From YouTube: CNCF Research End-User Group Meeting: containerssh.io
A: All right, so welcome everyone to our usual meeting of the CNCF Research End-User Group. Today is May the 4th. There was an initial idea to celebrate this by bringing Tim Hockin to tell us about the early Kubernetes war stories and the Star Wars, but we have an even better topic, with kind of the bridge between traditional SSH, UI-like environments and things like this, and containerization and Kubernetes. It's pretty exciting. This is something that a lot of us have discussed in past meetings here as well. So, Janos will tell us a lot about the project, and then we have Nikos from CERN with a concrete use case. So I'll pass the word to you; you start, Janos. I guess, yes.
C: Here's the thing, though: it's not like Nikos is just using the project. He's a substantial contributor to the project; he spent I don't know how many hours working on ContainerSSH and on the code base, and a lot of the features have been contributed by Nikos himself.

Here's the part where we would have the funny video, which we can't show you, because there is no audio when I play video, but you can go to the website and you can just watch the video there. Oops, at least that's what I thought. So, back to the slides.

So ContainerSSH is an SSH server, but it's not an SSH server like you would expect when you install OpenSSH. It's an SSH server that doesn't create a shell on the server it runs on. Instead, it connects to an API: so it connects to Docker, or it connects to Podman or Kubernetes, and starts a container, and then the shell it creates is inside the container. ContainerSSH as such doesn't itself have to run in a container; of course, you can run it in a container. And the other important feature is that you configure it dynamically. So it's entirely built with, you could say, webhooks in mind, so it's kind of like a cloud-native SSH that you can configure.

The way it works is you have ContainerSSH, and then the user connects to ContainerSSH using their normal SSH client. So there's no specific client required, no special configuration or anything else; it's just their normal SSH client, and then we start a container and the user lands in that container. When the user disconnects, the container is destroyed, which is an important feature, because you want to clean up after your users, and that's one of the problems that you typically have when you create a lab setup: people leave stuff lying around, or processes running, and that kind of stuff. You don't have this problem with ContainerSSH, because ContainerSSH destroys the container after the user is gone, and we'll see later that you still have the ability to save data.

Now, if two separate users connect, they of course go into separate containers, so they're nicely isolated from each other. If you place resource restrictions on the containers themselves, then the users are restricted to the resources that you give them, and the directories and mounted folders etc. can be configured just as if you were to do a docker run; whatever docker run supports, we support in ContainerSSH. The same goes for Kubernetes: whatever you can do with a kubectl run or a kubectl create pod, you can do in ContainerSSH as well, and, as I said, this is all dynamic, so you can do it using webhooks.

Now, if one user connects with two connections, the tricky part is that you land in separate containers. So currently it works on a per-connection basis: every container is created for an individual connection, and when the connection breaks, the container is also removed. This is an important design constraint, and we have opted to do this because if we wanted to drop one user with multiple connections into the same container, then we would need to think about how to scale this. If you wanted to run multiple copies of ContainerSSH, then you would have to think about: how do I scale this? How do I synchronize the cleanup of containers, etc.? And that is something that we haven't done yet. It's definitely a plan for the future, but at this time one SSH connection lands in one container.

The way this whole setup works is that ContainerSSH has webhooks, and there are two important webhooks from the original version (and Nikos will definitely talk about the massive amount of extensions he has done to the project): that's the auth and the config webhook. The auth webhook is responsible for authenticating the users, so take their password or take their SSH key, and the auth webhook can decide whether to let the user in or not. And then there's the config webhook, which gets a call from ContainerSSH that says: hey, here's this user, the user successfully authenticated, and the config server has the option to return a partial configuration with their Docker settings or Kubernetes settings or whatever else, and that's how the container is created. And of course you can configure the container to mount volumes, just as you would when you do docker run or kubectl run.

