From YouTube: Kubernetes Sig Node 20180220
B
C
D
D
Yeah so actually before they Scott idea only 206 test fears and we understand of them, but now there seems to be like some more so I need to look into it. It's all! That's one thing almost oh, that has older if we type the past in including the the, for example, the Alpha features and that you guys might in ofte. So that's the first thing we focused on we focused on this quarter and another one is performance.
D
So, if you'll compare all darker reasons, yeah nerdy the memory you'd ages as there are these communities hello, my name is a little bit higher because the canary shame use more memory, but you don't nativist new doctor. The one used Nyoka nerdy, so it's HTV, Samia other than that other metrics are a bit better than the knocker.
D
That's for the performance side and another one we want to do this quarter is to merge the two project to let cannot even dirtier Kennedy so for this one where they finished. We already finished most of the code, so it's very possible. Today we have a pending PR ready for review. I know: I got some comment here, so we plan to merge days is quarter so.
D
Oregon's got some review from poor and often and if I care about this part, oh yeah, you're interested in this area. Please take a look so after this one's merged, qubit will be responsible to a tape and nerd-off. It's not some third party log rotator or the canoe on time, so Kublai to go to wait yeah only for for CRI removin times so yeah.
E
D
D
Yeah, so it's this one, so what this one does it does, it adds previously queue blade cat container log stash colleges can allow and they're not. You are discouraged from state of either with house now accumulate knows where is the canary log and CRI defines the log past, so actually Cuba can very easily do that. We already have the library, so this PR wouldn't see this reality for that feel that all those people have way the other way to gather these stats of this hello.
D
D
A
Kelly, can we also schedule a their latest update we still ow next week, I.
F
D
A
A
So, and also we mentioned that before you choose vacation and actually she is working on the testing matrix for the other content of runtime, so that everyone can Hestia and confirm test it returns and around its after Burhan. So then we can generate off the release grade and pass degree in canyoneering is between when we have all those who run hands product in writing. So that's why we want you at a nice to have the children have I thought what we sponsored us through the sale I interfaced I've heard anything we could follow.
C
This is a follow-up discussion of the sandbox sandbox isolation document that I introduced last week and hopefully more folks have had a chance to take a look at that. I did want to mention. I got a lot of feedback around the use cases and being hard to understand the differences on the requirements between guns and so I reorganized that section a bit to kind of better capture the differing requirements. A lot of those kind of sort of security requirements are not really well defined. You know it's not cleared why one use case needs.
C
C
Think the largest open question that I have is what level the the sandboxing should be at. It should be the pod level or the container level I think a lot of the remaining open decisions where once that's decided, those will sort of fall into place as kind of implementation details almost from that, and so that's been a big focus or for a lot of the discussions that I've been having and I wanted to and get some feedback from this group I don't know if anyone has thoughts on that and then just quickly.
C
I'll mention two other topics that I'd like to discuss. If we have time is the the plug-in model, specifically around device general device, support and Deegan sets, and also a little just touch on white cycle which might sort of fall out as an implementation detail from the sandbox level discussion, but yeah open the floor to questions or comments. I.
E
C
I'm sorry, the implementation complexity, but this this sub pod approach is by far the most flexible and powerful, and so we were feeling like if we decide that we need to if we decide that this sub pod isolation is something that we really need to support that this kind of flexible subpod, you know n sand boxes in a pod with containers. Mapping to one of those is the best approach.
C
However, the pod model is definitely the most consistent with today's models and, as a result, will be much simpler to implement. It's particularly nice around the the networking piece and general resource sharing is much simpler through this model, and so this is kind of like the preferred default. If we can dismiss the use cases for subpod isolation and just to kind of read, what's one of those use cases are any situation where you want to run a sidecar that might have higher privileges or higher trust than another container.
C
A
At least the use cases, what do we know? Derrick I don't know the the epd building use cases. Last week you mentioned I don't know, but our internal use kisses people talk to you with the sub part. We discussed and I think oh I have the some kind of a comment, kind of comments. People say that's not really impractical. We can provide that at least that's the sofa story. So that's why we I'm kind of looking forward to waiting for the image Beauty. You.
F
Are we having to make a choice here based on like the state of the broader community today or do we know if, like folks who are asking for privileged sonic, our containers have a way to not require them or what other? What other tools could we provide to avoid making them think they need a privileged sidecar container? Yes.
A
B
A
Also open question order: I have one here: can we start with the pod? Can we have that APM extended and a starter is part of them later and then we can either eye is open to I introduced the sub pod and it looks like it was so fact means the front API. Now it's not that easy to do, and that's also making this problem as much harder. So can Yoda yeah like.
