From YouTube: CNCF SIG Runtime 2021-03-18
B: Let's get started. We've got nine people on the call, so welcome everyone. We've got two items on the agenda today. We have Brandon, he's gonna talk for, I think, five minutes about the security white paper, and then we have Akihiro, and he's gonna talk about the current state of rootless containers.

D: Awesome, thanks Ricardo. Yeah, so I was just speaking together a while back, and I mentioned it, you know, a couple months ago or several months ago now, at the last KubeCon, we kind of announced the SIG Security white paper. This was kind of a collaborative effort; we had this really nice document. Actually, let me share my screen.

D: So a while back we released a white paper, right. This was something very conceptual, on a high level, covering different aspects of cloud native security, and, you know, part of that, we get a lot of good information from the various different groups, but really what this white paper was about is kind of touching on concepts at a very high level, very generic recommendations.

D: Nothing to do with anything specific. You know, Kubernetes isn't even mentioned within this white paper, because it's supposed to be non-biased, really looking at concepts.
D: We also have this translated into Chinese now. So you've got the runtime environment, you know, you talk about the different phases, you know, how to compute what needs to be secure, the orchestration level, protecting resources, all that, and things like that. But, you know, we don't have specific tooling involved in this.

D: So what we've been recently working on to kind of augment the information here is something we call the cloud native security map. So the idea here is that...

D: The idea here is that it would be kind of an addition to the cloud native security white paper, so you'll have information about the general concepts, and then you could click in and see the different projects that are related to the different ideas or security requirements, and then there will be examples. So, kind of just to give a quick overview, we are currently curating content for this.

D: So one example here is, you know, for security checks in development. We will have a list of projects, so this is kind of similar to the landscape, and also we will have examples to kind of help illustrate, for someone to go in and say, okay, what would a security control within this area look like. And so there are examples of what you would do, and these would be very specific to, okay, if you were using a specific technology, what would this look like?
D: They are meant to kind of just give a more graphical idea of what a control may be, and what's going to happen is, with all this, we are currently working on kind of a UI to put all this in, so the idea is all this information would be navigable. So if you're interested in, you know, development, you could go and click on this, go in, and then there'll be lists of projects.

D: So these are examples, and, you know, one thing that we want to do in the future is also, for example, if you're talking about the distribution phase, right, for artifacts and images, let's say you have signing, trust and integrity.

D: The idea is, whenever you're doing signing, trust and integrity on the DevOps side, the distribution stage, you still want to also be able to enforce that integrity at runtime as well. So our plan is to have linked content points. So, for example, if you look at, you know, this is artifact integrity, there will be a link here that says, okay, you may also want to check out the runtime section on this.

D: So then you cover: how do I sign the images by the same value, so... within my orchestration system, how do I verify these images when they're running? Oops. So what we are looking for right now is content contributions. We have, under the runtime section...

D: We do have a couple that are still kind of semi-filled or not yet filled, so this is kind of like a plug to see if anyone in this group is interested in contributing to...
D: ...parts of this, that would be super helpful, especially as I know the group here is a lot more familiar with the runtime projects, yeah, so this could be a good way to also introduce that to the ecosystem.

D: Yeah, that's kind of all that I had to share. I guess, any questions? If not, this is pretty much all I have.

B: What are some of the runtime sections that are missing something?

D: Initially we had resource requests and limits, control plane authentication, secrets encryption. I think these were three of the main ones.

D: I think these, and bootstrapping on the... so these are a few that I'm missing. I would say the main focus areas that we are lacking expertise in are resource requests and limits, and the control plane authentication and secret encryption part of it.

D: But I would say, you know, I think a lot of projects on the runtime side we don't have great visibility on, so, you know, if anyone can also just go through the different projects in those sections and say, okay, maybe this additional project may be helpful here, that would also be very good for the document.

B: Got it. Thank you. So one more question: do you have a sample of one of those sections?
D: Yeah, so let's pick one here. Just pick one... I haven't reviewed the one there yet, so let's see.

