1 00:00:00,900 --> 00:00:04,110 Left over on your screen is Dmitri.
2 00:00:04,110 --> 00:00:05,900 I think this is your first time on the show, right?
3 00:00:06,490 --> 00:00:06,860 Yeah.
4 00:00:06,880 --> 00:00:07,260 All right.
5 00:00:07,260 --> 00:00:08,470 This is the first time on.
6 00:00:08,550 --> 00:00:09,720 So thanks for having me.
7 00:00:10,070 --> 00:00:10,310 Yeah.
8 00:00:10,320 --> 00:00:18,380 And he's right now in Greece, but he's actually normally in Barcelona running the Docker Barcelona meetup.
9 00:00:18,390 --> 00:00:23,390 He is the founder at Harbor Cloud Solutions, and I'm super excited to have him on the show because he's going
10 00:00:23,390 --> 00:00:28,860 to talk to us about rootless Docker, which is a brand new thing this year, and we'll talk about why that's
11 00:00:28,860 --> 00:00:31,430 important and why you might want to check it out.
12 00:00:31,440 --> 00:00:36,270 Dimitri, what's the elevator pitch to someone who knows containers and they know how to run Docker now,
13 00:00:36,750 --> 00:00:39,920 why should they care about rootless Docker?
14 00:00:39,930 --> 00:00:42,040 Yeah, so basically.
15 00:00:42,300 --> 00:00:45,380 First of all, why do we need containers in the first place?
16 00:00:45,420 --> 00:00:50,310 Basically what we want to do with containers is that we want to isolate the applications inside their
17 00:00:50,310 --> 00:00:57,470 specific user space so that they cannot do things outside of that space, and isolate them.
18 00:00:57,480 --> 00:00:59,520 And in that context.
19 00:00:59,550 --> 00:01:08,400 But once someone, once is able to run containers, what we know is that, normally what we say, if you
20 00:01:08,470 --> 00:01:13,620 have access to the Docker socket then basically you are root on the, of the operating
21 00:01:13,620 --> 00:01:14,800 system.
22 00:01:15,120 --> 00:01:22,400 And basically this means that if someone can access the Docker socket then they can be root on the, on
23 00:01:22,410 --> 00:01:24,140 the operating system, and we don't want that.
24 00:01:24,140 --> 00:01:32,610 You basically want someone to be able to have isolated stuff and not be able to do these kinds
25 00:01:32,610 --> 00:01:42,330 of things, and with rootless, basically with rootless, that is what we can say
26 00:01:42,410 --> 00:01:44,630 we are able to do, is that.
27 00:01:45,540 --> 00:01:48,570 I'm sorry.
28 00:01:48,620 --> 00:01:48,970 Hang.
29 00:01:49,060 --> 00:01:49,780 Yeah.
30 00:01:50,470 --> 00:01:52,390 I have, like, a severe brain freeze right now.
31 00:01:52,410 --> 00:01:53,130 No, that's okay.
32 00:01:53,160 --> 00:02:00,230 So yeah, basically with rootless what we have is the ability to run containers but not with
33 00:02:00,570 --> 00:02:05,790 root access to the operating system, so someone can run some containers without being root.
34 00:02:06,240 --> 00:02:14,030 So if someone breaks out of that container then he cannot access the operating system, let's say so.
35 00:02:14,080 --> 00:02:14,570 Right.
36 00:02:14,580 --> 00:02:22,380 Basically what you do is, is put some kind of extra, another layer of security on top of the containers.
37 00:02:22,510 --> 00:02:22,770 Right.
38 00:02:22,800 --> 00:02:27,450 So this means that also if I want to run a Docker container, if I'm running in rootless mode, does that
39 00:02:27,450 --> 00:02:30,530 mean I don't even need root, I can just be a regular user?
40 00:02:30,540 --> 00:02:31,330 Yeah, exactly.
41 00:02:31,350 --> 00:02:36,810 So basically you, you don't need root in order to be able to install Docker in some machine, and
42 00:02:36,810 --> 00:02:45,600 you can use Docker as a normal user of that, that specific machine, and you can create containers as if
43 00:02:45,600 --> 00:02:51,130 you are root, and create some users, some, some containers.
44 00:02:51,320 --> 00:02:54,390 But you don't need to access that specific machine.
45 00:02:54,750 --> 00:02:55,110 Yeah.
