►
From YouTube: CNCF SIG Runtime Meeting 2021-02-04
Description
CNCF SIG Runtime Meeting 2021-02-04
A
A
A
A
B
A
A
B
B
New
projects
that
are
out
there
and
and
go
about
you
know
reaching
out
to
github
or
or
sending
out
emails.
So
I
mean
the
the
idea
with
the
sig.
Is
you
know,
trying
to
get
more
participation
from
community
projects
and
get
exposure
and
and
for
the
projects
to
get
exposure?
So
they
they
they
mature
more?
They
get
more
users
and
they
grow
their
communities.
B
A
Yeah
well,
thank
you,
yeah.
Thank
you
again
for
the
invitation.
I
think
one
of
the
things
that
we're
definitely
looking
for
is
a
little
bit
more
exposure.
You
know
we
don't
necessarily
want
to
get
overexposed
either
because
we're
a
very
small
team
yet
but
summer
exposure
will
definitely
help
us.
You
know.
B
Yeah
yeah
yeah
it's
yeah
and
I
think
it
helps
overall,
like
you
know,
companies
supporting
open
source
projects,
you
know
if
they
can,
the
other
places
can
know
about
the
project.
They
can
start
using
it
and
then
it
also
could
be
become
more
of
a
business
model
for
the
company
too
right
and
that's
why
the
company
can
do
well,
then
open
source
can
do
well
right.
That's
right!
That's
right!
That's
right!
Yeah
cool!
So
yeah,
let's
get
started
so.
A
All
right
well,
hi,
everyone,
my
name
is
cesar
talido
and
I'm
the
founder
and
ceo
of
a
company
called
nastybox.
My
co-founder
rodney
molina
is
joining
us
right
here
and
we
are
a
very
young
company
started
about
a
year
and
a
half
ago
just
went
through
the
y
combinator
accelerator
in
the
summer
and
rodney,
and
I
are
both
software
engineers
or
low
level
system
software
kernel
level
engineers.
You
know
I
ronnie
was
at
linkedin
for
many
years.
A
I
was
a
vmware
in
their
esx
sacramento
team
and
we
left
our
jobs
to
found
nasty
box
with
the
idea
of
enhancing
containers.
Particular
docker
containers
grenades.
You
know
bots
such
that
they
can
run
not
just
microservices,
but
any
workload.
That
would
normally
run.
Let's
say
on
a
virtual
machine
you
know
and
that
they
can
do
that
securely.
A
You
know
without
the
need
for
privileged
containers
right,
we
saw
you
know
there
were
use
cases
where
people
wanted
to
do
run
things
in
containers
that
normally
run
in
vms,
but
they
were
always
resorting
to
privileged
containers.
Plus
these
complex
configurations,
complex
locker,
run,
commands
complex
entry
points
and
we're
like.
Why
is
it
that
the
container
itself
cannot
just
create
an
abstraction
right,
so
the
processes
that
are
running
inside
of
it
can
seamlessly
run
all
that
type
of
software
right.
A
Everything
is
boxed
with
us.
You
know
nasty
box,
that's
his
box
and
it's
a
very
young
run
time,
but
it's
getting
starting
to
get
some
adoption.
So
we're
very
happy
about
that.
I'm
I'm
gonna
briefly
talk
about
what
is
this
box
some
of
the
features
and
benefits
use
cases
I'll
give
a
little
demo
I'll
talk
a
little
bit
about
the
different
flavors
that
we
have.
A
So,
as
I
mentioned
this
sysbox
is
this
low
level
container
runtime
that
we've
developed,
we
forked
it
from
the
oci
1c,
which
is
a
standard
runtime
used
by
doctor
and
kubernetes
in
2019,
and
it
tracks
it
very
closely
right.
So,
as
changes
come
into
the
oscillator
and
see
we
we
cherry
pick
those
into
into
xbox
itself.
A
A
As
I
mentioned,
the
goal
is
to
enhance
containers
to
enable
them
to
run
the
same
workloads
that
would
run
the
same
virtual
machine
or
another
physical
host,
seamlessly
and
securely
seamlessly
means
without
any
complex
configurations
required.
You
just
deploy
the
container
and
you
can
use
it
almost
as
if
it
were
a
vm
right
and
securely
meaning
with
strong
isolation
between
the
container,
no
more
privileged
containers
right.
In
order
to
do
that,.
A
Here's
a
diagram
that
explains
a
little
bit.
What
what
are
the
way
six
blocks
work
right,
I'll
go
into
more
details
later
right,
but
basically
you
have
a
host
machine.
It
has
to
be
a
linux
machine
right
now
and
you
know
in
it.
You
have
to
occur
kubernetes
or
even
portman
nowadays
and
sysbox
server
lives
below
them
right.
It's
a
low
level
runtime
like
the
run
c,
and
so
you
use
it
like
with
docker,
you
do
the
docker
run
and
you
pass
it
a
flag
saying
use
sysbox
instead
of
the
regular.
A
Also
I
can
see
and
you
can
pass
it
any
image
that
you
want.
There
is
no
requirement
whatsoever
that
says
block
bases
of
the
image
right.
Any
container
image
would
work
and
then
what
cisco
creates
is
a
container
that
is
capable
of
not
only
running
microservices
like
all
regular
containers,
but
it's
also
capable
of
running
what
we
call
system
level
software
things
such
as
system
d,
docker
itself,
even
kubernetes,
all
this
software
that
traditionally
requires
that
either
runs
on
vms
or
a
mass
running.
A
You
know
that
gives
you
full
wrote
inside
of
the
container
that
has
zero
privileges
outside
of
it,
which
in
turn
that,
coupled
with
a
bunch
of
other
techniques
that
csbox
uses
as
far
as
always
virtualization
enables
this
type
of
software
to
start
running
inside
of
the
container
seamlessly.