D: We also are kind of keeping track of a few commercial projects as well, so there's actually another motivation of this: we also want to look for gaps within the CNCF ecosystem. So part of this exercise is kind of saying, okay, if there are certain areas where there are... open source projects... sorry, there are commercial projects but there are no open source projects, then we will try and make a recommendation to the TOC about, you know, maybe we should try and get some of these projects in.

B: So I think runtime is actually at the... if you scroll down, yeah, there, yeah yeah.

D: Is it this one? Yeah yeah, so this one is like, there's only one project, right, so maybe there are some that they may not be aware of here; it may be the eBPF stuff. I noticed some stuff in that area, yeah. So it's not just something that's content heavy; it's pretty much, yeah, there's a project here, some examples, and then just to help folks get a better idea on how to secure certain aspects of the ecosystem.

D: Oh yeah, I'll put the link to the issue and to the doc in the chat. Thanks.

B: Yeah, you're welcome. Thank you for coming by. Okay, so now we have Akihiro, and thank you for joining. I'm excited to have you talk about the state of rootless.
F: All right, so let me introduce myself. I'm a software engineer at NTT, a telecom company in Japan, and I'm a maintainer of several projects, including runc, containerd and Moby, and also several sub-projects under the rootless-containers GitHub organization.

F: So even with rootless containers, the attacker can gain normal-user access on the host, but the attacker cannot gain root privileges. And rootless containers are implemented using a kernel feature called user namespaces, which allows mapping a non-root user to something like root with a limited set of privileges. And in Kubernetes SIG Node there's a similar enhancement proposal about user namespaces, but rootless mode is not related to this user namespace enhancement proposal, and they do not conflict either.

F: And, of course, rootless containers are not a panacea, and there are some drawbacks. For example, the network throughput is slightly slower, like 50 Gbps to 10 Gbps. So this is really slow, but we are seeing huge improvements in these years. And rootless containers cannot support NFS and block storage.

F: So in 2018 BuildKit started to support rootless mode, and we also had Docker, Podman and CRI-O; all of them supported rootless containers that year. And we also made a patch for Kubernetes to support rootless mode, but the patches are not merged into the Kubernetes upstream at this moment. But k3s already supported rootless mode in 2019.
F: And this year we added rootless support for kind (Kubernetes in Docker). So now you can run Kubernetes in rootless Docker and also rootless Podman. And with regard to rootless, there's a lot of news.

F: So last year there was a new kernel feature called seccomp user notification, and this year we are seeing kernel-mode overlayfs for rootless containers, and also the OCI runtime spec is being modified to support seccomp user notification. I will talk about this topic later.

F: And let me show some examples of rootless containers, such as Usernetes. Usernetes is our reference distribution of Kubernetes for supporting rootless mode, and we have a demo using Docker Compose for showing a multi-node deployment of a Kubernetes cluster. I also have some screenshots on this slide.

F: And just yesterday, kind (Kubernetes in Docker) started to support rootless mode, and this will be included in kind version 0.11. And kind supports rootless without patching Kubernetes, but for supporting Kubernetes without patching we have several complicated hacks, such as bind-mounting /dev/null onto /proc/sys... sorry, onto /proc/sys/kernel, to emulate some sysctl values, and we also need some complicated configuration for kube-proxy to avoid setting several privileged sysctl values.

F: But we have several complex hacks for running Kubernetes without patching at all, and it will be included in kind version 0.11. So within a few weeks you can try this easily.
F: And the topic of this year is seccomp. So just two years ago, kernel 5.0 added a new feature called seccomp user notification.

F: This is very similar to ptrace, but it's more lightweight, so it doesn't need the context switches that ptrace does. And this feature wasn't supported by the OCI runtime spec, but just two days ago there was a pull request that was merged into the OCI runtime spec, so the OCI runtime spec now supports this seccomp user notification, yeah. And rootless containers will be able to use this seccomp user notification for emulating subuids without a file called /etc/subuid.

F: So this is very difficult on multi-user environments, because you have a bunch of users and you have to provide their entries within the file. But with seccomp user notification, you no longer need to prepare this /etc/subuid file, and also with this seccomp notification we can completely remove the setuid binary files such as /usr/bin/newuidmap. So this is better in security.

