shim.md
Last active May 5, 2021 08:34
View containerd_shim.md

Overview

containerd defines a simple runtime shim API (v2) for container runtimes (kata, runc, etc) to interface with.

The goal of this API is to abstract container operations from the actual runtime operations, and e.g. avoid assumptions on how containers are going to run (inside a VM vs as a bare metal process for example).

With that architecture, a container runtime becomes a shim v2 implementation, which is a binary that:

  1. Implements the gRPC shim service
  2. Supports 2 commands: delete and start
@sameo
sameo / account.rs
Created April 29, 2021 21:44
View account.rs
#[derive(Clone, Debug, Default)]
struct Account {
transactions: Vec<i32>,
balance: i32,
}
impl Account {
fn new() -> Self {
Account {
balance: 0,
@sameo
sameo / kvm-msr-cpuid.md
Created March 2, 2021 15:14
View kvm-msr-cpuid.md

MSRs

3 MSRs array:

  • msrs_to_save reflects the capabilities of the host cpu, built on top of the constant msrs_to_save_all array.
  • emulated_msrs MSRs that are kvm-specific are put in emulated_msrs_all; filtering of emulated_msrs may depend on host virtualization features rather than host cpu features.
  • msr_based_features List of msr numbers which are used to expose MSR-based features that can be used by a hypervisor to validate requested CPU features. Built as a filter on top of msr_based_features_all

KVM_GET_MSR_INDEX_LIST

@sameo
sameo / oci_image.md
Last active October 19, 2020 10:10
OCI Image
View oci_image.md 
skopeo copy docker://sameo/container101:latest oci:container101

Image layout

The OCI image layout in the host filesystem is specified here.

  • oci-layout
  • index.json is the image index.