No
change
to
that
software
is
required
right,
so
you
should
be
able
to,
for
example,
deploy
one
of
these
containers
and
install
the
software.
If
you
want
it
just
like
you
would
on
a
vm
and
it
should
stall
and
run
perfectly
fine
right.
A
As
I
mentioned
no
complex
setup,
meaning
no
custom
entry
points
into
the
container
no
complex,
docker
run
commands
the
run.
Time
is
taking
care
of
setting
up
the
abstraction
of
the
container
such
that
it
really
starts
resembling
that
of
a
vm
in
many
ways
right
and
that's,
enabling
that
type
of
software
to
run
any
questions
at
this
point.
Or
is
it
pretty
clear.
A
A
A
There
is
no
hypervisor
required
here
exactly
pure
os
virtualization
right.
What
it
is
doing,
however,
it
is.
The
linux
kernel
already
supports,
always
virtualization
through
namespaces
c
groups,
right
it
is,
but
it's
not
enough
what
the
experience
has
it's
not
enough
to
enable
containers
to
run
this
type
of
software.
Sysbox
is
complementing
all
of
the
holes
that
are
in
the
lens
kernel
such
that
it
creates
a
container
an
always
virtualized
container
that
is
able
to
run
this
type
of
software.
A
A
A
You
know
where
the
holes
are
in
the
linux
kernel
and
it's
trying
to
cover
those
as
far
as
name
spacing
is
concerned
right,
but
still
one
kernel,
there's
no
user
mode
kernel,
there's,
there's
there's
it's
just
the
it's
just
a
runtime
setting
of
the
container
in
a
more
coherent
way.
That's
what's
happening:
okay,
gotcha
gotcha
yeah,
so
it
is
very
different
than
than
qatar
on
on
or
those
other
runtimes
that
rely
on
vms.
A
Yeah,
some
of
the
key
features
that
it
has
at
a
high
level
are:
it
has
what
we
call
fake
root
right,
meaning
the
linux
username
right
root
in
a
container
has
full
capabilities,
but
only
inside
the
container,
not
outside
of
the
host
right,
not
too
confusing
with
ruthless
containers
right,
because
there's
something
called
rootless,
docker
right,
which
is
docker
itself,
is
running
without
privileges
at
the
host
level
right.
This
is
not.
This
is
not
that
we're
not
going
there.
A
A
It
assigns
exclusive
user
namespace
id
mappings
to
each
container
for
extra
isolation.
So,
for
example,
if
you
land,
you
know,
I
don't
I'm
not
sure
how
familiar
you
guys
are
probably
with
the
linux
username
space
right
in
which
you
know,
there's
an
id
mapping
like
building
the
containers,
mapped
to
some
id
on
the
host.
That
is
fully
unprivileged
right,
so
user
id
and
post
and
what
it
does
is
to
each
container.
A
You
can
give
exclusive
range
of
host
user
ids
that
are
non-overlapping
and
that
creates
that
creates,
enhances,
cross-container
isolation
right,
oh
so
so
escape
will
do
that,
but
we
only
do
that
in
the
six
box
enterprise
edition
at
this
point
right,
so
we're
leaving
some
of
the
of
the
features
that
we
fill
our
more
enterprise
level.
We
we
of
right
now
have
in
the
enterprise
version
so
that
we
can
have
something
you
know
to
to
keep
the
lights
on.
A
It
also
supports
what
we
call
pre-loading
of
inner
container
images
into
the
outer
container
right,
because
a
lot
of
a
lot
of
people.
What
they're
running
inside
of
the
cismo
containers,
it's
docker
itself
right.
They
love
to
run
docker
in
sort
of
an
isolated
environment
without
having
to
resort
to
vms.
A
You
can
have
the
inner
docker
pull
them
from
the
network
or
you
can
also
easily
preload
them
into
the
into
the
other
container,
using
a
docker
file
or
a
docker
connect
and
I'll
show
you
that
in
the
demo
and
then
it's
also
capable,
when
you
have
one
of
the
problems
that
arises.
Okay
now
you
have
multiple
of
these
containers.
They're
all
running
docker
inside,
for
example,
and
they're
pulling
their
own
images,
but
those
images
can
be
pretty
heavy.
You
know
they
can
start
consuming
very
quickly.
A
lot
of
space
on
the
holes.
A
Is
there
a
way
to
share
you
know
the
inner
container
layers
across
you
know,
for
example,
if
you
have
two
of
these
system
containers-
and
you
have
an
instance
of
docker
on
each
and
they
all
have
they're
all
using
the
same
images.
Is
there
a
way
to
share
those
layers?
You
know
those
image
layers
between
those
and
and
the
enterprise
version
has
a
technique
that
it
uses
to
share
those
those
layers
and
that
reduces
storage
significantly
on
the
host.
A
Right,
some
of
the
benefits
that
we
see
as
a
result
of
says
box
are
number
one.
It
hardens
container
isolation
because
it
always
uses
the
linux
username
space,
even
if
you
don't
want
to
run
docker
or
kubernetes
or
systemd
inside
of
a
container,
even
users
want
to
run
microservices
sysbox
gives
you
a
hardened
container
already
right,
a
fake
root
container
with
exclusive
user
id
mappings
in
the
case
of
the
enterprise
edition.
A
Now,
because
it's
able
to
run
things
like
systemd
docker,
when
it
is
securely
inside
of
the
container
that
opens
up
a
bunch
of
new
use
cases
for
containers
right,
it
sort
of
bridges
the
gap
between
a
container
and
a
vm,
and
it
gives
users
an
alternative
to
a
vm,
a
container
based
alternative
to
a
vm,
something
that
is
more
efficient,
faster
to
deploy
and,
like,
I
said,
more
portable
because
it's
not
tied
to
a
particular
hypervisor.
You
know
when
I
deployed
vm
on
aws.
