RT @gnawux: Actually the entire work was done by infra security team of AntGroup, where @Terenceliqiang come from. And our container infra….

Through this whitepaper, we aim to share the insights and practical implementations behind AntCWPP, contributing to the evolution of the container security ecosystem and raising awareness of the security risks associated with AI agent runtime environments.

This solution is designed to support traditional workloads—both online and offline—while offering exceptional value for AI agent workloads, addressing their unique security challenges.

By integrating the strong isolation capabilities of Kata Containers with the reliable, security feature rich of eBPF, AntCWPP represents a significant leap forward in next-generation container security.

We are thrilled to announce the release of the AntCWPP Whitepaper, which details Ant Group's innovative approach to container runtime security.

初学者的角度记录了调试transformer的推理过程。《大模型是如何进行推理的？-transformer的一点代码调试分析》

下一个 项目起名，这个也是痛中通.

Worth read, Netflix debug story is always quite interesting.

最近在学习赖总的PVM(，发现其融合了lguest、xen、kvm等技术，特别是lguest的思想，所以需要深入研究lguest，首先就遇到一个跑不起来。记录了一下跑不动的bug和解法。.

Does landlock have a roadmap to support network access control based ip/ipblock/domain ? There are lots of requirements for this. I have implemented a sandbox which have nearly perfect process/file access control. But the networking(ip/domain) solution is not perfect currently.

The FIM in production is not easy. I also thought of the inode-based method, but don't find a way to monitor the inode change. Seems the answer is also eBPF.

最近分析了gVisor的一个问题，细看之下是 在容器中mount procfs的问题，简单记录一下。当然，主要目的还是为了让blog在2023的文章不为空。. 《mount procfs in unprivileged container》.

gVisor is quite powerful, we have used it in behaviour monitor and access control.

Oh, just notice my post was referenced in this. It's

I have a topic in this year's @HITBSecConf next month. Build a process-level sandbox based VM, and with networking and system-level security policy.

RT @rhatdan: A little more then one week until the #containerplumbing conference. March 22nd and 23rd, 1300 UTC to 1800 UTC. 9:00-1:00 EDT.….

看到北京这一波感染之后，我的观点从“早阳早浪”变成了“能苟一天是一天”😂😂😂.

Interesting vul. Also it seems that the redhat portal is totally wrong referenced to another issue:

开源社区的同行也是形形色色的。我前段时间花了两天一晚定位了kprobe的一个bug，发了patch 也一直在pending，催了两次一直没merge，懒得管了。.

Just see that Falco has support gVisor .Then any plan to support Kata? @sysdig 😂.