So why would you use ContainerSSH? Why wouldn't you use something else? Of course you can build a lab environment with other tools, but with ContainerSSH it's incredibly easy to access, so you don't need your users to install any specific clients. If they are running Windows, they can just use the built-in client in Windows 10 now, so you don't even need to install PuTTY or anything like that. You can just go and have your users SSH in and it will immediately work off the bat. You can create resource-constrained environments, which traditionally has been a bit of a problem, as well as the automatic cleanup of what users leave lying behind. And what's probably more important for the corporate world is that you can record a detailed audit log. That's important when you want to make sure that you record everything that users do; so, for example, if you let a developer access a production system, you want to record all the commands that they type. This is something that is fairly difficult to achieve with traditional SSH servers. And, last but not least, it's fully open source; it's under the MIT-0 license, so you can do pretty much whatever you want with the code base.

So where can you get it? You can go to containerssh.io. We have a fairly extensive website: we have development documentation, we have a reference guide, we have starting tutorials, we have a funny little video, we have a few more guide videos, and there's also a Slack link.
E: OK, great. So I'm Nikos. I'm working with the Linux configuration team at CERN. For the past year I've basically been investigating ways to containerize SSH. This is the project that I was hired for, and ContainerSSH was not the only thing I tried, believe me. The first thing I tried was actually using OpenSSH and messing around with scripts on login and all that, but this did not work at all, for obvious reasons, which is it's quite clunky, and the other features of SSH as such.

To give some background information on our use case: at CERN we provide what's called the LXPLUS service. LXPLUS is the Linux Public Login User Service, which is basically exactly what it sounds like: it's a set of Linux machines that have OpenSSH access for all users and employees at CERN. These machines contain a big variety of pre-installed programs and analysis tools, programming tools and all that, compilers and so on.

They also contain a set of network file systems, three or four, that are used for user home directories, external data storage and also for delivering software generally. The main uses for the service, as I said, are writing and testing code; it's also used for submitting jobs to our computing grid and for general file operations.

So, as I said, we're investigating integrating this service with ContainerSSH. Janos also mentioned that we have made a lot of contributions to ContainerSSH upstream, and more specifically, ContainerSSH, with its authentication, of course did not really support the Kerberos protocol that we need.

The SSH protocol has a specific, different way of authenticating if it's based on Kerberos, which is the GSSAPI protocol. With the current integration, ContainerSSH only supported password, public key and public key with... though it did have different backends, it did not support the GSSAPI protocol. We have now written a native integration for that, and you can test it out. The current status of the service at CERN is that we have set up a pilot and we are now testing its production readiness.

Another point to go through is why go through all this, why containerize? Well, privilege escalation vulnerabilities are quite common, especially with Linux, and more importantly, when you have a service like LXPLUS, which is a public login, this vulnerability becomes way more important, as privilege escalation can result in a compromise of multiple users.

Another point is that there are a lot of shared resources on our LXPLUS nodes, for example the temporary directory and the network interface. For the temporary directory, for example, the most important thing we store there is the Kerberos credentials. So if a user manages to get privilege escalation, or even actually just manages to log in as another user, and they know the ID that the user is currently using, then they can... someone else can basically steal their credentials. With ContainerSSH, and with the current setup that we are testing, every user gets their own temporary directory. So even if someone does manage to log in, even if, for some reason, someone steals a user's password and they manage to log in, they do not have any credentials on the container. The container is just an empty shell.

Additionally, the second important point is the network interfaces. I'm sure when you're developing you have seen that you have a lot of development servers: you have language servers to provide completion and linting, you also have debuggers, which also provide a server, and a lot of these don't really have authentication, and many haven't even considered the threat model of having someone untrusted that is able to connect to it. They usually assume they are behind the firewall, which in a shared service is not the case.

And last but not least, fairness there is quite problematic. Linux has cgroups, and it does have some interesting things to manage resources between users, but it's not really the best. A lot of times, when a node is overloaded, we see that it crashes and we have to move users around, and it gets quite messy. Moving to containers, Docker and Podman, for example, have really good options for managing resources. We can limit exactly how much memory it is supposed to use, limit how much CPU and even how much network bandwidth, and all of that we can do on a per-user basis. So the dynamic configuration of ContainerSSH allows us to have different limits depending on the user or group or their needs.

