From YouTube: GMT 2018-06-14 Containerization WG
A
So I added to agenda item to this meeting. So basically it's the the the single change, we're gonna make on containerized a part in near 10, which is like very likely we're. Gonna blend this purchased some time this way on next week. So the first one is a pretty simple one. So right now we to enable each single subsystem like CPU and memory and the others. We rely the user to consume the isolation flag, Asian, flag and I specify each sips assistant.
A
They would like to use in their agent in their agent configuration and now some people might like. They expect the auto detection of the of the sequel subsystem, which means like they gonna read the kernel config file on the host and then file like what are their is the products sick of system and what and which range of them are enabled by default by the kernel and just less and then consume those subsistent automatically.
A
So if the user specify the secret or for the isolation, so all the available stickups assistant on this machine, gonna be gonna, be enabled for missiles and the somatic here it is biocompatible and if some people like they specify, Siegel or and sequel CPU, and if, if the seagull or is single slashed or is specified or the other subsistence, it cannot be acknowledged, which means we always detect. The hosts file system, see group and then all the other specifies is what will be will be included.
A
So just the current somatic is like the single CPU gonna be ignored. We still just do sequel or if the user specifies two of you just to see you all. Okay, that's the current somatic. We think we think like we think this is very compatible and everything like if the user specify see you all, they suppose not specified the others. If they do oh yeah, they are gonna, be ignored. It. Okay can.
B
A
B
A
A
A
Another somatic change we have for the seagull or it is the it is the perfect thing so seriously. The awesome ethic we have for the perfect man. It is like. If users want to consume per frame rail and do sampling on something, then they have to express this to specify what events they are by using this agent frag, and they also need to specify the sequel perfectly event subsystem.
A
A
They can enable the horrific event subsistent and in and turned it on, but they will not do any sampling if they don't have any event specified by the user. So so this is. This is not. This is just like another chance to compare to our peers behavior because peers seriously. If you don't specify perfect, then we just written an error now. Instead, we don't return an error. We just enable empty perfectly been subsisting.
A
So so this la this change allow us to get rid of the dependency of the of the perf comment. Librarian so case life. I remember we checked the comment: I version to be the minimum minimum version, and now, if we don't do sampling, we don't rely on that. So this and not a change we have, we can make yeah. Basically, it's just very simple small feature. Any questions about auto detection on civil subsystem.
B
A
Are did it in our chain, so we we update all the agent fret and agent configuration doc and we upgrade the we are going to table in upgrade up and as well as we add a very clear cinematic change in the upgrade of MD yeah I think they are already on on the reviewable patch. We could take a look if necessary, okay, so this is the yeah I think we could move the neck move to the next one. You only have to add gender identity, so the next one. It is.
A
So the motivation about of this it is like the user expect they could have civil namespace and under one one single container inside of one single container, they could only see their own sigil and they could not see all the other container sigil and that different way to achieve this. So the most refer way. It is like just from a new single system, but it is not the product by some of the okra know like CentOS 7 and, alternatively, darker have been doing this for a while.
A
They just buy mom the the single the 6 FC go to the continue and and for each of the subsystem, and so which makes the continuous self can only sees its own single. So this is a very happy solution, and but unavoidably we have to do this for for some Oh Colonel, because because for most of the user on production, they are still using some kind of side of the okra and they they can rely on this hack. So we I think we list out all the possible solutions here as I mentioned.
A
Basically, they are two of them and we so in this way, because it is a hack, we start to inject, with introduce a new age of rec to to control this behavior and by default it is forced, which means we don't we don't buy differently by different. We don't do the Seco FS by mount our missiles, and we rely on a new agent rack. Then we did not decide the name yet so right now we name it as sigil in naval containers spesh specific mount this asian threat if it is specified as true we're gonna.
A
C
Hi Jason here so I, so sorry, I didn't get that like much time to comment on this talk but like my I propose them understood this ticket and I was I was having like kind of more. You know a comprehensive thought about this, so it's it's. This agent flag is more like a configurable and there are several levels in here.
