►
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
How to Choose a Kubernetes Runtime - Justin Cormack, Docker
This year has seen the launch of several new container runtimes, including gVisor from Google and Nabla from IBM, as well as the consolidation of the Hyper and Intel VM container projects into Kata containers. This talk looks at all the runtimes, how we can evaluate their security, and how they compare to the standard OCI runtime, runc.
There are a variety of ways of measuring how much the different runtimes reduce the Linux kernel attack surface, so this talk makes an assessment of those risks, based on types of code that are blocked, and actual and theoretical attacks. In addition we discuss the threat models for different types of users and code, and look at which types of user should consider these options.
This talk is aimed at people wishing to increase the security of the runtimes they are using for Kubernetes, and who wish to understand what the risks and improvements are.
To learn more: https://sched.co/GrZB
A
We're
going
to
talk
about
choosing
a
kubernetes
runtime
today
my
name
is
Justin
Cormac
I
work
at
docker
and
I've
been
working
on
runtimes
for
kind
of
a
long
time
which
is
kind
of
why
I
decided
to
do
this
talk
I'm
based
in
Cambridge.
This
is
a
picture
of
down
the
road
from
my
house.
Cambridge
is
a
sort
of
science
village
in
England,
and
this
is
where
quasars
were
discovered
50
years
ago.
It's
very
scenic,
just
full
of
people
doing
tech.
A
It's
it's
kind
of
a
interesting
place
if
you
like
tech
and
countryside,
so
yeah
I've
been
working
on
container
infrastructure
and
security
for
many
years,
and
so
I
kind
of
got
a
lot
of
opinions
about
runtimes
and
I.
Think
it's
where
it's
actually,
we
only
were
kind
of
really
interesting
space
with
runtimes
this
year,
in
particular
wise,
particularly
interesting.
A
A
A
A
Why
do
I
have
to
make
a
choice?
Why
do
I
want
to
choose
a
different
runtime?
So
the
original
cubist
is
sort
of
specification.
I
mean
the
API
justification
was
what
Tim
all
Claire
proposed
around
it
was
just
before,
and
you
Connie
you,
which
was
called
the
San
sandboxes
API,
and
this
was
a
checkbox.
You
were
going
to
be
able
to
put
in
your
Cuban
Isis
saying:
do
I
want
to
sandbox,
so
I
do
not
want
a
sandbox.
A
Yet
it's
not
quite
clear
what
the
semantics
for
the
runtime
class
are
going
to
end
up
looking
like,
but
the
actually
the
original
use
case
of
tick-box
of
more
isolated
or
less
Isolators.
Actually,
what
most
people
are
kind
of
interested
and
I
think
that's
still
a
useful
way
of
thinking
about
it.
All
the
runtimes
going
to
talk
about
today
are
really
I
want
more
sam
boxing
and
and
that's
that's
still
kind
of
the
the
more
useful
way
of
thinking
about
it
in
principle.
A
A
So
untrusted
code
is
basically
a
slightly
vague
term,
but
it
really
means
code
that
you,
you
either
haven't
written
yourself
and
you
are
just
getting
it
from
someone
else,
who's
just
giving
you
some
code
and
you're
just
going
to
run
it
without
reading
it.
So
you
know
if
you
and
if
you've
ever
downloaded
some
code
from
the
internet
and
run
it
that's
untrusted
code
unless
you've
actually
looked
at
it.
You
know
if
you
curl
to
bash
untrusted
code
or
it's
code
that
deals
with
very
hostile
inputs.
A
One
of
the
common
things
is
things
like
media
processing,
where
most
programs
that
do
processing
of
audio
or
video
for
image
files,
and
things
like
that
have
had
a
lot
of
vulnerabilities
in
the
past,
because
the
input
that
they're
running
is
is
can
be
a
sort
of
a
hostile
input.
That's
designed
to
attack
the
program,
and
typically
these
programs
are
not
very
well
tested
against
hostile
input.
They
they
will
decode
correctly
correct
input
and
they
will
often
crash
or
be
exploitable
in
with
hostile
input,
and
this
is
gradually
getting
better,
as
people
do
fuzzing.
A
But
it's
it's
been
a
traditional
case.