F: And kernel 5.9 added support for SECCOMP_IOCTL_NOTIF_ADDFD. This is a new feature that allows injecting file descriptors from a host process into container processes.

F: We also want to port the rootless kind to minikube with the Docker driver and Podman driver, and we have a proposal for Kubernetes SIG Node, but this proposal is not merged yet, so we need some help to facilitate acceptance of this proposal. And we have some questions about rootless containers on Stack Overflow and Reddit and also on several community sites.

F: And for further information, please visit https://rootlesscontaine.rs, and last year at KubeCon we had some presentations about rootless containers, and we also have a proposal for Kubernetes SIG Node.
E: I have a question about the block storage support. Is it a completely no-go, or is it something that the project owners are looking into? And is it just because the mount is not available, or why can't you use that?

F: So the kernel maintainers do not want to support user namespaces for the ext4 filesystem and the XFS filesystem, because several filesystem drivers are likely to have bugs, and they don't want to expose these potential bugs to non-root users. So the kernel maintainers do not want to have rootless support for ext4 and XFS and other typical filesystems. So we cannot support it, but...

F: We could use FUSE, filesystem in user space, for implementing ext4 and XFS in user space. So potentially we can support block storage, but we are likely to have a significant performance overhead, because filesystem in user space is slow, yeah. But we can support it if we want to.

G: I have a question, I have a few actually, but one is: is there any update on kernel support of overlayfs from user namespaces?
G: I know that they've talked about that for a long time, but is there...? I know there's fuse-overlayfs, but is there... there you go, the kernel-mode overlayfs.

F: Oh yeah, so there are two implementations of overlayfs, in the kernel mode and in the user space, like fuse-overlayfs, but kernel-mode overlayfs didn't support user namespaces until kernel 5.11, but so...

F: Oh yeah, 5.11, it was released last month, I think.

G: Okay, I hadn't heard that, so that could be a good improvement in performance, hopefully, over fuse-overlayfs. Yeah, another one is, I run into lots of problems with getting the pid namespaces working, and Kubernetes blocks them by default. They mask them by mounting other things on top of /proc, so that you can't mount a new /proc in an unprivileged user namespace.

G: If you have any insight into that... I presume that the rootless ones don't block those things like Docker and Kubernetes do.

F: Sorry, you said slash...?

G: And you need this for... anytime, so, but you can't run within Docker, you can't create another unprivileged pid namespace because they block /proc. You can't, unless you run with, you know, the unmasked /proc; it's called... this is security.
F: Oh yeah, so basically you need to bind-mount the /proc filesystem, and rootless Podman already supports that, a pid namespace with such a bind mount.

G: What... which did you say? You mean a bind mount from outside of /proc? Yeah yeah, a bind mount of /proc into the container, yeah; that you can do. But if you want to have its own pid namespace inside of a container, then you need a new /proc. You need to have an unprivileged pid namespace.

F: So if you have some problem, maybe you can post the configuration of the OCI runtime to the GitHub issues of the runc repo, or maybe somewhere else, so maybe I can look into that to help with the problem.

G: So I mean Docker is relatively easy because they have this option, --security-opt systempaths=unconfined, for that. If you're just running inside Docker, you can run this and it will allow you to mount /proc. Kubernetes... we have a regular k8s, and we haven't actually figured out how to enable the corresponding option. There's supposed to be a way to do it with procMount Unmasked, but we haven't got it to work, and I presume the k3s and stuff don't block these.

F: Oh yeah, I guess we need to have some work in the kernel to facilitate mounting a /proc filesystem without such a security opt, yeah. So I think I will have some work in the kernel.
G: Now this is... this is beyond a kernel problem, because the kernel allows it, but the problem is that these container systems are blocking other things inside the container from using it, because they are deliberately putting other things on top of /proc to prevent it. So by default Docker will make those confined on /proc, and so does Kubernetes, and Kubernetes makes it even harder to do that, to allow procMount types.

G: I'd like to be able to run a completely unprivileged container within a Kubernetes pod, sure, and in particular we use Singularity unprivileged and with the --pid option, so that you can create a separate pid namespace.