Finally, this was basically the presentation of the use case. I'm now going to share with you the extension that was made to ContainerSSH to allow authentication via Kerberos. This is basically in case your organization is running the same, in case your organization also depends on Kerberos. It would be... yep.

Also, one thing I wanted to mention and I forgot is that the reason we did all this and extended ContainerSSH to Kerberos is that CERN depends on Kerberos authentication a lot, and especially on LXPLUS the biggest use case is that users are used to passwordless authentication, which is a big convenience, and we weren't really willing to give that up. The second point is that Kerberos is used to authenticate users to their remote file system, so as soon as they log in they need access to their home directories; without that access a lot of our setup scripts do not work, and that brings a lot of other issues. So having the user be able to authenticate to a third-party service as soon as the login is successful is of critical importance to us.

To continue on with how the authentication flow works with Kerberos: basically, when a user connects to ContainerSSH, you have the Kerberos protocol, and ContainerSSH, when setting it up, needs to be provided with a keytab. That keytab is a cryptographic service key of ContainerSSH. So when a user connects, they provide their ticket for ContainerSSH; ContainerSSH verifies the ticket, and as soon as it does that it knows that the connection is genuine and that the user who is authenticating is who they say they are, so we have the username of the user. After that, ContainerSSH continues with its webhook flow as Janos described earlier. The difference here is that, instead of an authentication webhook, we do an authorization: we send the username of the user and we expect back whether this user is allowed to log in or isn't. In our case, at CERN, this checks, for example, our user database: it ensures that the user is registered and it also ensures that the user is authorized to use the service.

Finally, there's also the configuration section, which basically returns a standard template for the container along with a few customizations. For example, when the authorization server fetches back the user, it also keeps the user's preferred shell and the user's UID, as well as the user's groups. These are then passed to the configuration, including the container, so inside the container the user has their own shell and their own UID and group ID, the same as on any other standard Linux system.

The next most important step is that before ContainerSSH hands over access to the user, it writes the Kerberos ticket into the container. This ticket is placed in the /tmp directory by default, but it's configurable. This ticket is then used to authenticate the user to a third-party service that's necessary for our use case: the remote file systems. After that's done, the user shell is executed and the user gains access to the container as usual. And to note, this is all transparent to the user. The user has no idea that all this process has taken place, and the login time, in my experience, is about the same as ContainerSSH itself, so there's not really any overhead.

So this was what I had to present for now. I understand Janos has prepared a nice demo for us, and I left quite a bit of time as well, so we can discuss the use case, discuss ContainerSSH as well, and let me know what you think.
C: If there are any questions, we're happy to take them. Yeah, maybe we get like two or three minutes for questions before.
A: Yes, let's do that. Anyone wants to step in? I think we shocked everyone. I can kick-start, and maybe someone will jump in. The question regarding what you explained just now, that the Kerberos credential is written into the container environment: is there a process for renewal, or are the users supposed to then reissue a credential on expiration, like the Kerberos credential, like one day?
E: You would set this up in the... how I would do it is I would set it up as a shell wrapper. So as soon as the user's shell starts, let's say at the start there's a task to automatically renew the tickets. Actually, in our current system, what we use is basically a systemd unit, so this would be quite the same.
C: Whatever is necessary; the only important consideration is that the idle command needs to stop whenever it gets a SIGTERM, so it needs to stop properly, because the idle command is the first process that runs in the container. Because in SSH, what you can do is you can open one SSH connection and then have multiple channels within, and that's what Nikos implemented as well, for TCP forwarding and things like that.
E: This is actually from the configuration server. The users cannot, obviously, for security reasons, but you can quite easily have a system where the users enter their command on a portal, this is entered into a database, and the configuration server pulls that. For example, you can do that in LDAP: you can have a field there. OK.
A: Just about the image that is running in the container: is this a curated image by the service, or is this also customizable by the user?
E: I can take that as well. The image: you can have any container image you want. The only requirement is that if you want certain features of ContainerSSH to work, for example writing the keytab or the port forwarding that we're working on, you need to have an agent, a specific binary, placed in the container. Other than that there are no restrictions, so any image can run.
C: Yeah, realistically right now you pretty much can't really use ContainerSSH unless you just want the really basic SSH functions without the agent, so you should really add the agent, and I think that's something that we might consider: actually dropping support for running without the agent. OK.

