►
Description
What's the best way to secure containers? Many people are rightly concerned about security in their Linux systems, particularly when introducing containers. Join us for a discussion with Dan Walsh, Mr. SELinux and Senior Distinguished Engineer at Red Hat, about securing containers on RHEL and Red Hat OpenShift.
Learn more at https://red.ht/leveluphour
A
Good
morning
good
afternoon
good
evening
and
welcome
to
another
edition
of
the
level
up
hour,
I
am
chris
short
executive
producer
of
openshift
tv.
I
am
joined
by
two
wonderful
red
hatters,
the
illustrious
langdon
white
and
the
always
brilliant
dan
walsh.
Welcome
both
of
you,
langdon
I'll.
Let
you
take
it
away
from
here.
If
you
want.
B
Sure
you
know
we
are
here
with
mr
walsh
or
as
self
referred
to
as
mr
sc
linux,
and
we
all
we
all
know
that
to
be
true.
As
always,
I
like
to
introduce
the
show
just
a
little
bit,
just
kind
of
say
what
we're
doing
here
and
why
and
and
maybe
share
some
slides,
but
so
this
in
case
you
are
lost,
is
the
level
up
hour
and
we'll
see
if
everything
is
laid
out
correctly
so
the
level
of
hour.
B
Here
we
talk
about
kind
of
containers
for
everyday
usage.
You
know
why
you
as
a
you
know,
systems
operator,
or
you
know,
a
linux
sysadmin
or
an
open
shift
operator
or
whatever
kind
of
role
you
have
not
just
developers
developers
are
welcome
too.
I
come
from
a
pretty
strong
development
background
too,
but
I
think
the
use
case
for
developers
using
containers
is
pretty
bit
been
pretty
well
made
in
a
lot
of
places.
B
I
use
containers
for
all
sorts
of
stuff
all
the
time,
so
that's
kind
of
what
we
talked
about
on
the
show
and
then,
but
to
that
kind
of
gives
us
a
little
introduction
to
the
show
you
can
find
myself
on
twitter,
with
at
langdon,
with
a
one
and
chris
short
at
chris
short
and
and
actually
dan's
twitter
handle
is
our
hat
dan.
If
you
want
to
follow
him
on
twitter,
we're
always
also
available
to
kind
of
chat.
B
To
share
it
in
the
in
the
channel
so
that
you
can
go
and
check
it
out
and
join
us
there,
a
little
bit
from
you
know,
kind
of
a
little
bit
more
introduction.
We
have
the
show
notes
from
last
time
are
at
that
url,
which
I
will
throw
in
the
chat
with
some
like
fancy
clicking.
Look
at
all
that
copy
pasting
that
I
didn't
look
at
you,
I'm
so
proud
of
you.
B
So
today
we
want
to
talk
about
se,
linux
containers
and
openshift,
and
that's
why
we
asked
mr
walsh
to
join
us
because
he
knows
stuff
and
yeah
so
we're
I
don't
know
so
yeah.
So
I
think
that's
where
we'll
we'll
stop
at
the
slides,
because
we
don't
want
to
give
away
the
internet
points
quite
yet
and
dan.
If,
if
you
are
unaware
of
what
the
sweet
sweet
internet
points
are
we
will
we
will
talk
about
them
later.
So,
as
I
sip
my
coffee.
B
First
up,
we
usually
try
to
do
some
announcements,
and
so
I
know
myself
and
dan
are
both
giving
talks
this
weekend
at
devcon
cz.
It
starts
on
thursday
ends
on
saturday.
I
don't
think
there's
anything
on
sunday
and
so
dan.
You
want
to
tell
us
a
little
bit
about
what
you're
talking
about
this
weekend.
B
C
At
the
schedule,
I
think
it's
around
9
30
eastern
standard
time,
whatever
that
is
and
see
csct
and
it's
basically
just
a
conversation
that
we
have
every
year
just
get
together.
People
talk
a
little
bit
about
what's
going
on
in
the
container
world
and
then
try
to
get.
You
know
answer
people's
questions.
I
bring
try
to
get
as
many
people
from
by
the
way,
I'm
the
architect,
the
chief
architect
of
all
containers
at
red
hat.
B
B
B
Exactly
exactly
so,
it
is
highly
recommended,
especially
if
you're
doing
something
kind
of
esoteric
with
containers.
You
know
it's
a
lot
of
good
discussion
there.
Unfortunately,
we
will
not
be
serving
beer
this
year
because
it's
hard
to
deliver,
but
you
know
please,
please
join
the
the
virtual
buff
at
least
yeah.
C
B
C
That
talk
is
just
basically
looking
at
it's
a
sort
of
like
a
year-round
view
of
podman
and
the
talk
is
talking
about
all
the
new
features
that
have
gone
to
podman,
we'll
be
talking
about
some
of
them,
probably
in
this
in
the
next
hour.
But
basically
it's
gonna
be
going
through
lots
of
demos
and
just
showing
you
all
the
cool
stuff.
That's.
B
Yeah
we're
pretty
excited
about
it
on
the
show.
Actually,
because
we
talk
about
podband
all
the
time
and
and
I
complain
about
it
and
then
I
go
file
bugs
and
then
sometimes
they
get
fixed.
Sometimes
they
get
closed
and
I'm
told
I'm
an
idiot.
You
know,
but
you
know,
whichever
works
I
also
I'll
just
pitch.
I
have
I'm
actually
hosting
a
keynote
of
some
student
research.
That's
going
on
around
understanding.
B
Sorry,
we
got
some
spam
in
the
chat
we
basically
looking
at
microservice,
architectures
and
trying
to
understand
what's
actually
going
on
in
them.
It's
this
open
source
project
called
profit,
so
that's
at
8
am
on
friday
and
then
my
talk
is
at
9.