A: I'll take a look. Akihiro, if I may ask... my name is Cesar, and I am, as I mentioned, the developer of a runtime called Sysbox at Nestybox. Number one, I wanted to introduce myself and thank you so much for all the work that you've done on rootless containers over all the many years. You know, it's a lot of perseverance from your part to work on very challenging technical feats, you know, in the kernel, so we really appreciate that.

A: The other thing is, you know, just at a high level, when you talk about rootless containers, I almost feel like the term rootless containers is not entirely accurate to what you're actually doing. I think what you're trying to do is a rootless runtime, you know, because the rootless container itself, right, is sort of a subset of that, right.
A: A rootless runtime generates a rootless container, but the reason I mention it is because, for example, in the Kubernetes KEP, you know, that you mentioned, right, there's going to be the notion of a rootless pod, but Kubernetes itself is running, you know, rootful, right, in order to do whatever it needs to do. And so I can sense already, you know, a bit of confusion there, right, where people say rootless container: does that mean that Kubernetes is running rootless, or does it mean the pods are running rootless? And they're two different things.

F: Yeah yeah yeah, makes sense. Yeah, actually rootless containers is not something I invented. So there was already... when I became interested in, yeah. So actually it's difficult to rename rootless containers, yeah, but yeah yeah. I...

A: ...rootless runtimes. Even the name rootless is already kind of weird, because you are root inside of the container or inside the pod, but you're not root at the host. So there's also that, there's a whole thing, you know, but yeah, just so that I would mention it. In our case, for example, with the runtime that we developed, all the containers we generate are rootless, meaning...

A: ...they are in the Linux user namespace, right, and we do things like virtualizing procfs, virtualizing sysfs, syscall trapping, you know, special mounts, shiftfs. You know, we're doing all sorts of advanced things to enable these rootless containers to run things like Docker, systemd and microservices, all that stuff. But it is just rootless containers.

A: Our runtime itself needs root because it needs to do very advanced things like syscall trapping and things like that, that are really hard to do rootless. You know, so we think of ourselves as rootless containers, but we're not a rootless runtime. You know, and I think a lot of what you're mentioning here is a rootless runtime, which is an even more challenging thing than what we're up to, if I...
D: Seccomp stuff: we talked about the user notifications. You said that it has better performance and features. You know, do you have any details about...? You know, we're looking at this as an alternative, if not... right, we look at strace. Is this supposed to be better than ptrace and then strace as well? Do you have any experiments or any numbers that you could kind of share?

F: Oh yeah, so for ptrace you have to inject hooks for every syscall, even for syscalls you are not interested in, but with seccomp user notification you can only inject hooks into the interesting system calls. So the number of context switches is proportional to the number of syscalls you want to emulate in the user space.

F: I don't have benchmark data, yeah.

F: Yeah, it would be really great if we can get some experiments on the overhead of this seccomp user notification, yeah.

A: Thanks, thanks. We at Sysbox use this mechanism quite a bit to intercept certain system calls. It is very useful, because we can select the specific system calls that we want to intercept. For example, we intercept the mount system call, because it's very important that whenever procfs or sysfs are mounted inside of one of these rootless containers, it is our emulated procfs and sysfs that get mounted, not the kernel's procfs.
A: Otherwise you create a security hole, so we use that seccomp user notification mechanism, and it also has the advantage that you can just decide when to process a particular system call, and if the arguments are not ones that you need to process, you can send it back to the kernel so that the kernel can do the regular processing of the system call. So it doesn't... like the mount system call, for example, is a very complex system call to emulate, right, so we only emulate it in certain scenarios.

A: In the case that we don't care about it, we send it back to the kernel, and the kernel continues with the processing, right. I do think that it does add a bit of overhead, so we only use it in control path operations. We shy away from using it in data path operations, and how much overhead it adds depends: how much, what are you doing there, right, with that particular system call in user space? You know, it's a very powerful mechanism. Yes.

F: For emulating subuids, we have to emulate a lot of syscalls, of course, such as chown and setuid and several syscalls, yeah. So these are very, yeah, complicated.

