►
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Security Considerations for Container Runtimes - Daniel Walsh, Red Hat
Explain/demonstrates using Kubernetes with different security features for your container environment General Concept - Run containers without root, period - Take advantage of all security features the host provides Configuring CRI-O: - Run containers with read-only images - Limit the Linux capabilities running within your container - Set up container storage to modify the storage options in a more secure manner - Configure alternative OCI Runtimes: Kata, Gvisord and Nabla to run locked down containers Building images with security in mind. - Limit packages/attack surface of container images - Build container images within a locked down kubernetes container Advances in User Namespaces - Demonstrate running each container with a different User Namespace - Configure system to take advantage of user namespace container separation, without taking a drastic speed hit And many more...
To learn more: https://sched.co/GrZ8
A
We're
going
to
do
this
presentation,
we
have
about
an
hour-long
presentation.
We
have
to
do
in
about
35
minutes,
so
we're
going
to
try
to
go
as
fast
as
possible
a
lot
of
the
presentations
going
to
be
demo.
So
that's
all
live
demo.
Well,
90%
live
demo,
a
little
bit
of
recording.
So
today
my
name
is
Dan
Walsh
I
am
a
longtime.
Red
Hat,
employee
and
I'm
in
charge
of
the
container
team
contain
a
runtime
team
at
Red
Hat.
A
B
A
So
the
name
of
this
talk
was
actually
security.
Considerations
for
container
runtimes,
but
I
actually
like
to
talk
about
it
differently.
It's
it's
really
we're
talking
about
container
engine
saya,
there's
one
of
the
problems
in
the
container
world
is
that
we
have
these
overlapping
terms.
So
a
lot
of
people
call
these
things.
They
call
docker
or
contain
a
runtime.
But
really
all
these
things
are
engines.
What
I'm
talking
about
engine?
A
A
B
A
So
content
containers
are
more
than
just
this,
just
docker
right,
docker
sort
of
revolutionized
this
thing,
but
containers
are
much
more
than
really
a
Linux
concept
and
we're
gonna
go
through
that.
But
let's
look
at
what
it
means
to
run
a
container
a
lot
of
system.
What
do
you
have
to
do
to
run
a
container
so
really,
when
I
looked
at
darker
years
ago
and
I've
been
working
on
docker
pretty
much
you
know
not
since
the
beginning,
but
since
it
really
exploded
onto
the
scene,
what
dock
it
does
is
it
does
multiple
different
things.
A
It
handles
multiple
different
kinds
of
workloads
and
really
in
some
ways
didn't
follow
it
sort
of
the
traditional
UNIX
model,
ways
that
you
do
individual
tools
to
do
individual
tasks
and
then
do
them
well.
So
really,
what
we
wanted
to
do
is
to
break
a
pot
sort
of
what
darker
is
doing
and
try
to
figure
out
different
ways
of
doing
some
of
those
functions
and,
of
course,
since
I'm
from
Red
Hat.
We
have
to
insert
the
system
D
joke
at
this
point.
A
Okay,
so
we'll
get
that
out
of
the
way.
So
don't
ask
me
what
about
system
D,
so
we
wanted
a
separate
use
case.
There's
separate
container
use
cases
when
we're
dealing
with
containers.
We
have
separate
ways
we
want
to
deal
with
containers
and
I
break
them
down
to
three
main
use
cases.
The
one
I
push
the
hottest
is
containers
in
production,
so
most
of
the
people
that
came
to
come
to
this
conference.
They
here
for
kubernetes,
so
kubernetes,
is
all
about
running
containers
in
production.
A
Right,
it's
not
about
developing
containers,
it's
not
about
playing
with
containers.
It's
running
containers
and
productions
really
moving
them
out
and
the
security
goals
of
running
containers
and
production
is
much
different
than
developing
containers
or
even
building
containers.
So
the
second
use
case
for
containers
is
building
container
images,
so
when
I
want
to
build
a
container
image,
building
image
that
I'm
going
to
push
to
a
container
registry
that
requires
more
privileges
than
running
a
container
in
production.
Okay,
so
because
I'm
actually
writing
to
the
images
writing
content
into
the
image
stuff.
A
Lastly,
there's
developing
and
playing
and
sort
of
getting
familiar
with
what
it
means
to
be
a
container.
Ok,
so
just
playing
around
with
the
Catana
and
that's
a
different
use
case
as
well,
alright,
so
there
what
we
wanted
to
do
is
we
wanted
to
build
tools
for
those
three
different
use
case
and
not
basically
lump
them
all
together.
A
So
when
we
looked
at
it,
you
know
we're
here
for
mainly
for
a
kubernetes
conference.
