►
From YouTube: Mesos Containerization WG 06 29 2017
Description
https://docs.google.com/document/d/1z55a7tLZFoRWVuUxz1FZwgxkHeugtc2nHR89skFXSpU/edit?usp=sharing
Agenda/Notes:
[YanX, Jason, Gilbert] pre/post hook discussion
[YanX] preliminary doc about the problem and the thoughts
[Jie] sounds good. The key is to figure out the “context” where those commands will be executed. For instance, what namespaces (agent/container) the commands can assume? What cgroup those commands will be put into? What filesystem (agent/container) the command will assume?
[Jie] hooks within the container context can be done via a nested container by the executor?
[Jie] What’s the relationship between isolator container work? Will isolator container be sufficient for the use case?
[Jpeach] Linux capabilities enhancement, MESOS-7671
[Jpeach] Demo on the new linux capability improvement using mesos-execute
[Greg] Authorization on what capabilities a framework can grant a container?
[Jpeach] Host port isolation, MESOS-7675
[Jie] ephemeral port? Libprocess based executors are binding to a port that is not allocated by Mesos. Work around: only scan advertised ports (i.e., ‘port’ resources).
Status update
Planning spreadsheet
A
A
B
B
B
B
B
D
B
About
this,
let's
do
trying
with
the
discussion
and
unbox
there,
the
first
day
finishing
in
20
minutes
and
and
the
next,
the
next.
Like
the
35
minutes,
we
James
doing
a
total
inactivity,
stuff
I
hope
you
can
wrap
it.
That
I
wrap
this
up
in
like
15
minutes
and
then
the
rest
of
the
discussion
on
a
host
for
I
follow
the
Democrat
sounds
good.
Okay,
I
think,
like
I,
seem
to
have
a
pretty
tight
schedule.
Let's
get
started,
okay,
sharing
the
screen.
All
right,
I
will
fine.
E
E
E
F
E
E
B
But
it
can
be
started,
certainly
as
at
the
start
of
the
container
lifecycle
you
just
don't
given.
If
it's
hooks
the
host
doesn't
have
to
terminate
right,
you
can
have
it
like
a
pope.
If
it's
like
a
in
in
this
terminology,
a
post
start
book,
it
doesn't
have
to
terminate,
it
can
be
a
long-running
thing.
I
guess:
there's
there's!
No,
no,
no
reason
to
say
that
that
shouldn't
happen,
but
basically
we
have
these
cases
and
right
now.
B
What
we're
doing
is
that
we
have
a
custom
isolator
module,
which
is
just
you
know,
calling
out
a
whole
bunch
of
commands,
and
then
we
decided
to
do
more.
Then
we
started
to
think
well.
Why
don't?
We
just
have
this
as
a
very
generic
thing
and
just
specify
these
commands
as
hooks,
and
we
can
then
execute
them.
So
that's
what
we
want
to
do
it.
Okay,
so
I
have
a
long.
I
have
a
couple
questions.
B
One
questioning
is
who's,
gonna
specify
the
command
is
the
framework
that's
been
extracted
by
the
commands
aboard
the
isolator
rider
or
the
operator
operator
is
in
the
specify
the
command
for
those
priests
are
in
both
also
so
I.
In
this
particular
case,
there
are
two
things:
one
I
think
it
will
make
more
sense
to
be
specified
by
the
operator
and
to
definitely
it's
going
to
be
executed
in
the
host
context
rather
than
the
container
context,
and
because
it's
doing
so,
there
are
two
things
that
the
hooks
can
be
associated
with.
B
B
E
B
D
B
B
No
I
was
just
saying
we
can
already
do
that
right.
We
have
launch
command,
launch
info
and,
and
the
launch
info
has
three
exact
commands
so
right
now
these
three
exact
commands
are
specified
by
are
prepared
by
individual
Isolators,
but
I
don't
see
the
reason
they
cannot
be
specified
by
the
operators
so.
C
B
B
So,
even
for
people
we're
talking
about
the
commands
that
gets
executed
in
the
hosts
contacts
and
certainly
shouldn't
lock
either
the
Asian
or
the
container
is
a
should
just
block
the
lifecycle.
Progress
of
that
container
itself.
Okay,
so
yeah
yeah
I
think
like
I.
Think
I
have
another
question.