46 00:02:55,170 --> 00:03:02,610 So basically there are two kinds of benefits in two different regions, two different types of users,
47 00:03:02,640 --> 00:03:08,280 let's say. One are the users that are developers, maybe they don't have root access in that
48 00:03:08,340 --> 00:03:14,200 specific machine that they are working on, and now with rootless they can install Docker without
49 00:03:14,200 --> 00:03:20,900 giving root access and they can use that in order to run containers in their own environment, and
50 00:03:21,060 --> 00:03:26,080 the other one is if you are an operator, or if you're using that, if you have a cluster for example
51 00:03:26,080 --> 00:03:32,870 that you want to, kind of, in your own cluster, and you don't want to run containers using Docker in root
52 00:03:32,970 --> 00:03:38,880 mode but you want to use it being in a user land, in a specific user, so that even if someone breaks
53 00:03:38,880 --> 00:03:44,210 out of that specific container then they cannot access root on that specific machine.
54 00:03:44,240 --> 00:03:45,770 So you have basically.
55 00:03:45,870 --> 00:03:50,790 And one more layer of security, especially from the scene, right.
56 00:03:50,790 --> 00:03:57,280 And basically that's, that's the idea, and you say you should have some kind of restrictions.
57 00:03:57,300 --> 00:04:00,460 But we're going to see that in the demo.
58 00:04:00,480 --> 00:04:04,810 But basically you can do whatever you can do normally with containers.
59 00:04:04,860 --> 00:04:05,700 Yeah, well, let's go.
60 00:04:05,730 --> 00:04:07,310 Let's do it, let's get to some demos.
61 00:04:07,580 --> 00:04:13,480 I think sometimes it's great to talk about something, but it's also cool to see.
62 00:04:14,610 --> 00:04:16,170 Let's go to the demo there.
63 00:04:16,740 --> 00:04:17,560 OK.
64 00:04:17,880 --> 00:04:22,590 So basically what we have here is, I've created a setup.
65 00:04:22,650 --> 00:04:25,760 My machine is a Mac, so I cannot run
66 00:04:25,830 --> 00:04:31,060 Docker rootless on my Mac, because basically we want to have a Linux kernel on it.
67 00:04:31,170 --> 00:04:38,220 And so what I'm using is, I'm using Vagrant and VirtualBox in order to run virtual machines, and VirtualBox
68 00:04:38,220 --> 00:04:41,960 is a virtual machine runtime, and Vagrant is
69 00:04:41,970 --> 00:04:46,730 basically a provider for virtual machines in my, in VirtualBox.
70 00:04:46,770 --> 00:04:48,980 And this is basically my configuration.
71 00:04:48,990 --> 00:04:52,590 I have two specific machines that I'm creating.
72 00:04:52,590 --> 00:05:01,640 One is rootless, which is Ubuntu, the xenial64 version, and the other is rootful, basically.
73 00:05:01,700 --> 00:05:08,830 So what we want is, in rootless I'm going to do an installation in the rootless mode, in the rootful
74 00:05:08,840 --> 00:05:09,120 one.
75 00:05:09,140 --> 00:05:14,990 Basically I'm going to do a normal installation of Docker, and I have them already running
76 00:05:18,400 --> 00:05:20,070 and there's status.
77 00:05:20,090 --> 00:05:22,780 You'll see that these machines are running
78 00:05:30,980 --> 00:05:31,610 once.
79 00:05:33,060 --> 00:05:40,850 Okay, so on the top screen I'm going to log into the rootless machine, and the bottom screen I'm going
80 00:05:40,850 --> 00:05:43,790 to say it's, the rootful.
81 00:05:43,940 --> 00:05:49,160 I like rootful. Yeah, I don't know if it's written like that, but that sounds.
82 00:05:49,180 --> 00:05:53,790 We just made up a new word, rootful. That wasn't a thing, it's now a thing.
83 00:05:54,320 --> 00:05:55,050 OK.
84 00:05:55,230 --> 00:05:59,600 So how are we going to install rootless mode here?
85 00:05:59,630 --> 00:06:02,970 So I'm just going to show you what are the commands for it.
86 00:06:02,970 --> 00:06:10,280 And then I have a script, which is the setup here, which basically, what I, the only thing that I need
87 00:06:10,400 --> 00:06:17,560 in order to prepare the operating system, the Ubuntu xenial64 version, is I want to activate the
88 00:06:17,570 --> 00:06:20,540 IP tables in the kernel.
89 00:06:20,780 --> 00:06:28,790 I want to have that, then basically what I want to do is I want to install Docker with this, this command.
90 00:06:29,240 --> 00:06:32,800 Basically this is a script that's at get.docker.com/rootless.
91 00:06:32,890 --> 00:06:39,990 And normally you should not accept scripts from the Internet like, and like that.