A
A
A
As
I
mentioned,
it
gives
users
a
fully
capable
root
inside
of
the
container,
and
that
is
very
helpful,
because
a
lot
of
people
also
have
headaches
with
hey.
You
know
for
security
purposes.
I
don't
want
to
be
rude
inside
of
the
container
and
but
then,
if
I'm
not
running
side
of
the
container,
there's
many
things
I
cannot
do
inside
of
it
right.
This
says:
hey,
you
know
just
be
rude
inside
of
the
container.
A
So,
for
example,
with
rodney.
We
did
an
analysis
on
this
and
we
on
our.
We
have
a
big
test
server
with
a
lot
of
cores
and
a
lot
of
memory,
and
we
found
that
we
can
put
twice
as
many
of
these
system
containers
as
we
can
put
vms
running
the
same
workloads
at
the
same
performance
right.
So
it
sort
of
doubled
the
capacity
of
that
machine
right.
A
Here
are
some
of
the
use
cases
that
we're
seeing
from
our
adopters
the
most
common
one
right
now
is
cicd
use
cases.
Why?
Because
a
lot
of
people,
the
docker
in
docker
and
coordinators
in
docker
paradigm,
show
up
in
the
cicd
use
case
right.
The
jobs
are
containers,
but
then
the
jobs
need
to
run
docker
itself
or
in
some
cases,
even
the
clock
overnight
cluster.
So
it's
very
convenient
to
do
that
and
prior
to
sysbox
people
were
using
privileged
containers
and
sysbo
gives
them
a
way
of
saying
hey.
A
A
A
They
create
containers
and
they're
behind
the
scenes
you
know
to
to
provision
those
environments,
but
those
containers
were
fairly
limited
in
what
they
could
run
with
this
box.
It
opens
a
lot
more
workloads
that
they
can
run
inside
of
those
environments,
so
they're
very
so
so
they're
using
that
already-
and
as
I
mentioned
it
is
you
know,
container-based
infrastructure
as
code
right,
some,
we
are
seeing
also
people
that
say
hey
instead
of
having
to
deploy
a
vm,
you
know,
can
I
use
one
of
these
containers.
A
It's
a
lot
more
natural
to
a
lot
of
people
that
are
already
in
cloud
native
to
use
a
container
than
to
use
a
vm
right.
It's
the
docker
file.
It's
a
simple
docker
run
command.
It
runs
on
the
cloud
it
runs
on
that
on
on
on
the
machine.
It
doesn't
require
nested
virtualization
on
the
cloud
right
voice,
the
need
for
nested
virtualization
cloud
and
and
and
it's
very
efficient
right.
So
so
we
are
seeing.
B
A
Like
aws,
you
require,
and
and
when
you're
doing
this
virtualization,
not
only
is
it
a
little
bit
painful
to
set
up
on
the
cloud
itself,
you're
wasting
your
cloud
computing
cycles
right,
you're,
wasting
your
cloud
computing
cycles
in
emulating
hardware
in
software
right
you're
paying
for
those
cycles.
You
know
this
is
a
much
more
efficient
way
of
doing
it.
Right,
hey
we're,
not
saying
that
this
is
equivalent
to
a
vm.
In
some
cases
you
do
need
a
vm
right.
A
Let
me
tell
you
a
little
bit
of
how
things
are
what
it
does
are
that
the
covers,
and
then
I'll
show
you
a
demo
and
give
you
a
little
bit
of
how
to
use
this,
and
I
could
also
show
you
what
it
doesn't
have
to
cover.
So
some
of
the
key
things
at
a
high
level
that
it
does
under
the
covers
it
uses
a
kernel
module
called
shift.
A
Fs
is
right
now
only
present
in
ubuntu
kernel,
okay,
that
allows
us
to
give
the
fake
root
inside
of
the
container
access
to
the
container
file
system
so
what's
happening
there
is
that
docker
normally,
you
know,
sets
up
the
container
file
system
under
the
covers
on
the
bar
leave
docker
and
everything
is
root.
Everything
is
owned
by
root
in
those
directories
right,
but
then,
when
we
create
a
container
like
inside,
the
container
processes
are
not
the
rooting
inside
of
a
container
but
they're
not
brought
inside
the
hose.
A
So
how
do
we
make
those
known
root
processes
at
host
level
access,
rooftop
systems?
You
can't
shift
the
first
serve.
That's
the
glue
between
that
right.
It
allows
us
to
you
know
if
we
mount
it
inside
of
the
container
and
whenever
the
container
processors
are
accessing
their
file
system,
their
ch
root,
glo
shiftfs
enables
them
to
access
those.
Those
were
file,
systems
that
are
set
up
for
them.
A
That
doesn't
mean
that
sysbox
only
works
on
ubuntu
right.
It
means
that
with
ubuntu
you
get
that
you
get
this.
It
works
without
any
changes
in
docker,
without
ubuntu,
with
or
or
more
more
accurately,
without
this
module,
you
do
need
to
put
docker
in
what
is
called
user
ns
remote
mode
right,
which
is
enable
the
username
space,
but
in
ubuntu
you
don't
even
need
to
do
that
right.
A
Config,
it
also
does
what
we
call
partial
emulation
of
the
proc,
the
phase
and
ccfs
file
system.
Those
are
slash
programs
like
this
right
and
by
that
we
mean
that
what's
happening.
There
is
that
you
know
that
those
those
file
systems
have
many
resources
with
which
applications
communicate
with
the
kernel,
in
particular
system
level,
apps
like
docker,
kubernetes
systemd.
A
It
also
does
selective
cisco
trapping,
so
in
general
we
don't
want
to
trap
cisco's
because
they
immediately
affect
performance,
but
for
certain
ciscos
in
particular
control
level
operations
that
are
that
seldom
occur
that
are
not.
There
are
more
control
path
operations
rather
than
data
path
operations.
