►
From YouTube: CNCF SIG Runtime 2021-03-18
Description
CNCF SIG Runtime 2021-03-18
A
B
B
C
B
D
Awesome
thanks
ricardo
yeah,
so
so
I
was
just
speaking
together
a
while
back,
and
I
mentioned
it
about
the
you
know
a
couple
months
ago
or
several
months
ago
now
in
the
last
q
problem,
we
kind
of
announced
the
sick
security
white
paper.
This
was
kind
of
collaborative
effort.
We
had
this
really
nice
document.
Actually,
let
me
share
my
screen.
D
So
a
while
back
week
I
released
a
white
paper
right.
This
was
like
something
very
conceptual
on
a
high
level
covering
different
aspects
of
cognitive
security,
and
you
know
part
of
that.
You
know
we
get
a
lot
of
good
information
from
the
various
different
groups,
but
really
what
what
this
white
paper
was
about
is
kind
of
touching
on
concepts
very
high
level
here,
very
generic
recommendations.
D
D
Which
we
also
have
this
intrinsic
that
in
chinese
now
so
so
you've
got
the
random
environment.
You
know
you
talk
about
the
different
phases.
You
know
how
to
to
compute
what
needs
to
be
secure,
the
orchestration
level
protecting
resource
all
that
and
things
like
that.
But
you
know
we
don't
have
like
specific
tooling,
involve
this.
D
D
The
idea
here
is
that
it
would
be
kind
of
addition
to
the
cognitive
security
white
paper,
so
you'll
have
information
about
the
general
concepts
and
then
you
could
click
in
and
you
could
see
the
different
projects
that
are
related
to
the
different
ideas
or
security
requirements,
and
then
there
will
be
examples
so
kind
of
just
to
give
a
quick
overview.
We
are
currently
like
curating
content
for
this.
D
So
one
example
here
is:
you
know
for
security
checks
and
development.
We
will
have
a
list
of
projects,
so
this
is
kind
of
like
kind
of
similar
to
the
landscape,
and
also
we
will
have
examples
to
kind
of
help
illustrate
for
someone
to
to
go
in
and
say,
okay,
what
would
a
security
control
within
this
area
look
like,
and
so
there
are
examples
of
what
you
would
do,
and
these
would
be
very
specific
to
okay
if
you
were
using
a
specific
technology.
What
would
this
look
like?
D
They
are
meant
to
kind
of
just
give
in
a
more
graphical
idea
on
water
control
may
be,
and
what's
going
to
happen
is
all
this.
We
are
currently
working
on
kind
of
a
ui
to
put
all
this
in,
so
the
idea
is
all
this
information
would
be
navigatable.
So
if
you're
interested
in
you
know
development,
you
could
go
and
you
could
click
on
this
go
in
and
then
there'll
be
lists
of
projects.
D
D
The
idea
is
like,
whenever
you're
assigning
trust
and
integrity
on
the
on
the
the
devops
session,
the
distribution
stage,
you
still
want
to
also
be
able
to
enforce
that
integrity
at
the
runtime
as
well.
So
our
plan
is
to
have
a
linked
content
point.
So,
for
example,
if
you
look
at
you
know,
this
is
artifact
integrity.
There
will
be
a
link
here
that
says:
okay.
You
may
also
want
to
check
out
the
runtime
section
on
this.
D
D
E
D
D
D
But
I
would
say
you
know
whatever
I
think,
a
lot
of
projects
on
the
runtime
side.
We
don't
have
great
visibility
on
so
you
know
if
anyone
can
also
just
go
through
the
different
projects
in
those
sections
and
say:
okay,
maybe
this
additional
project
may
be
helpful
here.
That
would
also
be
that
will
also
be
very
good
for
the
document.
B
D
D
We
also
are
kind
of
keeping
track
of
a
few
commercial
projects
as
well,
so
so
there's
actually
another
motivation
of
this
is
that
we
also
want
to
look
for
gaps
within
the
cncf
ecosystem,
so
about
this
exercise
is
kind
of
saying.
Okay,
if
there
are,
there
are
certain
areas
where
their
approach,
their
open
source
projects.
Sorry
there
are
commercial
projects,
but
there
are
no
open
source
projects.
Then
we
will
try
and
make
a
recommendation
to
the
to
the
talk
about
you
know.
Maybe
we
should
try
and
get
some
of
these
projects
in.
