Software Engineer at NTT Corp. Interested in distributed systems and containers. Tweets are my own.
My twitter ID is "_AkihiroSuda_", not "AkihiroSuda".
Dockerfile now supports multi-line RUN with heredocs (<<eot)
```
# syntax = docker/dockerfile-upstream:master-labs
FROM debian
RUN <<eot
apt-get update
apt-get install -y vim
eot
```
Lima: Linux-on-Mac ("macOS subsystem for Linux", "@containerd for Mac"), with automatic file sharing, port forwarding, and @containerd integration.
Supports both Intel and ARM guests.
@_AkihiroSuda_ is a legend! His contributions are endless across the kernel, containerd, runc, buildkit, kubernetes and much more! Rootless, lazy pulling, so many features that have enabled scientific computing on #kubernetes! #kubecon
Congratulations!
Last week I had an opportunity to give an online lecture about containers to students at Kyoto University.
Thank you to @daisuke_k sensei for inviting me.
After nearly two years of development, nerdctl (@contaiNERD CTL) finally reached v1.0.0 🤓.
A huge thanks to more than 80 contributors, 4,600 stargazers, and an uncountable number of users, for making this possible! 🎉
Wrote a blog about @containerd 1.4 (released today). This release includes a lot of novel features such as “lazy-pulling”, SELinux MCS on CRI, cgroup v2, and Windows CRI!
I wrote “nerdctl”, a Docker-compatible CLI for contaiNERD, but I don’t think this name is good... Any suggestion for a better name? Needs to be unique, short, pronounceable, rememberable, and googlable.
The Docker/Kubernetes Security Practice Guide will be published soon. Covers UserNS, Rootless, SELinux, gVisor, Trivy, Dockle, Harbor, RBAC, Admission Webhook, Istio, SPIFFE, and whatever. Thanks to @Ladicle and @hiyosi for co-authoring this book with me!
Wrote a blog about Docker 20.10:
TL;DR:
- Works on CentOS 8 and Fedora by default (firewalld, cgroup2)
- Rootless GA
- `RUN --mount=type=(cache|secret|ssh)` GA
- Swarm Jobs
Released nerdctl (@contaiNERD CTL) v0.14.0.
- P2P image distribution using IPFS (by @TokunagaKohei)
- `nerdctl run` on Windows (by James Sturtevant)
- `nerdctl stats` (by @DorgaaFahed)
- `nerdctl compose (pull|push)` by Anders Björklund
and more!
CBI (Container Builder Interface): a vendor-neutral interface for building (and pushing) container images on top of a #Kubernetes cluster, with support for several backends such as #Docker, #img, #BuildKit, and #Buildah.
(my WIP project)
New project: diffoci (diff for Docker/OCI images)
The purpose is to help @ReproBuilds for supplychain security.
The attached screenshot compares the official `golang:1.21-alpine3.18` image with a local image built from its public source. [1/4]
Rootless Kubernetes (Usernetes) now supports setting CPU and memory resource limitation (requires cgroup v2 and systemd). The lack of the cgroup support was the main blocker toward upstreaming the patches. Now getting much closer toward upstreaming.
Lima v0.14 supports Virtualization.framework, including virtiofs and Rosetta for Linux
```
limactl start template://experimental/vz
```
Thanks to all contributors for making this possible!
Dockerfile (master-labs) now supports `ADD --checksum=sha256:...` for better supply chain security
```
# syntax=docker/dockerfile-upstream:master-labs
# ↑ Will be included in docker/dockerfile:1.5-labs
FROM scratch
ADD --checksum=sha256:...
```
Today we are happy to announce a new open source project, Finch. 🎉
Finch is a command line client for building, running, and publishing Linux containers.
Learn more in this blog from @estesp and @ChrisShort ➡️
#AWSCloud #containers #opensource
@acute_aura @CarfolioS @QuinnyPig @Docker
Lima is similar to Docker on WSL2, but s/Windows/macOS/, s/Docker/containerd/, s/Hyper-V/QEMU/, s/Proprietary/Open Source/.
The default engine is containerd, but it works with Moby and Podman too.
Lima is also adopted by Rancher Desktop.
Shipped a new binary release (v20180821.0) of Usernetes: Kubernetes as an unprivileged user. Now Usernetes supports both dockershim and CRI-O (thanks @gscrivano). containerd will be supported as well.
Weird. On macOS, bind("0.0.0.0:80") can listen on 127.0.0.1:80 (as well as other interfaces) without requiring the root, but bind("127.0.0.1:80") requires the root 🤔
Porting over the Rootless Docker port driver (RootlessKit) into Rootless Podman. This will solve a bunch of `podman run -p` issues, and yet significantly improve the throughput (8.3 Gbps -> 27.3 Gbps).
Released RootlessKit v2
This will be integrated to nerdctl v2 to bring:
- Accelerated `nerdctl (pull|push|build)`
- Proper support for `nerdctl pull 127.0.0.1:....`
- Proper support for `nerdctl run --net=host`
Released nerdctl (@contaiNERD CTL) v0.16.0
- Support `nerdctl.toml` for global configuration
- Support `hosts.toml` for configuring certs
- Improved @projectsigstore cosign integration
And more!
Thanks to the contributors
This PR enables `kind` to support Rootless Docker without patching Kubernetes, though it has dirty hacks such as bind-mounting regular files under /proc/sys to trick kubelet and kube-proxy. Rootless Podman will be supported soon as well.
NoRouter now works as a VPN-ish proxy that seamlessly brings clients into remote Docker/Kubernetes networks. No public IP is required. No privilege is required. The only requirement is shell accessibility (docker exec, kubectl exec).
Released Lima v0.17, with the new simplified CLI user experience
```
limactl create --vm-type=vz --mount-writable --name=foo template://docker
limactl start foo
```
This release also removes the dependency on `qemu-img` binary for VZ mode