Posts List

A new contribution policy for runj

In March, I open-sourced runj, an experimental OCI-compatible runtime for FreeBSD jails. I started runj in order to teach myself more about FreeBSD in general and jails in particular, and the initial contribution policy I set was designed to give me the space to learn at my own pace. However, as I wrote in that first blog post, the amount of attention runj received on its first day really surprised me. The attention since then has continued, and I’ve had the opportunity to connect with members of the FreeBSD community who have shared my excitement about connecting FreeBSD with the broader container ecosystem. Everyone I’ve spoken with has been incredibly kind and respectful of the space I requested, which did give me the opportunity to learn on my own. I really appreciate their kindness, and now that I’ve achieved the first part of my learning goal I’m ready to move forward and work together rather than working alone.

Joining the containerd and Moby projects

Joining the containerd and Moby projects

This past September, I joined the containerd project as a security advisor. In March, I increased my involvement as a reviewer. And this week, I joined the Moby project as a maintainer. My colleague Kazuyoshi Kato wrote about joining containerd on his blog and I’ve been wanting to do that too.

Running FreeBSD jails with containerd 1.5

Running FreeBSD jails with containerd 1.5

containerd 1.5.0 was released today and now works on a new operating system: FreeBSD! This new release includes a series of patches (1, 2, 3, 4, 5, 6, 7, 8, 9, 10) which allow containerd to build, enable the native and zfs snapshotters, and use a compatible runtime like runj. I’m really excited about this! It’s awesome that only a small amount of work was needed to make containerd compatible with FreeBSD and that so much of it worked straight out of the box. And with a runtime for jails, containerd’s powerful APIs can now be used to manage FreeBSD’s native process isolation capability. In the rest of the post, we can take a look at how to use containerd on FreeBSD!

runj: a new OCI Runtime for FreeBSD Jails

Today, I open-sourced runj, a new experimental, proof-of-concept OCI-compatible runtime for FreeBSD jails. For the past 6.5 years I’ve been working on Linux containers, but never really had much experience with FreeBSD jails. runj (pronounced “run jay”) is a vehicle for me to learn more about FreeBSD in general and jails in particular. With my position on the Technical Oversight Board of the Open Containers Initiative, I’m also interested in understanding how the OCI runtime specification can be adapted to other operating systems like FreeBSD.

Bottlerocket: a Special-Purpose Container Operating System

Note: This post was originally published on the AWS Containers Blog. On March 10, 2020, we introduced Bottlerocket, a new special-purpose operating system designed for hosting Linux containers. In this post, I want to take you through some of the goals we started with, engineering choices we made along the way, and our vision for how the OS will continue to evolve in the future.

Anatomy of CVE-2019-5736: A runc container escape!

Note: This post was originally published on the AWS Compute Blog. On Monday, February 11, CVE-2019-5736 was disclosed. This vulnerability is a flaw in runc, which can be exploited to escape Linux containers launched with Docker, containerd, CRI-O, or any other user of runc. But how does it work? Dive in!