E
D
Is
it
this
one
yeah
yeah,
so
this
one
is
like
there's
only
one
project
right,
so
maybe
there
are
some
that
they
may
not
be
aware
here
it
may
be
the
ebpf
stuff.
I
noticed
about
stuff
in
the
area
yeah.
So
it's
not
just
something.
That's
like
content
heavy
is
pretty
much.
You
yeah,
there's
a
project
here,
some
examples
and
then
just
to
help
help
folks
get
a
better
idea
on
how
to
secure
a
certain
aspects
of
of
the
ecosystem.
E
B
F
So
even
in
the
resolutions,
the
article
can
gain
normal
user
on
the
host,
but
the
attacker
cannot
change
root
privileges
and
the
user's
containers
are
implemented
using
a
kind
of
feature
called
username
species
which
arrows
mapping
a
non-root
user
to
something
like
reduces
the
pathways
limited
set
of
privileges
and
as
a
kubernetes,
kubernetes
signaled
there's
a
similar
enhancement
proposal
about
username
space.
But
the
root
response
is
not
related
to
this
username's
space
enhancement
proposal
and
do
not
conflict
either.
F
F
And,
of
course,
results
continuous
is
not
the
panacea
and
there
are
some
drawbacks.
For
example,
the
network
circuit
is
a
slightly
slower,
just
like
50gwps
to
10gbps.
So
this
is.
This
is
a
really
slow,
but
we
are
seeing
huge
improvements
in
these
years
and
resource
controls
cannot
support
nfs
and
block
strategies.
F
F
So
in
2018
build
it
started
to
support
rootless
mode,
and
we
also
had
geography
portraying
and
cryo
all
of
them
supported
through
this
containers
this
year,
and
we
also
made
a
purchase
for
kubernetes
to
support
religious
mode.
But
the
purchase
are
not
merged
into
the
japanese
upstream
at
this
moment,
but
ts3s
already
supported
losers
mode
in
2019.
F
F
F
And
let
me
show
some
examples
of
rules
continues,
such
as
utilities.
Usually,
this
is
our
reference
distribution
opportunities
for
supporting
gluten
smooth
and
we
have
a
demo
using
a
druka
compost
for
showing
a
marginal
demand
of
kubernetes
cluster.
I
also
demo
today
about.
I
have
some
screenshots
in
this
screen.
F
F
And
just
pressuring
kind,
humanising
docker
started
to
support
users
mode,
and
this
will
be
included
in
kind
version.
0.11
and
kind
supports
tribal
tests
without
plotting,
but
for
supporting
geometrics
without
protein
we
have
several
complicated
hacks,
such
as
bind
mounting,
devil
neural
into
thrust
proxies
sorry,
a
thrust
process,
this
slash
kernel
to
emulate
some
syscontrol
values,
and
we
also
need
to
some
complicated
configuration
for
chemoproxy
to
avoid
studying
several
privileged
sincere
values.
F
F
This
is
a
very
similar
to
peters,
but
it's
a
more
lightweight,
so
it
doesn't
need
contrast,
switches
compared
to
repeaters,
and
this
feature
wasn't
supported
by
the
author.
Runtime
speak,
but
just
two
days
ago
there
was
a
true
request
that
was
merged
into
also
runtime
speak,
so
also
runtime
spec
now
supports
this.
Syncope
certification,
yeah
and
registrations
will
be
able
to
use
this
second
visualization
for
emulating
sub
urges
a
result.
A
file
called
slash,
adc
subuid.
F
F
So
this
is
very
difficult
on
user
environments
because
you
have
a
very
bunch
of
users
and
you
have
to
provide
your
industries
within
file,
but
with
set
computer
notification,
you
no
longer
need
to
prepare
this
rush.
Each
suburd
file,
and
also
with
this
computation
and
we
can
completely
remove
a
setting
using
binary
files
such
as
user,
slash,
pinstruct
new
uid
map.
So
this
is
better
in
the
security.
F
F
F
E
F
So
the
kind
of
maintenance
do
not
want
to
support
username
species
for
extra
file
system
and
xf5
resistance,
and
so
several
file
system
drivers
are
likely
to
have
bugs
and
they
don't
want
to
expose
these
potential
bugs
to
non-root
user.
So
the
kind
of
maintenance
do
not
want
to
have
little
support
for
xo4
and
xph
and
other
procedurality
file
systems.
So
we
cannot
support,
but.