Sorry,
sorry
about
that!
So
I
have
another
question
because
I
refine.
So
so
the
question
is
like
a
dimensional.
You
want
some
process
to
be
long-running
inside,
like
a
long-running
process.
Sort
of
like
a
bicarb.
C
B
C
B
D
B
Use
net
the
container
right,
so
the
teacher
can
launcher
your
custom
ethic.
Here
is
a
launcher
container
inside
the
pot
like
instead
of
like
the
Epicure
container,
and
that
would
be
long
run
as
you
can
maximize
site
where
right,
certainly
1%,
so
so
I
do
think
there
are
there
cases
that's
not
covered
by.
You
know
the
rivet
of
the
work
that
other
projects
have
done
so
and,
and
that
could
be
actually
what's
pretty
interesting
for
us.
Okay,
okay,
okay,
guys
get
some
background
like,
for
example,
on
P
I
post,
our
pre
stop
in
kubernetes.
B
You
know
like
a
what,
like
that,
a
command
that
user
can't
specifying
the
path
back
and
then
basically
like
a
user
guide,
oh
right,
so
so
in
this
case,
well,
I
realized.
If
I
click,
these
links-
oh
well,
I
will
I
lose
the
screencast,
no
I
think
you're
high
okay.
So
actually
so
this
is
the
link
to
the
definition
of
a
hook
or
a
handler
in
kubernetes.
So,
as
you
can
see,
it's
it
could
be
so.
Criminales
has.
B
B
Where
are
you
specified?
You
should
be
just
in
in
the
definition
of
the
containers
so
I
differently
here
and
you
have
this
bag
containers
and
in
a
containers
you
have
a
life
cycle
and
pre-start,
a
post
start
and
free
stop
and
give
it
a
bunch
of
system
and
it's
guaranteed
add
those
commands
with
me
executing
the
hoax
post
environment.
I
get
this
in
Cooper
I
know
so
in
this
case
it's
actually
executed
in
the
container
okay.
So
that's
a
slight
a
different.
E
B
The
stuff
you
guys
want
to
do
because,
if
I
understand
correctly,
what
you
guys
wants
to
do
is
have
some
problems
in
the
agent
process
aging
like
namespaces
on
to
do
privileged
stuff.
Where
is
different,
like
kubernetes,
like
basically
view
things
of
like
there,
those
posts
are
and
creeps
up
things
you
cancel
in
from
the
garage
I.
Oh
that's
pathetic!
You
really
want
to
right.
So.
B
So
here
here's
the
bucker
to
get
it
by
basically
copied
over
some
comments,
so
I
think
in
in
our
case.
We
have
basically
the
same
concerns.
You
have
some
commands,
so
we
we
don't.
We
don't
currently
have
the
use
cases
for
for
these
kind
of
hooks
inside
of
the
container
context,
but
I
think
it's
it's
just
generally.
Not
that
I
would
imagine
people.
Some
people
would
have
desire
that.
B
Who's
going
to
execute
the
commands
so
right
now
we
have
three
back
commands,
which
is
done
by
the
launcher,
but
I
think
do
things
at
a
later
stage,
but
also
instead
of
the
container
context,
I
mean
we
have.
We
have
methods
just
to
insert
the
container
and
the
correct
exact
commands
there,
so
you
shouldn't
artificially
bit
difficult
for
us
to
do
either,
even
though
we're
not
currently
doing
anything
like
this
yeah
I
think,
like
I
mean
depends
on
what
you
need
right.
B
B
Or
like
just
depends
on
what
semantics
you
long
do
you
want
to
do
on
that
commands?
We
share
the
same
files
inside
the
container.
You
want
to
command
to
share
the
same
name
spaces
in
the
container,
or
do
you
want
to
convention
share
the
same
key
group
called
us
to
compare
like
oh
respond
to
those
questions,
but
I
think
I,
oh
I,
think,
like
I
mean
actually
they're
doing
like
those
things
like
this
make
sense
to
me.
B
F
B
Definitely
don't
want
user
offerings
to
be
able
store,
but
but
as
an
isolator
and
us
operator
to
specify
those
commands
for
all
the
containers.
I
think
that
make
sense
to
me,
because
if
you
define
those
semantics
clearly
like
a
wooden
851
I
that
share
the
same
name,
so
I
think
with
an
agent
process
or
the
other
container
in
my
pocket
depends
all
we
need
right.
