BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.all-systems-go.io//all-systems-go-2025//PX3TGS
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-all-systems-go-2025-SPGAXS@cfp.all-systems-go.io
DTSTART;TZID=CET:20251001T121000
DTEND;TZID=CET:20251001T123500
DESCRIPTION:Going for minimal containers with restricted system calls and u
 nprivileged users is the usual Kubernetes approach these days\, and it wor
 ks great for most web apps. However\, the development of more complex infr
 astructure extensions frequently hinders application functionality.\n\nWhi
 le looking for a solution to deploy virtiofsd in an unprivileged container
  for KubeVirt\, we stumbled on seccomp notifiers. Seccomp notifiers are a 
 kernel feature that monitors syscalls and sends notifications to a userspa
 ce application when a syscall is executed.\n\nAlternative options involved
  either the use of a custom protocol using UNIX sockets or the deployment
  of virtiofs as a privileged component alongside the unprivileged VM.\n\nA
 fter our evaluation\, the seccomp notifier turned out to be the simplest s
 olution among all the choices. Unfortunately\, the main constraint is the 
 monitor's resilience after a restart\, such as after a crash or an upgrade
 . This limitation forced us to fall back to one of the less elegant approa
 ches. But there is hope that this could be solved!\n\nThe session will exp
 lain why seccomp notifiers are a lean solution to avoid extra userspace co
 mmunication and synchronization\, the current limitations and possible fut
 ure solutions to overcome today’s challenges.
DTSTAMP:20260315T024633Z
LOCATION:Loft
SUMMARY:Privilege delegation for rootless containers\, what choices do we h
 ave? - Alice Frosi\, German Maglione
URL:https://cfp.all-systems-go.io/all-systems-go-2025/talk/SPGAXS/
END:VEVENT
END:VCALENDAR