F
On the image building side, I'll try to get the details sent out. The other way that we were looking at this was like folks, typically want access like to the docker socket or some other highly public socket and in the way you can get around. That is potentially using something like it's a nice plugin that gives you access to like a a proxied socket where you can provide the necessary sandboxing.
C
Yeah, so those are good questions. I think the kind of the general path or here is to reach out to any customers that want this and better understand the use cases when the requirements and kind of brainstorm what the alternatives are I think there's a few approaches to kind of you know, thinking about the service service provider model.
C
You know, there's perches, where you know, instead of running a sidecar for every pod. Instead, you run say, obtain a diamond set on each node. That kind of provides the same the same behavior. No, that means to be able to multiplex across different user accounts potentially, so it adds some complexity there, but isn't undoable.
C
Other approaches are using kind of affinity based pods that runs into some challenges, with kind of lifecycle management, making sure that those pods coexist in the right ratios and whatnot, and then the other approach is just say: you know if you don't actually need to be co-located. If you want to provide some sort of proxy in front of the traffic just provide that with another service in the cluster that then redirects to the user.
G
C
Other piece of it, which is some of the use cases that I've heard, are oh I'm running a third-party monitoring, sidecar that you know I don't trust the vendor or whoever, but in case it it's a monitoring tool and it needs pretty high visibility into the main, the main container, and so it's hard to isolate, they're similar around like say B is do proxy. If you wanted to say that you know that's from a different trust domain, I want to make sure that that cannot inspect my idea or whatever.
C
Option that I'm sort of thinking about it yesterday and haven't had a chance to talk through the details, yet is having a single sandbox per pod, and so this is kind of a simplification of the sub pod model. Where there's one sandbox per pod, and you can say that container is in or out, and so this sort of supports that you know the container is outside the sandbox are isolated from the ones within the ones with in the sandbox can't see. The outside containers and I was wondering if that potentially simplifies the the networking model.
C
G
C
Yeah definitely so this is a. This is another sort of broader question which is how backwards compatible. We want sand boxes to be, and it is a new concept that we're introducing and so there's some opportunity to say. Okay, we're gonna, actually change the semantics of you know around the sandbox and say this is a new concept, things in the sandbox and things out of the sandbox only share the network lair. They don't share the other resources that that is an option.
G
G
To some physical resources that the the other containers, the empirical agents, can't access can access sorry, so this is it it's kind of so you have this privilege container here inside car wants that that do not see the hardware resources that the unprivileged won't have. So it seems a little awkward to me.
G
Talking about the the sub-cut in general, or even that, would even apply to to D'amato that that you referred to where, if, if your sandbox container requests access to or do have the direct access to some some sort of device through path tree or any kind of virtualization technology, your sandbox containers would see the device and would get direct access to the device. But the preview, let's continue outside of the sandbox, would not so they are privileged.
G
C
G
There are actually a lot of use cases for this, so this this makes perfect sense. You want, you want to be able to load kernel modules, for example yeah yeah, so that that is a valid use case. That's there are there's privileged information. That's in that case where your container would be allowed to to mess with some part of the guest OS, but would not be allowed to see anything from from the hostess. You know. So it's it's a reduced privilege, but do you know I would say.
C
Now, enabling that privileged capability, it exposes more of the underlying implementation. So if you say you know, I want to be privileged, so I can install kernel modules. You know what happens if the sandbox is not based on a traditional virtual machine model. I think this is kind of generally true like it. You know if you're running just a regular pod without sandboxes in today's world and you're running privileged and doing things with the host OS, then you're placing a lot you're adding some dependencies on that host OS implementation.
C
F
F
Speculative value that you could tie to that use case, but I guess I get nervous that you know we're many years into the project and then adding this at the later date seems like a big fundamental change and so like I feel like I want, like a an overwhelming number of like things that are unlocked. If this is done, we're like right now, I feel like it's a lot of like it's more speculum like. Oh, that would be useful type of thing, but not asleep.
F
Calling out that it's fundamentally required could could we have like I know. I can enumerate the the openshift image building use case as like one example, and then I we've spent a lot of time. Trying to think about how to get out of having that need. Is anyone for the folks who are demanding the change like is? Is there a way that we can just collect all the use cases that have been presented and like see why or what alternatives were considered like?