What
does
kubernetes
need
to
do
to
run
a
container,
so
the
first
thing
kubernetes
needs
to
do
to
run
a
container
is
identify
what
the
hell
a
container
is
right.
We
have
this
art,
but
what
is
a
container,
so
container
really
means
a
container
image
right.
A
So
people
say
I
want
to
run
the
nginx
container,
Irana
run
the
yo
fedora
container
or
the
httpd
container,
and
what
we
needed
to
do
is
have
a
definition
of
what
a
container
is,
and
this
is
really
what
docker
invented.
So
doctrine
invented
the
idea
of
a
container
image
right.
It
was
basically
a
tower
ball
and
some
JSON
files
that
describes
what's
inside
the
tab
wall.
Really
it's
a
root
of
s
that
I
put
content
in,
or
this
thing
directory
in
my
system.
A
That
sort
of
looks
like
slash,
I
put
content
to
do
it
and
then
I
create
a
JSON
file
that
describes
that,
what's
the
entry
point
when
environmental
variables
and
that's
really
what
a
container
image
is
and
what
we
needed
is
we
needed
a
standard
to
define
what
goes
in
that
JSON
file
so
early
on
in
the
container
process.
When
darka
came
out,
we
need
you
know
docker,
basically
on
the
standard
in
this
history
of
that
being
a
problem.
A
So
we
needed
to
do
is
get
a
standard
and
get
a
standard
on
extend
his
bodies
together
to
do
that,
Koro
West
came
along
before
red
had
acquired
them
and
they
said
we're
going
to
generate
a
specification.
They
generated
a
specification
for
what
they
defined
as
a
container
and
they
generated
the
app
C
spec.
The
FC
spec
came
along
and
suddenly
we
had
two
ways
of
doing
containers.
A
We
had
docker
containers
and
we
adapt
C
containers
and
what
happened
is
the
bunch
of
companies
got
together
at
that
point
and
said
we
have
to
have
a
standard.
We
can't
have
debian
in
rpm
again
right.
20
years,
25
years
ago,
debian
and
RP
red
had
in
in
other
open
source
developers,
couldn't
get
together
on
a
standard
or
mint
software
on
Linux.
So
we
ended
up
with
two
formats,
so
anybody
wants
to
ship
software
and
in
Linux
has
to
ship
in
the
two
formats.
A
Darker
and
a
few
others
and
I
always
forget
the
others,
and
if
they're
in
the
room,
they
can
shout
what,
but
basically
they
get
together
and
created.
Osi
ISO
OCIE
image
specifications
bundle
specification
came
out
a
year
ago,
and
that
basically
says
this
is
what
it
means
to
be
a
container
image
and
those
container
images
consider
the
container
registries.
So
the
next
thing
you
need
to
do
after
you
define
what
a
container
is.
A
They
wanted
us
to
create
a
separate
library,
so
CLI
on
top
of
scope,
EO
split
into
a
CL,
a
library
in
a
separate
executable,
and
so
we
created
containers
image.
So
containers
image
is
a
full
library,
go
library
that
can
be
used
for
pulling
and
pushing
images
from
container
registries.
The
next
thing
you
need
to
do
after
you
pull
the
image
to
the
host.
A
Is
the
image
usually
comes
in
a
bunch
of
layers,
so
I
need
to
be
able
to
take
those
layers
of
that
image,
bundles
and
untier
it
onto
my
system,
so
I
need
to
untier
on
to
several
different
yeah.
Well,
the
way
we
do
it
is
we
do
it
with
a
layered
file
system
called
a
copy
on
write
file
system.
So,
if
you
played
with
darker
you've
seen
overlay
device
mapper,
so
we
have,
we
have
a
library
out
there.
That
actually
was
you
know.
A
Originally
a
lot
of
it
was
written
by
Red
Hat,
some
of
it
came
from
darker
and
other
people.
It's
called
container
storage
and
what's
inside
a
container
storage,
is
overlay
driver,
a
ufs
driver,
XFS
butter,
efest
device,
mapper
and
BFS
I
believe
that
the
ones
so
basically,
we
have
a
library
that
can
be
used
to
store
container
images
onto
a
host.
The
last
thing
you
need
to
do
you
know
so.
A
Basically,
I
have
the
ability
to
identify
a
container
I
have
ability
to
pull
a
container
image
off
a
container
registry
I
have
the
ability
to
store
it
on
disk
now
I
have
to
execute
the
container.
So
the
last
thing
was
done
was
the
OCI
standard
for
runtime,
so
we
defined
OC
I
got
together
and
defined
what
it
means
to
be
a
runtime.