Where
M
you
need
to
be
a
bit
careful
and
not
trust
your
cage
and
if
you're,
actually
a
hosting
provider
providing
a
service
to
other
people,
all
code
is
untrusted.
You
know
that
your
customers
are
there
and
they
may
be
running
anything
and
they
may
be
trying
to
attack.
You
attack
your
infrastructure
or
anything
like
that.
So
that's
definitely
untrusted
code.
So
if
you're
in
that
position,
that's
untrusted
code.
So
these
are
the
kind
of
cases
of
which
we
normally
refer
to.
A
Code
is
untrusted
code
that
you
write
yourself
is
not
untrusted
code.
If
you
don't
trust
your
developers
to
write
code
fix
that
first,
don't
treat
your
developers
as
hostile
I'm.
Some
people
are
laughing
but
seriously
I
mean
I'm.
Working
security
I've
had
conversations
where
people
literally
do
treat
their
developers
as
hostile
people
trying
to
attack
their
platform.
It's
not
it's
not.
Actually.
You
know
that
uncommon,
particularly
I
mean
I.
Think
one
of
the
things
is
that
you
know
that
the
whole
dev
psych
ops
movement
is
about
helping
security.
A
People
work
with
developers
and
ops,
people
and
traditionally
security
people
have
just
treated
everyone
else
as
being
hostile
and
out
to
get
them
and
and
claim
that
they
don't
know
what
they're
doing
that
they
running
all
sorts
of
stupid
things,
blah
blah
and
and
and
they
they
have
had
that
kind
of
a
two-unit.
It's
really
really
not
helpful
if
you,
if
you
want
to
build
a
platform
that
is
as
secure
AWS
say
because
you
actually
want
to
run
untrusted
code.
A
It's
about
code
quality,
particularly
in
the
cases
where
the
code
is
running
in
a
unexpected
path,
rather
than
the
happy
path,
which
generally
is
often
it's
often
less
tested.
But
that's
it's
really
really
important
that
you
know
we're
not
having
a
community
of
runtime
in
order
to
deal
with
our
developers
and
problems
with
with
our
processes.
A
But
there
are
some.
There
are
a
few
cases
where
treating
your
internal
code
as
untrusted,
isn't
maybe
a
good
thing,
so
media
processing
things
like
that,
where
it's
it's
difficult
to
get
really
good
code
and
to
totally
trust
it
so
kubernetes
runs
on
containers
and
then
the
sort
of
question
that
people
ask
is
do
containers
contain
I
mean
it
they're
called
containers
they
sound
like
they
contained
it.
Does
it
really
doesn't
need
this
stuff
matter?
Is
my
thing
secure
enough
anyway,
if
I
just
run
it
in
containers
and.
A
The
first
thing
is
here:
containers
do
help
contain
that
their
name
does
mean
something
it's
not
kept
totally
stupid.
It's
definitely
you
know.
Running
stuff
in
containers
is
better
than
not
running
containers
from
a
security
point
of
view,
but
all
code
has
bugs
and
all
bugs
can
be
security
issues
and.
A
A
Miss
configuration
is
actually
I,
probably
the
biggest
issue.
So
if
we
look
at
things
like
the
kubernetes
volume
CVE
that
we
had
earlier
this
year,
that
was
effectively
a
kind
of
mist
configuration
issue
around
around
volumes,
and
you
can
also
just
miss
configure
things
yourself
quite
easily
and
those
things
are
kind
of
things
that
that
can
let
people
escape
from
containers.
If
you
mount
parts
of
the
host
into
the
container
and
things
like
that
in
general,
mounts
are
kind
of
problematic
in
for
security
reasons,
often.
A
A
The
I
mean
there's
normally
I'm,
going
to
say,
there's
normally
four,
maybe
five
known
exploits
a
year
that
you
could
use
to
escape
from
containers,
some
of
them
the
docker
default
set.
Comp
policy
has
blocked
in
the
past
and
some
of
them
it
hasn't
some
of
these.
Some
of
these,
if
bugs
are
really
kind
of
obscure
to
exploit
some
of
them
are
things
that.
A
Some
of
them
don't
require
many
put
any
privileges
at
all.