In the meantime, one of the things about the current version that Nikos is working on: this is a working prototype. We haven't released this as a fixed version yet; we're still working on a few things there. And what's probably also interesting to mention is that we're working on an OAuth integration. So if you're not jumping into the Kerberos world, what you can also do (and we have worked with SSH client vendors as well) is basically have a prompt that says: hey, click this link; you click the link, go through the OAuth flow, and then it goes back and then you're logged into SSH. So that's something that's coming in the next version as well. So keep an eye on ContainerSSH version 0.5. Yeah.
E: Yes, that's correct. With Kerberos we just place the ticket that is given to us in the container, and after the renewal time either the user has to reconnect to give us a new ticket or renew it himself.
A: OK, so the question is: does the agent run as the user, and can we use ptrace to have fun with the agent?
E: That's a fun question. Yes, the agent does run as the user, and yes, you can have fun with the agent, but it really does not do much. Like for the port forwarding, all the agent does is basically tell ContainerSSH: a new connection came in, here's the details of the connection, and ContainerSSH just forwards that to the client. So you can have as much fun as you could with a standard SSH.
C: What you can do, so one of the things is that for another demo I hacked together a little bit of a modification of the audit log protocol, and what I did for the audience is: hey, here's an SSH service, I sent you into that, and then I opened the website, and on the website you could see in real time what they're typing. So if that's the kind of fun you're into, then just message me after and I can give you the source code for the patch to make that happen. Hopefully that's gone. So that's one of the things; Nikos, maybe, I don't know if you kept track of that. So one of the things: we're using a storage format called CBOR for binary storage of the audit logs, and the people who are implementing the CBOR library are now working on implementing the patch that we need for live decoding of CBOR messages into the library. So that's hopefully going to be fairly interesting.
F: Yeah, no, I think that's really cool. I was just wondering, I mean, I was looking into this in the context of, you know, what we call analysis facilities. Like, traditionally people would always SSH to the machines and then basically only have terminal access, but nowadays more often people actually want the Jupyter notebook, so then they would have a web page instead. And combining these two, I mean, from the discussion I get it is in principle possible. It would be really cool if you could basically use your terminal and SSH and then, for instance, also use your local text editor for changes, but then at the same time you basically have the browser where you can, for instance, execute your Jupyter notebook or something like that. So is that something that's in principle possible, or have you even tried it?
C: We have. So there is this: either you go with the single-node setup, where you say, OK, this user is living on that node, which can be a VM or it can be a physical machine, and then you run the Jupyter notebook on there, and then you share a directory between the Jupyter notebook container and the container that the user is editing in. Or you use something like an NFS server, where you can just give them their home directory. Their home directory is mounted in the Jupyter notebook container and is also mounted in ContainerSSH, and the Jupyter notebook container would obviously keep running; the ContainerSSH containers are just popping up as the user is SSHing in. And of course you can use SFTP as well, as long as you have an SFTP binary inside the container.
A: Thanks, awesome. There's one more; I think we'll take the last one and then we do the demo. It's from Timothy, about persistence. Do you want to ask, Timothy?
G: I can. I couldn't find the window, it got hidden, multitasking here. Yeah, you mentioned that you have persistent storage and you can share storage. Did I hear that correctly? Is that simply, you know, a shared volume, or how do you do it?
C: So I don't know how Nikos does it in LXPLUS, but basically, when you do a pod in Kubernetes, you can specify: OK, mount this volume, the volume claim itself. So let's say you wanted to dynamically set up a volume claim: you would have to do that from the config server. So you would have to talk to Kubernetes and say, please make a volume claim, and then you would have to use that volume claim in the pod spec.