B
B
I
think
that
all
sounds
good
I
just
want
I
get
you
for
a
take.
A
look
at
the
OCS
back
view
like
what
exactly
the
context
of
those
priests
are
posts
are
post-op,
poking
fun,
namespaces
and
what
things
and
what
about
isn't?
It
amazing
I
think
like
that,
just
to
get
a
clear
context
on
what
they're
doing
right
now
and
what's
the
right
command
to
worship,
report,
okay,
right
so
related
to
this.
G
Little
is
not
early
to
start
alien
clarified,
this
all
semantics.
What
you
do
when
you
think
about
when
you
actually
support
the
OC
articles,
then
I.
Imagine
that
the
OCI
implementation
will
eventually
want
to
support
clips
on
SEO
I
then
implement
them
in
my
club.
You
have
really
awesome
ants
right,
yeah.
B
B
I
mean
to
me
rent
a
spec
is
the
implementation
details,
for
example
like
a
year
or
never
expose
the
rent,
an
axe
user
directory
like
because
the
runtastic
upper-crust
will
see
groups
would
announce
like
what
we
are
the
mount
system
now
technology
for
the
container,
which
you
don't
want
to
actually
view
the
directly
I
think
like
extranets,
also
going
to
overseas
directory.
So
to
me,
run
as
package.
Is
a
implementation
detail
how
to
realize
a
container
pack
that
by
by
frame
offer
or
user,
but.
B
Writing
as
far
as
I
know
that
the
hooks
are
in
the
runtimes
back
identical
of
those
folks
is
trying
to
allow
things
like
a
rocket
to
on
to
do
networking
stuff
I
put
a
name
for
continuing
to
now
in
a
place
like
the
looting,
mostly
ni.
Things
like
that
I
think.
That's
a
whole
purpose
of
those
folks
had
initially
I,
don't
know
what
was
being
developed
like
later
on
to
support
some
more
use
cases
anyway.
B
A
B
A
time
check
without
like
three
more
minutes
on
this
and
it'll
net
right,
so
I
sort
of
already
gone
through
all
the
things
that
I've
been
considering
and
I
want
to
have
feedback
on
by
basically
surveying
the
little
bit
of
work.
But
here's
to
summarize
right.
So
we
need
to
decide.
You
know
what
folks
to
to
export
to
to
a
lot
of
it,
specify
and
more
contacts
to
run
them
either
host
or
the
container
I.
B
It's
not
clear
to
me
yet
whether
each
and
every
poke
needs
to
have
hooks
on
both
sides
so
we'll
see,
perhaps
some
of
them
only
make
sense
to
be
running.
Those
contacts
are
some
of
them
coming
on
energy,
parantha
I
think
pretty
much
true
that
we
agree
that
it
should
probably
be
at
one
time
as
an
isolator,
but.
B
If
you,
if
you
put
the
burden
on
the
executor,
it's
probably
not
going
to
be
a
free
container,
it's
then
it's
not
going
to
be
associated
with
the
container.
Your
marks
just
going
to
be
associated
with
the
with
the
task
and
then,
but
you
know,
nested
container
can
be
associated
test,
so
I
haven't
even
gone
there
yet,
but
seems
to
me
no.
B
B
So
whether
it
should
have
a
blocking
behavior
and
how
should
you
handle
the
error
which
is
terminate
or
not
terminate
and
who
specifies
them,
I
think
we've
talked
we've
covered
that
and
what
hostesses
I
think
we
just
have
one
minutes,
but
here's
actually
what's
interesting,
which
is
what
you
provide
to
be
quote.
So
in
one
of
our
specific
cases,
we
actually
want
to.
B
Expose
the
entire
container
config
its
definition
to
to
the
to
the
hook
so
I
think
at
least
for
two
DS.
If
we
learn
from
the
CNI,
I
hope
plugins,
for
example,
you
typically
could
just
dump
the
whole
thing
as
a
JSON
to
the
standard
and
and
have
the
hooks
person,
but
also
I,
think
I
I
think
it's
possible
to
to
have
the
API
Express
some
kind
of
a
mapping
from
this
container
config
for
the
bus
to
directly
to
a
very,
very
variable
name,
something
like
that.
