From YouTube: GMT 2018-07-12 Containerization WG
D
Doesn't sound like the behavior, you want? Does it because a lot of these system calls you, you might call it you might. You know accidentally call it because you call some library function which ends up in this system call, and if the system of call fails then or the system called that's, that's fine. All right.
C
I think I know like in doctor that, when twin happens that the product sum of the random processing, the container will be killed, that the entire container is not teardown, but but that come leads to like weird behavior for the container, because it you still lose one process. I will behave normally if the process being so he this is kind of similar to that yeah.
B
I think this might be a semantics we can. We need to discuss and define our mazes and on stalkers I my assumption it is like given a second profile. Any tripod says underneath this continue continue. If it hits some system core which is forbidden, the choice versus Mike maybe kill it should be killed, but the container process my studio- and we need to do an experiment to verify that.
B
But I think doctor did not do something special to to watch the signal and then was any or my provide some mechanism to help like any of the any of the tracker says, get killed or the other process can be cleaned up, so I think they just call the leaves that come library directly so I think we could. We might be able to do that, but we need to do some experiments so yeah.
B
Just show an example from from github link, because I think I mean Jen and chance are here, so they might provide some very we'll be back on this on this pending question, just because stalkers second config change as some point two years ago, and they introduced some inclusive and exclusive for capabilities or architectures. So just like what Angie's showed on his screen so, which means like the second actually my need to can't you have ability, or the second acid and my need to have dependency on capability, isolated.
A
For example, here, if we launch our process container, which does not have cup capabilities dark research, then this rule related to open by a handle at system call is not included into DP f into resultant appear program, I mean, while so currently daughter, Parsons this file twice. This includes and excludes rules to check like whether to include or exclude this rule. This cone filtering rule like.
C
Is that change measures like that I think it's just for some privileged process to call some the system. Call at you. Don't you don't implement some like the rule that applied to all process? These assuming different capabilities so basically depends on the capabilities. You have different rules that.
D
No I think that's I didn't quite follow that, because, if you want to disable, if you want to allow specifics, some calls- and you can just specify the system- calls independently of the capabilities. I think the reason you want to make a conditioner or conditional on capabilities is for the use case, where you want the privileges to to actually work. So you want to be able to specify privileges and have those and have the corresponding system calls automatically work right. Yeah.
B
So this is the biggest island entry and myself would like to discuss with folks here first, because we we could, we could never do that, but it might be, it might be a little complicated. We might need to introduce a lot of proper to parse, the doctor, specific config and the other concern. It is like we kind of understand why they make this change to change.
B
But we yeah, we are our our concern, it is like, don't we config? It is toka specific things, they might change at some point Thomas to contemplate the they might change at some point and that we need to support that performing what whatever they change- and this is the biggest biggest concern the things and then the second concern it is.
D
I think that 90% people will just use the docker profile because it's known to work and that's why most people don't care most people care about security and take compares as a check as a checkbox item. Not there's very few people who are going to you know thoroughly analyze what their containers do and and tweak things to be more secure it. Basically people base I'll actually just going to take the doc away. Yeah.
C
I think that's my kind of I'm leaning towards that's you, because I think. At the end of the day, the goal is trying to move. People found doctor to collect amazes continues, stand whatever the doctor provides and as James mentioned, that it's very hard for them to understand those things or even modify the things, and they just take whatever the default that doctor provides and then then we just provide exact the same behavior as we do.
D
Use case, which I, which I think is probably realistic, is if there's a kernel vulnerability and it's that, if there's a kernel, vulnerability in a specific system call which is sort of optional for applications, then maybe you could you maybe maybe sites. Would you know, use tech comm to disable that but I think maybe that's a narrow path, because you know I think the last big kernel, vulnerability, I remember was in wait to wait for, and you know you can't just decide.
C
Yeah, okay, okay builder, is that I think my bias is also like just make sure that we are compatible with stalker, because that's what most people are? Usually we also I think you should go back to product I mean this kind of makes us fear. Internal I should go go back to proxy if the customer loss to the customer wants to.
