Brussels / 2 & 3 February 2019


An operator-centric way to update application containers with AtomFS

Operators today have a problem when they want to update application containers: they have to go ask the developers to re-build and re-test the container. That's because application containers today are a bit-for-bit representation of the container that the developer ran.

An insight here is that applications probably don't care about which versions of what libraries are in use: any reasonable libc, python3, ssl, etc. will do. But today, to fix a CVE in SSL, an entire container rebuild is required.

Enter AtomFS. AtomFS is an entirely userspace tool designed to allow operators to update individual libraries inside app containers. In this talk Tycho will cover how the tooling works, as well as what changes are needed to make application container builds work with AtomFS.


Tycho Andersen