92 00:06:40,010 --> 00:06:45,780 But let's say that we would know the audience in, okay, it's.
93 00:06:45,800 --> 00:06:53,780 We are at least SSL over to Docker's URL, so it would have to require someone to take advantage
94 00:06:53,990 --> 00:06:54,770 of that.
95 00:06:54,830 --> 00:06:56,970 But you can always, always pull it down.
96 00:06:57,370 --> 00:06:58,040 Exactly.
97 00:06:58,160 --> 00:06:59,510 You can, not pull it down.
98 00:06:59,930 --> 00:07:01,550 If you read it and then execute it, right.
99 00:07:01,910 --> 00:07:02,340 Yeah.
100 00:07:02,420 --> 00:07:07,770 So I already executed it at the start before, so it basically knows that I already installed it.
101 00:07:07,790 --> 00:07:12,890 But if you're in the first machine with this, this should be sufficient in order to install the rootless mode,
102 00:07:13,490 --> 00:07:22,610 and what the rootless mode does is create the service in systemd, which basically runs inside your home
103 00:07:22,700 --> 00:07:23,330 directory.
104 00:07:23,330 --> 00:07:29,570 So you see, this is the Docker service inside my home, vagrant, which is my user name in that machine,
105 00:07:29,660 --> 00:07:34,310 and there is, there where the, the systemd service is installed.
106 00:07:34,730 --> 00:07:41,150 And if you see the binary for example, it uses this, the vagrant bin, the, the rootless in experimental
107 00:07:41,150 --> 00:07:47,990 mode and the storage driver overlay, and once I have this installed, if I do docker ps it will
108 00:07:47,990 --> 00:07:53,000 not do anything because I don't show having device on the [REMOVED] it, I don't ever run into anything there
109 00:07:53,540 --> 00:07:59,850 because my socket right now is inside this user space, in the /run/user/1000 docker socket.
110 00:08:00,640 --> 00:08:06,770 So I need to export this DOCKER_HOST, and now do docker ps, then you can see that I can, I can
111 00:08:06,770 --> 00:08:14,420 use that, can I get it, if I do a hello world for example, you can see that now I can run things
112 00:08:14,510 --> 00:08:20,490 inside the container, and then docker ps for example, and don't have anything.
113 00:08:20,510 --> 00:08:27,860 And see here, you can see that the containers that already run in the rootful environment, that do the same
114 00:08:27,860 --> 00:08:28,580 thing here.
115 00:08:29,690 --> 00:08:38,120 And in order to install it there, basically the command is this one, and it's the get.docker.com, and then
116 00:08:38,150 --> 00:08:43,610 you download the script, you execute it, and once you execute it
117 00:08:48,880 --> 00:08:52,340 and you have everything, but I already have it installed so I'm just going to stop it now.
118 00:08:53,080 --> 00:08:57,120 And once you have it installed then you can see Docker is running.
119 00:08:57,910 --> 00:09:01,420 So let's see now what are the differences between these two environments.
120 00:09:01,540 --> 00:09:11,740 If I do a ps here and grep for docker, you will see that my Docker is running as root and it's
121 00:09:11,740 --> 00:09:19,780 running with these, with these commands instead, and here if I grep for docker you will see that there
122 00:09:19,780 --> 00:09:26,000 are some other commands, because it's using RootlessKit, and you see all of those commands running
123 00:09:26,170 --> 00:09:28,070 in user vagrant.
124 00:09:28,120 --> 00:09:31,140 So there is no root user running anything.
125 00:09:31,720 --> 00:09:38,650 And that's, that's basically the biggest difference between those two, and so let's try and run the same
126 00:09:38,650 --> 00:09:41,800 commands on both machines, that you run
127 00:09:41,880 --> 00:09:43,270 hello world.
128 00:09:43,830 --> 00:09:54,490 You will see that this runs the same thing, and let's see some other things that we can run at.
129 00:09:54,960 --> 00:09:57,440 First of all I would like to say some one.
130 00:09:57,450 --> 00:10:01,950 One other difference, if you are in the
131 00:10:04,510 --> 00:10:10,240 in the rootful machine here right now, you can see that docker ps is running directly, but this is
132 00:10:10,240 --> 00:10:13,780 because if we're checking the groups you can see that.
133 00:10:13,920 --> 00:10:15,570 I have the docker group here.
134 00:10:16,210 --> 00:10:24,000 And if I go and log in as, I think there's another ubuntu user here, and if I do docker ps I cannot
135 00:10:24,010 --> 00:10:26,400 do anything with the socket.