We
had
a
kernel
exploit
recently
that
only
required
fork
and
M
map,
so
it's
totally
impossible
to
block
with
any
kind
of
policy
and
we've
had
other
bugs.
There
was
a
bug
and
run
C,
two
or
three
make
Nothing
two
years
ago
that
allowed
container
escape
due
to
issues
in
run.
C
itself.
You
know
so
overall
containers
do
contain,
but
there
are
bugs
there
are
bugs
and
everything,
and
so
the
question
is:
is
it
sufficient
for
my
purposes?
A
Can
I
mitigate
these
bugs
with
other
defense-in-depth
I
mentioned
seccomp,
which
is
not
yet
the
default
in
communities
and
one
day
that
will
switch
and
be
turned
on,
but
you
can
turn
it
on
yourself.
Selinux
napa
I'ma
have
stopped
a
lot
of
these
bugs
from
being
exploitable
in
production.
I
mission
updates,
updates,
updates,
always
update
everything,
locking
down
minimizing.
A
What's
on
the
hosts,
dropping
all
the
capabilities
with
the
the
pod
security
policy
lets
you
enforce
these
things
in
a
kind
of
not
very
granular
way,
don't
run
containers
as
route
route
containers
running
as
root
have
extra
privileges
they're
slightly
easier
to
exploit.
They
there's
usually
a
few
extra
kernel
interfaces
they
can
use
and
if
you're
not
running
as
route,
that
kind
of
minimizes
things
and
repaving
and
really
updating
things.
A
A
If
you
look
at
the
the
actual
kind
of
container
exploits
we
see
in
practice,
a
lot
of
them
are
just
exploiting
miss
configuration
to
do
Manero
mining
and
things
like
that
and
they're,
not
really
that
don't
involve
much
actual
sort
of
container
escape
or
anything.
If
people
just
want
to
run
stuff
on
your
infrastructure,
they
don't
need
to
escape
from
your
containers.
They
can
just
run
it
in
your
containers
so
so
run
times.
The
actual
runtime
is
not
necessarily
what's
the
most
thing
for
for
doing
things
in
practice.
A
A
Virtual
machines
are
kind
of
well
understood.
Isolation.
Technology
they've
been
around
a
long
time.
So
essentially
you
boot
up
a
little
tiny
virtual
machine
with
the
smallest,
that's
kernel,
you
can
actually
sanely
build
in
it
for
each
container
it
uses
by
default
users,
qmu
running
on
KVM
or
qmu
light,
which
is
their
stripped
down
version
of
qme
with
them
more
of
the
pieces
removed.
A
Actually
that
was
one
a
case
where
and
Farriss
people
were
not
actually
vulnerable
because
they
had
removed
the
floppy
drive
or
anyway,
but
it
was.
There
are
issues
like
this
with
queue
in
the
past
because
it
was
designed
really
around
emulating
a
whole,
a
whole
computer,
rather
than
being
a
lock
down
runtime
for
actually
being
secure
in
order
to
run
counter
containers,
you
need
to
not
be
already
running
in
a
VM
and
it's
and
it's
we're
actually
using
nested
virtualization,
which
is
kind
of
complicated.
A
So
ideally
you'll
run
this
on
on
bare
metal,
so
that
actually
rules
that
that
used
to
rule
out
pretty
much
everyone
actually
trying
it
out
until
they
only
actually
started
releasing
bare
metal
machines
this
year
or
late
last
year.
So,
if
you're
running
on
AWS
bare
metal
instances,
this
can
actually
run
in
a
in
a
sane
way.
A
Google
and
Azure
cloud
platforms
do
support
nested
virtualization
to
some
extent
as
you
support
it.
As
a
as
a
proper
security
boundary.
They
say:
I've
got
a
meeting
pallet
later
that
summer
there
but
Google
I'm,
not
sure
they
count
it
as
a
security
boundary.
So
it's
not
clear
if
that's
necessarily
that's
secure,
but
and
if
you're
running
on
pram
again
you'd
have
to
be
running
bare
metal
to
run
this,
so
that
kind
of
is
a
bit
of
a
limiting
factor
for
some
people
in
actually
putting
this
into
production.
