Description
KCD Brasil 2022 - Rootless containers go a bit beyond running a container without the root user: they mean running the container runtime itself (Docker, containerd, CRI-O) and even the kubelet without root privileges, with the aim of mitigating one of the biggest attack vectors when it comes to containers and Kubernetes. But it is not all advantages.
In this talk I will cover how rootless containers work, their advantages and disadvantages, how the projects have evolved, and how we can run our container runtimes and Kubernetes in a user namespace.
I'm very happy I'm participating here for 20 today, you these 20 gigantic history that is being to take care of Brazilians too. So, let's start guys pleasure. My name is João and I'm back in cash at the stadium lot, I'm an information security enthusiast in container a curious piece of information, I've been the one since Contenda in the commercial I. Wasn't a big fan: I came from a world of security, I earn about four five years for box salad, and it was there four years ago that I found kybernetes and I don't have it.
And we will make some changes as well So. The first thing I would like to leave you the first impactful message in check Dispute by default. It is executed as useful when I say that it is executed as root, and it is not the process inside the container. Yes, the process there on the HOST, so our process contains a team. It is running as root, so I could default. This is for all the contours of a team. This also applies to the components of some orchestrators, for example the camera.
So we that the public also runs as root well, so die. Capillary are container container a technology that allows us to cut applications with everything it needs in a single package and it can be executed in several environments, and it's always you who is in the same way So. Ok everything inside that package. So this image here gives the right that we can see that we have our applications. They are on top of an inherent account.
They share the same, want Hi and there is everything it needs to be so all the packages and where are we put it in it will run only that your mother, imagine superficially what really happens down there. So, let's see what really happens. There is a system to trigger the see how this works, so here, I have two images in the image on the left. I am portraying the process How that the client works has a first item of mine from the client when I docker Run something he talks to the Doctor's ati.
That I give ask him sent that DMO. He calls he calls the contains direct the containing he will call the bid and the bid, and this one will run. Our container still has a whole process So, it's not the DOC it executes. It will just manage a little study this and here in the image on the right. We have the process of Fundão managing it.
A little faster because it has some steps. Unless then, we call rancig Uber RS, Oi, and he hum. If he is going to call our namespaces capabilities and groups and the bias, then the heart of the study is the namespaces. The film now will understand a little more in detail how that works. So here, I have a nuisance.
Part in a gillooly part that I'm doing here, I'm giving more Trace that I'm going to get all the system calls all the scales that were made by the processes of the container I'm saving in above a file called oil and down here and bring that there is a docker Run I'm, calling it a best and I'm asking it to run like pass from Brazil and a command there. So here in these lines below are already the result of this command.
That I got with the three So this one, just in execution, was almost 21 years. So. This one here is very filtered. Let's see what happens, then here look how I know there's the DOC. He called Cristiano. If Him the one of Cristian was called the contains direct. Then here I used your processes too hum. If we are going to execute our contain- and here in this process, 800 4, 5, 90 and the magic starts to happen. He is using a fill. He is passing some very specific syscalls that will be the heart of ours.
I told him that it is a clone web cam, Clone, MS, I'm, New, dress, New, apps and cranio pide and with the slightest idea, is that we already see in the process below just print again and the execution of our command and here below it, executing this again executing all these cones and that one already have equal to 2, which means that here each one of it each tax represents this one namespace and different. Then the same Come here so just like we found it don't move. We are calling Angels the process.
Now, let's understand this step was one a little confusing, but you'll understand what the namespaces are so I, don't even Face it. It involves a Global system, resource How to ask for Network malt and the PS, and he brings it back and he manages to isolate this resource. He puts it. He can put this resource inside a box who is outside the ship in the perspective of purple. He can see everything that is happening inside, but who is inside this box that we Moreno Space can not have anything outside. So we are the resource So.
Behind the containers and let's see what they are, let's take that last line there and let's see what they are, these Neves did. So we have this group Space that the scout creates. He is the clone I'm sure he creates a root directory of the Lord in a new, very simple way of speaking. It's also as if he did what will be the garrucha of an insurance directory.