So
when
I
run
a
container
I
have
three
people
that
participate
in
defining
what
means
to
run
the
container.
A
First
of
all,
I
have
the
container
image
that
has
that
JSON
file
associated
way
at
the
image
bundle
spec.
The
second
thing
I
have
is
the
container
engine
it
has
sort
of
hard-coded
constants
inside
of
it
that
it
defines
to
run
a
container,
and,
lastly,
I
have
the
user
of
that.
You
know
like
kubernetes
or
something
like
that.
That's
talking
to
the
container
engine
and
said
I
don't
want
to
use
the
defaults.
I
want
to
use
these
separate,
separate
other
things.
A
What
the
container
engine
then
does
is
it
takes
the
input
from
the
image
its
own
hard-coded
image
content
and
the
content
from
the
user
combines
it
all
together
invites
a
JSON
file.
That
JSON
file
is
what
the
image
specification
is
then
there's
a
tool
that
can
run
that
read
that
image
spec
the
read
that
JSON
file,
which
points
to
the
root
of
s
that
was
created
on
the
copy-on-write
filesystem
and
it's
taught
to
execute
the
container.
Basically
configures
the
kernel
to
set
up
the
container
and
run
paid
one
run.
A
C
was
actually
came
out
of
Lib
Lib
container,
which
was
donated
to
the
OCI
by
darker,
and
then
we
built
a
tool
and
sadly
it
continues
to
be
developed,
while
all
these
years
a
year
and
a
half
to
23
years
later,
and
it's
continued
still
isn't
1.0,
but
pretty
much
everybody
in
the
world
that
runs
containers
right
now
so
to
the
traditional
containers,
that's
using
run,
see
darker
uses.
It
try
out
all
the
toast
tools,
we're
going
to
be
talking
about
today,
I'll
use,
run
C.
A
A
So
the
last
step
of
what
kubernetes
needed
around
a
container
is
also
triggered
by
core
OS,
so
core
OS.
Sadly,
all
this
happened
before
Carlos
got
bought
by
Red
Hat
by
the
way
so
congratulation
to
chloro
West.
So
core
OS
came
along
and
they
wanted
they
had
rocket
and
what
they
did
is
they
came
to
kuben
and
said
we
want
to
run
rocket
under
kubernetes
and
at
the
time
kubernetes.
This
is
three
three
years
ago
or
so.
At
the
time
all
kubernetes
did
is
call
out
to
the
docker
api.
A
Basically,
at
that
point
said
hold
on
you
know:
the
people
have
pibbles,
gonna
come
and
they're
gonna
say
if
def
gear
do
it
this
way
right,
and
so
they
didn't
want
to
have
all
these
different
container
engines
sort
of
specifying
what
it
meant
to
run
the
container
out
of
kubernetes
and
they
turned
it
on
its
ear
and
said.
Instead
of
you
guys
coming
to
us
and
embedding
your
you
know
secret
sauce
into
us,
we
will
call
out
an
api
to
you
to
run
a
container
and
that
was
called
the
CRI
container
runtime
interface.
A
B
So
quiet
what
is
growl
growl,
basically
loves
cuban
artists,
so
cryos
only
purpose
is
to
implement
the
cuban.
It
is
CRI
interface,
nothing
more
and
nothing
less
doesn't
care
about
my
so
spare
some
care
about
anything
else,
so
it
lost
cuban.
It
is
basically
so
dan
talked
about
all
these
pieces
that
we
used
to
to
make
up
the
container
runtime
and
let's
see
what
cuban
at
this
node
looks
like
when
we're
using
cryos
a
runtime.
So
on
the
left.
B
Here
you
see
the
cubelet
and
on
the
right
is
a
cryo
demon
and
the
GRP
capi
is
basically
the
CRI,
which
is
implemented
by
the
crowd.
Demon
and
cubelet
is
using
the
client
side
of
the
DPI
to
talk
to
cryo
to
to
create
and
run
images,
so
CRI
comprises
of
the
image
service
and
the
runtime
service,
and
the
image
service
is
basically
responsible
for
pulling
down
images.
B
It's
basically
takes
all
the
CRI
configuration
and
converts
it
into
a
JSON
that
that
Co
CIA,
runtime
spec
JSON
so
runs
he
can
understand
it
and
for
networking
we
have
been
using
CNI,
so
any
plug-in
that
is
CNI
compatible
can
be
used
with
cryo.
You
just
write
down
the
CNI
config
and
pick
flannel
or
calico,
or
any
other
CNS
solution
and
then
finally
for
the
runtime
today
it
calls
out
to
any
OC
I
incompatible
runtime.