136 00:10:26,410 --> 00:10:32,010 And this is because I don't belong to the docker group.
137 00:10:32,140 --> 00:10:38,290 So this is one of the differences, that if you belong to the docker group then basically you have access
138 00:10:38,290 --> 00:10:39,710 to the docker socket.
139 00:10:39,850 --> 00:10:44,900 And if you don't belong to the group then basically you need to do a sudo to do that.
140 00:10:45,040 --> 00:10:46,270 Yes.
141 00:10:46,270 --> 00:10:54,790 And this is one way of accessing the socket in the rootful machine, and another, another way is to use
142 00:10:54,790 --> 00:10:56,150 the group.
143 00:10:56,290 --> 00:11:01,300 And the big difference here on the rootless is that you don't need both, neither of those.
144 00:11:01,300 --> 00:11:06,700 You don't need to have a sudo to some kind of socket that belongs to another user.
145 00:11:06,700 --> 00:11:10,880 You just run it in your own user space, everything, and.
146 00:11:11,230 --> 00:11:18,110 OK, so let's see some other commands, for example the two were eyes.
147 00:11:19,140 --> 00:11:21,940 Things that are running inside the rootful.
148 00:11:22,290 --> 00:11:32,840 If we go to the /var/lib/docker overlay, this is where our overlays are running inside the rootful
149 00:11:32,850 --> 00:11:39,400 environment, but if we check the same thing here you will see that we don't have anything there.
150 00:11:40,380 --> 00:11:43,790 And this is because everything is running in our own user space.
151 00:11:44,220 --> 00:11:51,000 And I can find these things in this directory, which is the .local/share/docker.
152 00:11:51,060 --> 00:11:56,660 And then here you can see the overlay that occurs, and you can see that these are inside the same user
153 00:11:56,670 --> 00:11:57,150 space.
154 00:11:57,150 --> 00:11:59,440 My own user.
155 00:11:59,790 --> 00:12:04,380 So another difference that we can find, for example, is that.
156 00:12:05,100 --> 00:12:07,040 Let's run something now.
157 00:12:07,150 --> 00:12:09,100 Exposing a port.
158 00:12:10,350 --> 00:12:18,660 So I am running an nginx and I'm running it and exposing it in the thirty two thousand seven hundred
159 00:12:18,660 --> 00:12:23,020 sixty eight port, and then we do the same here.
160 00:12:23,080 --> 00:12:23,520 So
161 00:12:27,520 --> 00:12:30,580 yeah, that's something like this
162 00:12:36,630 --> 00:12:37,040 okay.
163 00:12:37,070 --> 00:12:38,500 So if I, I don't know.
164 00:12:38,940 --> 00:12:39,810 Okay.
165 00:12:41,090 --> 00:12:47,160 Now I'm sure you can see the nginx, and the same thing happens here.
166 00:12:47,280 --> 00:12:48,170 Okay.
167 00:12:48,200 --> 00:12:49,260 Until now it's the same.
168 00:12:49,700 --> 00:12:57,070 But if we go and we try to expose a port
169 00:13:01,910 --> 00:13:11,120 let's stop this one, and try to expose a port on the 80, you can see that because I am in the user land
170 00:13:11,300 --> 00:13:14,730 I cannot expose a port under the thousand.
171 00:13:14,750 --> 00:13:23,210 No, right, at least because only the root user can expose on the right number, and in the rootful environment.
172 00:13:23,210 --> 00:13:25,720 You can see that this is possible.
173 00:13:26,120 --> 00:13:27,860 Just like some writers.
174 00:13:27,890 --> 00:13:29,660 Yeah, that's, there's no limitation.
175 00:13:29,690 --> 00:13:30,240 Yeah, exactly.
176 00:13:30,250 --> 00:13:37,830 So it's because as a normal user you cannot go in that kind of port, I mean it's impossible to go over
177 00:13:39,170 --> 00:13:41,180 and more or less.
178 00:13:41,180 --> 00:13:42,630 That's the differences.
179 00:13:42,630 --> 00:13:46,400 And I don't have any more demos for it.
180 00:13:46,440 --> 00:13:54,010 I know if you want we can do with some questions or discussion a bit more about the different, the rootless
181 00:13:54,160 --> 00:13:55,250 mode.
182 00:13:55,820 --> 00:13:56,920 Yeah, I.
183 00:13:57,020 --> 00:13:58,760 There's a, there's definitely some questions.