We have Flávia to create the IPC. He is the PC clone. He is responsible for interprocess communication and memory points sharing and you we have a Space Network, which he is the leonete clone and he is responsible for isolating devices network External network, strong communication. We have a lot here- oh Machine, Space- that he is the clone of INSS have isolates assembly points. We have the penis think that aflag Colonial Summer for the visual processes. We have a team.
That is the the team's path, that is for him with the eyes, and we have to use namespaces and for us today it will be. Mit will go a little deeper. That is the heart of the groups that are isolating the e digio processes and being able to have a little one inside and we have another SQ apply to create. It is to unite if it will isolate Rosilene from the machine.
For us, let's see how each one of these works, but first, let's see who is the a little deeper about the Wilson, animes and Stacey? He is one of the last months Face he is from version 3.11 of Terno. He manages to isolate the e digio process inside over a process as of makeup them, with that I can have fake user roru I here, not us inside the side, o mine process on the face, and it has an ide 1001 only link or I, don't use. Neither Selene Space I can gain.
The capability of need here. Need me so I can do anything within itself. Space I can also map a user. Then I can map my user 1001 in my perspective, from the face into the container with Israel then into the container. So what I'm talking about, people, Contender I'm, referring to the Space environment, so when I fall in there? My perspective from inside this Contender is that I'm Rute, but for my host I'm being made up a fake Ruth in there, but all the permission that Ruth will have is linked to my user.
So I'll have a totally separate environment in there or for me, do administrative, but not they are still the predictions that my user has. So here is an example of us doing this And. How does it work so here I am on my machine. I have cultivated eyes, I have around 1000, so here are the groups I'm in It's just that I'm using it as the non-seeing one is for us to create namespaces I'm saying here it's going to be humble and not Space and I'm, marking root user.
So here look I'm here inside I'm with the eyes is so I'm Rute, it's like a joke: White, zero and everything after the processes in a sequence. So here is my perspective from inside the container and only this 0 And. How does it work and, in short, we have a package that I upload there from today? It is already standard in all distributions and it is what will make these processes inside gain AIDS 30 from the perspective of inside the face, as well as inside the container.
So here my user fights, so he has one of a thousand processes that will create the uploads different varden. Did they will start I, don't know they tend from 100 thousand to sixty-five thousand. What is this so here on my face, my arde is a thousand inside the namespace. It is zero, so here my next process, it will be one inside, and here it goes, there are 100,000 So, it has 65,000 processes for each and the babies did that I created. So let's go here for the demo for our first demo.
And not Play, here in the city it was recorded so below I have the perspective of my face and above I you I'm going to create the containers I'm going to use the missiles so here, first demonstrating that I don't have permission, for example, to open a door below so I'm trying to open port 80 I, don't have permission. I tried to change your face and I don't even have the machine permission. I also tried to create a Space Beauty, Beauty S.
And I'm going to try to do now the same thing with namespace' of the type of Netflix. Also don't have permission So now I'm going to create one and the Space anime. Only here I, don't I killed it with the root user, so he plays, or it doesn't go well so, and here I already start to gain where permission I'm going to see how that was my perspective of the Hulk.
So here in I'm running for day 75034 and let's see how mine face sees it so inside my face, it still sharia that the good user is running it well so inside the namespace I have something in my appreciation that took away from my face that I have another good. So here look I still couldn't from the namespace. I can open other namespaces and here, as we can't, I have privilege. So I can't open a type II TS namespace. Now that we're going to do.
The rotary are in the perspective of the host I'm, still the na in the perspective Sorry guys in the perspective of the container I'm Rute and let's see here in the perspective of the host I'm still world user, and let's try to fix now one, for example, to open a low door. I also don't have permission yet because that's why I'll need to use a Network Space and the same thing for us to change there for Ruth or to change the cine I'll need the pressure Dorothy S of this namespace.
So now, let's create this new Neves did to do this, but as an administrative permission inside this namespace' I'm going to create a namespace inside cinema Space. Well, so this will be the heart of fights and I gave a namespace. I can create namespaces inside it and before you can see, I didn't have permission to remove the boot.
