From YouTube: In the Clouds with Red Hat Leadership (S1 E2): Dan Walsh
Description
Red Hat's senior leadership is having to execute at an ever-increasing pace. That means that today's technology decisions have to balance short-term risk with long-term gains. In this series, host Chris Short invites thoughtful and candid discussions with each guest.
An hour with the one and only Dan Walsh, Senior Distinguished Engineer
https://openshift.tv
A
Good morning, good afternoon, good evening, welcome to another episode of In the Clouds with Red Hat Leadership. Today we are joined by the one and only Dan Walsh, a Senior Distinguished Engineer here at Red Hat. I'm Chris Short, Principal Technical Marketing Manager. I run OpenShift.tv. Dan Walsh, please introduce yourself for the audience. Let them know who we're dealing with here.
B
Yeah, sure. So, as I said, my name is Dan Walsh. I've been at Red Hat for over 19 years now, so it's been a long time. I'm known as the security person. I've been writing security software for many, many years. When I started at Red Hat 19 years ago, the National Security Agency came to Red Hat and asked us to work with them to get SELinux into the upstream kernel and to get it into a...

...operating system, and Red Hat looked around looking for someone that had a security background and found me, and I became the SELinux guy. So for probably the first 10 years of working at Red Hat I worked on SELinux, but that led me into really looking at how we can confine processes, or how you control groups of processes on the system. So over...

That led me into, you know, working with the kernel guys and developing and instrumenting, and trying to figure out how we could use different features that they were adding to the Linux kernel to really control what processes do on the system, and really that led to sort of containers. You know, what everybody thinks of as containers, so...

...the idea was actually for SELinux to allow users to log into a system and have different home directories depending on what security level they were logging into the system with. Now, that's where the first namespace, the mount namespace, came from. So if I log into top secret I'd see one directory; if I log in secret, I would see a different directory. So that really came in RHEL 5 back in 2006. Later on we started working with cgroups around the time of RHEL 8... rather, the RHEL...

...6 timeframe, which was around 2008. We started looking at how we could use cgroups, and I introduced a thing called, what I called, the SELinux sandbox at that time, and what SELinux sandbox did is it took advantage of the namespace stuff to basically allow you to set up different, secure sandbox environments for your home directory.

Running as secret, running...

...internal network, and I have a Firefox that's running on my external network, and I can keep the two separated. And then later on I started working on OpenShift, which was sort of OpenShift version one, which was really using some of the technologies we had developed to isolate processes. That eventually led into sort of the Docker revolution, when Docker started coming, and I got put onto that project, and then eventually, where...
A
I remember sitting there, like, during one of our Joint Force expeditionary experiments, like, you know, I can monitor these networks better with the Linux box. We use the Linux box, and then a couple months later I start reading about SELinux and I'm like, light bulb: now I can run Linux boxes at scale here. I don't necessarily have to worry about some of these, you know, security vulnerabilities that all these people that I work with are all freaking out about, if we enable SELinux and start using, you know, the approved STIGs.
B
The funny thing is, I actually was on a call yesterday with some people looking into containers, and really the most secure parts of the federal government. I mean, they're really big into this thing you're probably familiar with called MLS, which is multi-level security. Yeah, often I talk about top secret, secret, and the government basically wrote up these standards back in the 1970s, maybe in the 60s, 70s and 80s, for basically...

...flows across a computer and across networks, and so now the government is standardized on this technology. But to me it's gotten very old and very creaky, and, you know, what people come up to me and say is: okay, I want to use that MLS on top of a Kubernetes, you know, OpenShift Kubernetes environment. It's...

So trying to explain it to them. And the final thing is, there's actually a couple of papers we put out in the last month that talked about how we're doing container security now is actually better than MLS.

...SELinux does, and, you know, SELinux basically treats... you basically label a process as a cat, and then you label the content as cat food, and then you label the process of the dog and label the content as dog food. And then you write rules that say cats can eat cat food, dogs can eat dog food, and then if the dog tries to eat the cat food, it blocks it. So that's basically, really, what SELinux fundamentally is on a process.

But if you get to containers, now you basically say: okay, this is a container, so that's the cat, and then you put the container content and that's cat food, and that works fairly well for one container. But once you get two containers, now you want to make sure that each container can't eat the other container's content, right?

