From YouTube: Flatcar Container Linux community meeting
A
Okay, hello, hello, welcome to our office hours. How about we start with a short introduction round, just to make sure everyone here knows each other, so maybe I'll go first! You know, ladies first, and so I'm Danielle, I'm a community manager for Flatcar.
B
C
Yeah, hello, hi, I'm Cyan. I also work with the Flatcar containers team and I primarily look up into the releases part and yeah, handing out to Kai.
D
A
C
G
All right, I guess we'll go next, so hey, my name is Juan Antonio, or Oz for short, and I do all things security in Equinix Metal. We extensively use Flatcar and that's how I started incessantly poking folks about SELinux and oh yeah. That's me, yeah, I'm that guy.
A
Cool, so maybe I'll share my screen quickly, so we would see the agenda once I'll find the right screen to share, not oversharing here. I think I got the right one, hope so. Okay, can you see the agenda?
F
A
Okay, so maybe we do it like we start with updates, so yeah, let's just go in the order listed. So I guess, Matthew, you're next.
B
Okay, so yeah, quickly talk about that. I'm a member of an association here in France, a DevOps one, and we try to organize one meetup a month or twice.
B
Every two months, depends, and the next one is about to be tonight in the Microsoft funeral office, and I will talk about Ignition and Butane, mainly, and, of course, with some Flatcar examples, and yeah. We also have a talk about serverless stuff. So it's about to be quite interesting, and a lot of DevOps topics, and after that, we got a networking session to, yeah, just exchange about DevOps and stuff like that around the beers.
B
B
So this is a place here in France to host this kind of events and to not organize everything inside the capital, so in Paris, so like so, we are able to host this kind of event outside the big cities and yeah. This is pretty cool and we expect, maybe, I don't know, 10 or 20 people tonight in the office and certainly 10 or 20 remotely, because we can host the event physically and remotely, so yeah. That's it. There's going to be an English presentation or also, it depends.
B
Actually, I think, and I expect to have only French people tonight, but of course, yeah, if we have English speakers in the room, I will talk in English, but it depends.
B
A
B
B
So I know it's not the highest, but it's the youngest, it has been built last year.
A
Cool, and you'll be giving a talk as well, right?
A
Anyway, now speaking of conferences, we had KCD in Berlin last week, it was pretty cool. I also popped there and tried to talk, so we should have the recordings, I guess, soon. So a couple of people who were the organizers took a time off, maybe related to the conference, maybe not, but yeah. They are off now and once we.
A
B
Yes, sure, so with the Flatcar team, we tried to sort and organize all the issues related to Flatcar and we try to close the oldest ones and the ones that are not accurate anymore. So we closed around 20 issues and we updated 40 or 45 and yeah. That was a good event. So I don't know if Kai or Saiyan, you have something to add regarding the event.
A
I have something, if no one else takes the stage, so like one of the things that you do also is kind of labeling them and say hey, this is a first good issue, so like if someone wants to get their hands dirty, and you know, smash some bugs too, there's a nice segue there, so like. As far as I know, all the issues have the appropriate labels, so everyone could join the party, right?
C
G
A
All right, so I guess next one is Juan. You have the spotlight this week or this month.
G
No pressure, no, no! Oh, hey everybody, so yeah! So people might know me for my incessant poking regarding SELinux. As you all know, we actively use Flatcar and I am like one of the six people that care about SELinux, including Matthew, but yeah, so, basically, let me give a quick introduction of what that is and why it's important, right.
G
So if you read about SELinux and you search around like, hey, what the hell is this thing, you're just gonna see like, hey, it's mandatory access control for Linux, and that doesn't really say much, right, but basically I think it's a very underrated tool for you to secure a Kubernetes environment, and it has been so and taken into use for containers, before that for virtualization before that, and it's just very, very effective at keeping a container actually constrained, right.
G
So what it actually does is that it is an LSM, right, and as an LSM, and LSM is hooks into the kernel that will prevent certain operations from touching many, many attributes from the Linux kernel, right, being files, being inodes, socket buffers are protected as well, all sorts of things, right. So with an appropriate LSM you're able to limit what actions can be taken into the kernel, so with digging down into SELinux now, in a container you're able to not allow containers from messing with each other, right.