A
There's
also,
some
overhead
virtual
machines
take
up
more
memory
than
containers,
because
the
memories
specifically
allocated,
rather
than
shared
cache
containers
is
used
in
production
at
at
least
Alibaba
JD
comm
I
believe
that
a
distillation
are
using.
It
I
think
when
I
touch
them,
they
were
at
least
they
were
using
hyper
before
I
haven't
taught
some
recently,
so
I'm
not
sure.
But
yes,
it's
it's
real.
It's
being
used
in
production
by
by
people
who,
in
particular,
who
are
running
public
cloud
type
services
around
so
as
providing
containers
for
people
surround
securely
hostile
people.
A
So
it's
it's
a
real
production
run
time
it
definitely
it's
definitely
working
G
visor,
as
I
said,
was
launched
by
Google
this
year.
It's
a
totally
different
model.
It's
based
on
actually
emulating
Linux,
rather
than
running
a
little
Linux,
a
separate,
isolated,
Linux,
so
they've
actually
written
that
complete
emulation
of
Linux.
In
go,
which,
every
time
when
your
program
runs,
it
does
a
system
call
instead
of
doing
the
actual
system
call
it
gets
trapped,
it
calls
into
the
go
runtime,
which
then
basically
runs
the
code
to
do
that
system.
Call.
A
This
sounds
kind
of
a
bizarre
and
complicated
thing.
To
do.
I
mean
I
think
it's
quite.
It's
actually
really
interesting
code
base
and
it's
something
and
the
team
are
really
friendly
and
helpful.
If
you
were
interested
in
how
this
actually
works
in
practice,
it's
so,
if
you,
you
know,
if
you're
interested
in
the
internals
of
of
it
I
highly
recommend.
Just
you
know,
reading
the
code
on
top
of
the
team
who
run
it
because
it
has
to
emulate
the
whole
of
Linux.
It's
not
actually
fully
complete
because
looks
is
a
gigantic
interface.
A
It
has
several
hundred
system
calls,
but
some
of
those
just
ways
of
hiding
thousands,
more
interfaces
that
get
more
and
more
obscure,
but
it
runs
most
things,
I
mean
when
they
launched
it.
It
was
the
issue
there
was
an
issue
of
doesn't
run
nginx,
which
was
kind
of
always
the
first
application.
I
tend
to
run
on
things
to
test
them
out,
but
actually
they
fix
that
issue
very
quickly
and
if
you
report
issues
ons
particular
applications,
they're
they're,
very
good
at
fixing
them
because
they'll
there'll
be
just
one
little
bit
of
emulation.
That's
missing!
A
The
sandbox
is
sandboxed,
always
like
layers
of
there's
a
sandbox
thing,
so
the
emulation
code
runs
as
an
unprivileged
user
with
that
with
capabilities
dropped
and
it's
wrapped
in
sec
comm
to
stop
it
doing
anything
it
shouldn't.
Do
it
has
two
backends
for
how
to
trap
these
system
calls.
One
of
them
is
P
trace,
which
is
slow,
but
works
anywhere
without
any
particular
privileges,
and
the
other
is
a
source
of
a
VM
based
thing:
it's
not
it's
not
a
full
virtual
machine,
but
it
uses
the
virtualization
features
of
the
CPU
to
make
the
traps
faster.
A
A
That
is
the
system
called
trapping
and
some
memory
mapping
in
in
the
virtualization,
which
is
the
the
backend
that
you
should
probably
use,
because
it's
faster
and
it's
got
a
more
understandable
security
model,
so
G
visor
is
used
in
production
on
Google
App
Engine
on
the
kind
of
the
new,
the
the
new
released
version
that
they
did
this
year.
So
it's
it's
definitely
production
grade
and
you
know
secure
and
design.
A
You
know
you
know
battle-tested
for
their
use
case
the,
but
it's
kind
of
a
new
it's
as
if
from
the
open
source
point
of
view,
it's
kind
of
new,
a
new
project.
So
I
don't
know
if
anyone
outside
Google
helped
with
it
in
production.
Yet,
but
maybe
maybe
there
are
some
people,
but
it's
definitely
something
that
is
mature.
It's
not,
it
wasn't
just
released.