So, you know, if you have two, three, four or five cats in a container world, or a VMware or a virtual machine world, we want to make sure that those processes can't attack each other, even though they're the same types, right, from an SELinux point of view, the same types. So what we did is we have the concept of MCS.

We had the concept of this last part, the MLS part of the SELinux label, and in MLS worlds, again, it's fairly complicated, but basically they have a hierarchy that says that you have dominance. So if you have certain levels, then if you dominate another level, you can basically interact with the lower levels, and really what I'm getting down to is these categories.

So if you're in a Linux system, there's 1024 categories. So if I had category one, two and three, and you had content that was labeled as two and three, I could dominate it, right, so I could write to it, right. If your content was two, three, four, then there would be a conflict. So what we did is, instead of, you know, putting these concepts of hierarchies and things like that into... that's an MLS that no one in the real world works with, right. Nobody, right!

...data, and you might have personnel records, but you don't say the personnel records are more valuable than banking data, or vice versa, right. And so what we did was, MCS was basically to say: all we want to do is we're going to guarantee separation. So we want to make sure that, you know, this cat cannot attack that cat, and all cats can't attack each other, right, to go back to the cats, but...

...don't allow, in order to say, so if I have one and two, or two and one, that's the same thing from an SELinux point of view, so that cuts it in half. That's down to about 500,000. There's a few more that are taken off, because we don't allow c1,c1 categories.

What we do, you know, is that I discovered this hammer back in 2008 for virtual machines; we called it sVirt. Now we use the same hammer for OpenShift, for containers, for... yeah, we use it all over the place. But basically this is fundamentally how we isolate containers from an SELinux point of view, right. But bottom line, this whole conversation started about MLS, so MLS... so that's MCS. MLS means that I label, you know...

So now, if I lose one container, I don't lose the entire thing. So talking to government people and trying to go through this and explaining cats and dogs is, you know, a little difficult, especially with their... you know, they're sitting there with their books from, you know, "We wrote this book, right, 2001, and we have to stick to it."

...for isolating these workloads, you know, and they're looking at, you know, how can I have standards of scanning, you know, content to make sure there's no bad content in there. Well, they say you provide the content, right. You don't have to worry about someone going in... in a container world, you define the image that is going to go out to the user, so we know that, you know, you didn't put anything into that container. You can actually run the containers read-only, so no one can ever...
A
Yeah, so I think one of the biggest topics people wanted to ask you about was, like, just container security, like table stakes, right, like what are the requirements, right, like bare minimum, above and beyond, you know, whatever you think is right is kind of the gospel here. So this is your chance to tell a lot of people, right, like this is what I think the table...
B
...team is always... we're always looking for how can we crank up the security a little bit? How can I add new features from the Linux operating system to further secure applications? So SELinux is, you know, a great tool for preventing file system attacks, but there's...

...other types of attacks that I also have to worry about. So I actually wrote a coloring book a few years ago, another coloring book called Container Security, where we talk about the three pigs and how to prevent the wolves from attacking the pigs, and what we examine there is, you know, one...

...of where should these pigs live, and if you want to run your applications, you know, I basically said a pig living in his own house is the most secure way of running it, and the pigs in the analogy are applications. So if you want to run an application the most secure way possible, you want to put it on a physical piece of machinery and have that machinery as isolated as possible from everybody else. Okay, that has proven to be way too expensive and everybody balks at that idea.
B
...are, if... but if you think about it, if my network has been hacked, I don't reinstall every machine in the network, right.

Yeah, and the more distance, the more network isolated with that. So the next level was basically, in my opinion, to run your containers inside of a virtual machine. Okay, so the virtual machine in the coloring book was a duplex house. So if you think about a duplex house, you have a pig living in one side of the house, another in the other, and the only thing they had between the houses is sort of the common wall, right.

And the thing about the VMs is that they're isolated. Basically, they get a small sliver of the kernel that they... you know, the hypervisor, and that's the only part of the host operating system that they really get to interact with, right. So in a way that's sort of the wall between... you know, in the duplex house it's the wall between the two families.

So now, if we go to the next step, we look at an apartment building, okay, which is basically we're going to put the pigs into an apartment building, and that's basically what containers are. So containers are basically, you know, sharing that, you know, and...