A
A
Because,
as
you
will
see
inside
of
the
container,
we
are
already
emulating,
slash
brokers,
assist,
but
then
inside
of
the
container,
someone
may
say
mount
brock
somewhere
else,
and
the
proc
that
has
to
show
up
is
our
emulator
pro,
not
just
another
prop
from
the
kernel,
otherwise
the
radius
of
the
very
whole.
So
that's
why
the
trap
and
the
amount
of
cisco
gets
trapped
and
we
mount
hours
right,
and
that
happens
inside
of
the
container
or
any
other
inner
containers.
That
may
happen
that
may
be
inside
of
the
system.
A
Container
right,
where
we're
always
traveling
and
and
and
that
emulation
is
very,
is
not
easy,
because
we
have
to
then
figure
out
okay
that
process
what
name
spaces
is
it
in?
How
are
we
emulating
right?
You
know
it's
that's
where
a
lot
of
the
meat
offset
boxes
in
this
area,
okay
and
rodney
is
the
main
responsible
for
all
that
stuff.
A
Okay,
sysbox
also
sets
up
some
implicit
amounts
in
the
container
right.
So
even
you
know
what,
as
soon
as
you
deploy
a
container,
it's
already
setting
up
a
bunch
of
other
mounts
that
you
necessarily
the
user
may
not
have
asked
for,
but
that
it
knows
processes
like
dockers,
systemd
kubernetes
rely
on
in
order
to
work
properly
right.
These
are
things
that
you
normally
would
find
on
a
regular
vm
right.
These
are,
and
so
it's
setting
those
things
up
for
you
inside
of
the
container.
A
A
A
You
know
so
so
it
installs
like
that
and
then
once
you
install
it,
the
only
thing
you
need
to
do
is
now
use
docker,
always,
except
that
you
need
to
pass
that
flag
right.
That's
the
only
thing
you
need
to
do
once
you
do
that
you're
going
to
get
that
enhanced
container
at
that
point.
Right,
for
example,
now
you
can
pass
any
container
image
you
want.
We
have
sent
many
references
referenced,
except
for
sample
container
images
on
our
docker
house
website,
one
of
them,
for
example.
This
one
has
the
ubuntu
focal
destroyer
in
it.
A
A
This
is
the
showing
you
that
this
is
a
fake
root
container
right
rooting,
the
container
map
to
some
user.
That
fleetwood
has
chosen
at
host
level
right.
So
that
already
gives
you
the
strong,
strong
isolation
you
can
create
inside
of
it
in
your
containers,
for
example,
with
docker,
it's
going
to
run
a
full
speed
because
there's
nothing
that
we're
doing
to
slow
down
docker
pretty
much
there
right.
A
A
So
let
me
show
you
what's
happening
there
you
are,
you
can
see
this
is
the
outer
container
right
here
running
systemd
right.
This
is
the
one
that
was
deployed
by
sysbox
there's
container,
dishing,
okay,
the
systemd.
This
is
everything
that's
running
inside
of
that
container
right
all
of
the
systemd
demons
and
here's
the
inner
container.
A
A
nice
property,
actually,
we
think,
because
it
allows
a
system
administrator
to
have
a
full
view
inside
of
what's
happening.
You
know
on
all
of
the
containers
right,
no
matter
how
many
levels
of
nesting
there
are.
You
have
a
full
view
from
the
front.
Each
of
the
levels
below
has
a
full
view
as
to
inside,
but
from
the
inside.
Of
course,
you
cannot
see
anything
right
so
from
here.
A
Well,
you
can
see
right
from
here.
You
cannot
see.
You
only
see
itself
right,
yeah
the
container
inside
the
containers.
That's
right!
That's
right!
Right!
You
can
only
see
himself
and
that
it's
also
a
nice,
I
think,
from
a
secure
perspective.
This
may
be
something
important
because
you
know
with
vms
you're
sort
of
for
big
right
like
if
you're
a
hypervisor.
You
cannot
really
look
what
processes
are
necessarily
running
inside
of
that
pm
right.
It's
an
opaque
abstraction
where
three
containers
is
at
least
from
the
holes.
A
You
can
see
what's
happening
inside
of
the
container,
so
that
may
help
with
monitoring.
Does
that
answer
your
question
also
over
here
I'll
show
you
here
you
can
see
that
the
username
space
is
right.
There
right
on
the
container
that
sysbox
creates
in
the
inner
container
there's
no
username
space.
That's
a
container
that
docker
is
creating
with
this
without
crmc.
It's
a
regular
container
right,
but
this
username
space
ensures
that
everything
that
is
running
here
is
isolated
from
the
host.
A
So
again,
back
here,
I'm
again
inside
of
that
container.
Oh,
let
me
a
little
bit
I'm
going
to
decrease
just
a
little
bit,
because
I
want
to
show
one
thing
inside
of
the
container,
which
is
you
can
see
that
under
proc
there's
proc
inside
of
the
sysbox
container,
you
can
see
that
this
box
is
right.
There
right,
emulating
certain
things
inside,
in
particular
the
proxy's
hierarchy.
A
Again
I
just
mounted
proc
and
then
at
this
new
directory
and
then
again
you
should
see
sysbox
right
there
right,
it's
a
sysbox
back.
That
shows
you
that
the
cisco
is
what's
intercepted,
basically
right
from
the
container
and
so
that
we
were
able
to
do
what
we
needed
to
do
right
now,
one
now.
I
I
showed
you
how
I
I
I
use
docker
to
deploy
an
inner
container
using
alpine
right.
So
now,
there's
inside
of
this
sysbox
container
there's
an
alpine
image.
A
A
A
No
longer
empty,
there's
the
alpine
image
right,
so
it
captures
it.
So
it's
able
to
capture
with
the
commit-
or
you
cannot
do
the
same
trick
with
the
docker
file.