On the cluster side, there's nothing specific that ContainerSSH does for volumes. We just simply pull in the config structure of the backend, whatever the backend is. By the way, a little side note: there is an SSH proxy backend as well, so if you're not into containers, you can just use it as a proxy for auditing. But we don't do anything with the volumes; whatever the config server says, we just mount it.
E: Yeah, we do. We have AFS, the Andrew File System, which was actually quite complicated to get working. I actually have two deployments for ContainerSSH at CERN: one is based on Kubernetes and one is based on plain Linux machines. On both of these we have AFS, which requires a kernel module, and then it works as a network file system.
A: For some of the systems we are able to get around it by running the kernel module itself as a container, but for others, like AFS, it's a bit more tricky, because the library is not supporting recent features in the kernel.
C: I'd like to reflect on Benjamin's comment regarding SSH with ss50, or I don't know how you pronounce that. So as far as creating a web client is concerned, we looked into that briefly. It's one of the things on the roadmap, and the reason why it's on the roadmap is because, if you have to set up an external web interface for people to use, then it's fairly complex to set up, because you need to tunnel through a WebSocket connection and then make an SSH connection out of it, in which case you lose things that you could use, like Kerberos, because the browser can authenticate via Kerberos as well. So the plan is actually to build in support for a web client. It's a bit of a tall order, so I don't know when that's going to happen, but it would be very nice if you could natively integrate Kerberos support into ContainerSSH using a web terminal, in which case you could just go and basically open a browser, and then you have your SSH and it just works, and you're logged in, and you can go and start typing on that. Normally, for web SSH things, you need some sort of a server, which is going to be either Python or Go or something like that, and I think that's a bit of an overhead to set up, especially if you want the more advanced features.

I think I'll just jump into the demo real quick. So what you're going to see here is a modified version of the quick start example. So what I did here is, hold on, there we go. So here's the quick start example, and what I'm going to do is I'm just gonna do docker compose up to start a bunch of containers, and you can see I have debug logging, because I can. These are fairly extensive logs; you might want to turn this down for production. And then I can do ssh foo@localhost -p 22, and this is running in the honeypot configuration, so I can use any user to log in; it's going to let you in without a password, with any key, etc. And the interesting part is, as I said, we're dropping into a container.

So, oh actually, I didn't add an ifconfig. But if I added an ifconfig to this image, then you would see that there is no network interface running here. Apart from the ContainerSSH agent, which is running, as I said, as PID 1, there is nothing else running in this container. You're completely isolated, and you can set up the file system permissions as you desire; you can set a read-only root file system, etc. And you can see I even took the username from the SSH connection: I logged in as foo, and I took it and emulated that for the user, so it looks like: hey, I'm on some machine that's still doing some Bitcoin mining. So if you're going into research and trying to research SSH attack patterns, then this is a fairly good way to do it, because you can actually simulate a real environment. If you want some more hardening, you could look into something like Firecracker, which actually runs VMs instead of containers, etc.

As far as the entire setup is concerned, what we have is the config file. The config file is really well documented. We have this little banner; you could add your privacy disclaimer or whatever you want to add there, whatever you're required to. And then you have the two webhooks. In this case I have two separate containers running: one is the auth config server, this is the default. We supply a basic auth config server that you can use for testing, and I created a separate config server to make sure that the username matches. I selected the backend, Docker in my case, and then I have a whole bunch of settings that reduce my exposure to potential attackers. This is really well documented, so we have a guide for setting up a honeypot, and these settings are all documented in that guide. In addition to that, we have some hardening guides for both Kubernetes and Docker itself, and that's it.

So basically there's the config file, and then you have the docker-compose file which fires up the containers. What it does: I have the guest image, just for the convenience of building it; I have ContainerSSH itself, which I'm exposing on port 222, and I have a bunch of volumes, which is basically just the SSH host key mounted in, the config file mounted in, and I'm mounting in the Docker socket so it can talk to the Docker daemon. And then I have my two other little helper webhooks there. And then we have, of course, libraries in Go to help you write a webhook server, or you can just take the description and write your own; it's basically a JSON that you need to return. One note: for the current stable version of ContainerSSH we publish an OpenAPI doc for these.
A: You're passing this to Kubernetes, I guess, but there's no usage of, like, user namespaces or anything like this, I guess?
E: For Kubernetes specifically, there's no support for user namespaces, sadly, but for LXPLUS, for the other service, we are looking into enabling user namespaces as well. But currently it's using the users as it gets them from LDAP. Yes.
C: Yeah, so that's actually something that we could look into implementing in ContainerSSH: that we can start an ephemeral container in an existing pod. To go back to the question of running Jupyter notebook, we could, for example, run Jupyter notebook and then run an ephemeral container for the purposes of SSH access, but that's something we currently haven't implemented.