The containers are, you know, really well isolated, but there's a single point of failure. That's... so the maintenance man, or the, you know, the front desk, or whatever.

Whatever, yeah, because he has keys, he has keys to all the apartments, right, so he has the ability to get into any apartment. So if you take over the maintenance man, then you can get at all the pigs, and that's what can happen. If I can take over the Linux kernel, I can break out and attack all the cont... well, the host systems.

Then, if we continue on this analogy, if we get to the next thing, which is, you know, multiple processes running on the same physical machine, which is sort of the way people traditionally... right, you run a web service, you might have a database, both on the same machine running at the same time. So you have multiple services running on the same machine, the same...
B
...people that said in version zero was like pigs sleeping in the park, but the way I described that sounds like, you know, containers are insecure, because of the way I went about describing it. If I reverse the entire, you know, analogy, and I said you're going from pigs sleeping in the park, your systems with SELinux turned off, right, to systems with SELinux on, and then I go from, you know, multiple services running on the same machine...

Now I take those multiple services and I stick them into containers; the level of security and isolation of those containers skyrockets. Matter of fact, I would say the biggest jump, from two services living on the same server to containers, that's the biggest jump in security there is. And the other thing...

Yeah, yeah, so I can stack these things up. So what I tell people is, okay, I want to run my content... I would say always run it in containers, but if you have content that... you have your web front ends, you might want to run those in a series of containers in a series of VMs that are inside of physical servers that are inside your demilitarized zone. You might...
B
...at there is, we have things like SELinux. We have a thing called Linux capabilities, which is basically the power of root was divided into 64 different subsections of root, and what we do with containers is, we actually by default, if you're running as root in a container, we only give you 12 of those capabilities. So we cut down... instead of giving you 64 capabilities, we give you 12 capabilities. I mean, some of those are fairly powerful, but we eliminate some really, really nasty ones, like CAP_SYS_ADMIN, CAP_NET_ADMIN, right.

We also use this thing called seccomp, which is a filtering tool for, you know, one way you might want to attack the Linux kernel. Yeah, I should have dropped back a little bit. So when we're looking at containers, we talked about, you know, attacking the maintenance man, or the attack on the kernel.

Really, what we're looking at when we have containers is, we want to prevent the containers from attacking the host operating system, either the file system or the kernel, and really, you know, all the container technologies are basically about controlling what a process does on a Linux box and how it can interact with the kernel. So SELinux protects file systems. If you have to run root inside of a container, we eliminate a lot of the power of root.

...syscalls, we dropped down to around 300 syscalls, cutting the attack surface in half. We do read-only kernel file systems; we mount them read-only. So there's a lot of technology involved in that to really limit the attack surface, and...
B
...we've been relying on now. What I'm looking at is newer technologies, or, you know, some older technology, and how can we, like, KVM separation. So you might have heard of Kata Containers, which is... Kata Containers is basically using KVM for separation. There's a really cool project that I'm interested in, which is another way of doing something similar to Kata Containers. It's called libkrun, and we'll be announcing it and showing it, and, yeah, the problem with QEMU...

The problem with Kata Containers is, you sort of... in a container environment, you can see the process, you can interact with the process really easily from the host operating system. The problem is when you get to QEMU, Kata, you end up with QEMU, and so you lose view of the process on the system, right. There's...

So you have all these processes running on the system, but inside of their container they're talking to the wrong kernel; they're not talking to the host kernel, and their little kernel inside of their group of processes actually, you know, has to go through KVM to talk to the host kernel, so they're isolated. It's really, really cool. No one in the world's ever used this.

This is, like, demoed, and, you know, right, three times, but we're going to be debuting it, probably before the end of the year, and actually it's time to start to play with it, just as an open source project. It's just, yeah. So it's part of... we have a thing called crun, which is a...

...crun is... so we're actually adding this, like, crun's going to be able to run these, like, containers, and, you know, if you had Scott on talking, he's probably talked about...
B
Right, right, right, right, so yeah, and then there's, you know, this... Google has developed a thing called gVisor, which...

...is a Go implementation of the Linux kernel. Basically, they intercept... instead of seccomp, which basically trims down the number of syscalls, but you're still talking to the kernel, what gVisor does is it basically intercepts every syscall and sort of interprets those syscalls before they get to the Linux kernel. And so a lot of Google right now is running on top of gVisor. So if you go to Google, if you use Google's version of OpenShift...

