
Weekly Report 2022.05

Rootless Containers

Rootless Containers refers to the ability for an unprivileged user to create, run and otherwise manage containers.

Common Steps:

Most Rootless Containers implementations need the $XDG_RUNTIME_DIR environment variable to be set. When the environment variable is not set, features related to systemd and cgroups are unlikely to work properly.

Configure sysctl

Old versions of Debian, Arch, and RHEL/CentOS are known to require reconfiguration of sysctl to enable User Namespaces.

/etc/subuid and /etc/subgid

Rootless Containers implementations mostly expect /etc/subuid to contain at least 65,536 subuids.

cgroup v2 [optional]

Enabling cgroup v2 is often needed for running Rootless Containers while limiting the consumption of CPU, memory, I/O, and PID resources, e.g. docker run --memory 32m.

If /sys/fs/cgroup/cgroup.controllers is present on your system, you are using v2, otherwise you are using v1.
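The steps above as a preflight script, added here as an example and not part of the original post: it checks $XDG_RUNTIME_DIR, the user-namespace sysctl knobs, the subuid/subgid ranges and the cgroup version. The sysctl names kernel.unprivileged_userns_clone (Debian/Arch) and user.max_user_namespaces (RHEL/CentOS) are my assumption about which knobs the sysctl step refers to; paths are parameters so the helpers can be tried against constructed files.

```shell
#!/bin/sh
# Added example, not from the original post: preflight for the rootless
# prerequisites above. File paths are parameters for testing on constructed input.

# Sum the subordinate-ID ranges FILE (/etc/subuid or /etc/subgid) grants to USER.
# Lines are "name:start:count"; field 1 may be a numeric uid, so UID is matched too.
count_subids() {
    file=$1; user=$2; uid=${3:-}
    [ -r "$file" ] || { echo 0; return; }
    awk -F: -v u="$user" -v n="$uid" \
        '$1 == u || (n != "" && $1 == n) { total += $3 } END { print total + 0 }' "$file"
}

# "v2" when ROOT/cgroup.controllers exists (unified hierarchy), else "v1".
cgroup_version() {
    root=${1:-/sys/fs/cgroup}
    if [ -f "$root/cgroup.controllers" ]; then echo v2; else echo v1; fi
}

# True when DIR is set and is a writable directory; systemd and cgroup
# delegation for rootless runtimes depend on $XDG_RUNTIME_DIR being usable.
check_runtime_dir() {
    dir=$1
    [ -n "$dir" ] && [ -d "$dir" ] && [ -w "$dir" ]
}

# Run every check for the invoking user; exit status is non-zero on any FAIL.
rootless_preflight() {
    rc=0
    if check_runtime_dir "${XDG_RUNTIME_DIR:-}"; then
        echo "ok   XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR"
    else
        echo "FAIL XDG_RUNTIME_DIR unset or not a writable directory"; rc=1
    fi
    # Assumed distro knobs that disable unprivileged user namespaces when 0.
    for k in kernel.unprivileged_userns_clone user.max_user_namespaces; do
        p=/proc/sys/$(echo "$k" | tr . /)
        if [ -r "$p" ] && [ "$(cat "$p")" = 0 ]; then
            echo "FAIL $k=0, user namespaces disabled (see the sysctl step)"; rc=1
        fi
    done
    for f in /etc/subuid /etc/subgid; do
        n=$(count_subids "$f" "$(id -un)" "$(id -u)")
        if [ "$n" -ge 65536 ]; then echo "ok   $f grants $n ids"
        else echo "FAIL $f grants only $n ids (need 65536)"; rc=1; fi
    done
    echo "info cgroup $(cgroup_version)"
    return $rc
}
```

Source the file and call rootless_preflight to audit the current account.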

user namespace

User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs, the root directory, keys, and capabilities. A process’s user and group IDs can be different inside and outside a user namespace. In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.

mount namespace

A mount namespace isolates a runtime environment with its own independent set of mount points; the kernel maintains a separate mount-point list for each namespace. In other words, the mount-point lists of different namespaces are independent, and mounts made in one do not affect the others.


The Linux kernel provides a mechanism, via the /proc filesystem, for accessing internal kernel data structures and changing kernel settings at runtime. proc is a pseudo-filesystem: it exists only in memory and occupies no space on disk. It exposes, in the form of a filesystem, an interface for operations that access kernel data.




Cleverness is a gift, kindness is a choice. Gifts are easy — they’re given after all. Choices can be hard. You can seduce yourself with your gifts if you’re not careful, and if you do, it’ll probably be to the detriment of your choices.


A legitimate regime must satisfy three conditions at once: first, legitimacy of the source of power, i.e., it is produced by free elections of the people or their effective representatives; second, the public character of the state of power, i.e., the powers of coercion, the judiciary, legislation and administration are not privatized; third, the effectiveness of the use of power, i.e., public power is accountable for the interests of the citizens. [The first and second are the source of civil war; the third is the fuse of foreign war]



Licensed under CC BY-NC-SA 4.0
Last updated on Sep 08, 2022 09:07 CST
The older I get, the more I realize that most of life is a matter of what we pay attention to, of what we attend to [with focus].