He received me with an accident, so I managed to change this president of the face, so I had used, non-privileged, create privileged user and his and create memes Face I managed to change. So now, let's try to do a deal before we couldn't open port 80, so they create one in that country passing or less net and I manage to create now opening port 80 But still there.
In my perspective of the face, still all Thanks world is so a few batches just for us to have then leave the second Neves did now there's nothing I'm here. I have a process that created other processes. So my process, how can you not change it now we're going to create a container a little more complete. You see I'm passing by Pit or Network Speed, but here he's saying here he's giving an error to São João.
Happen: dumm dumm here, I created it now, I can create about the process But still here, I'm still seeing all the processes on my face. So what we're going to do now is create a namespace like this additional evil in the Space of the type malt, and we will map it. Also, not the agents themselves. You can see that everything is still in the same perspective of the face and now I will ask him. Let's assemble a.
They are all about processes, it's just that not all of them are yet. There are no privileges at all. Continue with my privileges, I managed to open port 80 normally and all that with the eyes. No, it doesn't privilege the so here look I'm changing the face: I'm not even going to see if there will be any reflection on my face X. So there was no reflection, none so here I created it again and we have a command over there in the sky, lsms that we can do without Space, so Here.
You can see that we have a series of namespaces the patterns you understand and the So we have the namespaces and we have. The What is YouTube mouse. So all Neves did that we created AND the number of processes that are under it. So we have two for home and here I'm going to create a new subprocess, a new Wilson Neves think inside my other one and the exams you did so here. We can see that a month like T S was created.
What is not brutes before we see what I use, allow access to the docker socket or add the user in the docker group, giving user RG in the docker group. This is not arugula. If you are giving permission, it is the same thing that you give root permission to the user that you have this until in the documentation. So if you do that, you can do it through a container you. The person cannot have this street. Of that we put it.
She cannot mount the entire disk if a privileged control and having access to the entire face. So. Let's talk like this, not like that day, Scalla Scalla, Privilege escalation with container, so it's very dangerous and something that ends up reaching common people at the price of the processes. Nobody will have access to Ruth, but several people work with doc on this machine and it added users to the group yesterday.
Be running like Rute is to change a user inside the container in our bild process. For example, doing this will change our eyes only in the perspective of inside the container some of ours. Yet our account get up and me will continue running as root and the same thing. We change this inside security.com from Clube Alex. It will give the same thing. We finish the docker in mode and the CNS, and he does the MPE of MS.
Then it will create all these namespaces to create everything in there creating the pen to use, but it happens. This is the same proposal guys now quickly. It's just a white slide alert. So since everything is dark, it will lighten up a little how it works in Perspective of the face and the container, if I'm, not using namespace' mine is from 0 to 100 in a joke with the error trunks of the same thing, and here are mateus one containing it will.
Will be made up to Wide high that already the Snap, then only that I still have my Digimon running with root, but here then you fight. What is the last mine is from 0 to 100 of a joke where a user with no privileges at all and everything will be removed under this map of all eyes. Even if I'm, not a user Today, it's being mapped to the user without any privileges, it's so good, so now, Let's define what generated brings Lucas is the ability to run a create? A container will run manage it also.
This also applies to and other fasteners de Contenda that we can run this tool without any administrative privileges, and when we talk about no administrative request and if I also approach is to install the package, we don't need to have one I managed to download Everything run my user there. We won't have a problem, good And, that too I don't need to be deaf. I don't need anything and it applies to any type of container. So if I have a container in my hand, God adoquery can create it.
Let's take Palácio do Magno today as a basis for those who saw talking about skill in projects and also Security the number skill in a process, for example like the own hum se cubicle docker container, no matter how much you suffer if bad thought, without percent and security developed with the best, the greatest care already attention to security, and yes, looking for skill can happen. Last year we saw a very large cartilage. Vulnerability arise, DN, project E. Why is this dangerous when you have any of these components? Exploited Simply one has to embed the machine.