G
So SELinux has a thing called context, and so even if everything from a container would be labeled as container_t, so container type is the label.
G
It will have a unique context in a node, and so only that specific process is going to be able to touch the network resources, the files, the memory resources that it's allowed to touch, right. So this is why I think it's very important, because it allows you to do some sort of multi-tenancy in a Kubernetes cluster, which is pretty hard to do.
G
If you don't take such actions, and now the current state of Flatcar is that we have a policy that's taken from the virtualization space and that was initially what SELinux was doing for Docker and for very early versions of Kubernetes, right, and it effectively allows you to do that, right. So today, if we set up SELinux enforcing, containerd or whatever CRI that you're using is gonna actually label the container and allow some protections, which is fine.
G
The problem is that, you know, as time has gone by, just protecting your container and isolating it is not enough, right. We need extra labels. We need extra things to tell the container to do things.
G
One modern label that people use a lot is spc_t, that's a super privileged container type, right, and that's gonna be your fluentd stack, right, that actually reads logs from the server itself. That's going to be basically anything that needs very privileged access into the node, right.
G
So this is why I started talking about, hey, let's get an update for the SELinux policy to get the new container.te file that, what was the name of that folk, concord from the Gentoo community, but yeah, that the contribution from concord, right, it's just gonna allow us to start expanding into more.
G
And actually take the best use of SELinux possible, right. The second thing that I want to start taking in is being able to effectively update the SELinux modules, install custom ones and trim down the permissions. So, for example, instead of giving back to fluentd all the permissions in the world, you're just going to allow fluentd to read logs, all right, and nothing else.
G
So even if there's a container escape, it's not able to touch anything else in the cluster, and so it allows you to partition your node in a very effective manner, and I love it, so, but as Matthew has noticed, and many of you might have noticed as well, it's extremely intrusive, right. So you need to label every single attribute of your system.
G
You need to make sure that your node starts with it being labeled, right, so there has been changes that Matthew has been doing for building the Flatcar image with appropriate labels, right. SELinux also requires you to give information of transitions, right. So when you're running systemd and that's going to be running another systemd service, that needs to have a specific label and you need to give it permissions to do things. So, basically, you need to model with a policy language.
G
What are all of the interactions that your system is going to have in order to get SELinux to work in an effective manner, right, and that has been the challenge, because in the past we've had a lot of stuff that is unlabeled and we cannot really do a policy for that, right. So let's say that if we would have had the logs unlabeled, then I cannot really give permission to fluentd to access unlabeled files, right. So that has been a big challenge.
G
But that's the work that he's been doing and I've been trying to support with comments, and I guess emotional support, maybe, but yeah, that has been happening, right, making sure that we label absolutely everything in Flatcar, making sure that we update the policies to make use of the latest and greatest stuff that the Gentoo community and the SELinux community has been doing, making sure that the tools that run very early in the process of Flatcar work, like torcx, for example, we've had to do some.
G
Some changes there in how we run that, and that's the gist of it, right. Where we want to get is we want to get into a point where you can just pass the kernel parameter SELinux equals one, enforce by default, and it should just work smoothly, as it does in other distributions as well. Toning down a little bit my rambling, does any of the stuff that I just said make sense?
F
Yeah, I have just one question: is the actual network also going to cover the base system, because right now I think it's mostly targeted about to have like.
C
G
G
Is that there has been a lot of changes in, for example, the systemd policy that allow us to run a bit more things. Let's say when you're starting systemd in the initramfs, it will need to relabel some files, there's a lot of us that we said in systemd tempting, those need to be relabeled, and that is not possible. With the current policy that is actually not even possible.
G
With a newer policy, there has been changes that need to be done to refpolicy itself, refpolicy being the upstream SELinux modules, right. So, yes, there's gonna be changes to base. There's gonna be contributions to SELinux itself as a policy. Well, the reference policy, and I mean, it covers everything.
F
G
B
For this great explanation, I think we are able to see the issue in the global way, and yeah, something quite complicated with SELinux is that if you try to change something, you need to build the whole image and it takes a bunch of time, and also just to conclude on this topic: we work a lot with the Gentoo community and the SELinux community on the IRC channel. So this is where your team works. It's not only Flatcar, it's also the other communities, so yeah.