30
am
on
friday,
talking
about
event,
driven
architecture
really
using
service
mesh
serverless,
I'm
gonna
try
to
work
in
some
demos.
I
didn't
realize
how
short
the
talks
are
this
year,
so
I
may
be
doing
less
demos
than
I
expected.
B
20
minutes
I
was
thinking
it
was
more
like
30,
35
and
but
so
I'm
gonna,
I'm
gonna,
that's
tight
yeah.
So
so
that
should
be
good,
there's
lots
and
lots
of
other
stuff.
You
know
obviously
we're
gonna.
We
can't
highlight
too
much
of
it
here,
but
I
threw
the
link
to
the
website,
which
has
a
link
to
the
schedule.
It's
free,
it's
virtual.
B
It
is
on
central
european
time.
So
you
know
if
you're
on
eastern
you're
going
to
miss
a
bunch,
but
if
you're
in
europe,
which
I
know
some
of
our
audience,
members
are
or
you
know,
in
asia-
parts
of
asia,
maybe
the
time
zone
will
work
out
better,
so
definitely
recommend
that
the
other
thing
we
were
going
to
talk
about
was
container
plumbers
conference.
B
C
A
C
C
Not
I
want
to
avoid
kubernetes,
open
shift
and
all
the
high
level
you
know,
orchestrators
and
stuff
like
that,
but
really
talk
about
what's
happening
at
the
really
at
the
operating
system
level
to
make
containers
better.
You
know,
there's,
there's
lots
of
changes
in
the
file
systems.
There's
lots
of
changes
and
you
know
systemd
lots
of
change,
features
being
added,
and
so
our
goal
was
to
really
get
a
deep
low-level.
Look
at
some
of
you
know
some
of
those
core
technologies
for
running
containers.
C
B
B
So,
for
example,
it
was
held
in
new
orleans
during
a
hurricane
season
a
couple
years
ago,
and
I
was
like
you
know
that
whole
vp
rule
of
like
you,
can't
put
two
vps
on
a
plane
together,
let's
put
all
of
our
top
kernel
developers
in
one
place
during
hurricane
season
and
just
see
what
happens
so
yeah.
Sometimes
I
I
wonder
about
the
choices
we
make,
but
so
we
so
I
I
actually
think
that'll
be
really
interesting.
B
So,
like
overlay
file
systems,
you
know
or
like
the
concept
of
them
being
in
the
kernel
level,
really
didn't
materialize
until
containers
started,
pushing
them
into
the
kernel,
and
so
I'm
not
sure,
what's
our
what's
our
current
favorite
kind
of
the
what's
the
current
choice
for
the
overlay
file
system,
I
know
it's
not.
Is
it
overlayoffs,
no
right,
yeah.
C
So
well
overlay,
so
right
now
I
mean
to
give
you
an
idea.
What's
going
to
be
talked
about
at
the
conference,
going
back
overlay
file
system
is
the
thing
that
almost
everybody
uses
for
containers
in
the
world
right
now,
and
one
of
the
interesting
things
with
with
the
prideman
effort
is
broadman
is,
is
rootless.
Containers
right
so
basically
allow
you
new
containers
is
rootless.
C
One
issue,
that's
always
been
in
the
linux
kernel,
is,
is
controlling
who's
able
to
mount
file
systems
and
with
with
the
advent
of
username
space
which
what
podman
takes
advantage
of
in
running
gluteless
containers.
There's
certain
file
systems
that
are
allowed
to
be
mounted
by
inside
of
usernamespace.
So.
C
Space,
you
were
able
to
mount
the
sysfs
procfs,
slash,
typefs,
bind
mounts
and
fuse
file
systems,
so
over
the
last
few
years
we've
been
using
fuse
overlay.
So
basically,
one
of
the
guys
in
my
team,
giuseppe
squaban,
rewrote
the
overlay
file.
Systems
from
the
kernel
is
a
fuse
file
system
and
that's
what
everybody
in
the
world
has
been
rude.
This
world
is
taking
advantage
for
containers.
B
C
Again,
as
you
just
said,
to
support
new
security
features
or
new
features
of
the
operating
system,
now
we're
going
to
continue
to
give
you
another
idea.
One
of
the
issues
we
have
with
rootless
containers
is
using
nfs
as
a
home
the
emphasis
of
the
home
directory.
This
comes
out
with
enterprise
customers.
More
than
non-enterprise.
C
C
To
work
in
our
environment,
I
don't
want
to
get
too
deep
into
it,
but
basically,
when
you're
running
a
container
in
your
home
directory,
you
actually
get
allocated
multiple
uids
to
run
your
processes.
So
just
imagine
you're
doing
a
pull
of
a
pull
of
an
image.
So
when
I
pull
down
an
image
that
image
is
going
to
have
multiple
uids
inside
of
it,
so
you
can
have
a
uid
of
you
know.
C
Most
muscle
files
say
wrong
by
root
inside
of
your
image,
but
say
you
have
one
that's
owned
by
the
apache
user
say
that
batch
user
60..
So
when
I'm
pulling
down
an
image
into
my
home
directory
what's
happening,
is
I
have
a
process
running
as
my
user,
dan
walsh,
but
inside
of
usernamespace,
so
it
looks
like
uid
0.
and
when
it's
pulling
down
the
xero
files,
it's
it's
writing
them
to
disk,
and
you
know
everything's
fine.
A
C
A
A
C
Know
about
username
space,
and
so
therefore
it
denies
it
and
everything
blows
up
which
causes
anybody.
That's
trying
to
run
our
containers,
you
know
podman
and
builder,
and
all
the
container
tools
is
rootless,
won't
work
on
if
you
have
an
nfs
home
directory
and
turns
out
lots
of
enterprise,
customers
still
use
nfs
home
directories,
so
we
have
a.
We
have
a
issue.