Also
right
so
you
can.
When
you
build
your
outer
image,
you
can
start
inserting
inner
containers
in
it
very
quickly,
very
useful
for
for
many
ccd
scenarios.
A
They're,
both
stopping
right
there.
Would
you
would
you?
Let
is
this
good
enough?
Would
you
guys
like
to
see
also
maybe
a
kubernetes
example
running
inside
of
the
container
or
or
sir
sure
so
for
kubernetes
is
the
same
exact
thing.
You
know
we
have
a
reference
image
that
comes
pre-loaded
with
all
of
the
kubernetes
components.
A
I'll
show
you
this
one
takes
a
little
bit
more
because
there's
a
little
bit
of
setup.
That
is
happening
underneath,
whether
it's
running
already
by
the
way.
This
is
slow,
because
it's
running
on
my
on
a
vm
inside
my
laptop,
so
you
know
you're
gonna,
on
a
faster
machine
a
little
faster.
Now
I
launched
the
image
that
has
the
kubernetes.
As
I
mentioned,
it
comes
pre-loaded
with
inner
con
with
all
of
the
coordinated
components.
A
Look
at
this
if
I
do
docker
images,
look
at
all
the
stuff
that
I
already
came
inside
of
that
q,
proxy
controller
manager.
All
of
the
you
know,
as
you
know,
kubernetes
run.
All
of
these
things
in
pots
is
able
to
run
all
of
these
things
in
pockets
themselves
right.
These
are
all
the
the
images
that
are
going
to
create
those
spots
right
and
so
now,
in
order
to
start
kubernetes,
you
will
do
sudo
and
then
you
would
use
the
exact
same
command
that
you
would
on
a
vm
to
set
up
kubernetes
that
command.
A
A
Here
there
it
is
it's
that
one,
the
keyboard.
So
if
we're
doing
things
right,
there's
nothing
special
that
you
need
to
do
in
the
container.
The
exact
same
sequence
that
works
on
a
physical
machine
or
ibm
has
to
work
inside
of
the
container
to
install
kubernetes
and
there's
kubernetes
trying
to
boot
up
it's
going
to
tell
you,
hey,
I'm
going
to
wait
to
four
minutes,
but
it's
going
to
actually
go
way
faster,
probably
30
seconds,
because
it's
gonna
find
that
it
has
already
all
of
the
components
that
we
needed
to
download
they're
already
there
right.
A
So
it
doesn't
mean
to
to
to
pull
all
that
stuff
right.
So
you
give
it
a
few
seconds.
So
the
way
you
would
create
in
a
kubernetes
cluster
is
you
will
launch
multiple
of
these
sysbox
containers
right
connect
them
through
a
docker
network
or
an
overlay
network,
and
each
of
those
containers
represents
a
kubernetes
node,
that's
what's
happening
in
this
case,
this
is
became
like
the
master
node
right.
A
A
A
You
only
see
the
outer
container
and
the
whole
level
is
pretty
clean
right.
Everything
got
encapsulated
inside
of
that
container
and
I
can
launch
another
one
of
those
and
create
and
join
it
into
the
cluster
right.
I
can
launch
as
many
as
I
can
and
join
them
into
the
cluster
with
a
simple
command,
but
you
can
see
already
kubernetes
is
running
and
it's
looking
is
looking
good
inside
of
that
container.
Right.
A
B
A
And
and
kind
uses
privileged
containers
and
uses
very
complex
image
entry
points.
You
know
right
that
they've
set
up
right
so
so
because
of
user
product
containers,
you
already
put
your
hosts
at
risk
immediately
right
and
then
mini
cube.
Well,
you
can
use
you
can
have
both
the
vm
mode
or
without
vms
right.
It
goes
either
way,
but
in
other
cases
either
using
previous
containers
or
using
vms.
A
E
Well,
we
haven't
really
tested
the
mac,
you
know,
but
obviously,
as
long
as
you
have
a
linux
vm,
you
can
do
anything
that
you
do
in
linux.
Now,
when
cesar
mentioned
5.5,
that
is
excluding
ubuntu
ubuntu,
we
are
fully
compliant
with
what
they
have
since
5.2,
so
yeah
for
none
of
wounded
kernels
is
5.5
and
when
it
comes
down
to
the
mac,
as
I
said
you
know,
if
you
have
a
linux
vm,
you
should
run
two
yeah.
Of
course,.
D
D
A
E
Yeah
and
actually
there
are
a
couple
of
engineers
working
on
arm
testing,
cisco
right
now
we
haven't
heard
from
them
that
just
happened
last
week,
but
they're
interested
in
trying
arm,
and
I
think
there
they
made
it
work,
but
we
have
to
you
know
to
keep
track
of
what
happened
there.
Okay,
interesting.
A
Let
me
go
back
to
the
presentation
here.
I
talk
about
the
two
flavors
of
salesbooks
that
we
have
right.
So
we
have
what
is
called
the
community
edition,
which
you
can
find
on
github
and
it's
free
open
source
using
apache
2.0,
and
it's
really
meant
for
individual
developers
to
play
around
with.
You
know,
get
get
a
feel
of
experience
and
even
set
up
initial
ci
infrastructure.
You
know,
and
then
we
have
the
enterprise
version
which
is
paid.
A
A
It
has
the
sharing
of
the
inner
container
layers
for
higher
efficiency
right.
We
build
we
tested
with
a
higher
scalability
and
it
comes
with
our
support
and
future
prioritization
right.
So
this
is
what
we're
hoping
we'll
keep
the
lights
on
for
up
for
for
a
while
and
more
than
that
right,
we'll
allow
us
to
grow
right,
but
really
where
the
adoption
is
happening
right
now,
mainly
here,
and
we're
very
happy
about
that.