C: I had one here, actually. This was also the initial trigger... but in your... you had all the slides here, right, it's kind of amazing the amount of work you've done tracking this in all these different projects. So it's insane, but my question would be like: what's the best way to help you out? Because I don't know if you need some help from the end users to like try this out, or... but it's not very clear to me how to report this.
C: Would it help to have like some place where we can coordinate all these things you're doing in different components, and maybe report user experience? What do you think?

C: Yeah, I was wondering, I don't know, maybe Ricardo can say, I don't know where it would fit, and if there's one place where you could have like a working group dedicated to this, where we can track all the points, all the work, all the components that have support, what's missing, because I guess it's in your head. But I'm wondering if it's worth creating something somewhere for this, just dedicated to rootless support.

B: So, no, I think... I'm interjecting here, but I think what Ricardo is talking about is, you know, maybe from the CNCF, how the community can organize around it, right. So one way the SIGs and the TOC have of organizing the communities is by creating working groups under some of these SIGs.

B: So I mean there will be somebody who drives that, like it could be you if you're interested, right, Akihiro; it could be the chair or the lead of that community, and basically gather the people around so that you get more contributors, right, and then also you get the support from the CNCF.

B: Yeah, so yeah, if you think that's a good way to go, you know, the CNCF will be happy to be there to help you out, and, you know, regardless, also in the TOC. So.

C: Yeah, I think, if you're interested here, I think we can come up with something to give more visibility to this effort. Oh.

F: Thanks, yeah. So for rootless containers we have several people such as Aleksa from SUSE and Giuseppe Scrivano from Red Hat. So maybe I will ask these guys about the working group, yeah.
G: One more thing I wanted to point out is I'm submitting a change to your Singularity page on rootless containers, because there you're talking about the setuid mode and fake root mode of Singularity, but actually that's not the main... either of those. Well, let's say there is another, a third mode, which is more the default. When you're running unprivileged, you can run unprivileged Singularity without fake root.

G: The default mode is to just use what's called unprivileged user namespace mode. It has no root at all inside the container. That's actually more rootless than what you guys are talking about, because there's no root, there's no root user at all inside the container. It's only the original user, the same one inside and outside, right, so it can be completely unprivileged, and it doesn't need any help or, you know, newuidmap tool or anything like that, because it just has no root.

G: So that's not useful in some cases, but it's useful in a lot of cases too, for... we're just trying to isolate. We have an unprivileged user that runs other users' payloads. So this becomes very useful for that, because we don't care if they don't have any access to root. We just want them to... so that's just... it's not nearly as complete a container system, but it's still very useful.

F: Oh, sounds interesting, yeah yeah. So I think I need to modify the rootless containers page about Singularity, I would.
A: Okay, Akihiro, if I may ask, what is your vision, sort of where rootless containers, I mean the project you're working on... what is your vision for it? When would you say: okay, I'm happy that we've reached the state where, you know, I accomplished everything that I wanted to accomplish for this project, right? Where do you see this, let's say, five years from now? If you... Sorry, you said what... where?

A: Where... what is your vision for the project? Where do you see it going, let's say in five years, right?

F: Yeah, in five years I think most Docker users and Podman users will use rootless containers by default.

F: I think it's highly likely for local containers on laptops, but we are promoting rootless containers to production clusters, especially Kubernetes clusters.

F: So GKE and EKS and AKS will have a checkbox on their web user interface: click here to run kubelet and containerd as a non-root user. So that is my dream in five years, yeah, but I don't work for Google, I don't work for Amazon or Microsoft, so... sure. Obviously it's a dream that would be helpful for the industry.

F: Yeah yeah, okay, that's the main motivation, yeah. But aside from that, HPC users, high-performance computing users, will want to use rootless for some kind of multi-tenancy in a shared cluster.
A: And just a general question for anyone that wants to answer. I mean, in your experience, do people care more about securing the runtime itself, or do they care more about securing the container itself, right? You know, because, as I was mentioning, the Kubernetes KEP that would use user namespaces would secure the pod itself, but not the kubelet, right. The kubelet will continue to run root, but the pod itself is now rootless, right.