F
We
could
have
huge
file
system
user
space
for
implementing
extra
4
and
x
in
the
user
space.
So
the
potentially
we
can
support
hub
block
services,
but
we
are
likely
to
have
a
significant
performance
overhead,
because
file
system
in
user
space
is
slow
yeah,
but
we
can
support
processors
if
we
want
to
do.
G
F
G
Okay,
I
hadn't
heard
that
so
that
could
be
good
a
good
improvement
in
performance.
Hopefully
we'll
refuse
overlayfest
yeah
another
one
is
I
run
into
lots
of
problems
with
getting
the
pid
namespaces
backer
and
kubernetes
block
them
by
default
they
put
in
they
mask
them
by
mounting
other
masking
by
mounting
other
file
other
things
on
top
of
slash
proc,
so
that
you
can't
mount
a
new
slash,
proc
in
an
unprivileged
username
space.
G
F
G
F
G
What
what
which
does
it
did?
You
say
you
mean
a
bind
mounted
from
outside
the
flashlight
yeah
yeah
binding
mount
broke
into
it's
a
container
yeah,
but
if
that
you
can
do,
but
if
you,
but
you
want
to
have
its
own
pid
namespace
inside
of
a
container,
then
you
need
a
new
slash
proc.
You
need
to
have
an
unprivileged
pid
namespace.
G
So
I
mean
docker
is
relatively
easy
because
they
have
this
option.
Security
system
pass
equals
unconfined
for
that,
if
you're
just
running
inside
docker,
you
can
run
this
and
it
will
allow
you
to
mount
to
slash
product
kubernetes.
We
have
a
regular
k8s
has
been,
we
haven't
actually
figured
out
how
to
and
how
to
enable
the
the
corresponding
option
there's
supposed
to
be
a
way
to
do
it
with
rock
mount
unmasked,
but
we
haven't
got
it
to
work,
and
I
I
presume
the
k3s
and
stuff
that
don't
block
these.
F
G
F
G
Now
this
is
this,
is
this
is
a
beyond
kernel
problem,
because
the
kernel
allows
it,
but
the
problem
is
that
these
container
systems
are
blocking
other
things
inside
the
container
from
using
it,
so
because,
because
they
are
doing
they're
putting
they're
deliberately
putting
in
other
things
on
top
of
slash
proc,
so
you
can't
so
that
to
prevent
it
so
that
by
default,
docker
will
will
make
those
confined
of
slash,
proc
and,
and
so
does.
Kubernetes
and
kubernetes
makes
it
even
harder
to
do
that
loud.
Procma
types.
F
A
G
A
I'll
take
a
look
hey
hero,
oh
if
I
met
your
fam
if
I'm
asked
my
name
is
caesar-
and
I
am,
as
I
mentioned,
the
developer
in
runtime
called
sysbox
and
neurancy
and
number
one.
I
wanted
to
introduce
myself
and
thank
you
so
much
for
all
the
work
that
you've
done
on
google's
containers
on
all
the
many
years.
You
know
it's
a
lot
of
perseverance
from
your
part
to
work.
I'm
very
challenging
technical
feats.
You
know
in
the
kernel,
so
we
really
appreciate
that.
A
The
other
thing
is,
you
know
you
just
at
a
high
level.
When
you
talk
about
rootless
containers,
I
almost
feel
like
the
term
rootless
containers.
It's
a
it's
not
entirely
accurate
to
what
you're
actually
doing.
I
think
what
you're
trying
to
do
is
a
rootless
run
time.
You
know,
because
the
rootless
container
itself
right
is
sort
of
a
subset
of
that
right.
A
A
rootless
runtime
generates
a
rootless
container,
but
the
reason
I
mention
it
is
because,
for
example,
in
the
kubernetes
kep,
you
know
that
you
mentioned
right
there
there's
going
to
be
the
notion
of
a
rootless
spot,
but
kubernetes
itself
is
running.
You
know
root
full
right
in
order
to
do
whatever
it
needs
to
do,
and
so
I
can
sense
already.
You
know
a
bit
of
confusion
there
right
and
where
people
say
rule
this
container.
Does
that
mean
that
kubernetes
is
running
ruthless
or
does
it
mean
the
pods
are
running
rudely
and
they're
two
different
things?
F
A
Have
researched
runtimes,
even
the
name?
Ruthless
is
already
kind
of
weird
because
you
are
rooting
inside
of
the
container
or
inside
the
pot,
but
you're
not
rude
at
the
host.
