Podman and user namespaces: A marriage made in heaven | Opensource.com

User namespaces allow you to specify a user identifier (UID) and group identifier (GID) mapping to run your containers. This means you can run as UID 0 inside the container and UID 100000 outside the container. If your container processes escape the container, the kernel will treat them as UID 100000. Not only that, but any file object owned by a UID that isn’t mapped into the user namespace will be treated as owned by “nobody” (65534, kernel.overflowuid), and the container process will not be allowed access unless the object is accessible by “other” (world readable/writable).

Podman and user namespaces: A marriage made in heaven | Opensource.com https://opensource.com/article/18/12/podman-and-user-namespaces
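To make the mapping described in that excerpt concrete, here is an added example (not code from the article or from Podman) that models the kernel's `/proc/<pid>/uid_map` format and shows both directions: which host UID a container process really runs as, and why a file owned by an unmapped host UID looks like `nobody` from inside. The sample map (`0 100000 65536`) is constructed for illustration.

```python
"""Model of the Linux user-namespace UID mapping (added example).

The map format is the one the kernel exposes in /proc/<pid>/uid_map:
one "inside outside count" triple per line. SAMPLE_UID_MAP below is a
constructed example, not taken from a real system.
"""
from __future__ import annotations
from dataclasses import dataclass

OVERFLOW_UID = 65534  # default kernel.overflowuid, shown as "nobody"


@dataclass(frozen=True)
class Extent:
    inside: int   # first id as seen inside the namespace
    outside: int  # first id as seen by the host kernel
    count: int    # number of consecutive ids in this extent


def parse_uid_map(text: str) -> list[Extent]:
    """Parse the contents of /proc/<pid>/uid_map into extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        extents.append(Extent(*map(int, fields)))
    return extents


def to_host(extents: list[Extent], inside_uid: int) -> int | None:
    """Host UID the kernel uses for a process running as inside_uid.
    None means the id is not mapped: no process can hold it in this namespace."""
    for e in extents:
        if e.inside <= inside_uid < e.inside + e.count:
            return e.outside + (inside_uid - e.inside)
    return None


def seen_from_container(extents: list[Extent], host_uid: int) -> int:
    """Owner id a container process observes on a file owned by host_uid.
    Unmapped host ids collapse to overflowuid, so only the 'other' bits apply."""
    for e in extents:
        if e.outside <= host_uid < e.outside + e.count:
            return e.inside + (host_uid - e.outside)
    return OVERFLOW_UID


SAMPLE_UID_MAP = "         0     100000      65536\n"  # constructed sample
```

Reading `/proc/self/uid_map` from inside a rootless Podman container and feeding it to `parse_uid_map` shows the real extents the article is talking about.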

LXD 3.8 has been released – News – Linux Containers Forum

LXD 3.8 has been released – News – Linux Containers Forum https://discuss.linuxcontainers.org/t/lxd-3-8-has-been-released/3450

Kubernetes Services By Example – OpenShift Blog

In a nutshell, Kubernetes services are an abstraction for pods, providing a stable, virtual IP (VIP) address. As pods may come and go, for example in the process of a rolling upgrade, services allow clients to reliably connect to the containers running in the pods, using the VIP. The virtual in VIP means it’s not an actual IP address connected to a network interface but its purpose is purely to forward traffic to one or more pods. Keeping the mapping between the VIP and the pods up-to-date is the job of kub

Source: Kubernetes Services By Example – OpenShift Blog

A brief introduction to how Linux containers are designed | Opensource.com

A brief introduction to how Linux containers are designed and image signing.

Source: A brief introduction to how Linux containers are designed | Opensource.com

This is a good high-level description of containers and why migrating your web apps to them is a good idea.

The rise of containers sparks #GIFEE and changes the world

This may sound a bit like an older technology called virtualization, but tools like DC/OS and Kubernetes take things much further. For one, they can run massive quantities of software far more efficiently than virtualization ever could. “The magic of the container world is that the computational overhead is far less than full virtualization,” says Mike Stoppelman, the senior vice president of engineering at Yelp, which now runs its operation at DC/OS. “Even today, moving around a 20 megabyte container is so much easier than moving a 100 megabyte virtual image … and the network traffic created by this stuff is an order of magnitude less.”

— You Want to Build an Empire Like Google’s? This Is Your OS | WIRED http://www.wired.com/2016/04/want-build-empire-like-googles-os/

Good article that covers the basics of the new containerized world and serves as an introduction to the concept of “Google infrastructure for everyone else” #GIFEE. I think this is the future.