A
A
A
A
It's
really
the
first
entry
point
right,
so
it
takes
the
container
spec
from
from
the
higher
layers
and
it
actually
sets
up
the
name,
spaces
c
groups,
the
ch
root
gl
for
the
container
right.
It
creates
really
the
container
it
runs
ephemerally.
In
other
words,
it
sets
up
the
container
and
then
the
pro
that
process
dies.
This
is
what
rancid
process
dies
is
very
much
very
similar
to
the
old
severancy,
but
with
some
modifications.
A
A
A
It
also
does
the
cisco
trapping
again
when,
while
silver
currency
sets
up
the
container,
he
tells
the
kernel
hey
any
processes
that
are
inside
of
the
container
that
are
accessing
these
syscalls
trap
them
and
send
them
to
sysvogfs
right,
and
so,
when
the
processes
go
and
do
mount,
that
access
comes
to
silverfest
figures
out
what
containers
is
coming
from?
What
do
I
need
to
do?
You
know?
Where
do
I
need
to
mount
and
he
doesn't
mount
the
important.
E
A
Will
scale
that's
right,
data
path
start
we
try
to
stay
as
much
as
possible
away
from
the
data
paths
right
so
that
we're
not
affecting
that
performance
of
the
container,
because
that
would
immediately
kill,
because
you
know
if
the
data
path
has
to
go
to
the
kernel
and
then
come
back
to
sysborg
fs,
then
and
then
go
back
to
the
kernel
that
will
probably
her
performance
battery,
but
for
control
path
operations.
That's
all
right,
and
then
we
have
the
sysbox
manager,
it's
also
a
demon,
and
he
does
things
like
allocating
exclusive.
A
A
So
you
can
see
that
this
is
a
more
involved
runtime
than
say
the
oc.
Iran
see
right.
The
autoimmunity
is
really
this
component
right
and
that's
that's
the
most
important
component
by
the
way.
But
these
two,
you
know,
are
the
heart
of
this
box
right
here,
but
they've
got
this
guy
right.
It
is
the
heart
of
the
thing.
A
A
A
That
is
still
something
that
we're
just
starting
with
right.
Now,
we've
been
focusing
more
on
hardening
in
the
container
itself
right.
You
know
which
the
inside
whatever
is
running
inside
of
the
container.
That's
the
container
is
the
trust
boundary,
that's
sort
of
the
way
we
live,
but
but
we
do
need
to
work
on
these
two,
because
people
are
going
to
ask
about
that
too.
B
A
You
some
of
the
limitations
right,
because
nothing
is
perfect.
One
is
that
it
requires
the
next
five
to
five
or
more
integration
with
kubernetes
is
still
a
working
progress.
In
other
words,
we
are
not
yet
able
to
have
kubernetes,
deploy
pods
with
sysbox
right
and
that's
because
kubernetes
itself,
the
topic
of
using
the
linux
username
spacing
pods,
is
something
that's
still.
A
A
It
is
not
100
oci
compatible
and
that
what
what's
happening
there
is
that
the
ocs
again,
the
spec,
that
the
container
d
or
or
or
cryo,
would
pass
to
xbox
to
create
a
container.
The
reason
is
not
100
compatible.
Is
that
on
sale
box
always
uses
a
linux
username
space
right
it
always
will
do
that.
In
other
words,
even
if
docker
says
just
create
me
a
regular
container,
you
know
without
the
username
we
set
it
up
with
the
space
right,
because
that's
the
heart
of
the
thing
right.
A
So
those
little
things
create
the
incompatibility
right
there
other
than
that
everything
is
pretty
much
compatible.
This
hasn't
not
been
a
problem.
People
don't
even
notice
this
right,
they're
just
doing
docker
run
and
things
are
working
for
them.
So,
but
it's
certainly
something
that
we
would
love
to
work
with
the
oci
on.
In
order
to
try
to
see
if
we
can
work
on
the
spec,
you
know
to
try
to
accommodate
some
of
the
things
that
we're
doing,
but
we
haven't
yet
had
a
chance
to
do
that.
A
Some
low-level
functionality
does
not
yet
work
inside
of
the
container
right.
There's
things
like,
for
example,
ipvs
still
doesn't
work
inside
of
the
container
right.
It
finds
itself
without
permissions.
You
know
actually
examine
binds
it
up
without
permissions.
Sysbox
needs
to
do
some
more
trickery
in
order
together
to
run.
A
And
the
process
and
system
simulation
well,
we
have
some
there's
still
more
plenty
more
to
do.
For
example,
we
want
to
emulate
things
like
prox
cpu
info
proc,
maybe
info
they
should
reflect
not
the
resources
of
the
host.
They
should
reflect
the
resources
that
were
given
to
the
container
via
the
c
groups
right.
A
As
far
as
the
road
map,
our
number
one
item
right
now
is
integration
with
kubernetes,
also
enabling
more
functionality
to
run
inside
of
the
container
right.
More
and
more
system
level
workloads
right
inside
of
the
container
improve
the
process
and
system
phase
ventilation,
improve
the
security
hardening
both
on
csbox
itself,
as
well
as
the
container
even
exposes
even
exposing
false
devices
into
the
container,
with
the
appropriate
permissions
right.
A
A
A
This
vm,
like
containers,
but
the
big
big
difference
being
that
lxd
is
not
compatible
with
docker
and
kubernetes
ecosystem
right.
It
is
its
own
thing.
You
know
where
a
cis
box
plugs
in
to
the
docker
kubernetes
ecosystem
and
and
in
a
way
it
takes
docker
and
brings
it
closer
to
the
capabilities
of
lxd
right,
and
we
think
that
that
is
the
missing
piece
right,
because
we
think
that
people
already
in
that
you
know
used
to
when
they
think
containers
they
think
darker,
they
think,
coordinates,
and
so
that's
the
way
to
go.
A
As
I
mentioned,
there's
something
called
rootless,
docker,
not
the
same
thing.