A
B
A
It's not especially all those use cases, I heard so far and I have the long discussion with the team and I missed. Every single one. I have to come so I think there's that either they need to change their architect or it is they ask her some neck. The use cases Bianca Venegas could offer I miss the front, looks so fat disgusting, so I was the only things is neck. I don't understand that the open ship to use kisses I'm looking for for that one. So then we can continue discussing this so far.
F
C
So it's kind of what you were just saying: it's consistent with the current model and move forward with that, and then, if at some future later date, we find that actually, there are no well number of use cases for the sidecar isolation. Then we can extend this by sort of building up and building this you know some sort of sharing model above the pod, which is a big change from the current model. But at that point it would have to be kind of read the story for it.
C
It would have to have the driving news cases at that point, and so this is this idea of. Like you know, we can build that on top of the pod, instead of kind of starting with that and building it underneath the pod layer. So it's not like if we choose pod as the sandbox model, then there's no path forward or we have to kind of review the API or something yeah.
A
The only constraint is, is just introduce the dependency between we turn off the parts in which we try to avoid it from the beginning and yeah, but it looks yeah. This is the one possibility we can go forward if we just decide there the powder, the problem is, we we talk about. We discuss, needs to start with the pod, then we think about the furnace start from God, extended it to the sub pot or container. Your API is panicked. It's not that compatible.
A
It's much easy to go forward, so the metal part actually could be at API level. If we think about that kind of that, if you later, we want to start something like the senior to the sub part, then you can read these find your father and then put it into the mecha part, and so then, but then, which means right now we need to open to the path for the metabolic at API level. That's also instinct API design, I.
H
E
H
To say that, like when we extend the pod concept, I mean that that's, it really does add a lot of cognitive overhead to working on the kubelet. But when I see this I think about init containers and how yep those were simple to reason about, like just conceptually but and in the code, they really make it difficult to work with because they they have to be executed, sequentially and they can fail. And what order do you do them in and they're supposed to be idempotent and it like?
H
A
C
So one of my concerns with adding the sandbox pod concept is the pod. Now becomes more than just a collection of more than just kind of an organizing concept and the kernel you now have potentially a guest OS running in that pod sandbox, which means you now need to sort of maintain that lifecycle of the pod in a little more detail, and so one kind of example I gave somewhere in this document.
C
Is you know if you run into a kernel panic or an issue that causes that guest OS to fail, and you need to restart the pod? How how do we surface that in the API? How do we deal with that and one potential answer again? This kind of simplest answer is that should be very rare and if it happens, then we just treat it as a pod failure and wait for a controller to delete and recreate that pod, potentially elsewhere in the cluster.
C
A
It is depend on the policy like the restart. The policy is library and there's a couple things you may feel the power, but the majority kisses it's a reset policy. It is lower and I think I know I think that me I think what team is here. It is because the possibility of which today to send about technology, so you end up after you running the party, there's the what we add and it so there's the introduced new finger mode.
A
The VM is a failed, so how we are going to capture that feel model, this impetus model it is accumulated already. No human. A decided incident on feel so have the full full real about that powder and the container I sir, so it's not a nother effect to the cuban and today's because it's all done esteem of unity, but the english today to send the box technology. What we are talking about most is the way I thought about that. I provide our solution and we am solution here and so that's the object to the turbulence.
A
G
And it's it's also because we're thinking of some about the solution, bait, space and and thinking about in terms of VMs and hypervisor. But now, if we introduce a Sandberg concept shouldn't shouldn't, we also have a sandbox lifecycle with a failure for sandbox is to be handle as well by controllers. Yes.
G
G
C
Yeah again, so, if we went with a sub pod isolation model, then there's yeah there's a lot of life cycles. Here, I need to be extended and whatnot. If we're talking about box is that the pod layer then yeah, the number is they're a lot smaller like fill. Some changes that need to be made around I think how the pod lifecycle is managed. I thought was, they were kind of adding new failure. Modes and I need to take a look at the CRI, but I don't think there's a way for I.
C
C
G
For what it's worth, if we, if we're thinking about sand boxes as as virtual machines, typically, the the guest curve would be either very similar or at least maintained by the same entity as the host kernel. So I think it's a safe assumption that to assume that the the failure rates would be fairly identical between the host and the guest kernel, because you're gonna have it's fixed. It's basically coming from going to come from the same same sources and the same OS, lease and so on.
F
Tim another question: I have it I'm just jogging three years of horrible discussions when you discuss the sidecar container with distinct privileges? Is that separate in your mind, then, like I've had some requests of folks wanna run and Nick containers with higher privileges than the other containers? Do you think of that as a separate use case, or something within these, like our container use case?