So
one
of
the
things
we're
looking
at
going
forward
is:
how
do
we?
How
do
we
get
you
know,
continue,
potentially
use
the
fuse
overlay
file
system
and
have
fused
overlay?
A
C
That
it's
writing
out:
uid
yeah
one
hundred
thousand
and
sixty,
but
basically
use
an
extended
attribute
to
write
out
a
file,
and
so
that's
the
type
of
stuff
we're
investigating
and
working
on
all
the
time
to
solve
these
sort
of
tricky
issues
that
you
know,
don't
really
exist
when
you're
running
root,
full
containers.
But
it's
you
know
how
do
we?
How
do
we
continue
to
improve
our
security
by
allowing
more
and
more
workloads
to
write,
running
ruthless
mode.
B
C
A
C
A
C
C
A
C
B
I
mean
yeah
and
I
it's
like
it's
fundamentally
wrong
right,
I
mean,
like
you
know,
like
a
user,
should
have
a
user
id
not
a
set
of
them,
hence
user
id.
So
you
know
I
could
see
why
it
would
take
a
while,
for
you
know,
kind
of
the
rest
of
the
software
to
kind
of
respond
to
that.
You
know,
like
that's
a
pretty.
You
know
conceptual
change
to
your.
You
know
your
software
did.
Did
I
see
some
other
questions
go
by
or.
A
It
please
just
re-ask
it
and
I
will
get
it
caught,
but
I
don't
see
any
necessary
questions.
Just
more
comments
on
nfs,
v3
versus
v4
right
right,
xcd
needs
faster
disks
than
what
nfs
can
really
provide.
So
I
dropped
a
link
to
that
ncd
fio
article
from
ibm
that
really
kind
of
saved
my
butt.
When
I
was
standing
up
my
cluster
here
at
home,
so
yeah.
B
So
I
mean,
I
think,
long
story
short,
though,
is
that
if
this
conversation
is
interesting
and
you
want
to
kind
of
really
delve
into
it,
you
should
definitely
check
out
the
container
plumbers
day.
Right,
I
mean
like
this
is
the
kind
of
conversation
that's
taking
place
there
and
it
would
be
real.
Like
you
know,
I
I
am
now
more
convinced
to
want
to
go,
because
I
do
like
some
of
this
stuff
kind
of
talking
about.
B
C
C
If
the
y
and
z
change,
then
you,
theoretically,
just
everybody
should
be
able
to
upgrade
and
there's
no
breakage,
so
existing
tooling
should
always
work
if
the
x
changes.
That
means
that
you
know,
there's
a
breaking
change
right,
that
that's
something
we're
going
to
break
something
in
previous
versions
by.
B
C
So
so
we
had
a
when
pogman
was
first
started
out.
We
we
decided,
it
was
the
first
remote
client,
the
remote
capability
in
podman
was
we
used
a
tool
called
biolink
and
firelink
was
the
mechanism
for
us
to
be
able
to
start
sort
of
remote
containers.
We
have
podman
on
a
mac
and
it
could
talk
file
link
to
a
linux.
A
C
And
it
would
talk
to
on
demand
podman
instance
on
there
and
launch
it,
and
so
we
were
sort
of
the
cutting
edge
with
par
with
violin,
and
but
we
ended
up
having
a
lot
of
issues
with
valinc
and
simultaneously,
with
this,
a
lot
of
people
were
trying
to
push
podman
to
you
know.
Padme
was
originally
announced
as
a
replacement
for
docker
at
the
cli
level.
The
command
line
and
a
lot
of
people
said
well.
We
need
podman
to
support
the
ability
to
do
darker
type
stuff,
basically
implement
the
darker
socket.
C
C
Can
cover
now
lots
and
lots
of
people
built
into
the
cicd
systems?
You
know
basically,
tools
that
talk
to
the
docker
socket
and
now
we
can
just
put
podman
in
there
listening
to
the
socket
and
implement
it.
So
since
we
wanted
to
go
to
one
remote
api,
we
were
dropping
var
link
as
support.
So
one
of
the.
C
C
C
C
B
C
A
C
C
B
C
So
this
is
things
like
that,
and
our
goal
now
is
to
take
it
beyond.
You
know,
take
take
it
way
beyond
what
doc
docker
had
capabilities
do
and
we've
already
driven
that
through
our
support
for
originally
c
groups,
see
groups
v2,
I
met
speaking
of
devkov
two
years
ago
with
devkov
I
I
announced
that
fedora
was
going
to
move
to
signal
32,
even
though
darker
won't
run
on
it
and
that
caused
a
little
bit
of
a
stink
in
the
in
the
world,
and
I'm.
C
Pronounce
that
two
years
later,
you
know
pretty
much.
The
whole
world
is
moving
to
see.
Gru's
v2
darker
works
on
sigma's
v2
now
and
kubernetes.
I
think
either
the
summer
release
or
the
fall
release
is
going
to
finally
support
secrets,
v2
and
it
was
all
driven
by
pushing
fedora
to
turn
it
on
by
default.
B
C
And
the
container
world
was
stuck
at,
you
know,
secrets
v1
and
you
know
it.
It
needed
a
a
nudge
or
a
shove
off
a
cliff
or
whatever
to
finally
force
us
through
and
podman
was
the
the
solution
to
this,
because
pogman
worked
instantaneously
with
secrecy
too,
and
we
gave
people
a
way
to
to
to
move
forward
and.
A
C
A
A
B
B
I
can
never
say
her
last
name,
but
who
is
one
of
the
co-chairs
of
dev
conf
us,
but
is
also
a
contributor
to
podman,
so
we
we
think
she
may
also
be
on
the
show.
I
have
to
finish
twisting
her
arm
to
be
on
the
show
with
brent,
but
we'll
see.
So,
let's
see
what
I
did
want
to
talk
about.
