本周是年前的最后一周,假期综合症又再次附体,以至于回家以后,全身浸淫在漫画所带来的“幻想世界”之中。
# Reading
# 圆圈正义
印象最为深刻的属下面这几点:
人类一直都是观念的产物。一种崇高的观念可以将人高举,一种卑下的观念则会降低人的尊严。
心怀永恒,活在当下
“几乎一切罪恶都扎根于未来。感恩是在回顾过去,爱着眼于现在,恐惧、贪婪、色欲和野心都在眺望着未来。”每一个人都被未来这个赝品压得喘不过气,他们饱受未来的折磨,对未来充满忧虑,“把信心建立在一些计划的成败上面,而这些计划的结局可能是他们有生之年无法看到的。他们终其一生在追寻一些海市蜃楼,在当下永远不诚实,永远不善良,永远不快乐,只把现在赋予自己的一切真实恩赐充作燃料,堆积在为未来而设立的祭坛上。”
# Learning
# Rootless Containers
Rootless Containers refers to the ability for an unprivileged user to create, run and otherwise manage containers.
Common Steps:
# Login
Most Rootless Containers implementations need the $XDG_RUNTIME_DIR environmental variable to be set. When the environment variable is not set, features related to systemd and cgroups are unlikely to work properly.
# Configure sysctl
Old versions of Debian, Arch, and RHEL/CentOS are known to require reconfiguration of sysctl to enable User Namespaces.
#
/etc/subuid and /etc/subgid
Rootless Containers implementations mostly expect /etc/subuid to contain at least 65,536 subuids.
# cgroup v2 [optional]
Enabling cgroup v2 is often needed for running Rootless Containers with limiting the consumption of the CPU, memory, I/O, and PIDs resources, e.g. docker run --memory 32m.
If /sys/fs/cgroup/cgroup.controllers is present on your system, you are using v2, otherwise you are using v1.
# user namespace
User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs, the root directory, keys, and capabilities. A process’s user and group IDs can be different inside and outside a user namespace. In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.
# mount namespace
mount namespace 可隔离出一个具有独立挂载点信息的运行环境,内核知道如何去维护每个 namespace 的挂载点列表。即每个 namespace 之间的挂载点列表是独立的,各自挂载互不影响。
#
/proc/self
Linux 内核提供了一种通过 /proc 文件系统,在运行时访问内核内部数据结构、改变内核设置的机制。proc 文件系统是一个伪文件系统,它只存在内存当中,而不占用外存空间。它以文件系统的方式为访问系统内核数据的操作提供接口。
# Life
放假了,也没有发生什么可歌可叹的事情;借此祝大家新年快乐,阖家幸福。
# Quotation
Cleverness is a gift, kindness is a choice. Gifts are easy — they’re given after all. Choices can be hard. You can seduce yourself with your gifts if you’re not careful, and if you do, it’ll probably be to the detriment of your choices.
聪明是一种天赋,而善良是一种选择。天赋得来很容易——毕竟它们与生俱来。而选择却颇为艰难。如果一不小心,你可能被天赋所诱惑,这可能会损害到你做出的选择。
一个合法性政权必须同时具备这三个条件:一是权力来源的正当性,即由民众或有效代表自由选举产生;二是权力状态的公共性,即暴力、司法、立法、行政等权力不被私有化;三是权力使用的有效性,即公权力对国民利益负责。 【第一第二是内战的源泉,第三是外战的导火索】