A
C
So maybe like the dolphin issue or container specific and and then just does it that in the doctor way that's option two and that's already one our chance I'll be mentioning and then option three is the map I'm not all up, to see groups to the inside of a container and then optionally would have a sub flag from our old tool to mark it as read only so that's option, three yeah.
C
C
Two is what doctors are currently doing so by mounting all of C groups and then hiding hiding, like you know, kind of name spacing and then only down to the severs the container the container kids are in. So that's a doctor way right, III.
B
See so so Gilbert I think he's not I. Think Jason, what's a sunset, is you have three options? One there's no secret mount at all in the container number two. You have secret mount in the container, but those the amount would be exactly the same as what you have on a host. Yeah and number three is what docker does right now? Is they buy mount a corresponding signature to the root of the C group hierarchy, subsystem Araki?
C
B
C
Actually could be some of the use cases in this case. For this, for example, item you know be more privileged to a more privileged like containers, and they do use this and likely I mean I. I can put this common on. The dock am I, saying like I'm. More likely we could have am ia agent flag somewhere.
C
Oh sorry, like am ia container info flag, for example, in the leaks in for whatever and saying this is no our privilege, and that means them. You know for this particular container and it's allowed to set, as you know like not to do to visit all of their see. Groups are from the host and.
A
C
C
D
Think you hear me hi, it's James I'm, pretty negative on adding container flags, especially for the zero case where you don't want it at all. So I I struggle to see a downside in having a a sensible default which is attach the C groups for the container I can see that you'd need a certain kinds of privileged containers it you might want. You want to optionally on a per container basis, yeah give to give that visibility or control of all the system.
D
D
B
B
The option to my understanding option two: is you see the same exact cedar mountain as the host, as you can you're just poking on your mounting space that you haven't changed anything option? Three? Is you do the doctor way? Basically, in the first coming see, group I suppress the memory it may so slash container ID 2/5 seeks justify see group memory, so the contingency on the root of the CFS secretive memory is essentially on the curse founding C group on the host. You do I not like this, so that the difference is so.
D
C
D
C
B
C
B
B
D
I think they're, not the knobs around the knobs should be around visibility. Access control, so I can imagine a knob where a specific container I want to see everybody's cgroups, all the secrets on the system and imagine a knob where a specific container should have like right access to it. Although that sounds a little wonky I, don't know that I'm not sure if there's a use case for anything except the agent really writing to the secret. The cgroups.
C
So writing I think that would be a use case for for some of no. So writing, I think like ma by default. For all the all the system is a secret system. Trees and probably like right accident is not the best idea, but for the container specific I can see some up some of the more system. You know these cases using that okay.
C
B
I think I like this way. I think it soccer way should not be the standard I think if we have sequin any space support that we should just go that way right and then we just leverage secret namespace. If we don't have secret namespace, we fall back to the talker way of doing by amounts and I. Think for for this option.
B
I I think to just go the words that direction, but I think we still have to have discussion on like the what those knobs will be looked like a API, because I think, maybe we don't even need to do. This I would take a learnable default and we we are adding this to foreign oil from API to allow pretty much the customer, because eventually I think customer wash to customize that yeah for continued have different use cases and they want different notes.
B
C
A
C
B
B
A
B
It's an automatic change for the continue that have you FS. It's a semantic change when the container is running on the host power system because they have access to those secret. The rack they previously and Darren III depends on what the people will be right if they will choose the people to be on the darker way, guys it's gonna, break them. I! Think that that's a good point that we might want people- oh yeah,.
B
B
D
B
No, that's not true. I want to do it consistently. Like gif. We say we want to go as a docker way. I, don't want a container to see other 1c groups and I think even the container on the host processor. We just really do it by amounts you to hide them. You see it's a secret product containers just so silly and.