A: I'm wondering, you know, obviously if people could have both they'd probably have both, but I'm wondering, at this stage of things, where is more of the demand? Is it more on protecting the runtimes, or just protecting the container, the container isolation boundary itself?

F: Yeah, so I think both points are really important, and there's a lot of... the user namespace KEP and rootless, these proposals do not conflict either, so we can just use them together by nesting a user namespace inside rootless containers, yeah yeah. So, ideally, we run runtimes as a non-root user, such as UID 1000, and also run pods as different UIDs, such as 200 and 201, and so on, yeah.

A: It would be first rootless pods, initially just the pods, right. The kubelet will continue to run rootful, but then, eventually, as you continue to work on enabling user namespaces and running the kubelet, let's say, rootless at some point, they could interact together, right, in the sense that you have the kubelet rootless, and then inside of that you could even nest a user namespace inside for the pods themselves. Is that what you're saying?
B: Yeah, I think, if I may add, that the production environments would like to have something less privileged, and at the lowest level. So I think the rootless runtimes haven't necessarily been available in all places, or haven't been available at all, right. So what, you know, some people have been doing is just trying to secure the pod or secure the container, right, so more at the next level.

B: So yeah, if you are able to break out of the container, and if you are running something as root, the kubelet or the runtime, then an attacker could actually gain access to the host. So I mean, I think this...

B: The largest or the biggest concern is that somebody who could gain access to that host could cause some damage, right. So that's what people have been talking about with multi-tenancy, and also, you know, there are some of the other runtimes like Kata Containers that run the container in a VM.

F: ...host, so sorry, so what's... what was your question?

F: Yeah, so actually Kata Containers provides much stronger isolation, yeah, but Kata Containers require CPU support for virtualization, such as Intel VT-x, and this virtualization is not available on typical cloud instances.

F: So it's available on Azure and also Google Compute Engine, but nested virtualization on these clouds is really slow, and AWS doesn't support nested virtualization at all. But AWS provides bare-metal instances, so you can run Kata Containers on such bare-metal instances of EC2, but bare-metal instances are really expensive. Yeah, so running Kata Containers on premises is really attractive, but running Kata Containers on cloud is somewhat difficult.
A: So for us, at least short term, we don't have rootless... running the runtime that we created rootless, in the short term, because we're just doing things that require really true root sort of permission, like syscall trapping is just one example. Having said that, you know, if we could run rootless, that would be great also, right, because, you know, then we could secure ourselves too, right. You know, but our focus has been more on the container itself.

A: Yes, but I think it's very challenging. I think the work that Akihiro has been doing over the last years in securing the runtimes shows how challenging it is to secure the runtime, and it's getting more challenging, because with things like eBPF and seccomp notify, a lot of the kernel power is going to move into user space. But that requires some sort of high privilege.

B: Yeah yeah, it's an interesting topic. I think it ended... because, you know, people have talked over the years about how to be more secure and allow, you know, less and less within containers, but then, in the end, it's a matter of what's the most important for particular users, right. So like there's got to be some compromises, right. So if you are, for example, you know, preventing people from using root, but then you need to allow something, you know, so...

D: I think part of this is also just granularity. A lot of the capabilities have kind of scaled down from a big umbrella over the couple of years, so that helps, and I think just like, you know, having the parts of the code they're using which are privileged be measured and attestable, I think that's kind of like... will solve half of the problem as well.
A: So before we run out of time, Akihiro, if you need any help, I mean, the work that we're doing is not exactly the same as what you're doing, right, because you're trying to secure the runtime, so we're just securing the container, but there is an overlap, right, there's an overlap, certainly, so we'll be happy to help you in that area of overlap, right there, right, and the overlap revolves around the rootless container itself, right, and the things that can run in the rootless container itself.

B: Right, so I think it's nine o'clock. Well, thank you everyone for attending. Thank you, Akihiro, for the presentation. Thank you, Brandon, for the presentation, yeah, and if you want to keep the conversation going, I mean, we have a Slack channel, so we can also have any conversation there, any follow-ups and any questions or anything related to the work Akihiro is doing or Cesar, Sysbox is doing, and yeah, and also security.