From YouTube: Kubernetes Resource Management Working Group 20170620
Description
Resource management workgroup meeting
A
Okay, so recording has started. We have a charlatan that really helped us last week, set up a slack channel and also amazing, always working group. It's still not really clear and exactly water working group actually, and so she was suggesting that we have separate lists on Sabbath slack channels and, if necessary, we can just fold it back to all this legs. So we have it now and.
A
A
D
A
No.3 a second question like device plug in order and like it's not an all about this plugin, it's meant for discovering energy hardware like oh this freezer isolation is completely different. I think they call already posted wonderful. The first corner shows about like completely separating out the container manager in kubelet and like making it an extensible entities. We decided not to do that now, because then it would sort of like guys do it the value proposition, because too many things that are almost considered sign.
A
You don't really never work, I'm not reason why he likes fall because, like secure isolation are actually happening in the core and not as an extension, so with the right plugins on hoping that it will stick to just exposing hardware devices I mean at the end of the day. If there is right there in exclusive that are available to that API, you can stop people from doing other things with that. But at least fundamentally mental is.
E
A
The goal there is that we don't want the core to keep growing. At the same time, we also enable a community to be like more interesting things with curators. So the goal is that data sconce up on once and I- that's gonna supers continually, which increases the allotment increases, each of them when I to the first bar, if I understand correctly a person Louis who other other vendors or, like other hardware provided who are implying tips in the disposal. You.
A
Gently said: do it off you want to take that I think it was posted in the end of PR person was like: how can we expose KVL devices on the host and I? Just want a saying like safes. KVM is not really a hardware plugin but fan question that, like other other resource requirements like other requirements other than the ones they already considered, yeah I.
F
Mean I definitely are and I've been trying to get those examples. Written up, I think Grumpy's probably got some some work. You can do really quickly here. I think you guys probably met at least once, if not so already about this so effectively, but be to. In short, the additional use cases. Are there going to be network adapters to start whether that's a it's some kind of accelerated NIC, whether that can be K /, DP, DK data path, it'll it'll be a fast data path solution with all this endure, but that's the use case.
A
I think we need to collect all the requirements, the future requirements or not I had a few in my mind and I sort of posted them. They're like saying saying that, like we need to be the drivers and we need to be with like injecting some device files or like network interfaces and so forth in the pods.
A
But, like those are just high-level requirements, we need to also like figure out the feasibility, because, like adding a new network interface, for example, requires setting up CNI plugins, which then, which then requires access to like some specific directories on the horse and then like. How do we make sure that that's portable across current installations and how does it get possible via right? So.
F
Just so you know just I want to deduplicate that, because there's there's a the multi I want to stay away from the multi networking debate. That's going on and just treat this as like a raw device. It does not yet a kernel network stack in either scenario that I described it's a kernel bypass technology, so we'll be putting it in on our own, and so in that way it's different than what it's different than the debate that is occurring inside network I mean.
G
That said, Jeremy, though, if there's ever a case where we would want to record two network details of the adapter back to Kubernetes, we're going to have some overlap between other and resource management, I mean obviously the containerized app would have control over this particular hardware device. But I can see a case where we want to. You know, push back near the IP address for management and status and even package statistics, and things like that.
G
Yeah and I think for something like this direct device assignment the rest are ilv or something like that. There's obviously a lot more to do with the resource management tips you mix and we have a certain number of Silv VF and obviously. It's a resource management issue because we have so many rigs machine, so I think you're probably right, there's much more the case we may hear for this as a resource management thing. It's just kind of you know once it is all set up.
C
C
H
D
C
Guess: yep, okay, so I'm in the process of bringing up, Solar Flare advanced, make, and you know the TCC sac in the user space. So pretty much I mean from this kernel anything else which we needed is more on the management side, but all the intelligence is upstairs so and I'm trying to get that going on Renard's codebase to keep it all common rather than you know, creating my own.
A
Okay, so just to just to like restate what I said, Ron is saying that you're working on prototyping adding support for a very specific NIC that should sort of help us validate this requirements or harder plug-in interface and also identify whatever interfaces. We would need with the kubelet. That's exactly.