Yes, so the thing about the users is that we don't know most of our users, because we don't do any sort of tracking or anything like that. The only number that we have is the number of container pulls, and that's a fairly large number: over the last year we had, I think, over a hundred thousand guest image pulls and several thousand installations. We did consider it. So the thing about ContainerSSH is it's very early in its life, and Nikos is... so there are a few of us. We are right now four core maintainers, and Nikos is, next to me, one of the people who write the most Go code. We have one other friend of mine who was working on the web-related stuff, so there is now a configurator for ContainerSSH, etc., and my wife Sanja, who's very avidly looking at her own project right now, is working on a lot of the organizational stuff and also did a fair number of contributions. The problem that we're having right now, and why we haven't done this yet, is because, in order to donate to the CNCF, we would kind of have to think about, OK, what's the governance model, and right now the governance model is we agree on something and that's that.

So we'd have to think about the governance model to make that happen, and I believe, in order to donate it to the CNCF, we'd also have to change to the Apache 2 license. That's something that I read was a requirement in order to submit it, which is not a problem, because we are MIT-0, which allows us to do that. But, as I said, this is just an organizational matter; we'd have to go and actually do the legwork. Right now we're focusing on actually getting the next release done, and then we can see where we can take this project in the future, because you're right, it would actually be a good fit for the CNCF.
A: The MIT license, I think, is compatible because it's copyleft, so it should be fine. If you need help with this, ping me as well. Thanks.
D: Does Jonathan have mic issues? I don't remember. I do. I just wanted to ask if you're aware of HPE Cray's UAIs that are available under their CSM management stack. So it's their sort of answer to what, I guess, ContainerSSH is providing. So it is a containerized login environment that folks can directly SSH-connect to and run there. It sort of replaces just having a static login frontend for users, yeah.
C
I'm,
not
a
I,
wasn't
aware
of
this
project.
What
I
I
am
aware:
I,
don't
know
because
you,
maybe
you
cannot
speak
if
you
have
any
additional
info
to
add
what
I
am
aware
of.
Is
that
the
there
is
an
SSH
server
called
teleport
Pro,
but
what
they're
doing
in
order
to
make
their
two-factor
authentication
and
and
web-based
login
flows
possible?
Is
they
have
an
extra
client
that
you
need
to
install
and
so
I?
Don't
know,
I,
don't
know
about
this
project,
so
I
guess
I'll
have
to
take
a
look
at
it.
A
A
C
If
you,
if
you
need,
if
you
need
help
setting
up
the
version
that
Nicos
has
been
working
on
I,
think
then
the
best
way
to
do
that
is
pop
into
the
containers.
As
it's
slack
and
we
can,
we
can
help
you
get
started
there,
because
there
are
fair.
There
are
still
a
few
patches
that
are
unmerged,
and
now
we
need
to
review
and
make
sure
that
they're
stable
before
we
can
merge
them
into
the
main
branch.
E
B
Yeah,
just
I
think
there
are
a
couple
of
companies
who
do
this
with
proprietary
kind
of
options.
I
just
wondered
if
you
could
talk
about
how
how
things
compare
I
think
like
teleport,
is
a
an
alternative,
doing
something
similar
yeah
a
lot
of
the
same
things
pop
up
like
audit
logs
and
and
a
lot
of
the
same
features.
Is
there
a
a
way
for
me
to
compare
one
to
the
other?
B
C
So
so
so
the