I
think!
That's
that's
doable
so
providing.
B
Folks,
it
is
just
we
are
talking
about
I,
go
like
the
commanding
appearance
to
get
the
information
about
the
continuum
itself
and
the
way
we
task
those
containers
and
like
the
information,
is
a
CD
input
and
output
or
a
standard
input.
It's
not
like
a
just
like
a
plain
command.
The
command
of
the
wall
are
like.
We
need
some
information
about
and
can
do
this
happening.
Rather,
the
others
are
useless.
B
Yeah
I
see
okay,
yeah
I
think
this
is
also
related
to
the
other,
like
ticket
I'm,
about
to
create,
which
is
like
chess
or
a
support
like,
like
writing,
an
article
right
now,
it's
pretty
nice
material.
You
have
to
know
C++
and
all
the
times
like
the
detail.
Amazing
things
like
internal
details,
I
think.
B
One
thing
we
want
support
definitely
is
like,
though
we
want
to
a
lot
of
people
to
write
an
isolator
in
any
language
in
the
textile
in
a
container,
and
then
there
will
be
a
general
isolator
that
talks
to
that
continuous
and
well-defined.
A
protocol
like
gr
PT
on
to
that,
like
that,
the
isolator
for
yourself
can
be
written
in
any
language
infection.
That
container,
that's
something
kind
of
related
I'm,
not
sure
like.
B
B
Let
me
know
like
what
do
you
think
on
this
right
yeah,
let's
hear
your
thoughts
on
that,
because
that's
actually
our
initial
we're
going
to
do
that
and
then
it
feels
like,
even
if
it's
in
another
language
having
Christina
in
a
multi
team
organization,
if
you
don't
want
to
have
the
other
party
learn
Super
Plus,
when
they
could
just
expose
a
a
command
to
you,
then
they
probably
don't
want
to
learn
how
the
isolator
works
either.
So
I
see
the
two
things
as
complementary,
but
both
being
useful,
so
so
yeah.
B
Let's,
let's
follow
up
on
that
yeah
we
can
do
a
follow
up
on.
Maybe
I
can
do
a
presentation
on
idea
on
this
container
yeah
I'll
take
Evan
as
a
note
and
I'll
do
some
pronunciation
on
an
idea
of
that
one
I
think
we
have
to
need
some
key
from
put
that
thing
as
well
and
I
think
it's
okay
to
have
both
given
the
way
we
design
isolator
to
be
modulized
I.
B
Think
it's
okay
to
have
those,
but
if
you
think
that
the
container
based
isolator
is
going
to
satisfy
your
need,
we
can
collaborate
on
this
all
right,
so
I
think
also
yeah.
It's
pretty
good
once
you
sort
of
win,
so
you
finish.
The
design
like
I
think
that
all
sounds
good.
I
think
the
main
thing
is
figure
out.
C
G
B
D
I
think
it's
uni,
okay,
so
before
we
wrap
it
up,
so
we
have
this
to
have
so.
It
seems
to
me
generally,
we
have
two
purpose.
One
is
to
for
long-running
process
operator
can
specify
either
is
purposeful
on
the
house
side
or
from
the
container
process
so
which
we
can
do
is
called
isolated.
No
matter
it
is
a
generic
isolated
automatic,
so
the
other
one
is
the
impose
our
hook
and
everyone
I
took
a
quick
look
on
the
light
to
see
our
image
stand
at
the
image
that
and
three
the
hoof
it
is.
B
It's
it's
thing:
ab
c--,
knowing
LCI
I,
don't
think
like
I
see
that
you
know
CI
swag
like
I
to
me
like
a
skier,
the
dining
space
so
like
a
Larry
specified.
Therefore
it
doesn't
matter
too
much
and
I
feel
like
like
6000
TI,
because
I
think,
like
a
you
know,
like
the
chorus
guys,
are
like
a
person
to
OC
I
support,
though
I
don't
think
I
wish
to
spend
too
much
time
on
no.
G
G
G
I
think
there
was
already
invisible,
I
think
Ben
Ben,
you
did
it
originally
and
we,
our
use
case,
was
to
restrict
capabilities,
so
we
wanted
to
so.