That's
running
docker
and
the
host
without
privileges
is
very
challenging.
It
does
not
result
in
containers
that
can
run
docker
or
kubernetes
inside.
No,
it
just
results
in
you
not
needing
root
access
to
run.
Docker
containers,
firecrackers
or
those
are
all
vm
based
micro,
vm,
based
approaches
to
wrap
containers
in
micro,
vm,
very
interesting
tool,
but
not
the
same
thing
right.
In
some
cases
there
may
be
better
like
if
you
want
a
stronger
isolation.
A
Even
for
your
containers.
Those
are
probably
approaches
that
give
you
stronger
isolation,
but
then
I
can
require
you
hypervisor
or
require
necessary.
Virtualization
right
csv
gives
you
stronger
isolation
than
a
regular
container.
It
doesn't
take
you
all
the
way
to
the
isolation
of
a
vm
right,
but
at
least
it
gives
you
an
alternative
in
the
middle
things
like
pokemon
are
different,
like
pokemon
is
more
of
a
like:
a
replacement
for
docker
a
seat
box
runs
underneath
button.
A
It
would
integrate
with
button
there's
also
something
called
g
bios
or
which
is
a
runtime
a
container
runtime,
but
it
has
the
purpose
of
securing
the
container
by
sort
of
restricting
the
the
cisco's
that
you
know
trapping
and
restricting
some
of
the
syscalls
that
that
it
that
it
does
towards
the
kernel
again.
It
doesn't
result
in
containers
that
can
run
things
like
docker
and
kubernetes
inside.
So
it's
a
different
thing.
A
A
B
A
No
not
yet
no
at
this
point
we've
we
it's
something
that
has
crossed
our
mind,
but
we
haven't
given
it
the
serious
thought
yet
because
we
haven't
had
the
time
you
know
we're
sort
of
focused
so
focus
right
now
in
keeping
the
company,
you
know
growing
the
company
right,
it's
a
very
young
company.
We
want
to
keep
it
alive
in
a
challenging
year,
so
we've
just
been
focusing
on
getting
the
functionality
nice
to
be
there
and
getting
the
customers
without
surfing
any
red
tape,
or
anything
like
that
right.
Just
just
going
away.
A
So
that's
something
that
has
crossed
our
minds,
certainly
something
that
we
would
consider
you
know
we
would
need
to
balance
that
out
to
see,
if
also
from
a
business
perspective,
how
we
can
arrange
that
so
that
we
can
have
six
bucks,
be
part
of
an
organization,
let's
say
like
cncf
or
or
oci,
even
and
at
the
same
time
you
know
make
sure
that
we
are
able
to
to
give
the
lights
on
and
and
have
some
avenues
of
revenue.
That
would
allow
us
to
create
a
nice
relationship
between
open
source
and
the
business.
B
Correct
correct
yeah
yeah,
so
you
mentioned
that
you're
more
like
an
open
core
model
like
so
meaning
like
the
open
source
version.
Is
it's
actually
really
available
and
I
guess
mentioned
apache
license
right.
So
what
would
be
the
the
the
non,
the
the
components
that
are
not
part
of
that
open
source
yeah.
A
No,
you
know,
basically,
all
of
the
components
that
I
showed
in
that
design.
You
know,
and
all
of
the
basic
functionality
is
open
source
right,
because
that's
what
you
need
in
order
to
get
a
basic
thing
working,
what
is
not
part
of
the
open
source
is
functionalities,
are
features
that
are
meant
more
for
enterprise.
A
You
know
and
those
I
would
rely
around
even
stronger
security
efficiency
and
scalability
on
the
security,
for
example,
if
you
use
the
sysbox
open
source
version,
you
know
all
containers
always
use
a
linux
username
space,
but
they
all
get
the
exact
same
id
mapping
to
the
host
right,
so
cross
container,
isolate
container
to
host
isolation,
strong,
but
cross
container
isolation,
not
as
strong.
If
you
use
the
enterprise
version
now,
it
gives
you
the
exclusive
mappings
per
container
right.
So
that's
a
a
small
feature
on
the
efficiency
side.
A
You
know
if
you
use
the
enterprise
site,
then
it
will
do
the
sharing
and
they
lose
the
whole
storage
right,
make
it
a
little
bit
faster.
So
the
criteria
that
we're
using
at
a
high
level
is
features
that
are
meant
for
developers
that
allow
developers
to
benefit
play
around.
With
this.
You
know
even
start
using
their
ci
initially
or
whatever
they're
they're
going
to
go
on
the
open
source.
A
A
Those
we
typically
right
now
are
reserving
for
the
enterprise
version
right
and
then,
as
we
grow,
some
things
and
the
enterprise
may
end
up
eventually
being
open
sourced
into
the
reversion
right.
I
don't
think
we'll
ever
go
the
other
direction
right
once
it's
open
source,
that's
the
united
states
open
so
but
that's
sort
of
what
we
have
in
mind
right.
B
A
B
B
You
know
as
far
as
like
being
mentioned,
or
maybe
a
cube
con
and
you
know
shown
on
the
website
so
some
of
those
things
right
so
and
so
a
lot
of
the
product.
There
are
a
lot
more
more
projects
in
the
sandbox
level
and
and
then
from
there
they
start
maturing
and
if
they
and
they
have
like
a
more
adoption
and
more
use
cases,
then
what
they
can
do
is
apply
for
incubation
and
in
an
incubation
stage
they
there's
there's
some
due
diligence.
B
You
know
where
a
member
of
the
toc
reaches
out
to
like
end
users
and
members
of
the
community
to
find
out
details
about
the
the
adoption
and
how
the
project
is
doing
and
eventually
there's
a
vote.
You
know
whether
to
include
that
in
the
incubation
stage
in
that
that
that
actually
gets
even
more
exposure
right.