184 00:13:58,760 --> 00:14:06,950 One of them is about the rootless can't share the Docker socket, for example, so, and I, I gave a, you might
185 00:14:06,950 --> 00:14:11,780 want to expand on this, I kind of gave an answer saying well, they're different sockets, the Docker daemon
186 00:14:11,810 --> 00:14:18,020 that's in root, rootful mode, is in a different URL in the filesystem, right, it's a different
187 00:14:18,020 --> 00:14:18,370 path.
188 00:14:18,380 --> 00:14:24,270 So I guess technically you could, could you run both of these at the same time?
189 00:14:24,340 --> 00:14:25,510 I suppose so.
190 00:14:25,600 --> 00:14:30,520 I don't know why you would, but you could if you were, something, you didn't have Docker, if you didn't
191 00:14:30,520 --> 00:14:34,360 have root access or docker group access and you wanted to run Docker on a machine that already had
192 00:14:34,690 --> 00:14:38,730 Docker, and I guess, you, I mean all the files and everything are on the different paths.
193 00:14:38,740 --> 00:14:38,980 Right.
194 00:14:38,980 --> 00:14:46,450 So I mean even if you have, let's say, rootful mode Docker
195 00:14:46,470 --> 00:14:53,410 running in the /var/lib directory, then normally that is for all the users, but if you are running it in
196 00:14:53,410 --> 00:14:56,860 your own user land then basically it's just a single user.
197 00:14:56,860 --> 00:14:57,130 Right.
198 00:14:57,220 --> 00:15:01,230 So you probably, you should be able to say that's okay.
199 00:15:01,270 --> 00:15:05,360 If you give access to some other users, but normally that, that's not the case.
200 00:15:06,650 --> 00:15:07,950 Yeah, yeah.
201 00:15:08,060 --> 00:15:09,200 Another question on that is
202 00:15:12,420 --> 00:15:16,910 saying that, can I use mounts and volumes only with files my user has permission to?
203 00:15:16,910 --> 00:15:21,630 And yes, that is true, because everything here is scoped to your user account.
204 00:15:21,630 --> 00:15:21,960 Right.
205 00:15:21,960 --> 00:15:24,950 So it's, it's only for you.
206 00:15:24,950 --> 00:15:25,170 Yeah.
207 00:15:26,070 --> 00:15:27,560 Yeah, exactly.
208 00:15:27,570 --> 00:15:33,710 So basically what your user can do, basically, that is what your containers can do, yeah.
209 00:15:33,920 --> 00:15:38,630 And I mean now technically you could have, like, you.
210 00:15:38,660 --> 00:15:42,860 Since you mean, you technically could be someone who has root and you're just choosing to run this in
211 00:15:42,860 --> 00:15:47,990 your user account, but because the Docker daemon in this case is running under your user account, it's
212 00:15:48,020 --> 00:15:52,790 only gonna have access and permissions to the things in there.
213 00:15:53,330 --> 00:15:53,820 Yeah.
214 00:15:54,050 --> 00:15:54,800 Yeah, exactly.
215 00:15:56,200 --> 00:15:58,500 See what else.
216 00:15:58,500 --> 00:16:01,020 Marcus from yesterday, Marcos Nils, is on the call.
217 00:16:01,030 --> 00:16:03,110 He's easy.
218 00:16:03,150 --> 00:16:04,220 He has many questions.
219 00:16:04,260 --> 00:16:05,030 How about.
220 00:16:05,070 --> 00:16:06,700 Does that work?
221 00:16:06,700 --> 00:16:07,870 Good question.
222 00:16:07,870 --> 00:16:09,270 Mm hmm, mm hmm.
223 00:16:09,270 --> 00:16:11,760 It should be able to work, work, I haven't tested it.
224 00:16:11,790 --> 00:16:11,960 Yeah.
225 00:16:11,970 --> 00:16:12,540 Yeah.
226 00:16:12,600 --> 00:16:16,050 So what if you just try to docker swarm init in the, in the rootless one?
227 00:16:16,590 --> 00:16:17,720 Yeah, love.
228 00:16:17,790 --> 00:16:18,730 Yeah, let's see that.
229 00:16:18,990 --> 00:16:24,750 And then maybe run, do a service create maybe on a, you know, we're going to, we're gonna make random
230 00:16:24,750 --> 00:16:33,020 demos, so it says it's a manager, maybe service create an nginx or something running on port
231 00:16:33,020 --> 00:16:34,490 8080 or something.
232 00:16:38,580 --> 00:16:43,230 I mean in theory I would think that it would work, because as long as you don't try to publish on
233 00:16:43,230 --> 00:16:49,800 ports. One thing might be interesting is, will it allow the virtual, the veth that it creates?
234 00:16:49,800 --> 00:16:50,260 Can it?
235 00:16:50,550 --> 00:16:54,420 Oh, that's a good point, because does Docker, Docker's
236 00:16:58,080 --> 00:17:03,890 rootless Docker doesn't have access to create virtual interfaces, does it?
237 00:17:03,900 --> 00:17:04,890 I don't see why not.
238 00:17:05,920 --> 00:17:08,620 I'm trying to think, it shouldn't be able to create new, return.
239 00:17:08,980 --> 00:17:09,340 Yeah.
240 00:17:09,370 --> 00:17:13,390 So what happens when you do a list of the networks on there, like a docker network ls on the
241 00:17:17,310 --> 00:17:18,180 dance.
242 00:17:18,990 --> 00:17:20,150 Yeah, it does have them.
243 00:17:20,420 --> 00:17:26,250 I mean maybe it's, maybe I can't, maybe I can't use host mode or something, I remembered reading something
244 00:17:26,250 --> 00:17:27,090 about.
245 00:17:27,090 --> 00:17:32,700 There was something in networking that it couldn't do without root, because that was changing the net
246 00:17:33,100 --> 00:17:34,250 basically.
247 00:17:34,410 --> 00:17:36,360 Yeah, I remember, using host network.
248 00:17:36,800 --> 00:17:39,440 Yeah, I remember hearing something about that too, me.
249 00:17:40,270 --> 00:17:40,820 Yeah.
250 00:17:41,760 --> 00:17:49,850 What you probably cannot do is, for example, because of the limitation of this less than a thousand
251 00:17:49,860 --> 00:17:55,710 port, you probably cannot, you have a proxy running and doing a balancing between your own services
252 00:17:55,800 --> 00:18:01,680 below that, so you cannot expose basically a port on the ground that no means or model either.
253 00:18:02,330 --> 00:18:02,880 Yeah, I don't know.
254 00:18:02,900 --> 00:18:06,200 Ingress needs something like that.
255 00:18:07,170 --> 00:18:11,290 Marcus is asking about daemonless as well, is it possible for us to.
256 00:18:11,350 --> 00:18:13,980 Yeah, but that's a different thing.
257 00:18:14,010 --> 00:18:19,220 I mean this is not daemonless, this is rootless, and basically the difference is that daemonless,
258 00:18:19,240 --> 00:18:23,690 you should not be needing any daemon behind that, and we don't care.
259 00:18:23,700 --> 00:18:24,840 We don't share with anyone else.
260 00:18:24,840 --> 00:18:30,690 I think that we could do something with containerd and the, maybe.
261 00:18:30,750 --> 00:18:31,000 Right.
262 00:18:31,190 --> 00:18:31,500 Yeah.
263 00:18:31,680 --> 00:18:32,830 Yeah, that's true.
264 00:18:33,240 --> 00:18:35,310 I mean I guess fundamentally that would be.
265 00:18:35,430 --> 00:18:41,080 I can see how that would be a little tricky, because the Docker CLI just talks to you.
266 00:18:41,470 --> 00:18:41,720 Yeah.
267 00:18:41,790 --> 00:18:48,010 Basically Docker, shall I say, the way it is being, in the design, is that it's client server.
268 00:18:48,030 --> 00:18:49,740 So yeah, we have a daemon.
269 00:18:49,740 --> 00:18:55,830 It would almost be like there'd, there'd need to be a CLI add-on that in the background
270 00:18:55,830 --> 00:18:58,000 is just really running a Docker,
271 00:18:58,050 --> 00:19:02,790 the dockerd process, but not technically running it as a daemon, and it's just running it as part
272 00:19:02,790 --> 00:19:04,310 of the docker run.
273 00:19:04,440 --> 00:19:08,360 And yeah, because you couldn't do that around dockerd, right.
274 00:19:08,370 --> 00:19:10,260 You'd have to do it.
275 00:19:11,570 --> 00:19:11,770 Okay.
276 00:19:11,810 --> 00:19:16,350 Yeah, that would be an interesting use case, for example.
277 00:19:16,380 --> 00:19:17,550 So in CI.
278 00:19:17,580 --> 00:19:21,450 Basically what you want is you want to be able to create containers.
279 00:19:21,660 --> 00:19:26,760 But the problem is that if you share, the CI should do that, you want to build any container as well.
280 00:19:26,770 --> 00:19:33,110 Then you basically need containers inside the container, and then this makes it more complicated.
281 00:19:33,120 --> 00:19:38,240 One way of overriding that is basically you can do containers alongside containers.
282 00:19:38,270 --> 00:19:46,100 So basically exposing your docker socket inside your container, and you can run more containers inside.
283 00:19:46,220 --> 00:19:51,120 But in the same Docker engine, and the other thing that you can do is you run the Docker inside
284 00:19:51,120 --> 00:19:51,750 the Docker.
285 00:19:51,810 --> 00:19:58,020 So basically you can share a daemon inside your CI, the container, and the other one,
286 00:19:58,080 --> 00:20:04,140 basically this helps in order to eliminate more of the restrictions that the Docker in CI has,
287 00:20:04,140 --> 00:20:10,170 because previously you needed to ship privileged mode, and if you are using user land maybe this
288 00:20:10,310 --> 00:20:14,970 privileged mode is not necessary in order to do it inside your own container.
289 00:20:14,970 --> 00:20:17,140 But I haven't tested that either.
290 00:20:17,310 --> 00:20:18,320 Yeah.
291 00:20:19,380 --> 00:20:23,280 And if you could have daemonless then that would simplify a lot,
292 00:20:23,280 --> 00:20:29,280 your CI, in order to not share a daemon, Docker, inside your CI system.
293 00:20:32,450 --> 00:20:34,150 Lots more questions.
294 00:20:35,540 --> 00:20:41,600 I don't actually think that's a question, in there about checking binaries or applications inside a container
295 00:20:41,600 --> 00:20:42,850 are working perfectly or not.
296 00:20:42,860 --> 00:20:44,490 Any Docker features in there?
297 00:20:44,510 --> 00:20:50,850 No, there are no new features related to that, and that's not related to daemonless or rootless Docker
298 00:20:50,870 --> 00:20:52,530 rather.
299 00:20:52,770 --> 00:20:58,070 There's really, Docker's already, already has all the features you really need to check binaries or applications
300 00:20:58,070 --> 00:20:59,960 for working perfectly.
301 00:21:00,680 --> 00:21:05,870 You have docker logs, you have docker events, you have the Docker daemon logs.
302 00:21:05,900 --> 00:21:11,420 You might want to check on my YouTube channel for that, because we talked about it last week.
303 00:21:11,420 --> 00:21:16,700 We actually have a sysadmin show, we talked all through the different levels of logging and, and events
304 00:21:16,730 --> 00:21:20,210 and monitoring stuff in Docker, so check that out.
305 00:21:20,210 --> 00:21:25,850 That's bretfisher.com/youtube, and then search in there for sysadmin and you can find that
306 00:21:25,850 --> 00:21:29,000 question, that was a good question though.
307 00:21:30,870 --> 00:21:32,620 What, from a security perspective.
308 00:21:32,630 --> 00:21:37,040 What's the difference between using rootless containers and user namespaces?
309 00:21:42,210 --> 00:21:48,210 Depending how are you going to create your user namespaces, if you need to have root access in order
310 00:21:48,210 --> 00:21:51,140 to create them then basically you don't get rootless.
311 00:21:51,150 --> 00:21:56,120 But the question is not where do you run them, it's how you create them.
312 00:21:56,130 --> 00:22:01,320 And basically the rootless model is that you create your user namespaces below your own user namespace.
313 00:22:03,540 --> 00:22:10,340 Yeah, I mean I guess technically it's funny, depending on how technical you want to get, I think between
314 00:22:10,380 --> 00:22:15,750 rootless containers and user namespaces is that in user namespaces, which I'm a big fan of, but that
315 00:22:15,750 --> 00:22:16,910 the rootless stuff, right.
316 00:22:17,100 --> 00:22:18,350 That's gonna be.
317 00:22:19,650 --> 00:22:27,340 That's gonna be more about only things being in my user, and the user namespaces means the Docker daemon's
318 00:22:27,360 --> 00:22:32,190 still running root, which means I have to have root access, I have to be able to run Docker as root, I have
319 00:22:32,190 --> 00:22:37,440 to be in the docker group at least to get access to that, and then the user namespaces means that the
320 00:22:37,440 --> 00:22:43,800 user running in the container and the container itself are not running under the root process, but if
321 00:22:43,800 --> 00:22:50,070 there were some, like, zero-day bug in that Docker daemon that allowed you to somehow hop into the daemon
322 00:22:50,610 --> 00:22:55,580 from the container, then maybe the user namespaces wouldn't help you with that.
323 00:22:55,770 --> 00:22:59,720 Maybe, I don't know, it's from a security perspective.
324 00:22:59,730 --> 00:23:01,440 I think you could sit here and debate that all day.
325 00:23:01,470 --> 00:23:03,060 Which one's better.
326 00:23:03,060 --> 00:23:08,130 I'd say it's more about the use cases, right, like if this is more about, like, I don't, I don't even want
327 00:23:08,130 --> 00:23:11,200 to have anything even possibly being root.
328 00:23:11,430 --> 00:23:15,960 The one thing we don't have in rootless, user namespaces, by the way, for Docker daemon yet, which I'm hoping
329 00:23:15,960 --> 00:23:22,920 we'll get to someday, is where you can run Docker daemon, then run user namespaces, and what that means
330 00:23:22,980 --> 00:23:27,780 fundamentally is that every container is running as a non-root user, but right now they're not different
331 00:23:27,780 --> 00:23:28,290 users.
332 00:23:28,290 --> 00:23:34,380 So every container running in user namespaces is the same user account, and it would be super cool for
333 00:23:34,380 --> 00:23:39,180 security if we ran that where every single container you launch was a different user, which means they
334 00:23:39,180 --> 00:23:45,660 could, if someone had a container or exploit, they could, they couldn't get it contained on a different
335 00:23:45,660 --> 00:23:46,180 container.
336 00:23:46,250 --> 00:23:52,430 Yeah, yeah, that was a, I think because the user namespace feature was largely written by another Docker
337 00:23:52,440 --> 00:24:01,650 Captain, and Phil Estes, who's been on the show, talked about that last year actually, on user namespaces,
338 00:24:01,650 --> 00:24:07,440 and I kind of asked him, like, are we going to get to the user in user namespaces, user per container
339 00:24:07,470 --> 00:24:16,350 thing, which they call that like, like user namespaces 2.0, and, and he was like, I don't know if anyone
340 00:24:16,650 --> 00:24:21,560 is, anyone want to build that feature, and so it would, it would be a cool feature but I don't think it
341 00:24:21,610 --> 00:24:23,330 is working out yet.
342 00:24:24,000 --> 00:24:31,200 Oh, so Marcus is saying swarm requires loading kernel modules and usually add routes, so you can't use
343 00:24:31,200 --> 00:24:35,520 overlay, I think, is one of the limitations, overlay requires kernel modules.
344 00:24:35,520 --> 00:24:37,010 Maybe the virtual thingy here.
345 00:24:37,340 --> 00:24:40,440 Yeah, I think overlaying works in the one.
346 00:24:40,710 --> 00:24:49,030 There are plans, I think they are thinking about, dreaming about, but about other file systems.
347 00:24:51,310 --> 00:24:55,010 Bikers asking, if I exec into a rootless container,
348 00:24:55,060 --> 00:25:00,460 is there a password to access root or sudo to root, or is root completely unavailable?
349 00:25:03,090 --> 00:25:12,890 I think the root inside the container is basically the, a user of the, of the, a daemon, but I think
350 00:25:13,200 --> 00:25:14,120 that's awesome.
351 00:25:14,280 --> 00:25:14,650 Yeah.
352 00:25:14,690 --> 00:25:15,620 So yeah.
353 00:25:15,670 --> 00:25:16,190 That's it.
354 00:25:16,340 --> 00:25:17,180 I like that answer.
355 00:25:17,180 --> 00:25:18,620 That's, yeah.
356 00:25:18,650 --> 00:25:23,060 If you, so if you're in the container and you are the root user in the container, you still have no more
357 00:25:23,060 --> 00:25:28,020 privileges than what the Docker daemon's running at on the host, which is your user account.
358 00:25:28,550 --> 00:25:30,220 So in the container you could.
359 00:25:30,470 --> 00:25:33,350 I mean technically you could give root in a container a password.
360 00:25:33,350 --> 00:25:38,870 You could make a bunch of users in the container, but on the host file system they wouldn't have, you know,
361 00:25:39,200 --> 00:25:44,150 other words, because that would be an escalation in privileges beyond what you're allowed to do, right.
362 00:25:44,150 --> 00:25:45,840 So thank you so much, Dmitri.
363 00:25:45,850 --> 00:25:51,950 That's really cool stuff, I didn't realize it was that easy to install with the script now, that
364 00:25:52,490 --> 00:25:57,530 the original post that was put out by the Docker team was a little daunting to look at, because I like,
365 00:25:57,550 --> 00:25:57,930 to.
366 00:25:58,010 --> 00:26:02,480 This is a, this is an hour of my time to get it installed, but now that I've got an install script like
367 00:26:02,480 --> 00:26:05,060 you have for regular Docker, it goes, yeah, it goes great.