We
wanted
to
set
the
bounding
set
and
the
way
we
specify
the
bounding
set
was
to
specify
the
capabilities
that
we
want
it
and
that
seemed
pretty
intuitive
because
it
almost
like
saying
I
want
to
have
these
things
for
the
purposes
of
being
kind
of
the
opposite
effect.
G
So
what
I
wanted
to
do
with
this
is
to
wear
is
be
a
pretty
clearly
is
to
simplify
the
capabilities
model
into
the
capabilities
that
you
you
want
to
restrict
and
the
sort
of
capabilities
that
you
want
to
hold,
and
so
now
we
have,
though
we
have
these
those
may
turned
down
in
capabilities
or
the
ones
you
want
to
restrict
yourself
to
and
effective
capabilities
for
the
ones
you
actually
want
to
hold
and
grant
to
to
your
process.
So
you
have
the
ability
to
limit
privilege,
but
also
grant
more
privilege.
G
G
B
G
G
G
G
G
Right
so
there's
its
opinion,
so
we
can
use
that
to
restrict
what
the
crucifer
done,
except
to
restrict
capabilities
like
we
don't
want
anything
anything
to
have.
So
we
can
force
things
not
to
work
so
there's.
Basically,
the
two
use
cases
that
we're
trying
to
support
here
are,
for
security
purposes,
break
things
that
depend
on
capabilities
and
to
do
privileged
operations
with
limited
privilege.
You
can
use
your
effective
capabilities,
yeah.
B
I
think
like
a
morning
Braga
previously,
we
don't
support.
I
got
another
room
users
on
having
certain
capability.
I.
Think
like
that.
This
change
also
allows
to
like
say:
I'm
nobody,
but
I
can't
have
like
things
like
a
DAC
research
to
list
on
/lu
things
like
that.
Last
thing:
I
wasn't
appropriate
player,
yeah.
B
A
A
B
G
So
yeah,
especially
with
the
capability,
is
in
the
bindings
in
the
bounding
set.
Then
you
can
choir
that,
if
you
want
is
cool
specifics,
so
basically
where
you
would
acquire
that
capability
is
by
executing
a
binary
file
which
has
those
capabilities
set
on
it.
Yeah
I
think
that
I
couldn't
answer
that
would
yeah.
B
I
think
the
family
is
basically
like
I
got.
What's
the
maximum
capability,
that
containers
can
acquire
I
say
some
malicious
container
has
done
like
a
binary
special
binary
has
I
could
set
you
a
deep.
It's
that
or
I
could
have
special
responsibilities,
beauty
actually
executed
by
narrating
Games
Village.
Thank
you
really
like,
except
this
maximum
down,
so
that
I
go
no
matter
what
by
Z.
You
cannot
see
that
story
fat
and
effectively
to
get
like
the
first
process.
B
Seeing
that
container
was
capability
that
products
from
the
get
you
a
step
process
and
all
I'd
say
underneath
readers
that
or
that
process
is
going
to
have
that
capability
to
do
things.
Like
humble
things,
acknowledges
reply.
If
it'll
mean
you
can
just
rant
about
that
with
this
amazing
abilities,
even
the
project
itself
is
under
like
nobody,
it
can
do
across
things
like
an
outcome.
A
F
G
So
in
general,
I
think
the
frameworks
are
generally
part
of
the
trusted
compute
base.
So
that's
the
approach
have
been
taken.
So
as
a
as
an
operator,
you
can
specify
effective
and
bounding
capabilities
on
on
your
on
your
agent
and
the
isolator
constrains
all
the
framework
requests
to
be
within
the
bounding
capabilities
that
the
agent
has
has
specified.
I
am
I
feeling
like.
C
The
bounding
capability
should
be
tied
to
rules
I
mean
you
have
a
super
set
bounding
abilities
for
the
agent
enter,
but
then
the
rules
have
their
own.
You
know
subsets
of
a
super
set
bonding
capability
and
then
the
effective
capabilities
are
chosen
from
that.
Based
on
the
framework,
I
mean
that
kind
of
a
hierarchical
model
makes
and
I
mean
fits
into
the
Linux
user
control
model
as
well.
Right
I
gave
use
a
detail
model,
so
Rose
knows
all
that
resources
right
Rose
on
about
yeah.
B
I
think
regarding
authorizations
to
change,
I
think
one
cycle
right
now
we
have
authorizations
for
the
frame
of
the
user.