B
So
if
you
have
a
part
to
your
OC,
I
binary
by
default,
it's
run
C,
but
we
also
added
support
for
cotta
working
with
Intel.
So
we
have
support
for
both
of
those
and
any
other
I.
Think
even
G
visor
works
through
that
interface
and
on
top
you
see
a
couple
of
pods
running
and
so
what
actually
makes
up
a
pod.
So
if
you're
talking
run
see,
we
have
an
infra
container,
which
is
kind
of
the
holder
container
for
for
the
C
groups
and
all
the
shared
namespaces
between
the
containers
running
in
the
pod.
B
So
you,
when
you,
when
you
when
cubelet,
says,
start
a
sandbox.
We
launch
that
in
for
a
container
and
then
when
it
asks
us
to
create
containers
inside
that
pod.
Those
containers
come
and
join
the
namespaces
of
the
pod
and
they
are
all
run
under
the
C
group
slice
that
is
assigned
to
that
pod.
So
they
are
kind
of
contained
inside
that
pod
and
then
on
the
right.
You
see
one
more
little
thing
called
conmen
now.
What
is
con
one?
B
So
we
wanted
to
design
a
cryo
from
the
big
to
be
able
to
like
restart
cryo
without
taking
down
the
containers
that
are
started
by
cryo.
So
Kahneman
is
a
small
program
written
in
C
and
it
stands
this
for
caught
like
container
monitoring.
So
what
it's
doing
is
it's
basically
watching
the
container
process
and
it's
it
just
records
when
it
exits
it
and
it
it
can,
so
it
can
return
the
is
it
could
back
to
the
cubelet.
B
In
addition,
it's
also
responsible
for
all
the
logging
needs,
so
CRI
defines
a
logging
format
and
con
one
is
responsible
for
reading
the
logs
from
that.
The
container
process
is
spewing
out
and
writing
them
out
in
the
CRI
format.
It
is
also
responsible
for
handling
like
attach
exact
and
oome
events.
However,
like
on
Mon
I
mean
you
see
so
many
common
processes
running
so
for
efficiency,
we
have
written
carmen
using
c
and
shared
libraries,
so
your
memory
usage
overall,
even
if
you
spawn
hundreds
of
containers,
shouldn't
be
a
lot.
B
So
what's
the
status
of
cryo,
so
we
have
like
nine
test.
Suites
passing
on
each
p
are
like
more
than
a
thousand
tests
and
no
pull
request
is
merged
without
running
all
these
tests,
including
cuban
at
this
end,
to
end
test.
So
all
the
branches,
all
the
peers
that
go
in
there
are
always
passing
the
cuban
a
distress
right
now
we
are
supporting
versions,
one
ten
through
one
thirteen,
so
we
said
like
krylov's
kubernetes
right.
So
can
you
guess
what
version
of
claro
works?
What
version
of
q
very
simple?
B
You
just
take
one
ten
for
cube,
110
111
for
cube,
111
and
113
for
cube
113,
which
was
just
really
used
last
week,
and
one
more
additional
points
of
openshift
for
dotto,
which
is
red,
adds
well.
Distribution
of
cuban
artists
is
going
to
use
cryo
by
default
for
food
or
dough.
It's
already
available.
As
a
preview,
you
can
try
it
out.
It's
using
graph
and
also
openshift
online
is
using
crime
and
production
today.
B
B
B
B
So
this
is
a
cryo
configuration
file
where
you
setup
the
cryo
daemon.
This
is
the
part
to
the
socket,
for
example,
and
right
now
we
care
about
the
capabilities.
So
if
you
take
a
look
at
the
capabilities
here,
it's
a
list
is
lot
shorter
than
what
docker
does
by
default
and
the
reason
is
like
Crowl
is
configured
to
run
containers
in
production
and
it
doesn't
support
bills,
a
lot
of
other
things
that
docker
does
by
default.
B
So
that's
why
we
have
been
able
to
trim
down
this
list
and
like
it
can
be
trimmed
down
even
further.
If
you
can
figure
out
what
capabilities
your
containers
aren't
going
to
need,
so
one
thing
to
note
here
is
that
we
don't
have
cap
Metro.
Now,
let's
go
to
our
container
and
see
what
capabilities
we
have.
B
Yes,
we
can.
So
if
anyone
was
like
ping
requires
cap
Nitro,
how
are
we
still
able
to
bring
the
other
container
right?
So
we
are
taking
advantage
of
a
new
kernel
feature
that
was
added.
So
basically
it's
a
sis
cuttle
that
you
can
enable
that
allows
you
to
use
ping
and
without
having
captain
I
draw
the
advantages
like
cap.