You
know
kind
of
we've.
B
We've
been
talking
a
lot
about
kind
of
the
general
world
of
containers,
but
I'm
kind
of
curious
about
like
what
do
you
see
as
like,
like
what
is
openshift
and
kubernetes
in
a
sense?
What
is
its
relationship
to
kind
of
security,
and
what
I
mean
that
like
how?
Where
where
does
that
security
come
from?
Is
it
coming
from
linux?
Is
it
coming
from
the
containers?
Is
it
coming
from
run
c?
Is
it
coming
from?
Something
else?
Is
it
a
combination
of
all
of
them
like
how
does
how
does
that
stuff
kind
of
work?
B
C
So
security
comes
especially
in
something
like
open
shift
to
kubernetes.
It
comes
at
different
levels
and
obviously
things
like
role-based
access,
control
at
who's
allowed
to
launch
what
kind
of
containers
and
what
kind
of
systems
and
that's
all
stuff,
that's
way
above
my
my
head.
So
I
don't.
I
don't
deal
in
that
level
because
that's
that's
sort
of
apis
and
stuff,
like
that.
I.
A
C
C
C
C
So
we
we're
giving
you
a
little
less
root
than
you
traditionally
did
so
another
way
of
looking
at
containers,
or
you
know
if
you,
if
I'm
in
a
container-
and
I
want
to
I'm
a
bad
guy
inside
of
a
container
one
of
the
things
I
want
to
do
is
I
want
to
check
the
operating
system
right.
I
want
to
attack
the
kernel,
so
you
can
take
a
journal
and
so
there's
mechanisms
of
attacking
the
kernel
through
file
systems,
so
kernel.
A
C
Systems
things
like
slash,
system,
proc
and
stuff
like
that,
and
so
what
one
of
the
things
we
do
in
that
environment?
Is
we
basically
take
those
file
systems
we
mount
them
as
as
read
only,
and
so
you
know,
process
inside
of
a
container
need
to
be
able
to
work
with
read.
Only
work
need
to
be
able
to
work
with
slash
and
slash
proc,
but
they
don't
need
to
write
to
them.
A
C
And
then,
with
the
the
limited
power
of
root,
even
though
you
might
be
rude
inside
your
container,
you
know
we
take
away
the
ability
to
mount
and
unmount,
and
so
so
just
those
mechanisms.
The
other
thing
is
certain.
Parts
of
the
file
system
were
never
intended
to
be
hidden
from
users,
but
what
we
can
do
is
we
can
mount
devnet
over
certain
types
of
files
in
the
slash
system,
slash
proc,
and
we
can
also
mount
empty
directories
over
some
directory
structures
that
that
most
processes
don't
need.
C
Second,
another
thing
we
do
is
is
controlling
which
devices
so
another
way
to
attack.
The
operating
system
is
through
you
know,
kernel
devices,
and
so
we
we
eliminate
the
amount
of
devices
that
your
container
can
see.
So
you
don't
see
so
dev,
sd,
zero
and
stuff
like
that.
Lastly,
another
way
you
can
attack
the
operating
system
is
through
syscalls
and
we
take
advantage
of
a
thing
called
secop.
C
So,
instead
of
you
know,
x86
64,
machining,
there's
about
seven
or
eight
hundred
syscalls
available
to
you
and
what
we
do
with
secop
rules
is.
We
can
actually
cut
down
the
amount
of
syscalls
that
are
allowed
to
your
processes,
down
to
say,
300,
syscalls
and
so
now,
if
there's
a
bug
in
a
linux
kernel.
A
A
C
C
C
So,
but
if
I'm
able
to
break
out
of
my
container,
maybe
I
can
get
out
to
the
parts
of
the
operating
system
to
to
be
able
to
read.
So,
if
you
think
of
just
a
time
sharing
system
right,
how
often
do
people
have
world
readable
files
in
their
home
directory
and
if
I
have
two
users
running,
I
might
be
able
to
read
that
file
in
your
directory
or
your
home
directory.
C
There's
lots
and
lots
of
files
all
over
the
operating
system.
That
probably,
are
you
don't
intend
to
be
written,
read
by
other
entities
and
you
especially
don't
expect
them
to
be
written
to.
So
how
do
you
protect
the
file
system
if
I'm
able
to
break
out
the
container
and
get
out
of
the
file
system
and
the
best
tool
in
the
world
to
do
that
is?
Is
seo
linux,
so
sc?
Linux
is
all
really
about
controlling
access
to
the
file
system.
A
C
A
C
Protects
the
operating
system,
you
know
the
entire
file
system
from
it.
The
second
part
of
sc
linux
is
that
not
only
can
we
say,
you're
a
dog
but
can
actually
name
the
dog,
so
I
can
say
your
your
dog
and
your
fido,
and
then
this
is
the
dog
food
for
flockado
and
and
then
we
could
block
you
know,
say
another
dog
named
spot
from
being
able
to
fight
his
dog
food
and
that's-
and
this.
A
C
Actually
pick
a
random
mcs
label.
Basically,
it's
a
little
indicator
that
names
the
container
and
in
sd
linux
we
can
label
the
content.
Similarly,
and
now
we
say
if
a
container
breaks
out,
it
can't
read
other
containers
data
because,
right
again,
this
is
the
dark.
Spot
can
only
read
and
the
container
spots
content
and
so
fundamentally,
there's
no
other
tool
in
the
world
that
at
the
operating
system
level
that
protects
the
file
system
and
that's
where
sc
linux
rules
now.
C
B
C
The
other
coloring
book
talked
about
it's
actually
based
on
the
three
pigs
and
and
the
whole
idea
there
is.