B
Basically, our goal: our goal was like to support doctor specific set, come profile so from our internal requests, atmosphere, our customer, they using second profile for dr. demon, and they want would like to use the same of second term fake profile or basis continuous, so and- and then we yeah there's some trade-off here. So we totally understand like maybe it's more than.
B
So that's the biggest concern for us for MJ and myself to like discuss, but we just want to bring that window up because there's some progress, specific somatic and, for example, like capabilities which is not identical with what interface the lipstick can provide it. The least account like we've abided to to us so yeah. We just want to get have more, have more people involved in this discussion and mixture like the okay, we go there, we go through the route of like supporting stalkers, section profile and and I think yeah.
B
I think I think we is the perfect enough time to discuss aloud about the NASA continued inheritance symmetric, and then we realized that we realized that like. If we really want to support inheritance, it might be a lot more completed. We need to check for a lot of information and we decide to like. Basically we can regard next container impaired. They share sleep groups. The second is not kind of slips on the in space, so it is some security controlled by the operator or from the user.
B
So we will make it over to user and operator to sis right to provide a second profile and then have them have to bring work, to define light. What's the right semantics for those parent containers and try container 2 with stricter all-night, stricter second divided, so that could be controlled by framework, we will just exclude the API and missus will not can show the inheritance.
B
This is the step to become a support for the, for. The second feature on amazes continue, sir, so, basically we converted because there we can implement the second oscillator first and they'll, be just for MEP. We gonna finish the defroster compact bio for the cross, the wires accountable. So is it it's the same for all containers you can make it as a Phase. Two and four phases see I think we might have some idea like to introduce a new agent API or for second conflict.
C
Your or it is like we, we sent someone called Asian API for one particular agent to add a profile name called foo, but not doing like the same 40 on the rest of the agents. Then we end up in a state where, like we, some agent adds to profile over some agent tones and then the prima can not use the pronoun named foo, because it's not homogeneous I.
B
Session of the after agent API ink is still not accomplished yet because we, it is not higher the highest priority for us. We can focus on the MIT based one as I mentioned, so even for MVP. We will not support the Prima API as well, so we could keep those as an open question and continue to investigate so.
B
How we decided on the priority like the Asian API, will be the lowest one. We may not do it in Newton, but we would like to bring their hub in the decider and if any company or any user has strong interest on on the agent API, we can pick it up from there and continue so I have another item we like to discuss with you guys yeah. So if.
B
So so another idea I would like to discuss with you guys, maybe like just a minute. It is bounded for from API. If you rely on an agent fact possessed are worse the compactor. The second profile is there so here in the decide that we make a second specific, but in the future, as far as I can tell for other lineage security features like armor as we do in Unix, so they all have the configuration they all have.
B
The config file through the parts include maces to concern, so, which means should we consider to make all the Linux security specific config into one single directory by introduce general agent right, like Linux security term, and then underneath it has? It has different directories of their creator as a Linux. A second, so they're gonna be the default second of.
B
Clean it up to see like if it looks more crisp, oh if we could put all the security country under this using the spot that using the same agent right, so you can introduce more agent, rack and and I think this might be related to what kubernetes printed does so so NJ I I forget, could you it might be like? What's the what's the cymatics on kinetic site, do they have a genuine security threat or they provide like separate config track for different security feature.
C
Same mana, tween yeah, but to me this is like API like to just group a bunch of related stuff into one single API kind of API strapped it's similar to like will group all the name, Linux specific things under Linux info I always say this is similar to this. So, if you want to say I want to because always what they are doing like one way to do, that is to group all the security related stuff under Linux I have a like security people under Linux input, I, don't think that's necessary! I!
D
I guess in in theory at least the device might not be populated, so I can imagine a case where you want you. You can create advice, but it's not actually present on the host. Yet there's no device. You can imagine that there's no device note on the host, but you know some hardware is physically attached, so once you create the device node you can access it, but knowing that it's there in the first place would require you to traverse sisyphus somewhere.
D
I think four. Sorry, thank you for going down to the authorization there probably I think this is something where I hope to engage Alexandra rehearse a bit and I did briefly chat to him. We can add Ackles for it, but there doesn't seem to be like, as we had an authorization you know word for it, but there doesn't seem to be a way to really express it in their default. Authorizer Akal format.