They use that thing for isolation. The problem with that, in my opinion, the problem with gVisor, is that it takes a, you know... it's basically doing everything in emulation, so you can imagine how slow it is for your processes to interact with this Go-based kernel before it can interact with the host kernel. So think about this as being, so that's...
B
Yeah, but if you think about Google Cloud, you know, anybody running... if you wanted to go to a bank, you know, to the stock market and say: are you going to run this thing, and it's going to run your processes really, really slow compared to normal, but they'll be more secure?

"Speed, but I care about security," right, and it's going to use up much more CPU on the machines. It's going to use that much more memory, things like that.

Yeah, yeah, so from their business point of view, it's probably not a bad thing, and it is going to be more secure, but it's just like, okay, there are trade-offs, yeah. And so other things we're looking at are... remember, I'm giving a talk today; today happens to be DevConf.US day and I'm giving a talk...

...to talk about some other features, so I talked about...
B
Well, I'll jump into my next part, sort of my next coloring book, which was, if you look at... so that's basically all the security we use to control containers. But one of the key things about those, you know, I talked about the security around containers, is that security is sort of defaulted, right. So that's the default security that everybody gets. If you want to get different security than that, the user has to be smart enough to override...

...going to do, and so the talk I give later on today talks about Goldilocks and the three bears, and that, you know... so really what we're talking about... this didn't work well. I gave this talk back in the Czech Republic, back when we could leave our houses, right.

Yeah, I guess it's an English story, so if you're not descended from, you know, basically English colonies, you don't know the story of Goldilocks. But basically the idea was Goldilocks is sort of the middle, right. We could only give you... if we give you too much security, it's going to cause things to break, so people are going to turn it off, and so almost all security we do in the container world is sort of that.

You know, what we're trying to do is... we're trying to walk the fine line where we get things as secure as possible, but we don't go overboard, which is, right, so your workloads won't work. So what I've been looking at is, you know, and then this talk talks about: how can we move Goldilocks towards Papa Bear, where Papa Bear is more secure?
B
...container engine. Most people think of Docker or Kubernetes, you know, if they think about it, but then you have the user. So the user isn't gonna turn it up; he's just gonna turn it down, right. He's always gonna move Goldilocks to Mama Bear, right. He's just gonna, you know, "Oh, my app doesn't work," and...

So a couple things over the last few years: we started looking at this and said, you know, originally everybody in the world, you know, they didn't talk containers, they talked Docker, and really what it came down to was, Docker became sort of the standard way that everybody thought about running containers. But Docker is actually a tool for running containers in production, for building containers, right, it's for running, you know, it's just...

It basically all... but all those tools basically go through one centralized daemon, so they all interacted with the one uber daemon, and I used to tweet a lot of the time, "No big fat daemons," and that daemon's running as root on your host. And if I'm running containers inside Kubernetes, they're going to run the same way as if I'm just playing with containers, if I'm building containers, and because of that, the least common denominator of security got built into what it meant to run Docker. When...
B
Can we break this? Can we break Docker apart into different types of container engines? So I could say, have one container engine that's just specialized for Kubernetes, just locked down as much as possible, so it only, you know... because I'm not going to allow you to build container images, right, by default. I'm not going to allow you to play with containers in a Kubernetes environment, right. It's just... you're going to Kubernetes, you're just launching containers, yeah. The next thing is looking at the difference between playing with containers and building containers.

Right, building containers requires certain privileges, whereas playing with containers requires different privileges. So what we did is, I put together my team and we broke Docker apart, and so we built a container engine just for Kubernetes, that's called CRI-O. We built an engine for just playing with containers, that's Podman, and then we built an engine just for building containers, and that's Buildah. And we also added another tool called Skopeo, which is sort of the unheralded, yeah...

Right, Skopeo is great because its main thing is: you have these images sitting out at registries and people want to move them around, right? They want to move them from public registries to private registries, and that's really what Skopeo is. Skopeo was just basically a copy tool for moving images between different types of container storage. So we broke these out into these different tools, and after we broke them out into different tools, some of the really smart engineers on my team started...
B
...looking at them and said, you know, we could do a lot of this stuff without being root. So the Docker daemon runs as root; it's this big fat daemon that everybody talks to. And so we started running Podman containers without being root. We started taking advantage of the user namespace and all these other technologies, and then, as I said, we started to really look at how we can run containers in different...