Is
you
know
you
have
your
applications
and
the
pigs
and
the
analogy
and
and
you're
basically
choosing
where
the
pig
should
live,
and
we
talk
about
the
difference
you
know,
pigs
should
live,
the
most
secure
is
going
to
be
on
physical,
different
machines,
and
then
you
have
them
live
in.
C
A
A
C
B
C
C
Is
you
usually
want
to
be
able
to
write
to
something
right?
You
want
to
write
to
storage
of
the
operating
system,
and
so
this
is
what's
in
docker,
calling
the
term
volumes
right.
So
this
is
volume
mounting
in
so
I
I'm
running
a
database.
I
might
have
an
image
say:
mariadb,
that
is
the
maria
dvd
executable
and
all
the
stuff
used
to
support
that,
but
I
actually
don't
want
the
database
in
the
container.
I
want
the
database
stored
on
local
storage
so.
C
What
I
do
is
I
I
volume
mount
in
into
into
that
in
storage.
In
this
case
we
talked
earlier
about
overlay
right.
I
don't
want
to
have
a
copy
and
write
file
system
for
my
database.
I
want
to
have
this
great
the
best
best
file
system.
I
can
so
when
I
volume
mount
in
content
into
a
container.
This
is
where
all
of
a
sudden,
the
security
becomes
a
concern.
A
C
Food,
but
now
I've
taken
something
from
the
operating
system
and
stuck
it
in
the
container,
and
that
is
not
labeled
as
cat
food.
So
I
need
a
way
to
basically
re-label
that
content
to
be.
You
know
the
content
that
this
container
can
use
and
in
the
etsy
linux
case,
that
that's
using
the
there's,
a
special
colon
z
and
colon
capital
z
that
I
can
put
on
a
volume
mount
to
cause
the
container
engine
docker
or
a
pod
man
to
go
out
and
relabel
the
content.
So
now
it's
it
becomes
cat
food
content
right.
C
A
C
Well,
when
we
move
to
virtual
machines
just
like
that
right
in
virtual
machine
container
separation,
how
do
I
handle
volumes
right
and-
and
in
the
case
of
you
know,
when
you're
running
in
a
virtual
machine
environment,
you
have
a
different
kernel
in
the
host
kernel.
So
I
can't
just
use
standard
bind
mounts
to
take
a
volume
in
like
we
do
in.
C
C
Yeah
right
yeah,
so
vert
ios
is
basically
realizing
that
you
know
this
is
all
happening
inside
the
same
kernel.
You
know
virtual,
even
though
it's
a
virtual
kernel,
you
know
how
can
we
take
advantage
of
the
the
tight
communications
path
there
and,
and
so
virtio
fs
is
a
really
cool
feature
for
using
things
like
how
to
containers
and
taking
volumes
off
a
disk
and
putting
into
it
there's
going.
C
Containers
plumbing
on
vertiofs,
it's
really
kind
of
cool
to
to
look
at
that,
but
as
soon
as
so
dropping
back
to
se,
linux
again
as
soon
as
I
take
that
file
system
right,
so
I
have
vertifs,
which
is
running
a
little
demon,
a
fused
demon
on
host
and
that's
communicating
with
the
kernel
inside
of
the
container.
The
kbm
separated
container.
C
B
C
A
C
C
We
even
though
we
have
kvm
separation
that
ends
up
being
you
end
up
having
to
pull
walls
through.
You
know
these
better
separations,
so
we
end
up
having
to
take
advantage
more
and
more
of
the
operating
system.
So
that's
all
features
that
we're
taking
advantage
of
right
now
in
in
open
shift
and
containers
and
and
and
and
stuff
like
that
and
that's
all
different
parts
of
the
operating
system
I
deal
with
and
work
with.
C
With
you
know,
running
containers
with
different
groups
of
uids
and
so
they're
separated
again
using
the
traditional
uids
and
when
we
have
a
container
that
requires
multiple
uids
or
requires
something
like
root
inside
of
a
container
using
any
space,
because
it's
the
ability
to
do
that
in
a
more
secure
way.
Well,
using
any
space,
has
never
made
it
into
kubernetes.
C
C
C
It
will
it
can,
it
can
do
it,
we
can
do
it
like
a
side
door,
so
we
can
do
things
called
attributes,
so
we
could
say
that
special
attributes
to
say
I
want
this
thing,
but
kubernetes
doesn't
know
what's
happening,
it's
just
cryo
underneath
the
covers
is
doing
it.
So
we're
you're
going
through
the
standards
process
and
go
through
the
kubernetes
teams
to
get
use
the
namespace
to
be
a
full
first-class
citizen
in
the
world
of
of
of
that,
and
I
I
think
that'll
be
out
by
the
fall.
C
A
C
Conference
I
go
to
every
year
called
defense
and
depth,
the
federal
team
who's
is
and
and
military
they're
always
looking
at.
You
don't
have
just
one
wall,
you
have
multiple
walls,
you
have
mines
and
you
have
your
different
types
of
stuff.
So
in
container
security
or
any
type
of
security,
you
want
to
have
as
many
levels
of
defense
as
possible
so
that
the
bad
guy
might
get
through
the
first
line,
but
he
can't
get
through
the
second
line.
C
B
If
you
could
just
take
those
capabilities
away,
is
because
you're
going
from,
I
have
a
high
level
of
power
and
then
taking
away
abilities
versus
having
a
low
level
of
power
and
adding
abilities,
and
so
when
you
do
the
root
full
container,
you're
you're
extracting
privilege,
which
you
may
make
a
mistake
on,
whereas
if
you're
taking
the
root
list,
container
you're,
adding
privileges-
and
the
mistake
will
only
result
in
that
process
suffering,
not
the
system
being
compromised
is
that
is
that
a
good
understanding
of
kind
of?
Why
root
full.