Now.
If
you
look
at
the
history
of
the
code,
it
goes
back
many
years
and
and
it's
definitely
definitely
not
a
sort
of
an
incomplete
project.
A
Both
of
them
really
fundamentally
require
that
you
run
them
on
something
that
supports
virtualization
for
ideally
I
I'm.
Very
much,
not
a
not
a
believer
that
nested
virtualization
is
security
boundary
but,
as
I
said,
I've
got
a
meeting
with
Microsoft
later.
Who
can
try
and
change
my
mind
about,
has
yeah
but
see,
but
you
you
can
run
them
on
AWS,
bare
metal
on
Prem,
bare
metal,
bare-metal
providers
like
packet
or
net,
and
other
people
like
that
who
give
you
bare
metal
machines
I.
A
You
know
the
the
security
boundary
boundaries
that
virtualization
gives
you
a
kind
of
useful
and
if
you
just
use
those
in
order
to
just
run
a
virtual
machine
in
order
to
run
containers
on
the
virtual
machine,
you're
kind
of
it's
kind
of
pointless,
running
containers
inside
of
inside
a
virtual
machine.
If
you're,
if
you
don't
have
to
it's
better,
to
run,
containers
on
bare
metal
and
then
use
the
virtualization
bits.
If
you
need
to
isolate
containers
more
securely,
I
think
and
I
think
we'll
we'll
see
more
people
kind
of
moving
towards
this
model.
A
It
was
it.
It
was
really
useful
at
AWS,
started
releasing
bare
metal
machines
because
that
made
it
much
more
available
to
people
who
wants
to
try
things
out
and
and
yeah,
using
using
virtual
students,
just
as
the
platform
substrate
for
ease
of
management,
kind
of
means
that
you
can't
then
use
them
to
do
useful
things
like
runtime
security
instead.
So
I
kind
of
I
think
I.
A
Another
runtime
that
came
out
this
year
that
was
nabla,
which
was
a
unique
kernel
runtime,
it's
quite
different
from
the
other
ones,
in
that
you
have
to
rewrite
your
application
as
a
unique
kernel
as
a
so
it.
Basically,
you
can't
just
take
an
unmodified
Linux
application
and
run
it
so
that's
much
much
less
accessible
to
the
average
user
them
the
two
we've
talked
about
before,
but
but
it
has
has
a
nice
security
project,
property
properties.
A
It
kind
of
looks
like
a
sort
of
hybrid
of
the
if
the
kind
of
gee
visor
model
in
a
way
I
mean
with
gee
visor,
so
they
emulate
the
Linux
kernel,
so
they
have
a
TCP
stack
written
in,
go
that
they
run
if
you're
running
a
unique
kernel.
You
also
link
your
application
during
TCP
stack
and
run
that
yourself.
So
if
you
could
use
the
same,
TCP
stack
that
they're
using
for
example,
but
you
have
to
do
that
work
yourself.
So
it's
kind
of
it's
definitely
a
more
complicated
thing.
A
You're
still
running
an
infrastructure
that
runs
on
Linux,
even
if
you're
running
a
hypervisor
with
them
you're
on
your
say,
you're
on
in
cash
containers,
you're
running
machines
in
a
virtual
you're
running
and
contains
in
a
virtual
machine,
you're
still
underlying
that
you're
still
using
Linux
as
as
the
underlying
hypervisor
running
KVM.
It's
still
it's
still.
Actually,
when
you
call
out
to
the
hypervisor
to
do
things,
you're
still
calling
in
to
learn
it's
code.
There
are
still
bugs
in
this
cage.
A
The
virtualization
boundary
is
kind
of
secure,
but
actually
you
have
to
kind
of.
Is
you
kind
of
have
to
basically
still
call
into
the
system
to
actually
get
things
done?
So
talk
to
the
network,
and
things
like
that,
so
there
are
still
potential
exploits
in
all
these
things,
and
we
had
all
these
issues
around
things
like
spectra
and
meltdown
late
last
year,
early
this
year,
which
allowed
you
to
do
things
like
read,
read,
read
memory
from
the
inside
the
hypervisor
and
things
like
that.