B
This is really cool to have this traction between each other on this topic, and if you want to help on this topic, we have an SELinux label on the GitHub Flatcar repository and yeah.
B
You can just try to define all you can help, so it can be just running container workloads with SELinux in enforced mode, just to try out and to see what's broken, and you can also, yeah, try to see if the patches we are still using are still accurate, because some of them are quite legacy and we need to identify if it's still a wolf to maintain this page is a upstream downstream, sorry, and yeah.
B
That's it, and thanks a lot, Juan, for your help and all your inputs on this topic, so handing to Daniel. If you want to continue, or if someone else has questions on this topic.
D
I know it was just a small tip. If you build a Flatcar image, you can also disable dm-verity. That means you don't have this read-only mount from the user partition but a writable mount, and then you can maybe try out some other labels quickly, if you don't have to build another image for that, but.
B
B
Yeah, I tried that in the past, but I'm not sure if we can do that in the CI, because it's an option you need to pass in the build image steps. So I'm not sure if we can pass this option.
D
G
A
A
So I guess the next item on the agenda is the release planning. So we just go over the release board. So yeah, back to you, Cyan.
D
Yeah, so a lot of the items in plan to do are build system items that are not really exciting features landing in the final Flatcar image, but just the means to get to an image. So it's, yeah, more work behind the scenes. That's not really exciting for users, but it has to happen.
D
So that's why we delayed the next release a bit and still we can't really finish everything to make the next release with new pipeline, so it will maybe be the release in August that happens to be the first release with a new pipeline using this container Docker SDK approach, instead of cork from the mantle tool that we use currently still, and yeah. We have some other stuff reverb. So there's this bincache server where things are stored.
D
Now, instead of a Google bucket, and yeah, so it's a rework, it's slowly progressing, and at the same time we also have this topic with Gabriel to set up GitHub CI, where you have a build of your changes directly for the pull requests, and then you can download the build image and also see the kola test report. That's what we are currently working on.
C
C
Yeah, so with the next release, we have a couple of updates. So essentially the PRs are. These PRs are already created, but they are in the review state and should be merged. We are blocked on them, we've blocked on them. We are not anymore, so we found the issue and we have a workaround for it. We yeah.
F
H
H
H
Glitchy is blocked, still blocked because of the issue in update engine of arm64, and it's one of the CI tests is failing when it tries to update payload, insert update payload and reboot the machine and waiting for the next status, and it just hangs there without any reason. So I have not figured out yet, yeah. That's it, right.
F
So I have seen some triceps fixing the update engine. It's like looking for properly linker, but that wasn't enough.
C
Okay, so and on the systemd side we have still some work to do, so I'll push that to the next one, the curl and open. The call is done. I still need to test it, but openness is still need to be worked on and the Go is also still pending, but we hope to close it by this week, yeah, and we will start the builds and get the release out. To talk about the next one, as I mentioned, like we were planning.
C
We did this release for the getting the new pipeline in, but there's still some work that needs to be done, so for the next one, I'm planning which dates it should be. So if we go by the cadence, then it would be around 15th of August, but we have our conference, so we would have folks preparing for the talks or traveling as well.
C
So do you think we should move it earlier or move it like a week later, but another thing is I'll be gone on the week later, so we have a conference in India, so I might be attending that, so yeah. Any thoughts on that, like we could go the either route, it would be, it would be.
C
It's like alpha would be major and other than that other channel speed would be minor release, so the load would be less, so we could go earlier as well, but to get the new channel a new pipeline, and we could have more time if we push it to like 29th of August.
C
C
G
C
To verify, yeah, we would be having a new stable, a major stable in the next release. That is this current week, the builds that we're starting, right, so.
G
D
G
Okay, just making really clear, that's amazing, so then I can plan for starting taking into use.
F
G
Part of beta, but we're mostly taking in the stable.
F
C
Okay, so yeah, that's mostly from my side. If you have any questions, do let me know, or, as I will hand it over to Daniel.
A
Okay, so I guess I'll continue with this note and open the stage now, so if anyone got questions or topic that they want to bring up.
A
Okay, so I'll take this note, as maybe a closing note, and hopefully I'll see you next month, it was lovely to see a lot of faces here.