C
That's
a
a
great
way
of
looking
at
this
is:
is
it's
always
harder
to
you
know
in
the
selenius
world
I
used
to
you
know
people
wanted
to
have
an
admit
and
they
used
to
say
I
want
an
admin
that
can
cannot
do
this
right.
I
said
no,
no,
no
yeah!
You
can't
define
something
he
can't
do.
What
you
have
to
define
is
what
he
can
do
and
and
if
you
start
with
the
assumption,
you
know
this
is
a
user
that
can,
you
know,
send
a
ping
message.
Then
that's
easy
for
me.
C
C
To
do
can
turn
off
the
security
that
prevents
them
sending
the
ping
message
now
so
yeah,
that's
a
good
way
of
thinking,
but
I
want
to
go
back
to
your
first
assumption.
You
talked
about
root
full
versus
rootless.
Now,
when
you
talk
about
linux
capabilities,
this
is
a
kernel
concept
right,
so
the
kernel
has
divided
out
the
power
of
root.
C
C
C
Capabilities
secondary
to
that
is.
The
colonel
has
basically
said
that
you
know
I'm
lowering
the
power
of
root.
The
problem
is
anytime,
you
do
a
process
to
process
communication
in
user
space
user
space
has
made
huge
huge
assumptions
about
a
process
on
the
other
end
of
a
unix
domain
socket
is
being
owned
by
uid
zero
right
they're,
not
looking.
If
you
look
at
even
system
d,
it
is
not
looking
at
which
capabilities
the
process
that's
connecting
you
to
it
is,
is
running
at
it.
C
Just
sees
the
uid
equals
zero
and
says
oh
you're
root,
so
I'm
going
to
allow
you
to
do
stuff,
and
you
know,
even
if
that,
even
if
that
route
had
all
its
capability
of
the
only
thing
it
was
allowed
to
do
was
do
ping.
So
fundamentally,
getting
rid
of
you
know.
Uid
xero
has
is,
has
merged
itself
into
the
operating
system,
even
though
it's
not
really
much
different
than
right
e1000.
B
Yeah,
so
I
suspected
that
I
mean
because
you
know
like
I
see
it
all
the
time
right
I
mean,
even
if
you're
writing
a
bash
script,
that
you
want
to
run
as
root,
and
you
want
to
test
for
it.
You
know
you
basically
look
for
uid
0.,
you
don't
there's!
No!
You
know
there's
no
like
easy
bash
command.
That
says,
is
this
person
root
so
yeah
and.
C
C
So,
there's
no
way
to
inside
the
single
communication
to
be
able
to
figure
out
whether
or
not
which
capabilities
are
available
to
a
process
on
the
system.
And
so
every
effort
in
linux
has
been
torn
down
by
linus
tabalis
because
he
doesn't
like
he's
not
going
to
allow
any
racy
security
assumptions
to
be
built
into.
B
B
I
I
literally
just
filed
a
bug
against
systemd
the
other
day,
saying
it'd
be
really
nice.
If
I
was
not
privileged
user.
If
I
did
system
control,
you
know
status
some
service
name,
it
would
assume
dash
dash
user,
because
I
I'm
not
root
right.
So
why
would
I
be
asking
anything
else
and
yeah?
And
so
it's
it's
kind
of
funny,
because
yeah
we
we
fundamentally
don't
really
have
that
understanding.
B
B
C
There
chiaco
is,
is
more
about
building
container
images
right
and
the
real
question
that
would
have
been
builder
versus
canada
is
probably
the
correct
thing.
So
podman
has
podman,
build
and
and
podman
build
under
the
covers
is
basically
build
the
code
sucked
into
into
podman.
So
most
of
the
time
when
people
report
bugs
on
podman
built,
we
always
redirect
them
to
builder
and
builders.
So.
A
C
Is
a
tool
so
the
so,
if
I'm
going
to
compare
builder
to
canaco
builder
mechanical
do
somewhat
similar
things,
especially
when
it
comes
to
handling
of
docker
files
and
and
builder's
term.
Now
we
have.
We
also
support
container
file,
because
I
want
to
get
the
word
that
the
d-o-c-k-e-r
adjective
out
of
the
out
of
the
world
as
much
as
possible,
but
basically
so
the
format,
the
docker
files
sort
of
standardized.
C
C
Lots
of
tools
to
be
able
to
to
do
that.
What
fundamentally
we
wanted
to
do
with
builder,
you
know,
so
we
wanted
that
support,
obviously,
because
that's
the
vast
majority,
but
we
also
wanted
to
experiment
with
builder
to
be
able
to
create
images
from
scratch
without
requiring
you
to
build
the
darker
file.
The
secondary
thing
I
wanted
to
do
is
be
able
to
take
advantage
of
the
operating
system.
So
you
know,
if
you
ever
see
me,
give
a
talk
on
builder.
I
talk
about
you,
create
a
directory,
you
copy
some
content
into
it.
C
You
create
an
image
and
push
it
off
to
a
registry.
There's
no
reason
to
have
a
docker
file
to
do
that.
If
you
want
and
then
so
builder
has
all
of
the
sort
of
the
low
level
intrinsic
commands
to
create
a
container
image
without
having
to
go
through
a
docker
file,
so
you
could
use
bash
scripting
or
you
could
use
higher
level
tools.
C
To
build
using
fundamental
tools,
so
some
ways
builder
is
sort
of
like
a
library
and
when
we've
entered
into
podman
as
a
library,
and
then
we
also
it's
also
gone
into
openshift.
So
any
of
the
openshift
source
game
image.
Builders
and
things
like
that
are
using
build
around
the
covers.
It's
been
pulled
into
ansible
and
and
lots
and
lots
of
people
use
builder
as
a
low-level
tool.
But
probably
the
vast
majority
are
still
using
it.
As
a
mechanism
for
building
docker
file,
which
can
echo,
is
doing
the
same
thing
and.