C
Right I mean kind of the variety I mean one is we're talking the compute side, but not we're talking like advanced make more Network focused, but but still the all, the networking stack the use phase. It gives a good variety on. You know the type of plugins I mean des requirements. We need from plugins, okay.
A
G
Okay, I mean it to me. It seems like if you're talking about IP over InfiniBand, that's just another kernel module that you essentially load. It definitely obviously requires a hardware device, but there is no real. The network interface is sort of like a virtual interface kind of like VLAN or etc. So it's not really a hardware based you can look backed by hardware, but it just kind of seems to me like that's getting a little bit more into network territory, especially since it's an IP interface.
G
Alright, excuse me an IP net and that would probably for more on the networking side of things, but if you're just mapping the InfiniBand device into the pod and then expecting the pod itself to create the IP over InfiniBand stuff. On that I mean it seems largely related to key line. I think right.
A
D
A
That's that's fine and, unlike we can always iterate on this device plugin, and the second question is that what what happens that the requirements require us to inject a new IP device, then how do we facilitate that via the hardware plug-in interface? I think this is not relevant the colors requirement here, so we can.
G
In it I'm not necessarily, you know, arguing against it. Just kind of seems like getting to that level is kind of a workaround for some of all T Network stuff. That's blocked and SIG network right now. Okay, so I feel like we should widen the conversation. If we start talking about putting IP, you know interfaces in pods through news management, stuff.
A
Have a working group I'm not like thing is that we want to facilitate these conversations right right, I don't think our goal is to just like to find a place with another six I think the goal is to like facilitate conversation across legs. So if you get to appoint the we end up, dealing with at work interfaces, I think they're going to reach out to the head for things like and okay to you as well, and then I think we figure out a way to facilitate.
G
A
Yeah sure I think that, like as a working group, we need to put in more effort or like figuring out what our exact requirements are and what what value we are going to add to end-users, which was I make. The conversation like civilizations, are happening based on like engineering inputs and not really like.
G
Yeah and I would say that most of the multi network type use cases that we found in SIG network are primarily driven by network function, virtualization, which often implies SR-IOV. So that's where a lot of the people are coming from and probably where a lot of the people are coming from here with you know, is the device assignments into containers as well, so I think there's there's quite a bit.
A
A
C
Okay, so what I wanted to add was like, for example, when you get to high-performance networking use cases like the cases we talked about, our DMA king of InfiniBand, or it could be rocky Rd may converge Internet. All of them follow the model of character devices right so just want to add that we have a reasonable set of use cases the we can proceed without involving networking. Maybe that could be a reasonable start and then, with those two concepts, then start engaging. You know the networking sake.
A
So that's why I think we should keep making progress on things that we understand and then and then figure out the rest we don't understand. The main thing is like we need to have a good handle on the API before we can take it beyond alpha, which I assume would be necessary Forks, because the data and API can change any day. So there's like lot of maintenance overhead for you.
A
So the way I imagine it like if you have to support device, installation and containers for four GPUs, for example, we have to deal with like shared more namespaces and like propagating on devices between containers and so forth, so those are features that are still in the book. So, unlike identify, what are the things we need, and it might not be things that we do know if everything's big deal with a year from now, but we still need to have an accurate stuff.
C
Vishna, maybe is a good time to kind of share. I mean our discussions on the sync up. We had because it's a nice document, maybe we can walk the team through what what are we converged on and get some feedback yeah so yeah.
C
D
One see my screen yeah and so, and this document is about the meeting we had last Thursday with fish Christopher. You know I guess the attendees are all in the dress so and I think the first thing and the most important thing we laid out during that meaning is a vision that for devices we want the user to be able to say well, I know, I have FPGAs, GPUs or X device in my cluster and I will just create I would I would type one command so keep still create.
D
That F would be an example that come in and the devices would appear the the different the device going in with a would be like distributed on every node and for the user. It would be very transparent, the devices would appear and a different notes, descriptions and the long term, and in the long term we want the user to be able to select those devices and resource classes. Is that does that bishop vision make sense with everyone.
