Containers are considered to be a standard way of deploying these microservices to the cloud. Containers are better than virtual machines in almost all ways except security, which may be the main barrier to their widespread adoption.This article will provide a better understanding of container security and available techniques to secure them.A Linux container can be defined as a process or a set of processes running in the userspace that is/are isolated from the rest of the system by different kernel tools.

A look into what causes kernel panics and some utilities to help gainmore information.Working in a Linux environment, how often have you seen a kernel panic?When it happens, your system is left in a crippled state untilyou reboot it completely. And, even after you get your system back into afunctional state, you're still left with the question: why? You may have noidea what happened or why it happened. Those questions can be answeredthough,and the following guide will help you root out the cause of some of the conditionsthat led to the original crash.

Jonathan Corbet wrote a document for inclusion in the kernel tree, describingbest practices for merging and rebasing git-based kernel repositories. As he putit, it represented workflows that were actually in current use, and it was a livingdocument that hopefully would be added to and corrected over time.The inspiration for the document came from noticing how frequently LinusTorvaldswas unhappy with how other people—typically subsystem maintainers—handledtheir git trees.

David Howells put in quite a bit of work on a script,./scripts/syscall-manage.pl, to simplify the entire process of changing thesystem call tables. With this script, it was a simple matter to add, remove,rename or renumber any system call you liked. The script also would resolvegitconflicts, in the event that two repositories renumbered the system calls inconflicting ways.

Steven Rostedt wanted to do a little housekeeping, specifically with the functiontracing code used in debugging the kernel. Up until then, the kernel could enablefunction tracing using either GCC's -pg flag or acombination of -pg and-mfentry. In each case, GCC would create a special routine that would execute at thestart of each function, so the kernel could track calls to all functions.

Note: this article is a followup to Zack Brown's "AndroidLow Memory Killer—In or Out?"

The kernel this. The kernel that. Peopleoften refer to one operating system's kernel or another withouttruly knowing what it does or how it works or what it takes to makeone. What does it take to write a custom (and non-Linux) kernel?

Often, a kernel developer will try to reduce the size of an attack surface againstLinux, even if it can't be closed entirely. It's generally a toss-up whether such apatch makes it into the kernel. Linus Torvalds always prefers security patches thatreally close a hole, rather than just give attackers a slightly harder time of it.

Mike Rapoport from IBM launched a bid to implement address space isolation in the Linuxkernel. Address space isolation emanates from the idea of virtual memory—where thesystem maps all its hardware devices' memory addresses into a clean virtual space sothat they all appear to be one smooth range of available RAM. A system that implementsvirtual memory also can create isolated address spaces that are available only to partof the system or to certain processes.

Remember a.out binaries? They were the file format of the Linux kernel tillaround 1995 when ELF took over. ELF is better. It allows you to load sharedlibraries anywhere in memory, while a.out binaries need you to registershared library locations. That's fine at small scales, but it gets to bemore and more of a headache as you have more and more shared libraries todeal with. But a.out is still supported in the Linux source tree, 25 yearsafter ELF became the standard default format.

One of the jobs of the Linux kernel—and all operating systemkernels—is to manage the resources available to the system. When those resourcesget used up, what should it do? If the resource is RAM, there's not muchchoice. It's not feasible to take over the behavior of any piece of usersoftware, understand what that software does, and make it more memory-efficient. Instead, the kernel has very little choice but to try toidentify the software that is most responsible for using up the system'sRAM and kill that process.

The Linux kernel stack is a tempting target for attack. This is because thekernel needs to keep track of where it is. If a function gets called, whichthen calls another, which then calls another, the kernel needs to rememberthe order they were all called, so that each function can return to thefunction that called it. To do that, the kernel keeps a "stack" of valuesrepresenting the history of its current context.

Periodically, the kernel developers debate something everyone generallytakes for granted, such as the length of a line of text. Personally, I likelines of text to reach both sides of my screen—it's just a question ofnot wasting space.Alastair D'Silva recently agreed with me. He felt that monitor sizes andscreen resolution had gotten so big in recent years, that the kernel shouldstart allowing more data onto a single line of text. It was simplepragmatism—more visible text means more opportunity to spot the bug in adata dump.

KUnit has been seeing a lot of use and development recently. It's the kernel's new unittest system, introduced late last year by Brendan Higgins. Its goal is toenable maintainers and other developers to test discrete portions of kernelcode in a reliable and reproducible way. This is distinct from various forms oftesting that rely on the behavior of the system as a whole and, thus, do notnecessarily always produce identical results.

Kernel development is always strange. Andrea Parri recently posted a patch tochange the order of memory reads during multithreaded operation, such that ifone read depended upon the next, the second could not actually occur before thefirst.The problem with this was that the bug never could actually occur, and the fixmade the kernel's behavior less intuitive for developers. PeterZijlstra, inparticular, voted nay to this patch, saying it was impossible to construct aphysical system capable of triggering the bug in question.

CGroups are under constant development, partly because they form the core ofmany commercial services these days. An amazing thing about this is that theyremain an unfinished project. Isolating and apportioning system elements is anongoing effort, with many pieces still to do. And because of security concerns,it never may be possible to present a virtual system as a fullyindependent system. There always may be compromises that have to be made.

The printk() function is a subject of much ongoing consternation amongkernel developers. Ostensibly, it's just an output routine for sending textto the console. But unlike a regular print routine, printk() has to be ableto work even under extreme conditions, like when something horrible isgoing on and the system needs to utter a few last clues as it breathes itsfinal breath.

How much do you know about your kernel?Like really know?Considering how critically important the Linux kernel is to the world—and,perhaps just as important, toour own personal computers and gadgets—it's rather amazing how little mostpeople actually know aboutit.

Three kernel developers describe what it's really like to work on thekernel, how they interact with developers from other companies, some petpeeves and how to get started.Like most Linux users, I rarely touch the actual code for the Linuxkernel. Sure, I've looked at it. I've even compiled the kernel myself on ahandful of occasions—sometimes to try out something new or simply tosay I could do it ("Linux From Scratch" is a bit of a right of passage).

Joel Fernandes submitted a module to export kernel headers through the/proc directory to make it easier for users to extend the kernel withoutnecessarily having the source tree available. He said: