1 00:00:00,900 --> 00:00:04,110 Left over on your screen is Dmitri.
2 00:00:04,110 --> 00:00:05,900 I think this is your first time on the show, right?
3 00:00:06,490 --> 00:00:06,860 Yeah.
4 00:00:06,880 --> 00:00:07,260 All right.
5 00:00:07,260 --> 00:00:08,470 This is the first time on.
6 00:00:08,550 --> 00:00:09,720 So thanks for having me.
7 00:00:10,070 --> 00:00:10,310 Yeah.
8 00:00:10,320 --> 00:00:18,380 And he's right now in Greece but he's actually normally in Barcelona running the Docker Barcelona meetup.
9 00:00:18,390 --> 00:00:23,390 He is the founder at Harbor cloud solutions and I'm super excited to have him on the show because he's going
10 00:00:23,390 --> 00:00:28,860 to talk to us about rootless Docker, which is a brand new thing this year, and we'll talk about why that's
11 00:00:28,860 --> 00:00:31,430 important and why you might want to check it out.
12 00:00:31,440 --> 00:00:36,270 Dimitri, what's the elevator pitch to someone who knows containers and they know how to run Docker, now
13 00:00:36,750 --> 00:00:39,920 why should they care about rootless Docker?
14 00:00:39,930 --> 00:00:42,040 Yeah so basically.
15 00:00:42,300 --> 00:00:45,380 First of all, why do we need containers in the first place?
16 00:00:45,420 --> 00:00:50,310 Basically what we want to do with containers is that we want to isolate the applications inside their
17 00:00:50,310 --> 00:00:57,470 specific user space so that they cannot do things outside of that space, and isolate them.
18 00:00:57,480 --> 00:00:59,520 And in that context.
19 00:00:59,550 --> 00:01:08,400 But once someone is able to run containers, what we know is that, normally what we say is, if you
20 00:01:08,470 --> 00:01:13,620 have access to the Docker socket then basically you are root on the operating
21 00:01:13,620 --> 00:01:14,800 system.
22 00:01:15,120 --> 00:01:22,400 And basically this means that if someone can access the Docker socket then he can be root on the, on
23 00:01:22,410 --> 00:01:24,140 the operating system, and we don't want that.
24 00:01:24,140 --> 00:01:32,610 You basically want someone to be able to have isolation and not be able to do these kinds
25 00:01:32,610 --> 00:01:42,330 of things, and with rootless basically, that is what we can say
26 00:01:42,410 --> 00:01:44,630 we are able to do, is that.
27 00:01:45,540 --> 00:01:48,570 I'm sorry.
28 00:01:48,620 --> 00:01:48,970 Hang on.
29 00:01:49,060 --> 00:01:49,780 Yeah.
30 00:01:50,470 --> 00:01:52,390 I'm having like a severe brain freeze right now.
31 00:01:52,410 --> 00:01:53,130 No that's okay.
32 00:01:53,160 --> 00:02:00,230 So yeah basically with rootless what we have is the ability to run containers but not with
33 00:02:00,570 --> 00:02:05,790 root access on the operating system, so someone can run containers without being root.
34 00:02:06,240 --> 00:02:14,030 So if someone breaks out of that container then he cannot access the operating system, let's say.
35 00:02:14,080 --> 00:02:14,570 Right.
36 00:02:14,580 --> 00:02:22,380 Basically what you do is you put some kind of extra, another layer of security on top of the containers.
37 00:02:22,510 --> 00:02:22,770 Right.
38 00:02:22,800 --> 00:02:27,450 So this means that also, if I want to run a Docker container, if I'm running in rootless mode, does that
39 00:02:27,450 --> 00:02:30,530 mean I don't even need root, I can just be a regular user?
40 00:02:30,540 --> 00:02:31,330 Yeah exactly.
41 00:02:31,350 --> 00:02:36,810 So basically you don't need to be root in order to be able to install Docker in some machine, and
42 00:02:36,810 --> 00:02:45,600 you can use Docker as a normal user of that specific machine and you can create containers as if
43 00:02:45,600 --> 00:02:51,130 you are root, and create some users, some containers.
44 00:02:51,320 --> 00:02:54,390 But you don't need root access to that specific machine.
45 00:02:54,750 --> 00:02:55,110 Yeah.
46 00:02:55,170 --> 00:03:02,610 So basically there are two kinds of benefits for two different types of users,
47 00:03:02,640 --> 00:03:08,280 let's say one is the users that are developers; maybe they don't have root access on that
48 00:03:08,340 --> 00:03:14,200 specific machine that they are working on, and now with rootless they can install Docker without
49 00:03:14,200 --> 00:03:20,900 giving root access and they can use that in order to run containers in their own environment, and
50 00:03:21,060 --> 00:03:26,080 the other one is if you are an operator, or if you have a cluster for example
51 00:03:26,080 --> 00:03:32,870 that you want to run in your own cluster and you don't want to run containers using Docker in root
52 00:03:32,970 --> 00:03:38,880 mode but you want to use it running in a specific user, so that even if someone breaks
53 00:03:38,880 --> 00:03:44,210 out of that specific container then you cannot access root on that specific machine.
54 00:03:44,240 --> 00:03:45,770 So you have basically
55 00:03:45,870 --> 00:03:50,790 one more layer of security, especially from that side, right.
56 00:03:50,790 --> 00:03:57,280 And basically that's the idea, and let's say there are some kind of restrictions.
57 00:03:57,300 --> 00:04:00,460 But we're going to see that in the demo.
58 00:04:00,480 --> 00:04:04,810 But basically you can do whatever you can do normally with containers.
59 00:04:04,860 --> 00:04:05,700 Yeah well let's go.
60 00:04:05,730 --> 00:04:07,310 Let's do it, let's get to some demos.
61 00:04:07,580 --> 00:04:13,480 I think sometimes it's great to talk about something but it's also cool to see it.
62 00:04:14,610 --> 00:04:16,170 Let's go to the demo there.
63 00:04:16,740 --> 00:04:17,560 OK.
64 00:04:17,880 --> 00:04:22,590 So basically what we have here is I've created a setup.
65 00:04:22,650 --> 00:04:25,760 My machine is a Mac so I can't, there,
66 00:04:25,830 --> 00:04:31,060 run Docker rootless on my Mac, because basically we want to have a Linux kernel on it.
67 00:04:31,170 --> 00:04:38,220 And so what I'm using is Vagrant and VirtualBox in order to run virtual machines, and VirtualBox
68 00:04:38,220 --> 00:04:41,960 is a virtual machine runtime, and Vagrant is
69 00:04:41,970 --> 00:04:46,730 basically a provider for virtual machines in VirtualBox.
70 00:04:46,770 --> 00:04:48,980 And this is basically my configuration.
71 00:04:48,990 --> 00:04:52,590 I have two specific machines that I'm creating.
72 00:04:52,590 --> 00:05:01,640 One is rootless, which is Ubuntu xenial64, and the other is rootful basically.
73 00:05:01,700 --> 00:05:08,830 So in rootless I'm going to do an installation in rootless mode, and in the rootful
74 00:05:08,840 --> 00:05:09,120 one,
75 00:05:09,140 --> 00:05:14,990 basically I'm going to do a normal installation of Docker, and I have them already running
76 00:05:18,400 --> 00:05:20,070 and with vagrant status
77 00:05:20,090 --> 00:05:22,780 you'll see that these machines are running
78 00:05:30,980 --> 00:05:31,610 once.
79 00:05:33,060 --> 00:05:40,850 Okay so on the top screen I'm going to log into the rootless machine and on the bottom screen I'm going
80 00:05:40,850 --> 00:05:43,790 to ssh into the rootful one.
81 00:05:43,940 --> 00:05:49,160 I like rootful. Yeah I don't know if it's written like that but that sounds.
82 00:05:49,180 --> 00:05:53,790 We just made up a new word, rootful, that wasn't a thing, it's now a thing.
83 00:05:54,320 --> 00:05:55,050 OK.
84 00:05:55,230 --> 00:05:59,600 So how are we going to install rootless mode here?
85 00:05:59,630 --> 00:06:02,970 So I'm just going to show you what are the commands for it.
86 00:06:02,970 --> 00:06:10,280 And then I have a script, which is the setup here, which basically, the only thing that I need
87 00:06:10,400 --> 00:06:17,560 in order to prepare the operating system, the Ubuntu xenial64 version, is I want to activate the
88 00:06:17,570 --> 00:06:20,540 iptables in the kernel.
89 00:06:20,780 --> 00:06:28,790 I want to have that, then basically what I want to do is I want to install Docker with this command.
90 00:06:29,240 --> 00:06:32,800 Basically this is a script that, yeah, let's call it rootless.
91 00:06:32,890 --> 00:06:39,990 And normally you should not accept scripts from the Internet like that.
92 00:06:40,010 --> 00:06:45,780 But let's say that we know the audience, okay.
93 00:06:45,800 --> 00:06:53,780 We are at least SSL over to Docker's URL, so it would have to require someone to take advantage
94 00:06:53,990 --> 00:06:54,770 of that.
95 00:06:54,830 --> 00:06:56,970 But you can always, always pull it down.
96 00:06:57,370 --> 00:06:58,040 Exactly.
97 00:06:58,160 --> 00:06:59,510 You can, like, pull it down.
98 00:06:59,930 --> 00:07:01,550 If you like, and then execute it, right.
99 00:07:01,910 --> 00:07:02,340 Yeah.
100 00:07:02,420 --> 00:07:07,770 So I already executed it at the start before, so it basically knows that I already installed it.
101 00:07:07,790 --> 00:07:12,890 But if you're on a fresh machine this should be sufficient in order to install the rootless mode,
102 00:07:13,490 --> 00:07:22,610 and what it does is create a service in systemd which basically runs inside your home
103 00:07:22,700 --> 00:07:23,330 directory.
104 00:07:23,330 --> 00:07:29,570 So you see this is the Docker service inside my home, vagrant, which is my user name on that machine,
105 00:07:29,660 --> 00:07:34,310 and there is where the systemd service is installed.
106 00:07:34,730 --> 00:07:41,150 And if you see the binary, for example, it uses the dockerd rootless in experimental
107 00:07:41,150 --> 00:07:47,990 mode and the storage driver overlay, and once I have this installed, if I do docker ps it will
108 00:07:47,990 --> 00:07:53,000 not do anything because I don't have the socket on the [REMOVED], I don't have anything there
109 00:07:53,540 --> 00:07:59,850 because my socket right now is inside this user space, in /run/user/1000/docker.sock.
110 00:08:00,640 --> 00:08:06,770 So I need to export this DOCKER_HOST, and now if I do docker ps then you can see that I can
111 00:08:06,770 --> 00:08:14,420 use that, and if I do a hello world for example you can see that now I can run things
112 00:08:14,510 --> 00:08:20,490 inside the container, and docker ps for example, I don't have anything.
113 00:08:20,510 --> 00:08:27,860 And see here, you can see that the containers that already run in the rootful environment do the same
114 00:08:27,860 --> 00:08:28,580 thing here.
115 00:08:29,690 --> 00:08:38,120 And in order to install it there, basically the command is this one and it's get.docker.com, and then
116 00:08:38,150 --> 00:08:43,610 you download the script, you execute it, and once you execute it
117 00:08:48,880 --> 00:08:52,340 you have everything, but I already have it installed so I'm just going to stop it now.
118 00:08:53,080 --> 00:08:57,120 And once you have it installed then you can see Docker is running.
119 00:08:57,910 --> 00:09:01,420 So let's see now what are the differences between these two environments.
120 00:09:01,540 --> 00:09:11,740 If I do a ps here and grep for docker you will see that my Docker is running as root and it's
121 00:09:11,740 --> 00:09:19,780 running with this command instead, and here if I grep for docker you will see that there
122 00:09:19,780 --> 00:09:26,000 are some other commands, because it's using rootlesskit, and if you see, all of those commands are running
123 00:09:26,170 --> 00:09:28,070 as user vagrant.
124 00:09:28,120 --> 00:09:31,140 So there is no root user running anything.
125 00:09:31,720 --> 00:09:38,650 And that's basically the biggest difference between those two, and so let's try and run the same
126 00:09:38,650 --> 00:09:41,800 commands on both machines, docker run
127 00:09:41,880 --> 00:09:43,270 hello-world.
128 00:09:43,830 --> 00:09:54,490 You will see that this runs the same thing, and let's see some other things that we can run.
129 00:09:54,960 --> 00:09:57,440 First of all I would like to say one.
130 00:09:57,450 --> 00:10:01,950 One other difference, if you are in the
131 00:10:04,510 --> 00:10:10,240 in the rootful machine here right now, you can see that docker ps is running directly, but this is
132 00:10:10,240 --> 00:10:13,780 because if we check the groups you can see that
133 00:10:13,920 --> 00:10:15,570 I have the docker group here.
134 00:10:16,210 --> 00:10:24,000 And if I go and log in as, I think there's another ubuntu user here, and if I do docker ps I cannot
135 00:10:24,010 --> 00:10:26,400 do anything with the socket.
136 00:10:26,410 --> 00:10:32,010 And this is because I don't belong to the docker group.
137 00:10:32,140 --> 00:10:38,290 So this is one of the differences, that if you belong to the docker group then basically you have access
138 00:10:38,290 --> 00:10:39,710 to the Docker socket.
139 00:10:39,850 --> 00:10:44,900 And if you don't belong to the group then basically you need to do a sudo to do that.
140 00:10:45,040 --> 00:10:46,270 Yes.
141 00:10:46,270 --> 00:10:54,790 And this is one way of accessing the socket in the rootful machine, and the other way is to use
142 00:10:54,790 --> 00:10:56,150 the group.
143 00:10:56,290 --> 00:11:01,300 And the big difference here on the rootless is that you don't need either of those.
144 00:11:01,300 --> 00:11:06,700 You don't need to have a sudo to some kind of socket that belongs to another user.
145 00:11:06,700 --> 00:11:10,880 You just run everything in your own user space.
146 00:11:11,230 --> 00:11:18,110 OK so let's see some other commands, for example the overlays.
147 00:11:19,140 --> 00:11:21,940 Things that are running inside the rootful.
148 00:11:22,290 --> 00:11:32,840 If we go to /var/lib/docker/overlay this is where our overlays are running inside the rootful
149 00:11:32,850 --> 00:11:39,400 environment, but if we check the same thing here you will see that I don't have anything there.
150 00:11:40,380 --> 00:11:43,790 And this is because everything is running in our own user space.
151 00:11:44,220 --> 00:11:51,000 And I can find these things in this directory, which is ~/.local/share/docker.
152 00:11:51,060 --> 00:11:56,660 And then here you can see the overlays that occur, and you can see that these are inside the same user
153 00:11:56,670 --> 00:11:57,150 space.
154 00:11:57,150 --> 00:11:59,440 My own user.
155 00:11:59,790 --> 00:12:04,380 So another difference that we can find for example is that.
156 00:12:05,100 --> 00:12:07,040 Let's run something now.
157 00:12:07,150 --> 00:12:09,100 Let's expose a port.
158 00:12:10,350 --> 00:12:18,660 So I am running an nginx and I'm running it and exposing it on the thirty two thousand seven hundred
159 00:12:18,660 --> 00:12:23,020 sixty eight port and then went into the same --.
160 00:12:23,080 --> 00:12:23,520 So
161 00:12:27,520 --> 00:12:30,580 yeah that's something like this
162 00:12:36,630 --> 00:12:37,040 okay.
163 00:12:37,070 --> 00:12:38,500 So if I don't know.
164 00:12:38,940 --> 00:12:39,810 Okay.
165 00:12:41,090 --> 00:12:47,160 Now I'm sure you can see the nginx, and the same thing happens here.
166 00:12:47,280 --> 00:12:48,170 Okay.
167 00:12:48,200 --> 00:12:49,260 Until now it's the same.
168 00:12:49,700 --> 00:12:57,070 But if we go and we try to expose a port
169 00:13:01,910 --> 00:13:11,120 let's stop this one and try to expose a port on 80, you can see that because I'm in userland
170 00:13:11,300 --> 00:13:14,730 I cannot expose a port under a thousand.
171 00:13:14,750 --> 00:13:23,210 No, right, at least because only the root user can expose on that number, and in the rootful environment
172 00:13:23,210 --> 00:13:25,720 you can see that this is possible.
173 00:13:26,120 --> 00:13:27,860 Just like some writers.
174 00:13:27,890 --> 00:13:29,660 Yeah, there's no limitation.
175 00:13:29,690 --> 00:13:30,240 Yeah exactly.
176 00:13:30,250 --> 00:13:37,830 So it's because as a normal user you cannot go on that kind of port, I mean it's impossible to go over
177 00:13:39,170 --> 00:13:41,180 and more or less.
178 00:13:41,180 --> 00:13:42,630 That's the differences.
179 00:13:42,630 --> 00:13:46,400 And I don't have any more demos for it.
180 00:13:46,440 --> 00:13:54,010 I don't know, if you want we can do some questions or discussion a bit more about the differences of the
181 00:13:54,160 --> 00:13:55,250 rootless mode.
182 00:13:55,820 --> 00:13:56,920 Yeah I.
183 00:13:57,020 --> 00:13:58,760 There's definitely some questions.
184 00:13:58,760 --> 00:14:06,950 One of them is about the rootless can't share the Docker socket, for example, so I gave a, you might
185 00:14:06,950 --> 00:14:11,780 want to expand on this, I kind of gave an answer saying well, they're different sockets, the Docker daemon
186 00:14:11,810 --> 00:14:18,020 that's in rootful mode is in a different URL in the filesystem, right, it's a different
187 00:14:18,020 --> 00:14:18,370 path.
188 00:14:18,380 --> 00:14:24,270 So I guess technically you could, could you run both of these at the same time?
189 00:14:24,340 --> 00:14:25,510 I suppose so.
190 00:14:25,600 --> 00:14:30,520 I don't know why you would, but you could if you were, say, someone who didn't have Docker, if you didn't
191 00:14:30,520 --> 00:14:34,360 have root access or docker group access and you wanted to run Docker on a machine that already had
192 00:14:34,690 --> 00:14:38,730 Docker, and I guess, I mean, all the files and everything are on different paths.
193 00:14:38,740 --> 00:14:38,980 Right.
194 00:14:38,980 --> 00:14:46,450 So I mean even if you have, say, rootful mode Docker
195 00:14:46,470 --> 00:14:53,410 running in the /var directory, then normally that is for all the users, but if you are running it in
196 00:14:53,410 --> 00:14:56,860 your own userland then basically it's just a single user.
197 00:14:56,860 --> 00:14:57,130 Right.
198 00:14:57,220 --> 00:15:01,230 So you probably, you should be able to say that's okay
199 00:15:01,270 --> 00:15:05,360 if you give access to some other users, but normally that's not the case.
200 00:15:06,650 --> 00:15:07,950 Yeah yeah.
201 00:15:08,060 --> 00:15:09,200 Another question on that is
202 00:15:12,420 --> 00:15:16,910 saying that, can I use mounts and volumes only with files my user has permission to?
203 00:15:16,910 --> 00:15:21,630 And yes, that is true, because everything here is scoped to your user account.
204 00:15:21,630 --> 00:15:21,960 Right.
205 00:15:21,960 --> 00:15:24,950 So it's only for you.
206 00:15:24,950 --> 00:15:25,170 Yeah.
207 00:15:26,070 --> 00:15:27,560 Yeah exactly.
208 00:15:27,570 --> 00:15:33,710 So basically what your user can do is basically what your containers can do, yeah.
209 00:15:33,920 --> 00:15:38,630 And I mean now technically you could have, like, you.
210 00:15:38,660 --> 00:15:42,860 Since you, I mean, you technically could be someone who has root and you're just choosing to run this in
211 00:15:42,860 --> 00:15:47,990 your user account, but because the Docker daemon in this case is running under your user account it's
212 00:15:48,020 --> 00:15:52,790 only gonna have access and permissions to the things in there.
213 00:15:53,330 --> 00:15:53,820 Yeah.
214 00:15:54,050 --> 00:15:54,800 Yeah exactly.
215 00:15:56,200 --> 00:15:58,500 See what else.
216 00:15:58,500 --> 00:16:01,020 Marcus from yesterday, Marcus, is on the call.
217 00:16:01,030 --> 00:16:03,110 He's easy.
218 00:16:03,150 --> 00:16:04,220 He has many questions.
219 00:16:04,260 --> 00:16:05,030 How about.
220 00:16:05,070 --> 00:16:06,700 Does that work?
221 00:16:06,700 --> 00:16:07,870 Good question.
222 00:16:07,870 --> 00:16:09,270 Mm hmm, mm hmm.
223 00:16:09,270 --> 00:16:11,760 It should be able to work, I haven't tested it.
224 00:16:11,790 --> 00:16:11,960 Yeah.
225 00:16:11,970 --> 00:16:12,540 Yeah.
226 00:16:12,600 --> 00:16:16,050 So what if you just try to docker swarm init in the rootless one?
227 00:16:16,590 --> 00:16:17,720 Yeah love.
228 00:16:17,790 --> 00:16:18,730 Yeah let's see that.
229 00:16:18,990 --> 00:16:24,750 And then maybe do a service create, maybe on a, you know, we're gonna make random
230 00:16:24,750 --> 00:16:33,020 demos, so it says it's a manager, maybe service create an nginx or something running on port
231 00:16:33,020 --> 00:16:34,490 8080 or something.
232 00:16:38,580 --> 00:16:43,230 I mean in theory I would think that it would work because, as long as you don't try to publish on
233 00:16:43,230 --> 00:16:49,800 ports, one thing might be interesting is, will it allow the virtual, the veth that it creates.
234 00:16:49,800 --> 00:16:50,260 Can it.
235 00:16:50,550 --> 00:16:54,420 Oh that's a good point, because does Docker, does
236 00:16:58,080 --> 00:17:03,890 rootless Docker doesn't have access to create virtual interfaces, does it?
237 00:17:03,900 --> 00:17:04,890 I don't see why not.
238 00:17:05,920 --> 00:17:08,620 I'm trying to think, I shouldn't be able to create new return.
239 00:17:08,980 --> 00:17:09,340 Yeah.
240 00:17:09,370 --> 00:17:13,390 So what happens when you do a list of the networks on there, like a docker network ls on the
241 00:17:17,310 --> 00:17:18,180 dance.
242 00:17:18,990 --> 00:17:20,150 Yeah it does have them.
243 00:17:20,420 --> 00:17:26,250 I mean, maybe I can't use host mode or something, I remember reading something
244 00:17:26,250 --> 00:17:27,090 about.
245 00:17:27,090 --> 00:17:32,700 There was something in networking that it couldn't do without root because that was changing the net
246 00:17:33,100 --> 00:17:34,250 basically.
247 00:17:34,410 --> 00:17:36,360 Yeah I remember, using host network.
248 00:17:36,800 --> 00:17:39,440 Yeah I remember hearing something about that too.
249 00:17:40,270 --> 00:17:40,820 Yeah.
250 00:17:41,760 --> 00:17:49,850 What you probably cannot do is, for example, because of the limitation of the less than a thousand
251 00:17:49,860 --> 00:17:55,710 port, you probably cannot have a proxy running and doing balancing between your own services
252 00:17:55,800 --> 00:18:01,680 below that, so you cannot expose basically a port on the ground that no means or model either.
253 00:18:02,330 --> 00:18:02,880 Yeah I don't know.
254 00:18:02,900 --> 00:18:06,200 Fingers need something like that.
255 00:18:07,170 --> 00:18:11,290 Marcus is asking about daemonless as well, is it possible for us to.
256 00:18:11,350 --> 00:18:13,980 Yeah but that's a different thing.
257 00:18:14,010 --> 00:18:19,220 I mean this is not daemonless, this is rootless, and basically the difference is that daemonless,
258 00:18:19,240 --> 00:18:23,690 you should not be needing any daemon behind that, and we don't care.
259 00:18:23,700 --> 00:18:24,840 We don't share with anyone else.
260 00:18:24,840 --> 00:18:30,690 I think that we could do something with containerd maybe.
261 00:18:30,750 --> 00:18:31,000 Right.
262 00:18:31,190 --> 00:18:31,500 Yeah.
263 00:18:31,680 --> 00:18:32,830 Yeah that's true.
264 00:18:33,240 --> 00:18:35,310 I mean I guess fundamentally that would be.
265 00:18:35,430 --> 00:18:41,080 I can see how that would be a little tricky because the Docker CLI just talks to you.
266 00:18:41,470 --> 00:18:41,720 Yeah.
267 00:18:41,790 --> 00:18:48,010 Basically Docker, let's say the way it is designed, is client server.
268 00:18:48,030 --> 00:18:49,740 So yeah we have a daemon.
269 00:18:49,740 --> 00:18:55,830 It would almost be like there would need to be a CLI add-on that in the background
270 00:18:55,830 --> 00:18:58,000 is just really running a docker,
271 00:18:58,050 --> 00:19:02,790 the dockerd process, but not technically running it as a daemon, and it's just running in the heart
272 00:19:02,790 --> 00:19:04,310 of the docker run.
273 00:19:04,440 --> 00:19:08,360 And yeah, because you couldn't do that around dockerd, right.
274 00:19:08,370 --> 00:19:10,260 You'd have to do it.
275 00:19:11,570 --> 00:19:11,770 Okay.
276 00:19:11,810 --> 00:19:16,350 Yeah that would be an interesting use case, for you actually, for example.
277 00:19:16,380 --> 00:19:17,550 So in CI.
278 00:19:17,580 --> 00:19:21,450 Basically what you want is you want to be able to create containers.
279 00:19:21,660 --> 00:19:26,760 But the problem is that if your CI should do that, you want to run everything in a container as well.
280 00:19:26,770 --> 00:19:33,110 Then you basically need containers inside the container, and then this makes it more complicated.
281 00:19:33,120 --> 00:19:38,240 One way of overriding that is basically you can do containers alongside containers.
282 00:19:38,270 --> 00:19:46,100 So basically exposing your Docker socket inside your container and you can run more containers inside.
283 00:19:46,220 --> 00:19:51,120 But in the same Docker engine, and the other thing that you can do is you run Docker inside
284 00:19:51,120 --> 00:19:51,750 Docker.
285 00:19:51,810 --> 00:19:58,020 So basically you can share a daemon inside your CI container and the other one.
286 00:19:58,080 --> 00:20:04,140 Basically this helps in order to eliminate more of the restrictions that Docker in Docker has,
287 00:20:04,140 --> 00:20:10,170 because previously you needed to use privileged mode, and if you are using userland maybe this
288 00:20:10,310 --> 00:20:14,970 privileged mode is not necessary in order to do -- inside your own container.
289 00:20:14,970 --> 00:20:17,140 But I haven't tested that either.
290 00:20:17,310 --> 00:20:18,320 Yeah.
291 00:20:19,380 --> 00:20:23,280 And if you could have daemonless then that would simplify a lot.
292 00:20:23,280 --> 00:20:29,280 Your CI, in order to not share a daemon socket inside your CI system.
293 00:20:32,450 --> 00:20:34,150 Lots more questions.
294 00:20:35,540 --> 00:20:41,600 I don't actually think that's a question, in there about checking binaries or applications inside a container
295 00:20:41,600 --> 00:20:42,850 are working perfectly or not.
296 00:20:42,860 --> 00:20:44,490 Any Docker features in there?
297 00:20:44,510 --> 00:20:50,850 No, there are no new features related to that, and that's not related to daemonless or rootless Docker
298 00:20:50,870 --> 00:20:52,530 rather.
299 00:20:52,770 --> 00:20:58,070 There's really, Docker already has all the features you really need to check binaries or applications
300 00:20:58,070 --> 00:20:59,960 for working perfectly.
301 00:21:00,680 --> 00:21:05,870 You have docker logs, you have docker events, you have the Docker daemon logs.
302 00:21:05,900 --> 00:21:11,420 You might want to check on my YouTube channel for that because we talked about it last week.
303 00:21:11,420 --> 00:21:16,700 We actually have a sysadmin show, we talked all through the different levels of logging and events
304 00:21:16,730 --> 00:21:20,210 and monitoring stuff in Docker, so check that out.
305 00:21:20,210 --> 00:21:25,850 That's Brett Fisher dot com slash YouTube, and then search in there for sysadmin and you can find that.
306 00:21:25,850 --> 00:21:29,000 Question, that was a good question though.
307 00:21:30,870 --> 00:21:32,620 What, from a security perspective,
308 00:21:32,630 --> 00:21:37,040 what's the difference between using rootless containers and user namespaces?
309 00:21:42,210 --> 00:21:48,210 Depending how you are going to create your user namespaces, if you need to have root access in order
310 00:21:48,210 --> 00:21:51,140 to create them then basically you don't get rootless.
311 00:21:51,150 --> 00:21:56,120 But the question is not where do you run them, it's how you create them.
312 00:21:56,130 --> 00:22:01,320 And basically the rootless mode is that you create your user namespaces below your own user namespace.
313 00:22:03,540 --> 00:22:10,340 Yeah I mean I guess technically, it's funny, depending on how technical you want to get, I think between
314 00:22:10,380 --> 00:22:15,750 rootless containers and user namespaces is that in user namespaces, which I'm a big fan of, but that,
315 00:22:15,750 --> 00:22:16,910 the rootless stuff, right.
316 00:22:17,100 --> 00:22:18,350 That's gonna be.
317 00:22:19,650 --> 00:22:27,340 That's gonna be more about only things being in my user, and the user namespaces means the Docker daemon's
318 00:22:27,360 --> 00:22:32,190 still running root, which means I have to have root access, I have to be able to run Docker as root, I have
319 00:22:32,190 --> 00:22:37,440 to be in the docker group at least to get access to that, and then the user namespaces means that the
320 00:22:37,440 --> 00:22:43,800 user running in the container and the container itself are not running under the root process, but if
321 00:22:43,800 --> 00:22:50,070 there were some like zero-day bug in that Docker daemon that allowed you to somehow hop into the daemon
322 00:22:50,610 --> 00:22:55,580 from the container then maybe the user namespaces wouldn't help you with that.
323 00:22:55,770 --> 00:22:59,720 Maybe, I don't know, it's from a security perspective.
324 00:22:59,730 --> 00:23:01,440 I think you could sit here and debate that all day.