Go out and look at Podman; it's just skyrocketing, the number of people that are playing with and using it. CRI-O is the way OpenShift runs now; we don't use Docker at all underneath to launch containers any longer, and a lot of interest...

There's a ton of interest in Buildah, and people experimenting with, you know, building using Dockerfiles, so just building using, you know, just anything to create a directory on my disk and put some content in it, create an image, push it off to a registry, and I'm done. And so the bottom line there is...

You know, going back to my Goldilocks and the three bears, now I can actually have different Goldilocks depending on, you know... so I can move you a little bit towards security, towards Papa Bear, for my Kubernetes workloads. So instead of running purely with everybody running the same in the Kubernetes world, we run with a tighter... so for OpenShift out of the box, we run with slightly tighter security than you do when you're playing...
B
For instance, you know, some of the capabilities that you need to build containers aren't available, and even the other tools now can run much more securely, because they're running as non-root on the systems, and stuff. So that's what we did over the last two years: built up these new tools, and now lots and lots of people are using it, and if you're using RHEL 8, you know, there is no Docker from Red Hat anymore. It's just these tools, and...

...want to type the Docker command, Podman is a direct copy, a much more secure way of doing Docker. But, you know, Docker was, you know, basically was our... you know, the thing we copied, right, to really look at how Docker did things, and we didn't want people googling "How do you do this with Podman?" versus "How do you do this with Docker?", and that's really some of the... so Docker said this is the way you do it, this command.

So there's a... Docker has this concept of a thing called a volume, and you basically can do a "docker volume create foobar".

You know, "volume create foobar". If you do "podman volume create foobar" twice, it basically gives you an error the second time you do it, saying, you know, foobar already exists.
B
If I do "docker volume create foobar" twice, it silently does nothing. And so I'm going back: okay, should we match what I think is broken functionality, or should I just do the correct thing? And so I've been interacting with the community, people saying, "Oh, I have scripts that rely on this behavior of Docker," being, you know, this broken behavior of Docker, right.

So there's certain types you get to that, like, I'm not sure I want to fix this one.

...with them, so I actually asked them to open up an issue with Docker to say, fix your code, because, you know, if I didn't make their own...

You know, some kind of, yeah, "it exists" or whatever, yeah, an error code for that, that you could then check and move on. But anyways, those things are interesting. So, finally, the things we're working on now, I'm trying to work on now, is to get more information from the developer. So we talked about the three points of input, so...

The middle one is the container engines, and we've given up on the users, although I'm going to get back to the users, but... and so the developers, right, a developer should understand how his application would work, so he should theoretically be able to figure out things like, okay, my application... remember, I talked about those 12 capabilities that, you know, we give everybody by default, right.
B
...would, and so if he put some kind of documentation or some kind of information into his container image that said, "My application will run fine with just these two capabilities," then we could have the container engines be smart enough to pull down the image, look at this label that says I can run with these two capabilities...

...those capabilities that are part of the 12 that it was going to give by default. If they are, then we say, all right, let's throw away the other 10 and just run with these two, and now I can run more securely, right. So I can move quite a bit towards it. Similarly with seccomp, so if you could figure out which syscalls your container uses, you could put that into your image.

...your application is going to write the syscall table. So right now we allow all containers to run with 300 syscalls. There was a report by a security team that said that most containers probably can run with about 75 syscalls, but wouldn't it be nice if you could figure out that these are the only 75 syscalls that my application needs, right, and put that into your container image, and have the container engines again...

You know, from a security point of view, they have to look and make sure that it's a subset of the rules that it allows, and then it would just allow it to run with that subset. So those are the things we work on, but we're also working on tools. You know, my team's looking at developing tools to allow someone to figure out what are the syscalls available. So we have penguins.
B
...to figure out what it is, but at a certain point you could run... you're basically tracing all the things. Well, there's just going to be... your application works. Maybe after three months you feel, you know, I'm pretty sure that this thing's gonna work perfectly fine in this environment, yeah, just switch it to lockdown.

...other tools, but, you know, we're going to go way over, you know, way over time, and, you know, but basically, if you follow, it's fine, yeah.