So this meat, our third. Here, which is a woman's, the biggest attack surface I, woke up talks about me with sneakers, that is anything from a seed, has been exploited. For example, if we manage to exploit the Husky and a milk cube, even some failure in the docker is I managed to escape from this container. Some form that crushed durability is even with bad configuration, and this is very important and roman will always happen, no matter how much we have Keeper people taking care of the cyclical existence comes and stealing can always happen there.
In the past. We saw a lot of examples. This with the disaster happened. Yes, So. If it can happen, no matter how big the most sophisticated environment is, tidying, it can always happen. These projects also have the air skills. The amount of resource, for example, socket doc exposed over the internet cubilete without authentication that obtains authentication. All of this, you can make the environment there for the very large, but we use the clothing technique if any of these components, flowers for leaving My, Container, everything, I, still have my eyes, always Village. None so.
From being exploited and installed in the router kit, where it won't be detected, but this here too, not everything is just joy, right guys and when we talk about fights today, the biggest. It's, the complexity So. It's a very complex thing for us to keep creating organize having one for the time being the very image of the causes. They don't support us doing this. We're going to move from some very specific resources, we're not going to be able to Matera low doors until we give.
We will need a meat, it's a time that you found the affection together to use ver, FS or Fusion with Ice we get so expensive, 14.8 higher per while we don't have any tools to manage your mind there, the Hard Way and some politicians like Siena. It doesn't work either. So for now this life that works on the locals and using the Firewall and calico in Live at One mode.
Well, so here I am installing fights So this installation process, for example, of the author and simple systems: I have the user without any privileges, even though I was working, ateriorly understanding a pipe to get his script and I'm playing his output. As a writer pull here he's going to hit it, he configured it. For me, it falls from only that I sport from users of the environment that is close to his good and the study changes So.
2 and now what are we going to do? Let's create a container to see how it works in the perspective of the Ghost in the perspective of the user, who is running it so here I'm going to create a Simple container, so I'm going to give it a sister touch, I'm going to throw the process down there. He asked for another one just run an accident again for us to see each other I'm downloading the image, so no problem to download this image. Now, what I'm going to do? Let's see how it works.
For the eyes together- and let me go just a little bit so here- I'm- going to look for sleep, So everything running with the user I'm going without any problem now at the bottom. I have a perspective of my face, and here on the machine below is the same machine. Sorry, I have a perspective. I feel sorry for it normal installed. Let's see what is the main difference between it, so it doesn't look so in the top one I'm running no slices container.
So what did this proposal do and change? Is? They were 2 Pets that were made? One was a small combat dish that was for him to ignore some errors so that before they gave him a program and how he did not have access, he feels to to see this. So the process doesn't stop all this is through an n-space function.
In this case, Cade o Caique was one of the first to adopt Lucas support before it was made a pet. Now it is no longer about the original. We have this same omnicube scenario, and now they are directly on the face. We have the ca3s it already has. Today. It already has modules, and we have me and Zé Neves Luiza Neves. He it's a kubernetes distribution that was based on it was made for the proof of concept to show that it worked to support that proposal they're already there.
There are all the examples of how it works, the how it runs. It has a quick one you're just that it's a proof of concept a and now we are going to our third demonstration, which is the Hard Way. So here we have 3 lenses that we used as a basis to do this. So the first is the test that is there in the Camaro documentation. It says that we said that I, milk and business Space- and here we have Zé next, the Hard Way here are the tips.
What we need to do for it to work there, and for now we don't have a step-by-step, but we have an idea of everything that needs to be done. For this to work. This is what we used as a base to do all the configuration of the partner of everything we used. The government at the Hard Way I, really like this Itaú project, is what is the following. Is today when the people talk about the processes of the control, plane is Connect and the components of the night of the cameras, I, very big mystery.
Only people Station vinegar that need to be executed to do a function, so they are stable packages and it's ok. So publishing is a package, the public, the other, so it's just necessary to mention. This project shows how to do this manual manual, and it removes a little of that air of mystery that exists because it has some things, and we also based on this proof of concept example that I'm still picking up some things to do this to really work. There's a Macro.