the
way
that
you
can
think
about
is
I
think
so
teleport
is
actually
open
source.
So,
if
you
want
to
go,
you
can
try
teleport
today,
it's
they,
they
make
it
open
source
the
business
model
of
these
companies
when
they
sell
your
solution
like
this
is
usually
Access
Control.
So
the
way
that
this
usually
works
is
is
okay.
You
want
to
protect
your
company
Network
you
want
to
have
people
come
in,
then
you
can
use
our
solution
whatever.
C
That
is,
if
they
use
a
custom,
client
or
you
can
use
teleports
companion
to
your
regular
SSH
client
Etc
to
access
the
network.
I
believe
hashicorp
also
has
some
sort
of
a
Gateway
solution
where
you
can
go
into
your
company
Network
and
they
give
you
some
sort
of
an
access
control
of
what
can
be
accessed.
The
the
difference
between
container
SSH
and
these
projects
is
that
container
SSH
is
relatively
unopinionated,
I'm
saying
relatively
because
we
still
require
you
to
use
a
guest
agent.
C
If
you
use
the
the
container
back
ends,
if
you,
if
you
use
the
SSH
proxy,
then
you
can
do
whatever
you
want
behind
it.
So
you
can
just
pipe
it
to
the
to
the
next
SSH
server
and
it
will
just
continue
working,
but
we
don't
give
you
a
business,
a
model
of
okay.
This
is
what
we
think
you
should
do
with
it.
We
just
say
here's
the
tool.
Here's
you
can
start
containers
with
it.
You
can
proxy
with
it.
It
has
audit
logging
and
then
you
could
go
into
details
of
of
comparing
okay.
C
How
detailed
are
those
audit
logs,
because
we're
literally
logging
everything
if
you
wanted
to
yeah
and
then
you
could
decode
the
SFTP
streams
and
extract
the
files
and
whatnot,
but
if
you've
been
build
a
lab
environment?
If
you
build
a
honey
pot,
if
you
build
some
sort
of
something
that
we
didn't
even
think
about,
you
can
do
it
with
with
container
SSH,
because
it's
a
building
block,
whereas
the
commercial
Solutions
are
usually
geared
towards
a
specific
audience
of
of
this,
is
what
you
should
do
with
it.
A
A
A
So
the
first
thing
I
would
mention
is
that
we
won't
have
the
meeting
in
two
weeks
because
it's
cook
on
so
we'll
skip
that
one.
Next
one
will
be
June
1st.
We
we
are
now
setting
up
the
agenda
for
the
rest
of
the
year,
like
we
did
in
January
for
or
December
for
the
first
half.
So
if
you
have
suggestions
on
topics
that
you
would
like
to
be
covered
in
the
group
post
them
on
the
channel
and
either
Jamie
or
myself
will
follow.
A
If
you
have
ideas
of
speakers,
that's
even
better
and
then
the
last
one
is
I
mentioned,
there's
a
couple
of
people
that
indicated
they
are
new
to
the
group.
So
let
me
just
make
sure
that
we
get
all
the
presentations
because
we
didn't
do
them
to
start
so.
Snickers
already
presented
himself
pianos
as
well.
C
I
don't
know
I
work
at
Red.
Hat
is.
A
H
Yeah
I'm
the
Noir
I'm
a
limbic
systems
engineer
at
some
accelerator
controls.
We
have
a
physical
infrastructure
of
400
servers
and
the
way
we
work
with
Ricardo
on
doing
some
workloads
to
kubernetes
so
get
new
here
and
then
everyone.
A
Awesome
welcome
and
I.
Think
I,
don't
think
the
list,
but
I
see
RNA
as
well
was
probably
doesn't
have
a
mic
either
I
can
introduce
him
he's
done
the
corridor
at
CERN
as
well.
Then
he
actually
runs
the
team
that
takes
care
of
Linux
in
the
cloud
here
and
I.
Think
that's
everyone
so
yeah.
So
anyone
has
any
other
business
for
today.
A
Let's
see
the
chat,
Majestic
awesome,
okay,
if
not,
then
we
can
reclaim
five
minutes,
and
this
has
been
great
thanks
a
lot
and
see
you
all
either
at
kukan
or
June
1st.
When
we
have
our
new
session.
Hopefully
there
will
be
a
lot
of
people
at
cooker,
so
looking
forward,
we
can
try
to
get
like
a
small,
informal
Meetup
of
research
and
user
group
people.