D
D
What I'm saying is that I think it container either has a root hair face, or it has the host of this. It shouldn't have a quasi bits of both, like you can imagine, a container which has the host FS and its own dev or its own /proc and everything. But once you get once you start building these intermediate states, it becomes very hard to. You know even talk about what you have yeah.
B
B
C
I I can I can kind of reflect on how system do you would do those things and system D would actually have some. You know kind of protect us not protect a mono flag, and that would actually, but by mount some of those things as read-only you or even hide them for that for the tasks with or without like people runing, so I think we can. We can consider this as a reference.
B
C
D
Again, I think this is well case where it adds a lot of complexities of the implementation and to the documentation to like operators. But is it really adding a lot of valley I? Think if you can say we have a container and that's a well-defined notion. That's great! The all. These intermediate states are really hard to explain and hard to use and they just add complexity for everybody.
D
A
The chameleon circuit executor is a heck, but for the device you killed our likeness the container we have also, you also need to like do a 10-episode mount, because after this sis address, they said six FS month. If we don't do at NFS bound, we could not like mumbles, except sequel to the continue. So the current implementations are already complicated, so I don't know what you're gonna look like, but for now we make the behavior consists consistent as it's like what you mentioned. We we we make like we've lived our image.
B
A
I think I think maybe you should lie on the decide. Doctor Jason. Do you think you have time to add comments? Okay, that would be simple: I'll. Do it today, yeah yeah and just just maybe just not come and just just modify the documentation, and then we could sync up on the Google Doc for the more option, and then we could decide where they're not renew an new agent ray and rather than that, we need to defy consistently fail. Behavior for with or without you, FS yeah I'll put output like mother D.
C
A
C
D
I guess one last thing: I'd be more convinced about the host file system. If it was, if we had a plan to kind of make a consistent across all the different Isolators or different things. We do so. If you could say you get the host file system but say devices and C groups and proc FS, and all these other namespace Matt namespace variety of things, work consistently. Then I think that that would be. That would address my concern about complexity, I.
C
Thinking about that, I actually have a good point about keeping the host file systems so keeping like the sequence. If you know the container actually shares with the host file system. So, for example, is running systemctl. It's a subsidy, I, actually read amar. The see groups like you know kind of religiously about determining all of those some of the things and if you kind of the namespacing them into their own, see groups and then systemctl would fail, but.
D
C
So system studio if, for example, OG, like one container, actually uses the hosts file system and then in runs the system ctos to start process, and you know if those those container like mount points are kind of namespace that mean its own students, and this way a system studio would not work well. Yeah.
B
I think I think we conflated the house file system continues case. I think we have different use case for that, for example, one use cases has nothing to do with the house file system. I just want to launch some java applications. I don't use any of those systems file system dependencies I have my own dependencies I. Don't.
B
B
D
B
D
D
So you can run if you have something that has no dependencies. You can just as easily run that on something with a generic container, for as you can on something day, it's the host file system. So it's not it's not a requirement around the host fastest and this just I, don't know it like do Reni Reni, odd.
A
D
E
D
B
I think that's for an option like using a default container for those use cases and the restrict the hosts file system access to only those privileged to container that do want to interact with system. The host house is like using systemctl or three something so I think something interesting receiver, something like this yeah. That's.
C
A
B
Like we should do that right now, I'm just saying like this kind of sounds like the right direction. We can do that in a phased approach where we can do something first and get gradually towards that goal. I think the design dog should figure out that exactly the face by face 1 phase 2 phase 3 will stay event, work on something like this yeah.
A
B
A
Sure, yeah I think I think for the decide right now we only focus on the Jason's option. What what what we currently have like just by mungus ago, from the host to the continue and I think yeah we could. We could just follow up on this decide or for the other for the other fix and so that we could consolidate the plan. What we gonna do, whether or not we need a new agent fret and do we need to change the default cinematic. That's good, I think.
C
A
A
Enjoy I think I think you already got started with. The second is I so but I think if you just get started like two days ago, maybe you could have some per person next time, all the time or like four weeks later after four weeks after about the second discussion and become on the working group meeting.