A
So
you
and
there's
a
there's,
been
a
whole
series
of
side-channel
attacks
into
virtual
machines
and
and
other
processes
and
things
this
year.
So
you
shouldn't
assume
that
just
because
you're,
using
a
VM
or
your
to
run
your
containers
or
an
contain
your
runtime
that
you're
totally
secure
security
is
just
a
difficult
thing.
There
are
more
and
more
attacks
on
everything.
A
If
you
you
know,
running
untrusted
code
in
production
is
a
really
really
hard
problem.
If
you
as
I,
said
before,
if
you
don't
don't
do
it,
if
you're
not
providing
a
public,
you
know
public
child
API,
then
your
life's
much
easier.
You
can
buy
more.
If
you
want
to
isolate
your
code
and
your
really
really
paranoid
about
it,
you
can
buy
more
computers,
I
highly
recommend,
buying
more
computers.
Computers
are
kind
of
cheap.
You
can
get
lots
of
them.
A
You
don't
have
to
you
know
if
you're
really,
if
you're
running
an
application,
that's
absolutely
you're
a
totally
and
utterly
paranoid
about
the
data.
That's
in
it
or
the
security
of
that
application.
You
can
still
put
it
on
its
own
computer.
You
can
still
manage
that
with
kubernetes.
You
know
as
a
single
node
that
just
runs
that
application
or
some
replicas
of
that
application,
or
something
if
you
want,
but
you
you
know
you
don't
have
to
you-
know
only
think
about
isolation
in
terms
of
runtimes
and
things
like
that.
A
You
know
just
think
about
it
in
terms
of
you
know
where
which
computers
this
running
on,
does
it
matter
what
else
is
running
on
the
same
computer?
What
else
could
attack
it
on
the
same
computer
and
it's
kind
of
important
that,
if
you
you
know,
if
you
have
some
highly
sensitive
applications
and
some
less
sensitive
applications,
it's
a
good
idea
to
just
run
them
on
different
computers,
so,
for
example,
build
and
see
I
should
not
run
on
your
PCI
compliant
infrastructure
on
the
same
machine,
you
know,
there's
no
reason
to
do
this.
A
There
are
a
bunch
of
talks
on
the
details
of
some
of
these
things
by
the
way,
if
you,
if
you
want
to
kind
of
go
into
Katherine
a
blur
and
gee
visor
that
there's
two
talks
later
on
today,
which
I
highly
recommend
you
go
to.
If
you'd
like
want
to
pretty
dig
into
those
details,
there's
a
there's
a
bunch
of
stuff
on
the
on
the
actual
detailed
security
issues
and
exactly
what
the
attack
surfaces
are
on.
Those
kinds
of
things
so
definitely
go
to
those
talks.
If
you're
interested.
A
These
are
not
the
only
runtimes
there's.
Actually
we
that's
the
great
thing,
there's
loads
and
loads
of
runtimes,
and
so
I
once
talked
about
some
more
choices.
You've
got,
we
we
talked
about
run,
see,
but
there's
actually
a
whole
bunch
of
kind
of
early
reimplementation,
zuv
run,
see
which
are
kind
of
interesting
oracle
started,
rewriting
run,
see
and
rust.
A
A
If
anyone
from
Oracle,
please
let
me
know,
Chrome
OS
launched
a
container
run
to
own
this
year
and
they
wrote
an
alternative
to
run
C
and
C++.
It's
fairly
complete.
It
has
a
few
customizations,
further
chrome
OS
platform
and
a
few
things
missing,
but
it's
kind
of
eventually
it
kind
of
quite
a
nice
runtime
system.
D
I
mentioned
before
System
DNS
born,
got
as
some
may
see
a
runtime
support
which
I
haven't
looked
at.
A
It
seems
a
bizarre
idea,
but
I
just
included
it
for
completeness
I,
think
yeah,
because
I
don't
think
your
ships
with
it
by
default.
I
think
it's
a
pluggable
thing,
but
yeah.
So
there's
there's
people
just
looking
at
the
actual
Linux,
IC,
o----,
runtime
and
and
and
experimenting
with
new
in
new
implementations.
A
A
A
And
it's
the
whole.