A
A
C
B
A
C
C
The
low-level
functions
that
would
go
in
there,
the
other
thing
is
violin,
didn't
seem
to
have
great
upstream
support
at
the
time.
And,
lastly,
we,
you
know
so
probably
the
biggest
one
is.
We
didn't
want
to
have
two
ways
of
doing
this,
and
most
people
were
demanding
that
we
did.
You
know
an
api
based
on
the
docker
socket
api,
and
so
you
know
it
was
just
like
it
just
made
it.
C
C
C
An
activator
yeah
we
have
a
system
d.
Will
a
systemd
service
that,
when
you
connect
to
a
certain
socket,
will
activate
a
podman
instance
and
that
body
man
instance
will
service.
You
will
basically
launch
a
container
or
give
you
a
list
of
containers
or
whatever,
but
basically
each
one
of
these
communications
causes
a
podman
instance
to
be
fired
up
and
then
communicate
back
over
the
channel
saying
you
know:
here's
my
containers.
B
B
I
don't
yeah
for
some
reason.
I
don't
think
I
ever
realized
that
the
soccer
communication
that
docker
was
doing
was
like
hdb
kind
of
rest.
You
know
socket
communication.
I
always
assumed
it
was
like
a
loopback
kind
of
binary
socket.
You
know
that
was
yeah,
that's
interesting!
Okay,
so
was
there
another
question
or
anything
chris.
C
The
answer
to
that
is
is
not
yet
so
again
we
were
rushing
to
get
the
thing
out,
so
we
got
the
full
support
for
root
full
and
no
one's
ever
looked
at
running
compose
rootless
because
it
was
always
talking
to
the
docker
socket.
But
since
we
are
the
champions
of
the
routeless
container,
we
will
make
it
work.
The
the
biggest
issue
we
have
right
now
is
is
composed
as
a
lot
of
network
configuration
when
it
starts
up,
so
most
people
don't
ever
configure
and
do
stuff
with
the
network.
C
B
So
one
of
the
things
that
I
actually
think
was
really
cool
and
didn't
realize
about
podman.
You
know
before
I
actually
started
doing
the
show
was
the
basically
being
able
to
describe
you
know
a
pod.
You
know
like
a
kubernetes
pod,
as
the
ammo
and
kind
of
you
know
essentially
do
the
equivalent
of
podman
compose,
but
using
yaml.
That
would
also
be
translatable
to
kubernetes
or
openshift.
B
Is
there
a
consideration
around
how
like
what
I
thought
was
kind
of
cool
about
that
is?
I
could
on
my
local
machine
then
I
could
set
up.
You
know
my
little
database,
my
little
web
server,
whatever
and
kind
of
set
it
up
all
correctly,
to
eventually
be
deployed
in
kubernetes,
with
the
same
syntax,
going
to
docker
compose
syntax
to
kind
of
semi-accomplish.
The
same
goal
means
I
lose
that
kind
of
translatableness
to
kubernetes
have.
Has
the
team
been
thinking
at
all
about
how
what
is
my
migration
look
like
from
okay?
B
C
It's
always
like,
oh
god,
I
got
this
yaml
file
which
basically
I
go
out
somewhere
and
I
download
someone
else's
pre-prepared
yaml
file,
and
now
I
go
start
mucking
around
with
it
and
trying
and
failing
miserably
trying
to
figure
out
how
to
write
a
container
to
run
such
communities.
So
one
of
the
fundamental
things
we
did
with
pogman.
C
We
said:
let's,
let's
sort
of
build
the
best
practices
to
run
our
containers
into
it,
and
and
we
we
have
a
thing
called
podman
generate
coupe,
and
what
that
does
is
takes
you
running,
containers
or
running
pods
on
your
system
and
takes
the
takes,
what
those
are
and
translates
them
into
a
kubernetes
gmo
file.
Oh.
A
C
That's
basically
what
you
talked
about
here
and,
and
one
of
the
goals
with
pod
man
is
to
make
the
road
map
onto
openshift
and
kubernetes
easier
right
to
to
allow
you
to
transfer
from
your
sort
of
darker
knowledge
to
your
kubernetes
knowledge.
So
reasons
interesting.
The
question
you
asked
about
compose
is
actually
brent
who's.
Coming
up
to
give
a
talk
with
you,
guys
he's
also
giving
a
talk
at
the
containers,
plumbing
called
going
from
compose
to
kubernetes
and
and
what
he.
C
A
B
A
C
A
C
And
so
you
know,
at
least
with
the
kubernetes
play
you
know,
generate
coupe
apartment
generate
coupe.
I
get
to
the
point
where
I
have
a
kubernetes
ammo.
That's
you
know
that
I
can
sort
of
map
back
to
what
I
understand
here
and
now
I
can
stop
looking
at
deployments
and
so
the
advanced
features
of
kubernetes.
From
that
point
on.
C
C
C
A
B
So,
just
kind
of
on
the
note
of
never
writing
your
own
code
from
scratch.
I
have
to
plug
one
of
my
favorite
pieces
of
software
of
all
time,
which
is
a
little
python.
Script
called
how
do
I,
which,
on
the
command
line,
will
actually
search,
stack,
stack,
overflow
and
all
that
stuff?
For
how
do
you
do
this
thing
that
you
can
you
can
cut
and
paste
from?
I
will
throw
that
in
the
chat.
B
B
A
A
B
A
B
So
much
I
will
point
out.
Noah
friction
made
a
big
jump
this
time.
I
can't
remember
exactly
what
he
had
before,
but
he
did
make
a
big
jump
over
this.
This
notch
and
yes,
noah,
I'm
assuming
it's
a
male.
I
apologize
if
I'm
incorrect,
but
then
we
also
have
joe
fuzz
and
detective
conan,
kudo
and
bacon
fork
still
going
strong,
it's
starting
to
catch
up.
You
know
we
got
to
see
some
get
some
more
points.
We
have
on
the
screen
right
now.
A
B
It's
it's
definitely
neck
and
neck.
You
know
do
remember.
There
are
other
ways
to
earn
points.
Besides,
just
watching
the
shows
you
can
file
issues
on
the
episodes
you
know
with.
Like
topic
suggestions,
you
can
do
pr's
you
can,
and
now,
if
you
remember
from
last
episode,
I
think
I
was
talking
about
the
openshift
clients
container.
You.
B
B
There's
no
external
reward
as
well,
I'm
sorry
to
say,
but
we
do
have
three
new
people
that
I
I
saw.
You
know
there
may
be
others
and
I
just
didn't
realize
they
were
all
new.
But
so
thank
you
and
I
hope
you're
back
from
last
time-
and
I
I
don't
know-
walker
triple
dub
walker,
maybe
and
dj-
follow
and
alex
77
g.
Well,
wait,
seven
would
be
lee
would
be
l
so
I'll,
no
still
not
pronounceable.
So
thanks
so
much
for
coming.
B
I
hope
you
are
back
this
time.
I
hope
you
come
and
watch
more
shows.
You
know
we
do.
We
have
a
pretty
solid
schedule.
I
think
out
through
may
we're
doing
credential,
not
credentials
subscriptions
and
licensing.
I
think
next
time.
Oh
actually
good
note.
We
are
dark
next
week
because
I
will
be
in
a
weird
time
zone,
even
though
I'll
be
at
home,
so
we're
not
gonna
do
the
show
next
week,
but
the
week
after
that,
we're
gonna.
B
A
B
Actually,
we
have
a
couple
of
experts
and
maybe
some
more
yeah.
It
takes
a
large
number
of
experts,
so
we're
going
to
talk
about
subscriptions
next
time.
I
think
we're
going
to
talk
about
helm
the
one
after
that
and
then
after
that,
we're
going
to
have
that's
when
brent
is
on
and
that
we'll
be
talking
about
podman
v3
in
particular,
and
maybe
some
deep
dive
stuff
into
the
compose
components.
B
Yeah
then,
after
that
we
actually
are
gonna,
be
doing
another
we'll
do
it
a
deep
dive
into
ubi
and
what's
involved
in
ubi
and
then
and
then
actually
right
after
that,
we're
going
to
be
talking
about
summit
and
at
least
summit,
maybe
kubecon
as
well,
with
chris
wright,
the
red
hat
cto.
That's
coming
up
in,
let's
see
what's
the
date
for
that
looks
like
april
21st,
so
about
a
month
from
now
or
no
two
months
from
now.
Oh.
B
Month,
it
is
sometimes
yeah.
We've
I've
been
talking
to
a
bunch
of
people
lately
about
you
know
like
there's
various
kind
of
people
involved
in
the
red
hat
ecosystem.
You
know
so
like
partners,
customers,
casual
users,
you
know
whatever,
but
a
lot
of
them.
They
like
feeling
like
insiders.
You
know
with
kind
of
like
insider
knowledge
and
stuff
like
that
and
I'm
like,
are
they
watching
the
openshift
stream?
You
know
the
openshift
tv,
because
that's
where
you
get
knowledge
of
the
future,
so
definitely
thanks
so
much
for
coming.
B
I
hope
you
enjoyed
the
show.
I
hope
we
weren't.
You
know
if,
if
that
wasn't
what
you
wanted
to
talk
about
with
containers
and
security
and
that
kind
of
stuff,
let
us
know
either
on
discord
or
file
an
issue
or
whatever,
and
let
us
know
what
other
aspects
of
security
you'd
like
to
talk
about
or
hear
about,
and
we
can
either
invite
dan
back
or
we
could
invite
others
to
to
discuss
those
things.
You
know
we're
we're
here
for
you.
A
B
B
It
happens,
I
mean
you
know
like
usually
there's
a
you
have
to
set
sc
linux
booleans.
Sometimes
I
certainly
don't
know
how
often,
but
it
is
that
is
interesting.
You
know
feel
free
to
bring
that
back
for
when
brent's
on
and
maybe
talk
about
it
a
little
bit
more.
You
know,
but
you
know,
let
us
know
yeah.
A
So
yeah,
let's
wrap
this
thing
up
and
send
it
home
definitely
check
out
the
developer
sandbox.
If
you
haven't
used
openshift
for
or
if
you
have,
and
you
want
to
learn
a
little
bit
more
right.
We've
got
free
developer,
sandboxes
we're
handing
out
it's
in
beta,
so
it's
kind
of
resource
constrained,
but
we
have
seen
it
stand
up.
What
was
it
we
stood
up
our.
A
B
You
can
do
kind
of
you
know
like
online
ide
inside
the
same
environment
that
you're
actually
gonna
deploy
the
thing
that
you're
playing
with
or
building
directly
into
the
same
kind
of
environment.
So
it's
kind
of
one
big
integrative
environment
of
here
is
a
text
editor
that
looks
like
vs
code,
and
you
know
it
will
deploy
an
application
directly
into
the
containers
running
inside
openshift
yeah.
It's
pretty
slick.
A
So
yeah
so
expect
more
like
expect
more
in
the
future
right
like
it
just
launched
what
last
week
I
mean
yeah
yeah,
pretty
pretty
recent
yeah
yeah,
so
yeah,
regardless
check
out
the
show
later
today
subscribe
to
the
calendar,
and
we
appreciate
you
tuning
in
and
we
want
you
to
stay
as
safe
as
possible
out
there
and
more
coffee
drink
more
coffee,
because
lord
knows
I
need
it.
I
know
mine's
gone,
oh
sad,
so
sad,
all
right
folks,
thank
you
very
much.
Well
see
you
next.