325 00:23:01,470 --> 00:23:03,060 Which one's better.
326 00:23:03,060 --> 00:23:08,130 I'd say it's more about the use cases, right, like if this is more about like I don't even want
327 00:23:08,130 --> 00:23:11,200 to have anything even possibly being root.
328 00:23:11,430 --> 00:23:15,960 The one thing we don't have in rootless, user namespaces by the way, for Docker daemon yet, which I'm hoping
329 00:23:15,960 --> 00:23:22,920 we'll get to someday, is where you can run Docker daemon, then run user namespaces, and what that means
330 00:23:22,980 --> 00:23:27,780 fundamentally is that every container is running as a non-root user, but right now they're not different
331 00:23:27,780 --> 00:23:28,290 users.
332 00:23:28,290 --> 00:23:34,380 So every container running in user namespaces is the same user account, and it would be super cool for
333 00:23:34,380 --> 00:23:39,180 security if we ran that where every single container you launch was a different user, which means they
334 00:23:39,180 --> 00:23:45,660 could, if someone had a container exploit, they couldn't get it contained on a different
335 00:23:45,660 --> 00:23:46,180 container.
336 00:23:46,250 --> 00:23:52,430 Yeah yeah, that was, I think because the user namespace feature was largely written by another Docker
337 00:23:52,440 --> 00:24:01,650 Captain, Phil Estes, who's been on the show, talked about that last year actually on user namespaces,
338 00:24:01,650 --> 00:24:07,440 and I kind of asked him like are we going to get to the user in user namespaces, user per container
339 00:24:07,470 --> 00:24:16,350 thing, which they call that like user namespaces 2.0, and he was like I don't know if anyone
340 00:24:16,650 --> 00:24:21,560 is, anyone wants to build that feature, and so it would be a cool feature, but I don't think it
341 00:24:21,610 --> 00:24:23,330 is working out yet.
342 00:24:24,000 --> 00:24:31,200 Oh so Marcus is saying swarm requires loading kernel modules, and usually as root, so you can't use
343 00:24:31,200 --> 00:24:35,520 overlay, I think is one of the limitations, overlay requires kernel modules.
344 00:24:35,520 --> 00:24:37,010 Maybe the virtual thingy here.
345 00:24:37,340 --> 00:24:40,440 Yeah I think overlay works in the 1.
346 00:24:40,710 --> 00:24:49,030 There are plans, I think they are thinking about, dreaming about, other file systems.
347 00:24:51,310 --> 00:24:55,010 Marcus is asking if I exec into a rootless container,
348 00:24:55,060 --> 00:25:00,460 is there a password to access root or sudo to root, or is root completely unavailable?
349 00:25:03,090 --> 00:25:12,890 I think the root inside the container is basically the user, of course, of the daemon, but I think
350 00:25:13,200 --> 00:25:14,120 that's awesome.
351 00:25:14,280 --> 00:25:14,650 Yeah.
352 00:25:14,690 --> 00:25:15,620 So yeah.
353 00:25:15,670 --> 00:25:16,190 That's it.
354 00:25:16,340 --> 00:25:17,180 I like that answer.
355 00:25:17,180 --> 00:25:18,620 That's, yeah.
356 00:25:18,650 --> 00:25:23,060 If you, so if you're in the container and you are the root user in the container, you still have no more
357 00:25:23,060 --> 00:25:28,020 privileges than what the Docker daemon's running as on the host, which is your user account.
358 00:25:28,550 --> 00:25:30,220 So in the container you could.
359 00:25:30,470 --> 00:25:33,350 I mean technically you could give root in a container a password.
360 00:25:33,350 --> 00:25:38,870 You could make a bunch of users in the container, but on the host file system they wouldn't have, you know,
361 00:25:39,200 --> 00:25:44,150 other words, because that would be an escalation of privileges beyond what you're allowed to do, right.
362 00:25:44,150 --> 00:25:45,840 So thank you so much Dmitri.
363 00:25:45,850 --> 00:25:51,950 That's really cool stuff, I didn't realize it was that easy to install with the script now, that
364 00:25:52,490 --> 00:25:57,530 the original post that was put out by the Docker team was a little daunting to look at, because I like
365 00:25:57,550 --> 00:25:57,930 to.
366 00:25:58,010 --> 00:26:02,480 This is, this is an hour of my time to get it installed, but now that I've got an install script like
367 00:26:02,480 --> 00:26:05,060 you have for regular Docker it goes, yeah it goes great.