The
whole
architecture
of
the
thing
was
designed
around
being
minimal,
being
secure,
written
in
written
and
rust
with
all
the
I/o
pieces,
Sam
boxed
with
set
comp
as
few
device
drivers
as
possible.
It's
basically
got
just
a
virtual
network
device,
a
perpetual
block
device
and
that's
about
a
keyboard.
That's
got
one
button
on
which
resets
the
machine
so.
A
A
When
they,
when
flag
rec,
was
notes,
they
also
notice
that
they're
doing
a
container
D
integration
in
order
to
use.
So
you
can
use
it
as
a
container
runtime.
That's
very
early.
Still,
it's
kind
of
so
they've
only
been
working
on
it
kind
of
briefly,
but
basically
it
plugs
into
container
D,
replacing
as
a
sort
of
Shimla
plug-in
on
container
D,
rather
than
the
run
C
plugin,
but
that
once
that's
ready.
That
means
that
should
just
automatically
work
if
you
use
The,
Contender,
ECRI
implementation
for
kubernetes
or
if
you
probably
should
work.
A
A
So
yes,
so
far,
cracker
is
really
kind
of
exciting.
It's
you
know
part
of
the.
If
you,
if
you
really
care
enough
about
security,
to
run
things
in
a
virtual
machine,
you
should
run
them
with
a
with
a
virtual
machine
manager.
That's
also
built
for
security
and
not
one
that
was
built
to
do
PC
emulation
as
a
kind
of
hack
back
in
the
back
in
the
90s
and
got
incorporated
KVM
kind
of
by
mistake
in
a
way
because
there
was
nothing
else
available
and
I.
A
A
You
probably
don't
want,
spend
your
time
were
implementing
lambda
necessarily
I
think,
but
the
use
case
as
a
as
a
secure
runtime
for
Kunis
is,
is
kind
of
it's
actually
kind
of
interesting
and
and
because
it's
very
lightweight
and
small
and
fast,
it
should
be
not
significantly
difference
in
performance
from
running
native
containers.
So
you
can.
A
Other
runtimes
on
other
operating
systems
is
something
that
kind
of
took
off
a
lot
this
year.
What
so
Windows
containers
have
been
around
for
quite
a
while,
but
the
implementation
for
them
was
kind
of
originally
built
in
directly
into
docker,
and
now
there's
a
proper
standalone
runtime
run
HCS,
which
is
run
compatible
as
a
part
of
the
ACI
spec
for
Windows,
and
that
stuff
is
all
kind
of
become
become
much
more
standardized
this
year,
Windows
actually
has
two
kinds
of
isolation
like
it.
A
Basically
has
a
process,
isolation
and
virtual
machine
isolation
in
the
same
way
as
normal
containers
and
say
cast
containers
but
they're
already
built
into
the
runtime,
and
you
just
with
dock.
You
can
just
use
my
asthma's
isolation,
equals
hyper-v
or
equals
process,
and
they
just
kind
of
work
by
that.
So
they
they
kind
of
already
have
some
of
these
options
that
the
those
runtimes
are
kind
of
adding.
A
A
Freebsd
had
a
run
time
and
actually
I
said
some
interested
in
reviving
with
nothing
concrete.
But
someone
pointed
me
to
get
repair
the
other
day,
so
I
believe
that's
no
longer
true,
and
there
actually
is
a
FreeBSD
run.
C
compatible
runtime
being
worked
on
I
kind
of
hear
things
about
other
Mac,
OS,
I,
I
kind
of
did
some
work
on
that
at
one
point
and
someone
else's
things
I'm
working
it.
Maybe
that
will
happen.
A
A
If
you
want
to
write,
runtime
is
kind
of
fun.
Read
the
spec,
understand
the
platform,
so
in
summary,
D
privileged
your
applications.
First
before
you
even
think
about
doing
any
of
this
stuff,
you
know,
if
you
look
at
things
like
lambda,
they
do
not
run
as
route.
They
they
run
unprivileged
inside
a
VM.
You
know
layer,
multiple
layers
of
capabilities.
If
you
really
really
really
want
to
run
untrusted
code,
it's
a
huge,
difficult
thing
bill.
The
security
team
first
and
eternal
vigilance
is
really
really
important.