So
there's
also
that
there's
a
whole
thing
you
know,
but
yeah
just
so
that
I
would
mention
it
in
our
case,
for
example,
with
the
runtime
that
we
developed
all
the
containers
we
generate
are
ruthless,
meaning.
E
A
Are
in
the
linux
username
space
right
and
we
do
things
like
virtualizing,
procfs
virtual
licenses
effects,
cisco
trapping.
You
know
special
amounts
shift
fs.
You
know
we're
doing
all
sorts
of
advanced
things
to
enable
these
ruthless
containers
to
run
things
like
docker,
systemd
and
microservices
all
that
stuff.
But
it
is
just
rootless
containers.
A
Our
runtime
itself
needs
root
because
it
needs
to
do
very
advanced
things
like
cisco
trapping
and
things
like
that.
That
are
really
hard
to
do
ruthless.
You
know
so
we're,
I
think
ourselves
as
rootless
containers,
but
we're
not
a
rootless
runtime.
You
know,
and
I
think
a
lot
of
what
you're
mentioning
here
is
a
rootless
runtime,
which
is
an
even
more
challenging
thing
that
what
we're
that?
What
we're
up
to,
if
I.
D
A
D
D
E
D
Sitcom
stuff,
we
talked
about
the
the
user
notifications.
He
said
that
it
has
better
performance
and
features.
You
know,
do
you
have
any
details
about?
You
know
we're
looking
at
this
assignment,
if
not
block
right,
we
look
at
s
trace.
Is
this
supposed
to
be
better
than
and
then
ashtrays
as
well?
Do
you
have
any
experiments
or
any
numbers
that
that
you
could
kind
of
share.
F
Oh
yeah,
so
for
pictures
you
have
to
sub,
you
have
to
inject
hooks
for
every
ciscos,
even
for
c
scores.
You
are
not
interested
in,
but
with
secondary
certification.
You
can
only
inject
hooks
into
the
interesting
system
course.
So
the
number
of
quantity
switches
is
proportional
to
the
number
of
syscalls
you
want
to
emulate.
In
the
user
space.
D
A
A
Thanks
thanks,
we
I
subscribe.
We
use
this
mechanism
quite
a
bit
to
intercept
certain
system
calls.
It
is
very
useful
and
because
we
can
select
the
specific
system
calls
that
we
want
to
intercept.
For
example,
we
intercept
the
mount
system
call
because
it's
very
important
that
whenever
prog,
fs
or
csfs
are
mounted
inside
of
one
of
these
woodless
containers,
it
is
our
emulated,
proper
phase
and
csfs
that
get
mounted
not
the
kernels
rockefes.
A
Otherwise,
you
create
a
security
goal,
so
we
use
that
second
user
notification
mechanism,
and
it
also
has
the
advantage
that
you
can
just
decide
when
to
process
a
particular
consistent
call,
and
if
the
arguments
are
not
ones
that
you
need
to
process,
you
can
send
it
back
to
the
kernel
so
that
the
kernel
can
do
the
the
regular
processing
of
the
system
calls.
So
it
doesn't
like
the
mount.
For
example,
system
code
is
a
very
complex
system
call
to
to
emulate
right,
so
we
only
emulate
emulated
in
certain
scenarios.
A
In
the
case
that
we
don't
we
don't
care
about
it,
we
send
it
back
to
the
kernel.
Another
kernel
continues
with
the
with
the
processing
right.
I
do
think
that
it
does
add
a
bit
of
overhead,
so
we
only
use
it
in
control
path
operations.
We
shy
away
from
using
a
negative
data
path
operations
and
how
much
overhead
it
depends.
How
much?
What
are
you
doing
there
right
with
that
particular
system
called
in
user
space?
You
know
it's
a
very
powerful
mechanism.
Yes,.
F
A
A
C
Had
one
here
actually,
this
was
also
the
initial
trigger
please,
but
in
your
health
wanted
slides
here
right,
it's
it's
kind
of
amazing.
The
amount
of
work
you've
done
tracking
this
in
all
these
different
projects.
So
it's
it's
in
it's
insane,
but
my
question
would
be
like:
what's
the
best
way
to
help
you
out,
because
I
don't
know
if
you
need
some
help
from
the
end
users
to
to
like
try
this
out
or
but
it's
it's
not
very
clear
to
me
how
to
to
to
report
this.