B
So
there's
like,
I
think,
an
incubation
there
there's
like
sessions
of
kubecon
specifically
for
projects
in
incubation,
and
I
think
there's
some
other
things
like
listed
on
the
on
the
github
page
over
the
cncf
but
yeah
in
general.
You
know
you
go
through
these
levels
right
and
and
then
the
higher
you
go.
B
It
means
that
you
you're
going
to
get
more
exposure
and
the
project's
going
to
be
more
mature,
but
yeah
I
mean
you
can
take
a
look
at
the
cncf
page
and,
and
you
can
see
the
projects
there
and
then
you
can
see.
Maybe
the
the
projects
that
are
in
the
different
stages
and
and
see
how
that
fits
in
with
sysbox.
A
B
Yeah,
so
if
you
want
to
do
some
box
and
you
there's
a
link
on
the
on
the
sick,
runtime
page,
the
google
doc
and
there's
a
spreadsheet
where
you
can
post
your
project
there
and
then
it
can
be
voted
on
whether
to
be
accepted
into
sandbox.
And
I
think
it's
just
not
that
it's
a
very
straightforward
process,
sandboxes
that
the
bar
for
being
into
sandbox
is
not
very
high.
E
B
That
so,
if
you
put
it
there,
then
I
think
it
next
month,
there's
a
vote
on
or
every
month,
there's
a
vote
on
whether
to
include
there
and
and
if,
if
it
passes
like
some
certain
criteria,
I
think
he
needs
to
have
like
an
owner's
file
in
the
github
repo.
It
needs
to
have
my
maintainer
information,
so
some
and
it's
actually
all
those
requirements
are
listed
too.
A
And
one
of
the
one
of
the
of
the
reservations
we
had
when
someone
talked
about
cncf
or
some
of
the
other
organizations
who
said
well
in
our
minds
right,
we're
thinking.
Okay,
we
go
there,
we
probably
gonna,
get
good
adoption
immediately
right
or
or
more
outside,
but
do
you
know?
I
guess
we
we're
a
little
bit
very
afraid
of
losing
control,
and
by
that
I
mean
in
particular
the
control
of
the
features
that
will
go
into
the
free
version
versus
the
enterprise
version
right.
B
You
can,
you
know,
donated
to
the
cncf,
but
if
you
know
of
something
that
is
not
going
to
be
open,
you
know
just
decouple
that
part,
because
once
you
donate
to
the
cncf,
I
mean
there's
right:
it's
already
going
to
be
public
in
open
source
right.
So
so
so
whatever
you
don't
want
to
be
there,
so
don't
make
it
part
of
the
github
repository
or
a
private
repository
or
something,
and
then
you
know
have
your
own
license
for
that.
A
But
would
there
be
a
risk
of
let's
say
you
donate
this
to
the
cmc
of
the
open
source
part
you
give
the
proprietary
closed
source
right
and
you
don't
donate
that
part,
but
is
there
a
risk
where,
as
time
goes
on
the
you
know,
the
cncf
adopters
or
developers
are
saying
hey?
You
know
I
want
this
functionality,
that
is
in
the
enterprise
version.
A
C
B
E
B
B
A
See
value
not
just
I
mean
the
runtime
is
the
piece
that
we're
working
on
right
now,
but
we
do
think
it
opens
up
a
bunch
of
new
use
cases
for
containers
and
as
a
result
of
that,
there's
going
to
be
opportunity
around
those
end.
Use
cases
also
right,
as
opposed
to
the
runtime
itself
right,
so
the
runtime
can
be
a
catalyst
to
a
bunch
of
new
use
cases.
So
there
may
be
value
here
too
right,
but
we're
not
there
yet
and-
and
we
don't
know
where
we
will
be
there
right-
we'll
see.
B
Yeah
exactly
exactly
yeah,
so
yeah
and
and
yeah
yeah.
So
my
recommendation
is,
if
you
decide
to
do
it,
then
make
sure
that
those
components
you
know
that
they're
yeah
those
are
going
to
be
open
source
forever,
right,
those
components
right
and-
and
then
I
I
mean-
I
personally
think
it's
it's
great-
that
you
have
also
the
other
features
right,
because
that
actually
helps
you
sustain
yourself
and
as
a
company
and
also
helps
you
sustain
the
project
right
because.
A
A
B
E
B
Yeah,
in
I
mean
the
next
steps
will
be
cube,
con
sections
or
something
like
you
right,
you
know
submit
some
some
of
these
sessions
or
there
could
be
also
some
work
that
that
that
I've
seen
that
cncf
does
is
webinars.
You
can
maybe
schedule
a
webinar
with
them
and
work
with
with
cncf.
I
see
I
see
so
get
that
to
get
that
more
exposure,
and
additionally,
from
this
right
from
from
this
presentation,
yeah.
A
A
B
E
B
A
B
A
B
Yeah
and
then
there's
a
lot
of
confusion
too,
probably
on
and
because
this
technology
is,
I
guess
it's
you
need
to
understand
all
the
details
and
then
not
everyone
who,
who
is
a
decision
maker,
is
actually
very
technical
or
understands
all
the
details.
So
so
there
could
be
a
lot
of
confusion
right.
So,
oh,
why
do
I
need
to
use
divisor
or
why
do
I
need
to
use
right
this
box
yeah?
So
it's.
It's
also,
there's
also
like
a
lot
of
work
in
terms
of
education
and
yeah.
A
A
Yeah,
thank
you
so
so
much
ricardo
for
the
invitation
and
we'll
be
keeping
in
touch.
If
you
have
again
a
contact
on
the
webinar
or
please
send
it
to
us.
Otherwise
we'll
go
ahead
and
try
to
find
ourselves
see
if
that
there's
an
opportunity
there
for
us
awesome
awesome
all
right
all
the
best.
Thank
you
so.