C
F
C
Sdo is an example that I know off the top of my head. They run a container that sets up the IP tables rules in the pod, Network namespace, to redirect all traffic to the sto sidecar, and then that sidecar, actually, because the the IP tables rules are already set up, that sidecar doesn't need any extended privileges.
C
C
C
G
Makes sense if some privileged containers inside the guests OS should be allowed to do that yeah, but it's I mean we. We need to understand if, if setting the IP tables inside the guest to us would be sufficient for 40 specific use case yeah, so maybe we can we can. We can play with that on our site and see if, if we could set up an SEO pod with Kara containers.
E
C
G
Say you have two two possibilities: either they're emulated them you, you gets, you typically get say a vertical device showing up in the guest and your hypervisor does the emulation. But it's it's an emulation on the host where you, the hypervisor talks directly to the to the other, to go to send commands and packets. That's the that's at least performance performant way to do that and the the more performant one is the hardware virtualization for devices where you can directly in securely assignment hardware resources directly into the virtual machine there.
G
G
No there so, the first time you see is agnostic sites. You're just gonna see a virtual device which is not even Brandon. It's it's a red hots and PCI ID. But if you, if you do the direct device assignments you you get, you literally gets access to the to the hardware resources. So you see all the PCI a config space and everything in you. You see the entire device, the real one. So.
G
Yeah differently, so so your device plugin, is basically going to enumerate and initialize the device on the host and talk with cuba wise for for doing so system. It's just another device. That's either you you, you pass directly into the virtual machine through hardware virtualization or you emulate through something like portal. So from from a cat a containers perspective, they won't be there wouldn't be any much much of the interaction between vice plug in and and the sandbox. It would just be another device that that shows up in there.
C
A
Last week the hierarchy of talk discussed share a dog also about the the option of how we're going to integrate with the CR. So there's the three options. So we didn't so I'm not sure how many people review that well I'm not sure Harry. It was here, but I think this Samuel you can represent because it is also talked to the cotta container integration.
G
A
I'm talking about that one, so we do the rest of the community review and give opinion. This is more like the information in implementation, detail and Ernie's, and but also we need a method Congress, the so there's those three option is listed there, and so, when it ends just Punk to the Cuban aims to make all the decisions and options and another one it is introduced on another CRI like a proxy like of things deciding what kind of the see how you want evolve based on a sec, you contain their option and then last one.
A
It is which I most prefer, but I'm not sure so it is just needs not introduce. The new continent run her in easily in stand up here. We already have you so far, or maybe more and in that one but the neck. This is chemical extra feature to those two doses container and time next example actual feature to the CI continuity actual feature to the Henry Henry diagnosis. Third, from discussing, and also have the pros and cons and I just want to make sure this is co-opted for the community and opinion I.
G
Think one important input that it would be for us to get his are the CRI maintained errs the CRI Xin containers view on this. So what do people from cryosphere are continually and in fact, do you think about about this and what would be because in in all three cases, they're they're gonna be implementing the changes in some cases less than than others. That's. It would be interesting to get their opinion on this. Yes.
E
So our Haman out here so I think I like the way the integration works and cryo today, because the single daemon and we're using the ocl layer to communicate with clear containers kata. So that way we don't have to maintain our run. Two different stems. We just have one daemon to worry about and as long as I mean clear containers understand, OCI calls you can just plug in and run C or clear containers or any other Rossiya compatible. Runtime.
A
So I believe the CI continuity have not the same inner span, so I I personally feel this is a monocot a container perspective. So how easy to integrate processing and is the N mean at the actual functioning here we want to preserve them. So then we want to have the complete of the runtime instant. Do we have that and of these only in the OCI compatible?
A
There look like you could have the clear container or you could just just the direct native fix on that one see I understand, there's the secure container and then you could run we all in world currency. So that's kind of the decision. We need a mini tiller. The reason I think even this is improve the detail. I still want to have the basic agreement. It is because we are a factor. Actually we are a factor. Well, okay and also the witch mayor can handle that API how we are going to pass that technology yeah.
B
A
G
So so wouldn't be the this, wouldn't they that the sandbox features be made part of the end-to-end testing, for example, I mean if they do then in production. You I mean before deploying your latest version of CI contain to your cryo. You would know if, if this specifics, your implementation supports the sandbox features in one way or another. This is transparent to the user, but at least this would be a guarantee that you you, your sierra implementation supports this yeah. It supports that this unboxing, yes.