I
say
we
have
authorizations.
They
say
this
frame:
okay,
only
register
and
their
user
no
buddy,
so
that
it
cannot
launch
a
test
under
user
root.
In
fact,
advocate
I,
think
yeah,
I
think
in
program.
They
said
to
authorities
like
what
capability
on
that
promote,
an
and
and
hostess
that
things
like
that,
and
then
we
authorize
that
that
electricity's
we
can
do
by.
G
B
And
yeah
we
were
named
Bonnie
agree
because
isolator,
like
the
operative
town,
already
like
a
set,
the
maximum
bounding
capability,
you
mean
like
the
different
account
and
not
override
this.
It
will
be
rejected
if
it's
found
in
greater
than
the
operatives
County.
So
we
do
have
a
like
sticky
line
there,
so
the
operator
can
say
no
container
on
this
machine
and
the
bounding
capability.
This
compounding
capabilities
and
then.
B
Able
to
do
that
so
I
think
I'm,
less
worried
about
that
part.
Yeah
I
think
like
in
generalizing
Persia
and
all
the
regulations
for
that,
especially
we
have
authorizing
for
user,
which
I
don't
think
I'm
going
to
do
that.
But
we
do
have
to
add
a
lot
of
authorization
put
some
other
stuff
too.
It's
not
just
talking.
B
G
G
Basically,
the
idea
here
is
to
have
an
isolator
which
does
pretty
much
what
all
the
networking
tools
do,
which
is
it
scans.
Your
local
processes
figures
out
what
the
listening
socket
are,
tries
to
associate
them
with
containers
and
then
shoot
you
in
the
head.
If
you're
listening
on
anything,
that's
not
in
your
resources.
B
G
It's
not
you
could
you
could
do
it,
you
could
do
it
for
container
networks
you
have
to.
You
have
to
basically
NS
enter
their
network
namespace
and
muck
around
there,
but
yeah,
but
there's
little
pointing
that
right.
The
East
Coast
for
it
is,
is
pretty
weak,
so
I
have
an
implemented
that
and
I
don't
really
plan
to
yeah
I
agree.
Yeah.
B
G
So
I
have
so
I
have
some
some
preliminary
pipes
and
touches
up
here.
So
I
put
working
progress
on
on
the
outsider
itself.
It
needs
some
more
tests.
One
thing
one
thing
that
I
found
is
that
you
can't
run.
You
can't
run
a
six
iron,
a
successful
job
with
the
command
executor,
because
the
command
exactly
users
with
process
which
listens
on
a
port
and
that
port
is
not
resource
allocated.
B
Ic
yeah
I
think
like
the
normal
setting
we
have
is
like
the
I
way
start
an
agent.
We
specify
the
range
of
ports,
I
say
on
thirty
one
thousand
to
thirty
one
thousand
four
on
a
listening
socket,
but
you
also
have
some
eternal
ports
which
you
don't
on
do
allocation
basically,
and
then
you
can
do
a
bind
zero.
So
that's
basically
the
ports
we
are
taking
for
the
detractors
you
wanna
the
framework
to
be
able
to
add.
Also.
B
E
B
G
G
G
So,
if
you're
looking
on
any
socket
I,
don't
think
that
if
that,
if
you're
listening
on
a
seminal
port
range
socket,
it's
really
different
beneficial
listing
on
some
other
port
that
you
haven't
been
allocated
because
the
whole
I
think
the
goal
is
to
make
sure
that
you're
only
listening
on
things
that
you
you
are
allocated
on,
so
maybe
as
an
option
to
maybe
only
really
optionally.
You
can
ignore
the
ephemeral
port
range,
but
I
think
the
goal
is
to
not
see
that
I
think.
B
C
G
B
B
And
make
sure
that
only
those
ports
are
enforced.
No
one
can
ever
like
listen
on
a
four
in
that
particular
range.
That's
not
nice!
That
might
be
a
short-term
workaround
to
bypass
that
command.
If
you're
a
any
educator,
that's
using
the
live
process,
Tibor
so
I,
don't
know
the
question:
what's
the
over
hab,
this
one
being
like
scanning
the
whole,
possibly
the
least
five
senses
I,
have
you
like
to
do
any.
