Measuring Firecracker boot time

Firecracker comes with an internal way of logging a timestamp that measures time elapsed between the very start of the guest VM and the moment a specific IO port has been written to.

That allows specific moments along the boot process to be marked by having code write to this port.

Artifacts build

Here we're going to measure the time it takes for a Firecracker guest VM to reach userspace. To do so we're going to build 3 components:

@sameo
sameo / gist:d49c50772d616ae00e96c9967e676976
Created February 7, 2017 13:57
RSS and PSS, Clean vs Dirty, Private vs Shared
From http://unix.stackexchange.com/questions/33381/getting-information-about-a-process-memory-usage-from-proc-pid-smaps
For a given process's /proc/<pid>/smaps, and for a given mapping entry, what are:
Shared_Clean
Shared_Dirty
Private_Clean
Private_Dirty
@sameo
sameo / vfio.md
Last active September 28, 2023 03:53

VFIO

Not KVM bound. The VFIO API deconstructs a device into regions, IRQs, etc. The userspace application (QEMU, cloud-hypervisor, etc.) is responsible for reconstructing it into a device for, e.g., a guest VM to consume.

Boot with intel_iommu=on.

IOMMU groups

Devices are grouped together for isolation, IOMMU-capability and platform-topology reasons. The grouping is not configurable.

@sameo
sameo / dice.md
Last active September 22, 2022 17:13
DICE notes

Terminology

  • UDS: Unique Device Secret. This is a per-device hardware-level secret accessible to the DICE but not accessible after the DICE runs.
  • CDI: Compound Device Identifier. This value represents the hardware/software combination measured by the DICE. This is the DICE output and is passed to the software which has been measured. This is a secret.

Definitions

Hash Function

A hash function (e.g. SHA2-384):

func (k *kataAgent) createContainer
@sameo
sameo / qboot.md
Last active October 15, 2021 00:59

Description

qboot is a simple x86 firmware that can boot Linux.

It is Paolo Bonzini's answer to the Clear Containers claim that QEMU takes too long to boot a Linux kernel.

qboot only works as QEMU firmware, because it is bound to QEMU's fw_cfg NVRAM firmware configuration device emulation.

@sameo
sameo / kata_host_cgroup.md
Last active July 5, 2021 11:36
Kata Containers host cgroups

sandbox_cgroup_only = false

Sandbox creation

  • No sandbox cgroup manager is created
  • Cgroup for sandbox container is created
  • Takes linux:cgroup_parent as the cgroup root
  • Creates v1 cgroup hierarchy: /sys/fs/cgroup/memory/vc/<linux:cgroup_parent>/kata_<sandbox_id>/, etc.
  • Adds the process linked to the sandbox container to the cgroups.
  • Only adds the CPU resources at first
@sameo
sameo / config.json
Last active June 17, 2021 10:23
Config 2
{
  "ociVersion": "1.0.0",
  "process": {
    "terminal": true,
    "user": {
      "uid": 0,
      "gid": 0
    },
    "args": [
      "/docker-entrypoint.sh",