What we need we're going to create no Space to run the programs inside and we need to create a socket to make it exist. We can access this cluster outside the namespace. What If it's for na my principle, your? What I'm going to use to create the namespace I'm going to use a you that calls other kit. He has a good talk like this is a switchblade when we talk about interest, so he has a series of options to make my life easier.
When we talk about other disputes, so can module 3 use the DOC there too, so it is already very used in this vibrant as R1 or we are going to use the Gir container for Network. We are going to save the sleep for NFS sleep. It is a. It is a technique that brings internet packages to non-privileged, Assis Cals and we will use it. I said Assistant will use the rifle vlfs Fusion and the FS government.
If you stick with what I'm going to do now is to make it work. I need you to have Execute for me to have permission to create your group, But I, believe local mayonnaise in you pretend I'm going to Execute my line from the kit group, then I'm saying which one I am directory. Where I was looking at Kubernetes Which network. Will he use any issue o das integers anyone? Oh MG, oh2, Xbox interface What are the namespaces?
What will he copy to create ruler s, and here I am saying that he will make your joy. The milk one is I'm going to allow him to create this process to be able to create in a privilege types of s and group So. Now I'm going to start this same process here, it will create the namespace for us to have an SMS look and gave me here the process. Then there are the anime Space I have a great Space.
An order in Space I had now I'm going to get this main agent of mine and I'm going to start executing my packages So. Today, all the packages behind to leave a little, in addition to a little faster, they have already been downloaded. So I just downloaded the package from the normal Beach. There is nothing different I. What am I going to do here, so the first thing is I. Wait for my process before that about the.
Just explaining with it and cnsp is an executable that allows you to we execute or enter inside a namespace, so I can here for it that it will be used in Space that it will be a system.net Space namespace, this Speedy group So. What time is the Root directory and a command that I want to execute? Then here is everything.
I need next to itcd, so I'm going up to precede and now the same thing I'm going to execute the invitation there manually also the same thing all the same logic, passing all the same process: So everything is being created on this process that the process here created for the process that holds one I, don't even know. If so I threw mine and brought it back. It also discovers that big continuing to climb some processes.
Tom I have mine, can you believe, and next I exposed his port to his strength? I can see which port I don't know I'm running, so it's 13.080 I'm going to this one for this new purple perspective So, it's not accessed from the face on port 80, and here, let's just take it the site line for you to see and I'm going to create a socket that goes to a door like I did so just get it here and here it didn't get it.
But here I can access this resource working smoothly and we can come here. All the processes are down from my user, so I'm running a fully functional, know everything below user, nothing with Root permission. So here's a little bit of the management of the processes that were created under my user. Everything calm is for the future of the project and there's a tool like I charged to do Generic, Bootstrap, less complex and Scan cnfs, for example an employee And. Then they would be there. I did the time.
Does anyone have any questions you want to send them in the chat here? Are the project references of everything I used, then others contain This control is, if it is one is. Everything is from the concept, how it works. Everything the proof of concept that the internets, the Carmo do Rio Carolina manual the documentation about the process.
Linguistics shows is a shared space for liters container and that's it guys. Thank you very much. It's an honor, it's here, I am very happy to be here with you. I hope, I managed to pass everything there a little nervous, but there are my social networks, my limit for everything you want and that's it guys.
I'll, let me see I think there's something else that is welcome and for you to press here in the chats, I didn't find any other question too Okay. My crush's hair has already gone to the sack, right. We almost don't have hair anymore, right, that's it João Thank you, thank you. Right, say this one of yours. It's sensational for a change, a.
We spend a little money to dry. We post an email, ok there in the chat the face to wait with organize. If you want to also post it on Twitter I'll, ask João bo: ask Jefferson, who also right It's the one with the most coverage Industry by providing the person who came, there will have their name there, right?
That have been requested. But the recruiter's eye shines the technician there when you, the sugar, a, is Jefferson panel, the trainings in the dry area of. The types have the same as in the drought: a is the syringe on the edge and I want that height also has the operation of cameras that go there. So I think it is I think there is no lack of resources to obtain certification, right?