Although we do blogs at podman.io and buildah.io, and we have all the links to all the different blogs that we write. I actually started blogging back, back 15 to 20, almost, yeah, over 50.

You know, in college I was a math major, so in college, any time I'd do any writing-type courses, the professors used to scream at me that I couldn't write, and, you know, it just was... so I hated writing and everything else, but, you know, for 500...

You know, I'll write an article, so, especially back then. So I started writing the articles, and quickly that 500 disappeared, but I sort of got hooked and people liked the information I was writing about. So I wrote for the next, you know, 15 years; I've been writing constantly about technology, and, you know, sort of what I always try to do, obviously from the coloring book talks and things like we've talked about today, has always been trying to dumb it down, or find an analogy, find a way that people could sort of understand.

I get lost, but if someone comes in and basically gives you, you know, this...

...doing, and so that's, you know, some of the blogging and some of the information, but anyways.
A
So yeah, this is what I envision now whenever Burst says Podman is a wrapper: it's you in your mafioso mode or whatever. So, some questions from chat, and I think they've been kind of answered by other people in chat, but I just want to put it out there to you, right, like Podman is becoming a more and more wanted tool. What kind of cross-OS support: Windows, macOS?
B
Yeah, so one of the things... so we want to dig a little bit further into Podman. One of the interesting... Podman's available on just about any Linux distribution.

...package now. It's because it's in Debian, it's getting... it's available in Ubuntu, but all of the, you know, we deal with... you know, we're actually getting a lot of community input in this, but, you know, I'm finding out about all these random distributions that I have never heard of. I believe that everybody should just use Fedora and be done with it, but...

And, of course, RHEL, so if you know that... that's what pays the bills for me. But anyway, so it runs on every distribution, so we often get asked... so let me go... we often get asked about, you know, running... I want to run this on top of a Mac, or I want to run this on top of a Windows.

...talking TCP to a Docker daemon somewhere running in the environment, usually it has to be on a Linux box, and then it's launching containers. So when we were first doing Podman, at that time there was a new effort called varlink that was coming along, and varlink was gonna be the new hotness, or at least that's what we were told. So we built...

We wanted to have a remote API so that we could basically launch Podman remotely, so basically one Podman, what we call podman-remote, talks to a Podman instance on a remote machine. But since I've been railing against big fat daemons, I didn't want to have a daemon running, you know, Podman running as a daemon, so my big fat daemon is systemd.

So with socket activation, you were able to talk between one Podman instance and another Podman instance. In a socket-activated environment it would kick off a Podman to, you know, basically do it for whatever you wanted, and that's how Podman works. So the first protocol we used was this thing called varlink. Well, varlink sort of died on the vine, so...

I think there's still some people using it, but we had lots and lots of issues with it. So over the last year we've been rewriting Podman... probably not rewriting Podman itself, but rewriting the remote API.

You know, originally Podman matched the Docker CLI, but a lot of people wanted to use Podman to replace the Docker API. So the Docker API is the thing that's built into things like docker-compose and docker-py. So lots of people built calls to talk directly to the Docker daemon to get to do things. So we did... we have what's called Docker 2.0... Podman 2.0 now, which, instead of using varlink, is using the Docker API for remote, and...

We've demonstrated people using a Docker client to talk to Podman containers, so basically what we're trying to do is implement all of them. So with that being said, we originally had a Podman client for Mac or Windows that was talking varlink, and again, that was... it was very difficult for us to...

So now we're actually replacing that with Docker for Mac and Windows boxes that will talk to a Podman, so Podman for Windows and Macs can talk to a Podman running in the cloud or in a VM or, you know, whatever. So the equivalent of boot2docker now is boot2podman. I mean, that's available now; you can brew install...

Yeah, yeah, I've got it on my box here, yeah, yeah, and so you can actually do all the stuff you want to do with Podman on a Mac, and Podman on Windows works similarly. Windows also has this thing called WSL2, yep, which is Microsoft trying to say, "Oh, we're running your containers natively on the host," and what WSL2 basically is, is sort of this tight hypervisor.