Nitro
has
been
involved
in
many
security
issues
over
the
years
and,
if
you
give
it
to
your
containers,
they
have
the
ability
to
craft
packages
and
potentially
cause
security
issues.
B
B
Let's
take
a
look
at
one
more
thing,
so,
let's
see
if
I
can
actually
write
or
touch
any
files,
so
I
cannot-
and
why
is
that?
Well,
I
made
use
of
another
feature
here,
which
is
called
read-only
equal
to
true.
So
what
this
means
is.
All
of
my
containers
are
running
with
no
write
table
top
layer.
So
if
you,
if
you're,
if
you're,
given
a
write
table
top
layer
to
your
containers,
they
can
end
up
writing
content
over
there
and
end
up
using
this
space,
which
you
would
want
to
save.
B
So
if
you
graph,
if
you
write
your
containers
well,
then
the
containers
should
be
designed
in
such
a
way
that
they
are
only
writing
to
bind
mounts
that
you
provide
to
the
container
so
in
case
of
cuban
it
is
you
would
you
would
be
using
the
appropriate
amount
like
an
empty
door
or
a
possession
volume,
or
something
like
that,
so
cryo
allows
you
to
like
enable
read-only
just
like
how
how
one
more
tenets
of
being
secure
is
never
run
any
container
as
route.
So
this
is
a
security
feature
similar
to
that.
B
B
B
So
earlier
we
talked
about
kata
and
Friends
of
Intel
have
created
this
nice
little
demo
for
us
and
so
coupon.
It
is
recently
add
added
a
feature
called
runtime
class
and
what
runtime
class
does
is
it
allows
you
to
configure
multiple
runtimes
and
it
allows
you
allows
a
way
for
you
to
pick
the
runtime
in
your
pod,
Yaman
say,
for
example,
if
you
want
more
security
for
a
particular
part,
then
you
would
say
you
would
want
to
run
that
in
a
VM
based
container
like
kata.
B
B
B
Then
we
jump
ahead
and
you
can
see
a
custom
resource
definition
is
cleared
for
run
time
class
and
then
another
one
is
created
for
kata.
So
now
the
cluster
understand
this
is
another
type
of
run
time
called
kata.
Then
we
launch
a
default
port
using
run
C.
There
is
no
runtime
class
added
to
this
pod
definition.
Here.
B
B
Then
we
see
that
there's
nothing
running
under
cotta
containers
right
now,
then
we
create
a
podium.
Alfa,
cotta
and
thing
to
note
here
is
the
runtime
class
is
set
to
cotta.
So
this
basically
tells
cryo
that
when
you
see
this
part
and
take
a
look
at
the
runtime
class
and
use
car
time
sort
of
run
C
to
spawn
that
pod.
B
A
Okay,
so
that
was
basically
cryo
now
we're
gonna
be
talking
about
Codman.
So
one
of
the
originally
talked
about
the
three
ways
you
want
to
run
containers
well,
one
of
them
was
running
in
production,
as
we
just
saw.
We
can
take
advantage
of
a
lot
of
security
features
that
aren't
available
when
I
want
to
sort
of
play
and
test
with
the
container.
A
So
now
we're
going
to
look
at
what
you
want
to
do
when
you
do
on
a
test
and
play
with
a
container,
and
we
introduced
a
new
project
called
pod
man
about
a
year
and
a
half
ago,
and
we
call
a
part
of
the
live
pod
project,
but
basically
pod
man
stands
for
a
pod
manager,
but
really
what
we
wanted
to
do
is
we
want
to
replace
docker
CLI.
So
this
is
a
different
presentation.
I
give
sometimes
called
replacing.
Daka
was
replacing
Dhaka
with
God.
A
You
fall
asleep
out
there,
okay,
so
this
is
what
you
do.
You
do
a
DNF
install
pod
man
and
then
you
do
a
alias
doctor.
It
goes
pod
man,
any
questions,
but
we'll
hold
off
questions
to
the
end.
Okay,
so,
and
in
the
way
I
could
prove
that
that's
true
here
is
this:
was
my
favorite
tweet
all
time
this
is
alan
moran,
who
I
don't
know.
I
said
I
completely
forgot
that
two
months
ago
I
set
up
an
alias
of
dr.
A
who
those
pod
man
and
by
the
way
this
happened
to
me
and
it
has
been
a
dream
and
then
he
says
no
big
fat
demons,
which
is
my
mantra
and
down
here.
Someone
responded
to
him
and
said:
how
did
you
figure
out
that
you
were
running
weren't
running
doctor
and
he
said
he
ran
docker
help
and,
of
course,
pod
man.