C
C
Yeah,
I
I
was
wondering
I
don't
know-
maybe
ricardo's
can
say
I
don't
know
where
it
would
fit
and
if
there's
one
place
where
you
could
have
like
a
working
group
dedicated
to
this,
where
we
can
track
all
the
points,
all
the
work,
all
the
components
that
have
support
what's
missing,
because
I
guess
it's
in
your
head.
But
I'm
wondering
if
it's,
if
it's
worth
creating
something
somewhere
for
this
just
dedicated
to
rootless
support.
B
C
F
C
G
One
more
thing
I
wanted
to
point
out
is
I'm
submitting
a
change
to
your
singularity
page
on
rootless
containers,
because
there
you're
talking
about
the
set
uid
mode
and
fake
root
mode
of
singularity,
but
there's
actually
that's
not
the
main
either
of
those.
Well,
let's
say
there
is
another
there's,
a
third
mode
which
is
more
the
default.
When
you're
running
unprivileged
you
can,
you
can
run
unprivileged
singularity
without
fake
root.
G
The
default
mode
is
to
just
use,
what's
called
unprivileged
username
space
mode
it
just
it
has
no
root
at
all
inside
the
the
container.
That's
actually
more
rootless
than
what
you
guys
are
talking
about,
because
there's
no
root,
there's
no
root
user
at
all
inside
the
container.
It's
only
the
original
user
same
one
inside
and
outside
right,
so
it
can
be
completely
unprivileged
and
it
doesn't
need
any
help
or
you
know
new
uid
map
tool
or
anything
like
that
because
it
just
has
no
roots.
G
So
that's
that's
not
useful
in
some
cases,
but
it's
it's
useful
in
a
lot
of
cases
too,
for
just
we're
trying
to
isolate.
We
have
have
an
unprivileged
user
that
runs
other
other
users
payloads.
So
this
becomes
very
useful
for
that,
because
we
don't
care
if
they
don't
have
any
access
to
root.
We
just
want
them
to
so
that's
just
a
it's
not
nearly
a
as
a
complete
a
container
system,
but
it,
but
it's
still
very
useful.
F
A
Okay
hero,
if
I
may
ask
where
what
is
your
vision,
sort
of
where,
where
rootless
containers
I
mean
the
product,
the
the
project
they're
working
on?
What
is
your
vision
for
it?
Where
you
know,
when
would
you
say:
okay,
I'm
happy
that
we've
reached
the
state
where
you
know
I
accomplished
everything
that
I
wanted
to
accomplish
for
for
this
project
right
on
yeah.
Where
would
where
do
you
see
this
like,
let's
say
five
years
from
now?
If
you,
if
you
pass
it
away,
sorry,
you
said
what
what
what
is
where.
F
A
F
F
So
gte
and
eks
and
ats
I
will
have
a
checkbox
on
their
web
user
interface
and
click
here
to
run
kubrick
and
continue
d
as
a
non-new
user,
so
that
my
dream,
I
was
in
five
years
yeah,
but
I
I
don't
work
for
google,
I
don't
remember
amazon
or
microsoft,
so
so
sure.
Obviously,
as
a
team
is
helpful,
industry.
F
A
And
just
a
general
question
for
anyone
that
wants
to
answer.
Is
I
mean
in
your
experience?
Do
people
care
more
about
securing
the
runtime
itself
or
do
they
care
more
about
securing
the
container
itself
right?
You
know
because,
as
I
was
mentioning
the
kubernetes
kep
that
would
use
our
namespaces
would
secure
the
pot
itself,
but
not
the
cubelet
right.
The
coupler
will
continue
to
run
root,
but
the
part
itself
is
now
ruthless
right.
A
F
Yeah,
so
I
think
the
both
points
are
really
important
and
so
and
there's
a
lot
of
smart
and
the
username
space.
It
has
missed
proposals
that
do
not
conflict
either,
so
we
can
just
save
them
together
by
nesting
username
space
inside
redress,
continuous
yeah
yeah.
So,
ideally,
we
are
runtimes
as
a
non-reducer,
such
as
uid
one,
zero,
zero,
zero
and
also
around
port
arrays
different
uids
such
as
200
and
201,
and
such
as
so
yeah.
A
It
would
be
first
rootless
spots
initially
just
the
parts
right.
The
coupler
will
continue
to
run
ruthful,
but
then,
eventually,
as
you
continue
to
work
in
enabling
user
navies
and
running
the
cupola,
let's
say
ruthless
at
some
point.