...for that as well, so
so
you
can.
C
B
Podman
in
your
client
and
server
now
that
we
support
the
api,
people
are
working
with
docker
compose
against
podman
they're
working
with
you
know
some
of
their
python
scripts
we're
we're
working
with
gitlab
right
now
to
get
podman
as
a
back
end
for
that,
so
lots
of
people
are
looking
to
where
they've.
B
Docker,
as
a
back
end
now
to
to
implement
podman
in
the
same
way
and
get
advantage
of
the
additional
technologies,
other
things
podman
didn't
just
copy,
docker
right,
docker,
implemented
containers.
What
we
really
wanted
is
it's
called
podman
and
for
those
that
don't
know
a
pod
is
a
concept
for
kubernetes.
A
B
There's
one
or
more
containers
running
in
the
same
environment
and
bundle
it
together,
and
so
what
we
want
is
pod
manager,
that's
what
podman
stands
for,
and
so
podman
also
manages
parts
and
what
we
wanted
people
to
do
is
start
to
play
with
pods
and
sort
of
have
the
you
know:
pod
manager
be
the
entry-level
drug
or
the
entry
drug
to
something
like
openshift
to
kubernetes.
B
So
in
podman
we
not
only
support
containers
traditionally,
the
way
you
rent
them
under
docker,
but
we
also
support
parts
and
we
can
take
a
you
run
three
or
four
containers
or
three
or
four
pods
in
your
host
using
soda
traditional.
The
way
you
did
it
with
docker,
and
then
we
have
this
thing
called
podman
generate
coupe
and
we'll
take
that
entire
environment.
It
will
actually
generate
all
the
kubernetes
gmo
files
and
all
the
kubernetes
deployments
things
like
that
that
you
want
so
you
have,
and
then
you
can
take
those.
B
That
you've
been
playing
with
locally
and
let
them
look
different.
We
also
have
to
go
in
the
reverse
order.
Where
you
have
say
you
have
a
container,
that's
not
running
well
inside
of
open
shift,
and
you
want
to
really
get
play
with
it
locally
on
your
host,
so
we
have
partner
and
play
coupe,
so
you
could
take
the
kubernetes
gmo
file
that
you've
written
for.
B
A
B
Transition
from
from
one
environment
to
the
other
right
because
you
go
from
you-
know,
command
line
tool
to
writing
this
complex
yaml
file.
And
if
I
can
give
you
the
complex,
yml
file,
already
pre
pre-created
now
you
can
go
in
and
start
to
toggle
around
little
fields
inside
of
the
eml
file
and
see
oh.
B
Line
is
your
podman.
We
want
podman
available
everywhere.
We
want
it
available
in
all
services
and
we
need
any
anybody
in
the
community
wants
to
help
us.
You
know
we're
fully
open
if
people.
B
Tied
to
red
hat
or
anything
else,
you
read
how
we
use
it
quite
a
bit
we're
you
know,
funding
a
lot
of
the
development,
but
it's
also
a
major
thing
and
susie
now
says:
he's
totally
bought
into
podman
and,
as
I
said,
it's
now
available
in
lots
of
a
lot.
A
lot
of
people
are
running
it
on.
You
know,
ubuntu
it's
available
in
alpine,
it's
available
debbie
and.
A
Save
everywhere
so
well,
dan,
it's
been
great
having
you
on,
I
really
appreciate
you
taking
the
time
to
join
us
today,
we're
just
going
to
call
kubernetes
a
chukka
yaml
from
now
on.
Jp
date
is
in
chat.
He
he
really
appreciates
you
coming
on.
A
So
does
our
normal
narendev,
our
normal
guests,
and
I
can't
thank
you
enough
for
just
bringing
your
knowledge
here
folks,
if
you're
interested
in
the
cube
parts
of
podman,
that's
what
we're
going
to
be
discussing
next
week
in
langdon
white,
show
the
level
up
hour
on
wednesday
at
9
00
a.m,
eastern
time.
A
So
if
you
want
to
learn
what
dan
was
just
talking
about,
dealing
with
the
kubernetes
bits
of
podman
come
join
us
for
that
show
next
week,
but
right
now
we
got
to
cut
over
to
dev
nation
burst
utters
up
next
and
dan.
I
want
to
thank
you
again.
I
want
to
thank
everybody
in
the
audience
for
joining
us,
but
we've
got
to
clear
the
airways
for
the
wonderful
burst.
Sutter.
Okay,
we'll
be
talking
about
open
api.
Three
and
vertex,
so
that'll
be
interesting.
So.