Health
came
up,
so
let's
jump
and
I'll
give
a
quick
demo
to
show
you
all
the
security
features
that
are
in
pod
man,
so,
first
of
all,
a
sort
of
Ronald's
password
when
your
does
sudo.
A
A
So
we
wanted
to
allow
you
to
customize
and
pick
which
registries
you
want
to
have
in
your
environment,
so
if
out
of
the
boxes
in
the
fedora
system,
so
we
have
docker
I/o
for
a
project
on
Al
Queda
at
I/o,
red
hats
and
sent
to
us
as
registry.
So
if
you
give
me
just
you
know,
I
want
to
run
the
nginx
it'll
go
through
the
list
of
registries
and
ask
if
you
want
to
set
up
your
own
registry
and
remove
all
these
registries,
you
can
do
that.
A
You
can
do
whatever
you
want
with
the
configuration
of
this
tool
right.
So
it's
any
registry,
so
one
of
the
things
we
talked
about
is
building
containers
right.
So
we
talked
about
building
containers
as
a
third
way,
but
we're
not
gonna
have
time
to
actually
show
you
builder
today,
but
we're
actually
running
builder
right
now.
A
But
what
we
were
actually
doing
is
we're
running
a
container
with
builder
inside
of
it
and
then
we're
using
builder
inside
of
a
container
to
build
a
container
okay
and
it's
a
lovely
wait,
wave
yeah,
so
we're
actually
just
built
up
up
above.
We
had
docker
file
that
actually
had
the
three
lines
of
keep
going
up
a
little
bit.
More
basically
have
pulled
Alpine,
set
up
a
couple
of
environments
of
variable
and
a
label
and
actually
traded
an
image
inside
of
a
catana.
Now
what
that
really
demonstrates
is
using
this
tool.
A
There
are
no
demons
right,
there's
no
reason
to
have
a
demon,
it's
just
a
standard
fork
and
exact
process
for
running
a
container
underneath
it,
and
we
can
actually
build
containers
inside
the
containers
without
leaking
the
darker
socket
into
containers
and
by
the
way,
access
to
the
darkest
socket
means.
You
have
full
route
on
the
host
and
there's
no
logging
to
attract
what
you
do
so
now.
We
are
actually
going
to
basically
run
container
and
show
you
that
we
have
actually.
So
here
is
the
container
image
that
we
built
on
the
system.
A
A
So
pretty
much
doctor
can
do
that
right.
You
know
somewhat
everybody
seen
doctor
do
that.
What
I'm
about
to
show
now
was
something
that
doctor
can't
do
we're
actually
gonna
run
the
entire
CLI
as
non-root
okay.
So
the
first
thing
we're
gonna
do
here
is
we're
gonna
wow
he's
already
done
it,
so
he
pulls
the
Alpine
image
as
non-root.
A
So
if
you
looked
up
above
these
pod
man
commands
used
to
say
sudo
and
now
they're
not
saying
sudo,
he
just
ran
an
Alpine
LS
command
inside
of
a
container
and
now
he's
going
to
list
all
the
containers
that
we've
written
previously
all
the
stuffs
happening
in
the
home
directory
right.
This
is
pod
man
running
inside
the
home
directory
when
I
present
the
customers,
customers
are
always
asking
me,
should
I
allow
darker
socket
to
be
leaked.
A
All
the
developers
want
to
run
with
darker
socket
and
I,
say:
darker
socket
is
worse
than
giving
sudo
with
no
password
at
least
sudo
with
no
password
has
logging,
okay
and
when
I
say
that
everybody
say
doc
has
logging
yes
and
I.
If
I
have
ax
as
a
darker
socket,
do
all
my
stuff
and
then
I
destroyed
the
lock
the
container
and
I
destroy
the
log
at
that
time.
So,
if
I
do
quod,
man,
images,
you'll
notice,
that
I
have
two
images
inside
of
my
home
directory.
A
But
now,
if
I
do
sudo
cloud
man,
images
you'll
see
that
I
have
a
whole
bunch
of
now.
That
shows
that
there's
a
separation
root
images
versus
user
injury,
user
directory
images,
and
that
means
that
every
user
is
going
to
have
his
own
store
inside
of
its
own
home
directory,
and
that
way
they
were
isolated
from
each
other.
That's
taking
advantage
of
the
username
space.
A
Now,
if
you
come
to
the
pot,
if
you
want
to
see
a
demonstration
username
space
takes
too
long
right
now,
I'll
be
at
the
bread
that
booth
afterwards
and
I
can
show
you
some
of
the
stuff.