C
G
It's
fairly
expensive,
so
let
the
basically
what
you
have
to
do
is
you
have
a
queue,
a
set
of
containers,
then,
for
each
container
you
find
all
the
processes
in
that
in
the
freezer
secret,
then,
for
each
process
in
the
free
to
see
group
a
new
scan,
all
the
you
scan
every
file
descriptor
until
you
find
the
sockets
and
then
for
each
socket.
You
check
whether
it's
in
the
set
of
things
that
are
listening
and
you
verify
that
again
support
range.
So
it
is
it's
a
quite
an
expensive
check.
G
I
have
a
kernel
patch,
well
that,
basically,
you
can
make
a
trivial
kernel
patch
to
publish
the
network.
Classid
comes
from
the
soccer
say.
If
you
look
at
the
net
link
code,
if
anyone
on
this
chat
would
like
to
publish
a
kernel
patch,
which
is
super
trivial
and
obvious
to
publish
the
class
ID
arm
from
the
socket
diag
net
length
call,
then
you
can
leverage
the
class
ID
to
immediately
figure
out
which
c
group
which
receiver
from
which
container
a
socket
belongs
to.
So
you
can
optimize
the
hole.
B
B
B
G
G
But
anyone
can
do
that
like
once
it's
upstream
then
I
think
there
is
they
need
to
do
bed
for
at
Lee
and
also
reruns
we're
under
stable
kernels
anyway,
and
it
so
for
us.
It's
probably
it's
much
easier
to
say
back
port
this
kernel
from
the
back
for
this
small
patch
from
linux's,
true
ministers,
history,
and
and
run
it
in
the
stable
kernel.
But
it
is
to
say
you
should
have
to
carry
on
this
other
creeper,
okay,.
B
So
it
sounds
good
I
think,
like
my
only
concern,
is
just
performance
because
I
think,
like
it's
an
experiment
like
a
long
time
ago,
actually,
like
I,
told
you
like
we're
like
those
have
a
lot
of
connections,
that
operation
is
really
slow,
inking.
The
order
of
like
the
second,
so
just
just
be
careful
I
get
on
the
performance
in
location.
You
know
like
what's
the
interval
of
doing
that.
Yeah
I
think
like
that.
Yes,.
G
So
right
about
this
one,
the
boy
works
now
is
in
the
form
of
overhead
to
to
the
public.
Statistically
you
guys
later
right
so
yeah
we're
almost
you're
running
a
Alex
can
and
yeah
you're
doing
a
best
effort
based
on
the
colonel,
so
you
have
yeah
alright.
Did
you
find
a
shepherd
for
this
work?
No,
it's
going
to
say,
look
I'm
looking
for
shepherds,
so
anyone.
B
Okay,
so
I
think,
like
I,
think
I
can
think
of
the
best
person
is
chance
with
a
committee
in
China
and
I
think
he's
not
always
call
duty.
Different
I'm
gonna
paint
him
a
feast
interesting
that
I
think
he
had
some
he's
the
one
that
wrote
the
now.
You
know
isolator
that
he
might
have
the
context
for
this
one
too.
So
I'll
try
to
ask
them
see
you
have
fun
to
see
shepherdess
work
and
to
get
back
to
Jen
on.
B
All
right
sounds
good,
I
think
we
don't
have
women
it
up.
I
think
I
have
a
hard
stop
at
10.
So
thank
you
very
much
and
I
think
I'll.
Try
to
adding
notes
to
the
doc
and
published
the
original,
recording
and
and
the
next
kind
agenda.
Tentative
agenda
is
me:
it's
been
talking
about
the
the
container-based
isolator,
which
is
kind
of
like
a
doll,
design
and
I
think
a
lot
of
times.
There's
one
action
item
which
is
like
the
scheduled
meeting
on
the
volume
ownership,
cleanup
I,
think
I
scheduled
a
meeting.
B
So
it's
going
to
be
right
after
July
posting
holiday
I
want
to
do
that
and
if
you
have
anything
else,
you
want
to
do
in
the
next
time.
Please
feel
free
to
add
the
agenda
either
into
the
dock
and
though
we're
gonna
make
sure
that,
like
to
to
to
make
sure
like
we
have
enough
time
for
that
all
right.
Thank
you!
Everyone
and
see
you
guys
next
time.
Alright.