I
D
A
So all the all the different entities we would be introducing into a pause environment I think we should probably call it out here. It could be like character devices, it could be both devices or it could be like network interfaces and so forth. So I think we should, in general, like all out what are the different environment pieces that we would be injecting and please help here. A necklace if you have like other use cases, are giving this API help them. Please contribute.
D
So that would mean that the device to plugin would be able to replace in some in some shape, GPU support, so he would be able to deploy the GPU device plug-in and people would decide which device to choose and send the request to the device bullion and the device plugin would do the work to be able and do the different operations needed to be able to enable GPUs in the container I think the short cam part they can see. Only document explains how we would integrate that.
D
Think what we also decided with during this meeting is the different scope. Is the scope of the device for ian's? We find it a bit. We decided with fish, Ram, etc that installing drivers is something that we want to see ended the diced onion and we want to see in the proposal, and we also talked about the different subsidies or an API be API that we wanted to expose during that meaning.
D
So one of the main concern was about the fury, spec I think this is mostly addressed in the in the new version of the device plug in the rest of it is I. Think well, I think this document presents. Is there? Is there anything that I think a or Ram? Do you think that that I'm missing so I'm forgetting something hile.
C
A
That's that's basically up to us basically get to the vendor ID equivalent center, because in theory you can just install them correctly or or you might want to bundle them for various reasons. So I feel like that's more often like a final packaging role than like beginning goal, right or I. Think and moving some of your other reports.
C
No I I was also thinking of more of a packaging goal, but the point to note this I mean we definitely want to coach hydrogenous deployment trequan in the use cases we are thinking about. So it means how we present an automated story, for you know installing all the plugins or the relevant mix or other types of devices like keep use and then make it happen right. It's basically a simple script, but is it worth just providing a holistic solution? You know basically, our own philosophy.
A
C
Definitely not a prototype, but as part of a relief I would I mean to me too valuable, not as not initially later ominous when you're releasing it. You know basically some plugins for certain Nick's or you know GPUs, and that's at that at that point, if we worth having that tool to have the whole story, at least that's my viewpoint initially, not so.
D
C
A
D
And so, and I did have a question with regard to the device goin so and I'm not sure how people are how familiar people are with the device plug-in. But I was wondering if the deployment through a daemon site as the correct way to go- and my question is more about the fact that if we deploy through a daemon set, Sheila does not know what container matches what device plug in and it might be worth to have qubits understand. This container is associated to this device plugin. Why.
E
D
A
D
D
A
Go on your plugin, at which point you're going to like all the devices as unavailable or unhappy or like say that devices are no longer accessible and then wait for Cupid to pick that up and give it some time on. Anyone safely then remove those devices so, like I think I. Think unit API is already provide you enough primitives to achieve that, but whether that holds meet every plugins.
D
A
D
A
C
Expect that being commander now one thing came up: was the performance monitoring story? I? Think we see right now there cAdvisor trying to cover that area, but as we make progress, the thought was. We should have native integration performance monitoring the plug-in itself, because you know different vendors write, these performance monitoring paradigms and different programming languages, and it was best to have that native integration right right.
D
My question was: should we address that in a follow-up char, I.
A
C
A
C
A
C
C
A
C
D
So, with regard to performance, this is not something else could be addressed. I think I would so right now I have a park for GPUs with the device Balian there might be something I could present in the next meeting. I can.
C
F
A
F
A
H
Had a lot of problems with audio for the packaging schema and whatnot in external steps, that kind of need to be taken, I think we briefly touched on this, but the expected format our daemon sets. But what about components like GPUs that at least not when you're installing the app packages require reboot to load the kernel modules.
A
Record good question: the last I last I asked this question again in a different forum to a media folks here that they don't respect with their driver team and get back to us as to whether it's absolutely necessary to perform a node reboot for dynamically loading. That comes on still not obvious like why that would be necessary. I.