But
all
this
is
taking
advantage
to
use
the
namespace
to
be
able
to
do
this
functionality,
but
using
namespace
is
actually
even
better
than
use.
The
namespace
means
I
can
map
non-root
uses
to
route
inside
of
a
container.
A
So
here
we
are
demonstrating
we're
going
to
create
a
container
now
we're
going
back
to
route
and
we're
going
to
create
a
container
that
map's
zero
to
a
hundred
thousand
and
then
the
first
five
thousand
you
IDs
after
it
so
I'm
by
mapping
five
thousand
UID
starting
at
zero
inside
like
container
in
this
they're,
actually
UID
100,000.
So
one
other
things
we
added
to
pod
man
is
we
added
the
ability
to
actually
applaud
me
on
top
now,
has
the
ability
to
reveal
what's
going
on
inside
of
a
container?
A
So
here
we
have
used
their
ant
host
user,
so
it
shows
you
that
you're
running
as
root
and
UID
a
hundred
thousand.
The
next
line
we
did
is
like
rep.
We
did
basically
just
a
standard,
PS
command,
and
it
shows
that
that
container,
even
though
it's
running
in
a
user
name,
space
is
running
as
a
hundred
thousand
on
the
host.
A
Now
we
run
a
second
container
as
two
hundred
thousand
and
we're
gonna
see
that's
running,
it's
rooted
and
two
hundred
thousand
now
we're
going
to
do
the
PS
command
and
that
you
can
see
now
is
running
at
two
hundred
thousand.
So
we
have
two
processes
running
in
container.
They
both
think
that
route
and
but
if
they
break
out
of
the
container,
they
would
be
treated
as
UID
100,000.
You
undo
you
two
hundred
thousand
now
this
is
used
a
namespace,
but
it's
never
been
used
anywhere.
A
Okay
use
the
namespace
of
the
available
inside
of
docket
right
now,
but
it's
a
single
user
namespace
for
the
entire
all
container
run
times
all
right.
It's
not
even
using
the
cryo
yet,
and
that's
mainly
because
kubernetes
is
behind
and
being
able
to
handle
it
if
we
put
in
user
name
space
but
we're
doing
it
in
pod
man
we're
experimenting.
We're
also
working
with
the
Linux
kernel,
guys
to
make
this
fast
to
make
it
as
fast
as
possible
as
far
as
handling
it.
A
So
another
interesting
thing
about
pod
man
versus
docker
is
docker
is
a
client-server
operation.
That
means
that,
basically,
when
you
run
the
darker
client,
the
container
is
not
a
child
of
your
processes.
Child
of
the
container
daemon
pod
man
is
different
in
that
it
is
a
fork
and
exact
model.
So
the
process
that
you
continue
was
actually
a
child
yet
process.
How
many
people
in
here
have
ever
heard
of
logging
UID
some
of
you
care
about
security.
The
ollie
hands
should
have
gone
up.
A
It's
a
really
cool
security
feature
when
a
user
logs
into
a
Linux
system,
logging
UID,
is
recorded.
The
login
program
basically
says
this
process
was
started
by
Dan
Walsh
or
in
this
case
Imran.
Oh,
so
you
can
see
that
when
I'll
argue
that
the
process
is
running
as
a
thousand
now
we're
gonna
run,
sudo
become
root,
execute
pod
man,
which
is
going
to
execute
a
container
and
then
we're
going
to
look
at
the
sec
logging
UID,
okay.
A
So
it
comes
out
as
one
thousand
right
now
we
do
the
exact
same
command
with
darker
and
darker
comes
out,
as
this
really
huge
number,
which
stands
for
minus
one
and
the
64
bits
okay.
So
this
means
that
the
darker
daemon
was
never
set
right.
It
wasn't
created
by
a
user
process;
they
never
logged
in
so
it
ran
the
container.
Is
that
so?
Why
is
that
important?
A
Let's
look
at
the
auditing
subsystem,
so
this
command
here
basically
says
I'm
going
to
watch
that
see:
shadow
okay,
it's
gonna
watch
for
anybody
modifying
it,
see
shadow
and
we're
gonna
break
out
about
container
we're
gonna
run
pod
man
and
actually
modify
it
see
shadow.
We
do
want
to
touch
about
see
shadow.
Now,
let's
look
at
the
audit
log.
It
says
right
here
that
this
evil
human
being
up
here
just
hacked
the
system.
Okay
and
then
he
did
something
weird
on
that
gameplay,
okay,
so
monolith
basically
is
modified
that
so
now
we
just
ran
dark.
A
Are
the
exact
same
break
out
of
docker?
And
now
we're
gonna
see
what
happens
when
darker?
