BEGIN:VCALENDAR
VERSION:2.0
PRODID:Linklings LLC
BEGIN:VTIMEZONE
TZID:America/Denver
X-LIC-LOCATION:America/Denver
BEGIN:DAYLIGHT
TZOFFSETFROM:-0700
TZOFFSETTO:-0600
TZNAME:MDT
DTSTART:19700308T020000
RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=2SU
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0600
TZOFFSETTO:-0700
TZNAME:MST
DTSTART:19701101T020000
RRULE:FREQ=YEARLY;BYMONTH=11;BYDAY=1SU
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:20260422T000712Z
LOCATION:607
DTSTART;TZID=America/Denver:20231113T105500
DTEND;TZID=America/Denver:20231113T110000
UID:submissions.supercomputing.org_SC23_sess448_ws_canolt102@linklings.com
SUMMARY:New Root Emulation Mode for Charliecloud Using seccomp
DESCRIPTION:Megan Phinney (Los Alamos National Laboratory (LANL))\n\nCharl
 iecloud, LANL’s lightweight unprivileged container implementation, has a n
 ew root emulation mode as of version 0.32. We use this to tell programs, w
 hich are usually distro package managers, they have real root privileges e
 ven though they are running as a normal (although containerized) user. Our
  new mode uses the kernel’s seccomp(2) system call filtering to first cons
 truct a BPF program that specifies allowed system calls. It then intercept
 s certain privileged system calls, does absolutely nothing and returns suc
 cess to the program. \n\nThe advantages of this new mode are that it is si
 mpler, faster, completely neutral to libc and mostly neutral to distributi
 ons. The disadvantage is that even the most hasty consistency checks will
  fail as most programs seem to not do any checks at all. For the few progr
 ams that do check and do apt/apt-get, it offers a hook to prevent
  certain programs from asking for it. \n\nThis lightning talk will discuss
  how this new root emulation mode uses the kernel’s seccomp filter to crea
 te a new fully unprivileged container build approach, along with its advan
 tages and disadvantages.\n\nRegistration Category: Workshop Reg Pass\n\nSe
 ssion Chairs: Richard Shane Canon (Lawrence Berkeley National Laboratory (
 LBNL)); Alberto Madonna (ETH Zürich, Swiss National Supercomputing Centre 
 (CSCS)); Laurie A. Stephey (Lawrence Berkeley National Laboratory (LBNL), 
 National Energy Research Scientific Computing Center (NERSC)); and Andrew 
 Younge (Sandia National Laboratories)\n\n
END:VEVENT
END:VCALENDAR