They
could
interact
together
right
in
the
sense
that
you
have
the
cubelet
rootless
and
then
inside
of
that
you
could
even
nest
a
username
space
inside
for
the
pods
themselves.
Is
that
what
you're
saying.
B
Yeah,
I
think,
if
I
may
add
that
the
production
environments
would
like
to
have
something
less
privileged
and
at
the
lowest
level.
So
I
think
the
rootless
run
times
hasn't
been
pretty
necessarily
available
in
all
places
or
or
hasn't
been
available
at
all
right.
So
so
what
you
know
some
people
have
been
doing
is
just
trying
to
secure
the
pod
or
secure
the
container
right
so
more
at
the
more
at
the
nest
level.
B
B
F
So
it's
available
on
azure
and
also
google
computing
engine
but
necessary
browserization
on
this
class
are
really
slow
and
aws
doesn't
support
necessary
visualization
at
all
so
but
aws
provides
parameter
instances.
So
you
can
run
categories
in
cells.
Perimeter
instance
of
ec2,
but
parameter
instances
are
really
expensive.
Yeah,
so
so
running
categories
on
on
premise
is,
is
really
attractive,
but
running
cutter
continuous
on
crowd
is
somewhat
difficult.
A
So
for
us
at
least
short
term,
we
don't
have
rootless
running
the
runtime
that
we
created
rootless
in
the
short
term,
because
we're
just
doing
things
that
require
really
true
group
sort
of
permission
like
cisco
trapping
is
just
one
example:
nothing.
Having
said
that,
you
know
if
we
could
run
bluetooth.
That
would
be
great
also
right,
because
you
know,
then
we
could
secure
ourselves
to
right.
You
know
that
our
focus
has
been
more
on
the
container
itself.
A
Yes,
but
I
think
it's
very
challenging.
I
think
the
work
that
haka
hero
has
been
doing
all
over
the
last
years
is
securing
the
run
times
shows
how
challenging
it
is
to
secure
the
run
and
it's
getting
more
challenging
because
things
like
evpf
and
second
of
the
fight,
a
lot
of
the
kernel
power
is
going
to
move
into
user
space.
But
that
requires
some
sort
of
high
privilege.
B
B
Yeah
yeah,
it's
an
interesting
topic.
I
think
it
ended
because
you
know
people
have
talked
about
over
the
years
on
how
to
be
more
secure
and
allow
you
know
less
and
less
and
within
containers
and
but
then
in
the
end,
it's
it's
a
matter
of
what
what's
the
most
important
for
particular
users
right
so
like
there's,
there's
got
to
be
some
compromises
right.
So
if
you,
if
you
are,
for
example,
you
know
preventing
people
from
using
root,
but
then
you
need
to
allow
something
you
know
so.
D
I
think
part
of
this
is
also
like
just
granularity.
A
lot
of
the
capabilities
have
kind
of
scaled
down
from
a
big
umbrella
over
the
couple
of
years,
so
that
helps-
and
I
think
just
like
you
know,
having
parts
of
the
code
they're
using
which
are
privileged
to
be
measured
and
and
attestable.
I
think
that
that's
kind
of
like
will
solve
half
of
the
problem
as
well.
A
So
before
we
run
out
of
time
like
a
hero,
if
you
need
any
help,
I
mean
we
we're
not
the
work
that
we're
doing
is
not
exactly
the
same.
What
what
you're
doing
right,
because
you're
trying
to
occur
in
the
runtime,
so
we're
just
securing
the
container,
but
there
is
an
overlap
right,
there's
an
overlap,
certainly
so
we'll
be
happy
to
help
you
in
that
area
of
overlap
right
there
right
and
the
overlap.
It
revolves
around
the
rootless
container
itself
right
and
the
things
that
can
run
in
the
rootless
container
itself.
A
B
Right
so
I
think
it's
nine
o'clock
well.
Thank
you.
Everyone
for
attending.
Thank
you,
akihiro
for
the
presentation.
Thank
you
brandon
for
the
presentation,
yeah,
and
if
you
want
to
keep
the
conversation
going,
I
mean
we
have
a
slack
channel,
so
we
can
also
have
any
conversation
there,
any
follow-ups
and
any
questions
or
anything
related
to
the
work.
The
lucky
hero
is
doing
or
says,
boss,
success
box
is
doing,
and
yeah
and
and
also
security.