Does
it
and
it
comes
up
with
an
a
UID,
is
unset.
So
if
a
container
breaks
out
of
docker
and
affects
the
system,
you
have
no
idea
who
created
the
container
to
do
that
where
it's
pod
managed.
So
it's
just
a
way
to
think
about.
What's
happening
versus
a
client-server
model
versus
a
fork
and
exec
model,
let's
go
next,
so
other
features
so
containers.
A
If
you've
ever
seen
me
talk
about
containers,
they
always
talk
about
all
these
security
features
that
are
involved
in
containers
and
a
lot
of
it's
like
me,
waving
at
hands
and
said
Dan
Walsh
said
this
stuff
happens,
so
we
added
to
Padma
and
top
the
ability
to
actually
reveal
what's
going
on
inside
the
container
and
the
base
of
the
security
features.
So
the
first
one
is.
We
now
have
a
kid
in
an
age
pit,
so
kid
tells
you
is
a
pit
of
the
container
and
then
h
p--.
A
It
tells
you
the
process
of
the
system,
so
the
next
one,
we're
gonna
show,
is
actually
showing
you
the
SELinux
label.
So
this
talk
is
showing
you
all
the
process
of
what
SELinux
labels
associated
this
one's,
showing
you
asset
cop,
tells
you
whether
or
not
sec
comp
is
turned
on
and
not
in
the
system
and
the
last
one
remember
mono
was
talking
about
capabilities,
so
linux
capabilities,
the
ability
to
break
root
into
multiple
different.
A
You
know
the
power
of
root
down,
it's
different
things,
so
we
actually
go
with
because
we're
trying
to
modify
you
know
mimic
what
docker
does.
This
is
the
list
of
capabilities.
They
did
so,
if
you
saw
in
his
presentation
there's
about
eight
capabilities,
but
when
I'm
playing
with
containers
I
actually
have
a
lot
more.
So,
for
instance,
I
have
make
node
because
I
might
want
to
do
a
build.
A
I
might
want
to
create
device
notes,
I
have
as
net
raw
write,
because
I
might
want
to
ping,
and
I
might
not
have
that
K
that
just
calls
this
control
set.
So
there's
a
bunch
of
these
things
that
dot
yeah
I
have
auto
write,
I,
don't
know
why
Auto
writes
on
at
all,
but
anyways.
That's
the
list
of
capabilities
that
no
one
knows
they're
hard-coded
into
the
dock,
a
demon
right.
A
So
this
basically
shows
you
what's
going
on
so
quad
Mian
stands
for
pods
pod
manager,
though
pod
is
a
concept
from
analytics
from
kubernetes
that
basically
allows
you
to
run
one
or
more
containers
inside
of
right
inside
of
a
pot
or
a
group
of
basically
the
group,
your
containers
together
inside
the
same
namespace,
so
pod
man
actually
manages
not
only
containers
but
also
pots.
So
here
we
are.
We
just
created
a
new
pod
called
pod
test
and
we're
going
to
create
two
containers
inside
of
it.
A
So
we
joined
the
two
containers
and
you
can
see
that
there's
no
containers
running
on
my
system
right
now,
so
I'm
gonna
actually
start
the
pod
test
and
boom.
Two
containers
Ronnie.
So
basically
we're
showing
that
containers
are
tied
to
the
pod
now
and
we
can
start
to
play
around
with
pots
play
around
with
the
concept
of
pods.
So
he's
gonna
stop
the
pods,
and
now
we
should
see
no
pods
running
inside
like
a
container,
no
clods
left
and
that's
the
end
of
the
demo
and
I
think
we're
just
a
we'll.
Take
a
few
questions.
A
What's
the
difference
between
XFS
and
ext4
and
Ubuntu
and
fedora,
and
it's
just
different
ways
of
doing
the
same
thing
right
that
doesn't
need
to
be
only
one
way
to
rank
containers
on
the
kubernetes,
so
they're
competing
projects.
So
we
actually
believe
that
cryo
is
better.
They
believe
that
container
D
is
better.
A
A
A
You
can
you
can
run
builder
as
non-root,
so,
yes,
you
can
run
build
up
inside
of
you
use
the
namespace
inside
of
kubernetes.
Yes,
so
I
could
writing
a
bunch
of
containers.
Doing
builders
inside
of
kubernetes
yeah
can
I
safely
at
alias
start.
Yes,
I
can
alias
dr.
equals
pod
man
and
I
can
do
a
pod
man
bill
a
docker
build
and
it
will
do
a
pod
man
build
so
builder
is
actually
built
into
pod
man
for
the
pod.
Man
builds
capability,
yeah.