B
They told us that apparently, in the case where you run a VM and the container went into the VM, that probably was defined but I say many example of issues that came up when the device was not owned by the Nvidia Kelly module add boots, then decalin module tries to require this device, so it looks like in the bare metal case. They don't recommend it. Okay.
A
B
B
D
So in my current proof of concept, I'm expecting the driver to be already installed that doesn't mean that other device plugins cannot install their drivers. I'm. Just saying that it is possible right now to have both cases, a device plug-in that would install the drivers and a device plug-in. They would expect the drivers to be already on their hosts.
H
B
I really think we need to support cases where the same image or again, some people might want to install a driver who isn't zener, but it's safer if the and we get driver is the first thing that touches the device. So if you have the luxury of creating a customized image, then you should definitely.
B
D
A
D
D
A
Think that so it's going to depend a little bit on mechanisms right, like people need and you need a means to collect, distribute Hewlett, authentication information in like a reliable way, because Cupid also gets like rotate. So it gets rotated. So they go into your like. So that's not about you either get like flow access to some network interface or like some socket or pop need to figure out. Some other means, if that's a requirement or we call it out.
D
A
B
I
A
We are like other tools, so I don't know if you can doing that right like it's. It's only a question of like what are the API requirements on an API not requirement on getting such like free running daemons to work on that note. I also I just noticed that the discovery phase charge that is having a proposal. It's not reflecting the state that we agreed upon in our previous meeting, we're not.
A
I mean is that the workaround, like external Isolators, that said Nicholas and Connor did a couple of months earlier. The way they did is that they had they had the extended isolator resistance of the kubelet and then liquid will then talk to so just you know you didn't have to like manually configure the kubelet, the doctor component, so.
D
E
C
One thing wonder: dad was you're also seeing how we can minimize the cases where the application containers need to be done in a privileged mode. Keep it minimum, as we you know, go through the plugin exercise. Try to minimize that in some cases it may not be possible, for example. Anyway, no the device plug-in itself is running in tribulation, more like, for example, driver indentation. All those make it happen in the device plug-in, so application container may not need to run try to at least minimize the cases. Yes.
A
I
I
A
B
On outside, we don't need privilege if we just find the right cap LEDs, if you don't learn the kernel module or if you have the right cataloging. These are saying we will start looking into this and yeah. If you just add a few diabetes which could be fine on our side. We don't need to war, privilege and other critical. It is when you really don't want to do this Java, finding which character you need open.
I
F
So the only thing so I, it's a key piece for us to have almost no privilege escalation at all. When we do this with a daemon set, we need to. We need at least the mod module loading capability and the other potential is I don't know if we need, even as an additional capability to pass through the character device so and if we're controlling them and only doing them in in daemon sets- and we have some kind of a gate around deploying these daemon sets.
D
F
The way all this needs to get wired into RBAC like we can't go GA, but that was one of my comments on these socks. Is it the we have to require escalated privileges to deploy these types of pods? So while the mechanism is a daemon set there, there has to be some control. With this system. Administrators have like you, can't deploy a privilege pods on OpenShift by default. Unless you have dis escalators RBAC role, okay, so similar to that we would have, we would gate these pods deployment of these pods.
F
That said, we do have privileged. We do have, unfortunately, like use cases right now for privilege, where it's a workaround for not having multi network support, and the second piece is when we need to posts about a host volume. So unfortunately, like right now for hyper-converged storage, we have both of those, and so we have to run, unfortunately with elevated privileges.
F
Just because of the way the security works out for talker now constantly like I don't know who is speaking earlier, but we have developed some system PAP scripts to help us come up with the exact list of capabilities or seccomp policy that we need. So we can have a fine-grained role, but that doesn't mean we get away with all with no elevated privileges and thus I keep going back to the RBAC requirement.
D
B
A
B
A
Okay, yeah, that's an important point, not the other point that was mentioned here was like. If accessing these devices requires elevated privileges for application, containers, I think we should call it out too, because I don't think it's it's okay to dynamically increase the privileges or for a fall as far as this device plug-in appear, because they're sort of defeats the rest of the security policies that.