Posts List

containerd internals: Images

Welcome to day 4 of our series on containerd internals! Container images are the mechanism we use to capture a container’s filesystem, distribute it to the nodes that will eventually run containers, and ensure that every container starts from a known-identical configuration. In many ways, images are the defining characteristic of a containerized system: they are the interaction point for users who want to create a workload and make it repeatable and predictable. Without images, you could still have the isolation characteristics that containerized systems offer today, but it would be much harder to achieve reliable, production-ready, and understandable workloads.
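The "known-identical configuration" guarantee above rests on content addressing: an OCI image manifest names its config and layers by SHA-256 digest, and a runtime refuses any blob whose bytes do not hash to the digest it was promised. The following Go program is an added example written for this listing; it is not code from the post or from containerd itself. It models only the manifest and descriptor fields needed for the check (real OCI descriptors carry more), and the config and layer bytes are constructed stand-ins rather than real image content.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Descriptor is the subset of an OCI content descriptor used here.
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

// Manifest is the subset of an OCI image manifest used here.
type Manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Config        Descriptor   `json:"config"`
	Layers        []Descriptor `json:"layers"`
}

// Sample is a constructed toy image: manifest digest, manifest bytes,
// referenced blobs keyed by digest, and the digest of its single layer.
type Sample struct {
	Digest      string
	Manifest    []byte
	Blobs       map[string][]byte
	LayerDigest string
}

// Digest computes the "sha256:<hex>" form that OCI descriptors use.
func Digest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifyBlob checks a fetched blob against the descriptor that named it.
// Size is compared before hashing: it is cheap and catches truncation early.
func VerifyBlob(desc Descriptor, blob []byte) error {
	if !strings.HasPrefix(desc.Digest, "sha256:") {
		return fmt.Errorf("unsupported digest %q", desc.Digest)
	}
	if int64(len(blob)) != desc.Size {
		return fmt.Errorf("size mismatch for %s: want %d, got %d", desc.Digest, desc.Size, len(blob))
	}
	if got := Digest(blob); got != desc.Digest {
		return fmt.Errorf("digest mismatch: want %s, got %s", desc.Digest, got)
	}
	return nil
}

// VerifyManifest checks that manifestBytes hash to wantDigest, parses them,
// then verifies the config and every layer the manifest references.
func VerifyManifest(wantDigest string, manifestBytes []byte, blobs map[string][]byte) (*Manifest, error) {
	if got := Digest(manifestBytes); got != wantDigest {
		return nil, fmt.Errorf("manifest digest mismatch: want %s, got %s", wantDigest, got)
	}
	var m Manifest
	if err := json.Unmarshal(manifestBytes, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	for _, d := range append([]Descriptor{m.Config}, m.Layers...) {
		blob, ok := blobs[d.Digest]
		if !ok {
			return nil, fmt.Errorf("missing blob %s", d.Digest)
		}
		if err := VerifyBlob(d, blob); err != nil {
			return nil, err
		}
	}
	return &m, nil
}

// BuildSample constructs the toy image. The config and layer bytes are
// made-up stand-ins for real OCI content; only the digest wiring is real.
func BuildSample() (*Sample, error) {
	config := []byte(`{"architecture":"amd64","os":"linux","config":{"Cmd":["/bin/sh"]}}`)
	layer := []byte("constructed stand-in for a gzipped tar layer")
	m := Manifest{
		SchemaVersion: 2,
		MediaType:     "application/vnd.oci.image.manifest.v1+json",
		Config:        Descriptor{"application/vnd.oci.image.config.v1+json", Digest(config), int64(len(config))},
		Layers:        []Descriptor{{"application/vnd.oci.image.layer.v1.tar+gzip", Digest(layer), int64(len(layer))}},
	}
	manifestBytes, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return &Sample{
		Digest:      Digest(manifestBytes),
		Manifest:    manifestBytes,
		Blobs:       map[string][]byte{Digest(config): config, Digest(layer): layer},
		LayerDigest: Digest(layer),
	}, nil
}

func main() {
	s, err := BuildSample()
	if err != nil {
		panic(err)
	}
	if _, err := VerifyManifest(s.Digest, s.Manifest, s.Blobs); err != nil {
		panic(err)
	}
	fmt.Println("verified", s.Digest)
	// Flip one byte of the layer: the manifest still names the original
	// digest, so the content-addressed check rejects the altered blob.
	altered := append([]byte(nil), s.Blobs[s.LayerDigest]...)
	altered[0] ^= 0xff
	s.Blobs[s.LayerDigest] = altered
	_, err = VerifyManifest(s.Digest, s.Manifest, s.Blobs)
	fmt.Println("tampered layer rejected:", err)
}
```

Because the manifest is itself fetched by digest, trusting one 32-byte value pins the config and every layer transitively; a registry or an on-path attacker that swaps a layer cannot do so without changing a digest somewhere up the chain.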

Joining the containerd and Moby projects

This past September, I joined the containerd project as a security advisor. In March, I increased my involvement as a reviewer. And this week, I joined the Moby project as a maintainer. My colleague Kazuyoshi Kato wrote about joining containerd on his blog and I’ve been wanting to do that too.

Anatomy of CVE-2019-5736: A runc container escape!

Note: This post was originally published on the AWS Compute Blog. On Monday, February 11, 2019, CVE-2019-5736 was disclosed. This vulnerability is a flaw in runc that can be exploited to escape Linux containers launched with Docker, containerd, CRI-O, or any other user of runc. But how does it work? Dive in!