backdoor-image can be used to easily add user with passwordless sudo access to a image or a root filesystem.
Operating on an image requires the 'mount-image-callback' tool from
cloud-utils. That can be installed on ubuntu via apt-get install -qy cloud-image-utils.
| #!/bin/bash | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| sudo rm -rf /var/lib/containerd/devmapper/data-disk.img | |
| sudo rm -rf /var/lib/containerd/devmapper/meta-disk.img | |
| sudo mkdir -p /var/lib/containerd/devmapper | |
| sudo truncate --size 20G /var/lib/containerd/devmapper/data-disk.img |
To check if there are any processes are running in a namepace :
$ # Run as root:
$
$ nspath=/tmp/katapod/var/run/netns/cni-4f6eb895-1dfd-cd01-b54e-05ffbef9b0c5
$ inode=$(ls -i $nspath | cut -f1 -d" ")
$ pids=$(find -L /proc/[1-9]*/task/*/ns/net -inum $inode | cut -f3 -d"/" | uniq)
$ ps -p $pids
sudo add-apt-repository ppa:projectatomic/ppa
sudo apt-get update
sudo apt-get install podman uidmap
echo "$(whoami):10000:65536" | sudo tee /etc/subuid
echo "$(whoami):10000:65536" | sudo tee /etc/subgid
echo -e "[registries.search]\nregistries = ['docker.io']" | sudo tee /etc/containers/registries.conf
| for table in $(echo filter nat mangle raw security); do echo $table; iptables -L -v -n --line-numbers -t $table; done | |
| tcpdump -elnXXi |
Kernels can be found at https://kernel.ubuntu.com/~kernel-ppa/mainline/?C=N;O=D
For installing kernel 5.0.5 :
curl -LO https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.0.5/linux-headers-5.0.5-050005_5.0.5-050005.201903271212_all.deb
curl -LO https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.0.5/linux-image-unsigned-5.0.5-050005-generic_5.0.5-050005.201903271212_amd64.deb
Chameleon is a containerized setup for (automagically) configuring redsocks to aid in creation of a transparent proxy inside intel. Based on this, we first assume you have docker installed on the system.
You'll need to initially setup env variables for proxy such that you can install docker on the system. ex:
Hi if you are reading this document you may also want to create a kata Containers Release.
The Kata Containers Release Process is defined in the follwoing documents.
https://github.com/kata-containers/documentation/blob/master/Releases.md
To simply the process of read each release we have created a checklist for it.
https://software.intel.com/sites/default/files/managed/c5/15/vt-directed-io-spec.pdf
• Legacy pin interrupts
— For devices that use legacy methods for interrupt routing (such as either through direct wiring to the I/OxAPIC input pins, or through INTx messages), the I/OxAPIC hardware generates the interrupt-request transaction. To identify the source of interrupt requests generated by I/OxAPICs, the interrupt-remapping hardware requires each I/OxAPIC in the platform (enumerated through the ACPI Multiple APIC Descriptor Tables (MADT)) to include a unique 16-bit source-id in its requests. BIOS reports the source-id for these I/OxAPICs via ACPI