Podcast appearances and mentions of kata containers

  • 17 PODCASTS
  • 19 EPISODES
  • 46m AVG DURATION
  • INFREQUENT EPISODES
  • Sep 7, 2023 LATEST


Latest podcast episodes about kata containers

MacTalk·夜航西飞
Vol.041 An open-source standard-bearer "betrays" open source: pure idealism vs. reluctant business

Sep 7, 2023 · 72:55


Guests

red hat gpl kata containers

Deploy Friday: hot topics for cloud technologists and developers

The Open Infrastructure Foundation

Julia Kreger, Mark Collier, and Mohammed Naser are all part of the Open Infrastructure Foundation (OIF), a nonprofit that builds communities around IaaS, Infrastructure-as-a-Service. The OIF is vast and global — it spans 100,000 members across over 180 countries, and it focuses on projects in multiple areas, including:

  • Edge computing
  • Container Infrastructure
  • Public/Private hybrid cloud
  • AI and Machine Learning
  • CI/CD

The OIF origin story

The Foundation traces its roots to another open source project, OpenStack, which provides software for creating private and public clouds. Julia describes OpenStack. “OpenStack is a whole slew of projects that we've had to build, orchestrate, and integrate, which allow you to use software to manage your infrastructure.” These projects include Airship, Kata Containers, and Zuul, an open source CI/CD platform for gating changes across multiple systems.

OpenStack accelerated and began to build a larger community. “Since its inception, over 8,500 developers have contributed to OpenStack,” says Mark. The team wanted to take their work with OpenStack even further. Mark explains the journey from OpenStack to OIF. “We wanted to apply the things we learned with OpenStack to make an even bigger impact, so we became the Open Infrastructure Foundation.”

The Four Opens

The OIF follows a set of guiding principles dubbed “The Four Opens.” Mohammed explains them in the quotes below.

  • Open source: “All the software we build is 100% open source — no paywalls and all with open source licenses.”
  • Open design: “You have to have a public conversation about what you intend to do, you have to get that documented as a spec, that the community needs to all agree on together to make sure that it works for everybody. The community controls the roadmap of each project.”
  • Open development: “All code commits and code review are done in public, nothing is behind any walls, nothing that you have to be invited to do.”
  • Open community: “Any and all discussions are locked and made public. There's no discussion you can't be a part of.”

Learn more about the Open Infrastructure Foundation or try one of their projects.

Fukabori.fm
55. Container Runtimes (Part 2) w/ TokunagaKohei

Aug 22, 2021 · 37:42


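Topics discussed

  • What is a high-level runtime?
  • What high-level runtime implementations are used on desktops and similar environments?
  • containerd
  • How Docker came to use containerd
  • podman
  • What are Podman's distinguishing features?
  • Note: In the episode, the ability to create Pods is given as one of the main functional differences between Podman and Docker, but there are several others. The differences are clearly summarized in "Comparison of Docker and Podman" (Container Runtime Meetup #3 presentation material) by Moby maintainer Akihiro Suda.
  • conmon
  • nerdctl
  • What are the benefits of using nerdctl?
  • What CRI implementations does Kubernetes call?
  • CNCF (Cloud Native Computing Foundation)
  • BuildKit
  • CRI-O
  • What distinguishes CRI-O when compared with containerd?
  • What OCI runtime implementations exist?
  • runc
  • runc v1.0.0 release
  • Open Container Initiative Runtime Specification
  • Is an OCI runtime something you can implement yourself?
  • youki: A container runtime in Rust
  • "My first steps after belatedly getting started with containers in 2021"
  • Secure container runtimes
  • Kata Containers
  • What characterizes Kata Containers?
  • gVisor
  • What characterizes gVisor?
  • Implementation in C
  • crun
  • Where do the differences between language implementations lie?
  • Performance and community
  • Open Container Initiative
  • What specifications does the OCI define?
  • OCI Runtime Specification
  • OCI Image Specification
  • OCI Distribution Specification
  • How will container-related specifications and implementations evolve from here?
  • "Docker and Kubernetes Explained with Illustrations" (Software Design plus)

Episode sponsor: YUMEMI Inc.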

rust cri oci kata containers

Research Saturday
It's still possible to find ways to break out.

Oct 10, 2020 · 20:14


Containers offer speed, performance, and portability, but do they actually contain? While they try their best, the shared kernel is a disturbing attack surface: a mere kernel vulnerability may allow containerized processes to escape and compromise the host. This issue prompted a new wave of sandboxing tools that use either unikernels, lightweight VMs or userspace-kernels to separate the host OS from the container's OS. One of these solutions is Kata Containers, a container runtime that spawns each container inside a lightweight VM, and can function as the underlying runtime in Docker and Kubernetes. Kata's virtualized containers provide two layers of isolation: even if an attacker breaks out of the container, he is still confined to the microVM. Joining us in this week's Research Saturday to discuss the research is Yuval Avrahami from Palo Alto Networks Unit 42. The research presented at Black Hat USA 2020 can be found here:  Escaping Virtualized Containers

The CyberWire
It's still possible to find ways to break out. [Research Saturday]

Oct 10, 2020 · 20:14


Containers offer speed, performance, and portability, but do they actually contain? While they try their best, the shared kernel is a disturbing attack surface: a mere kernel vulnerability may allow containerized processes to escape and compromise the host. This issue prompted a new wave of sandboxing tools that use either unikernels, lightweight VMs or userspace-kernels to separate the host OS from the container's OS. One of these solutions is Kata Containers, a container runtime that spawns each container inside a lightweight VM, and can function as the underlying runtime in Docker and Kubernetes. Kata's virtualized containers provide two layers of isolation: even if an attacker breaks out of the container, he is still confined to the microVM. Joining us in this week's Research Saturday to discuss the research is Yuval Avrahami from Palo Alto Networks Unit 42. The research presented at Black Hat USA 2020 can be found here:  Escaping Virtualized Containers

Electro Monkeys
Kata Containers, Micro VMs for Kubernetes, with Samuel Ortiz

Jul 7, 2020 · 61:13


What level of isolation does containerization offer? The marketing around Docker from 2013 onward suggested, to put it simply, that a container was comparable to a virtual machine, only lighter. From a security standpoint, however, that is not the case at all: containers all share their host's kernel and are isolated mainly through namespaces and cgroups, whereas virtual machines are isolated through hardware virtualization technologies.

The risks tied to this weak isolation may have slowed the adoption of containers by some companies, depriving them of the fabulous benefits that Kubernetes brings. Yet as early as 2015, hyper on one side and Intel on the other had begun working on this problem to try to deliver a solution that would be the best of both worlds. These projects later merged into a single one: Kata Containers, which is today hosted by the OpenStack Foundation.

In this episode, I have the pleasure of welcoming Samuel Ortiz. Samuel is a principal engineer at Intel, and he is one of the contributors to the Kata Containers project, as well as to Rust-vmm, which is at the heart of micro VMs such as Amazon Firecracker. With him we will discover what Kata Containers and Rust-vmm are, and discuss the security model they are able to give us.

Support the show (https://www.patreon.com/electromonkeys)

Code[ish]
57. Discussing Docker Containers and Kubernetes with a Docker Captain

Feb 17, 2020


Mike Mondragon interviews Bret Fisher, who works as a freelance DevOps/sysadmin consultant and who also has the designation of being a Docker Captain. Docker Captain is a distinction that Docker awards to select members of the community who are Docker experts and are passionate about sharing their Docker knowledge with others. To that end, Bret walks us through the history of how he became involved in Docker, and indeed, the history of Docker itself: the problems it tried to solve, and the way the codebase evolved to provide those solutions.

Much of the conversation centers around the confusing terminology and processes present in the Docker ecosystem: when to use Docker Compose, the differences between running Docker locally and in production, and when to consider adopting Kubernetes. There are also various container runtimes which developers can make use of, and Bret touches on the characteristics of each as well.

Bret looks towards the future of Docker, the company, as they recently sold off a portion of their enterprise-focused business. Docker is returning to its original intent to provide developers with better tooling to deploy and isolate their applications. He urges caution for teams ready to move wholeheartedly to Docker, and advises them instead to focus on solutions that match their problems, not those of immense enterprise corporations.

Links from this episode

  • An explanation of a Docker Captain's role
  • DevOps in Docker Talk is Bret's podcast
  • Kata Containers, containerd, and cri-o are just some of the container runtimes out there
  • Kelsey Hightower's Kubernetes: the hard way is a tutorial that walks you through setting up Kubernetes

bret devops docker kubernetes kelsey hightower docker containers kata containers docker captain bret fisher

Mobycast
The Future of Containers - Part 3 - Unikernels

Jan 29, 2020 · 57:27


In this episode, we cover the following topics:

  • We continue our discussion of microVMs with a look at Kata Containers.
  • Kata Containers was formed by the merger of two projects: Intel Clear Containers and Hyper runV.
  • How does Kata Containers integrate with existing container tooling?
  • How mature are Kata Containers - are they ready for production?
  • We then take a look at unikernels, which take a dramatically different approach to solving the problem of providing high security with blazing performance.
  • The benefits of unikernels along with a comparison on how they differ from containers.
  • We discuss some of the most popular unikernel implementations, including OSv and MirageOS.
  • Does the future point to a deathmatch between containers and unikernels, or will there be a need for both approaches to cloud-native apps?

DETAILED SHOW NOTES
Want the complete episode outline with detailed notes? Sign up here: https://mobycast.fm/show-notes/

SUPPORT MOBYCAST
https://glow.fm/mobycast

END SONG
Palm of Your Hand by Blynkwth

MORE INFO
For a full transcription of this episode, please visit the episode webpage.

We'd love to hear from you! You can reach us at:

  • Web: https://mobycast.fm
  • Voicemail: 844-818-0993
  • Email: ask@mobycast.fm
  • Twitter: https://twitter.com/hashtag/mobycast
  • Reddit: https://reddit.com/r/mobycast

Mobycast
The Future of Containers - Part 2 - Making Sense of MicroVMs (continued)

Jan 22, 2020 · 60:52


In this episode, we cover the following topics:

  • We revisit a misunderstanding from last week's show to find out exactly what the Firecracker team means when they list "Single VM per Firecracker process" as a security benefit.
  • We discuss what's next on the Firecracker product roadmap, with particular emphasis on support for snapshot/restore.
  • We learn how AWS uses Firecracker in production today with AWS Lambda.
  • AWS is currently working on updating Fargate to use Firecracker. We look at why they are doing this and the design details of updating Fargate to use Firecracker.
  • We finish by looking at how you can use Firecracker for your own containers, by incorporating Firecracker-aware tooling into your container infrastructure. Specifically, we look at firecracker-containerd and Weave Ignite.

END SONG
Thing Is by Public Address

Mobycast
The Future of Containers - Part 1 - Making Sense of MicroVMs

Jan 15, 2020 · 68:23


In this episode, we cover the following topics:

  • We review virtual machines (full virtualization) and their benefits and tradeoffs.
  • We then revisit containers (OS-level virtualization) and briefly recap how they use OS kernel features to enable virtualization.
  • Containers provide great performance and resource efficiency, but at the cost of losing strong isolation.
  • Can we have the performance and efficiency benefits of containers but with the strong isolation of VMs?
  • There are some promising technologies that aim to combine the best of both VM and container worlds: microVMs, unikernels and container sandboxes.
  • What are microVMs?
  • What are unikernels?
  • What are container sandboxes?
  • AWS Firecracker is one of the most talked about microVMs. We discuss what it is, and the key benefits of using Firecracker.

END SONG
Smooth Modulator by aMIGAaMIGO

Kubernetes Podcast from Google
containerd, with Derek McGowan

Sep 17, 2019 · 32:51


containerd was born from community desire for a core, standalone runtime to act as a piece of plumbing that applications like Kubernetes could use. It sits between command line tools like Docker, which it was spun out from, and lower-level runtimes like runC or gVisor, which execute the container’s code. This week’s guest is Derek McGowan, a Software Engineer at Docker and a containerd maintainer-d. Along with the news of the week, Adam and Craig discuss the many Vancouvers.

Do you have something cool to share? Some questions? Let us know:

  • web: kubernetespodcast.com
  • mail: kubernetespodcast@google.com
  • twitter: @kubernetespod

Chatter of the week

  • Vancouver, Vancouver, and George Vancouver
  • South Bend, North Bend, and Bend
  • Cosmopolis
  • “50 Year Sensation: the Dave McMacken Retrospective” (album art show in Astoria, Oregon)

News of the week

  • Istio 1.3 is out
  • Google’s Anthos now includes Anthos Service Mesh, Cloud Run for Anthos and more
  • Cloud Native Application Bundles hit 1.0
  • Episode 61 with Ralph Squillace and Jeremy Rickard
  • Nominations for the annual CNCF Community Awards
  • Bloomberg hits 90% utilization with Kubernetes
  • Mistakes that “cost” thousands by Gajus Kuizinas
  • Kubernetes Edge working group publishes whitepaper
  • Isopod, by Cruise
  • Pulumi 1.0
  • 5 RBAC mistakes you must avoid (number 4 will shock you)
  • OpenShift 4.2 disconnected install
  • Red Hat Quay 3.1
  • Microsoft AKS brings Scale Sets and Standard LB to GA
  • Upstream kernel bugs
  • Amazon EKS adds cluster tagging and IAM roles for service accounts
  • Deep dive into AWS Fargate by Abhisheck Ray from Amazon
  • Kong introduces Kuma, “universal service mesh”
  • Google introduces Cloud Dataproc for Kubernetes
  • Apache Flink operator from Google Cloud
  • Container runtime security bypasses on Falco by Mark “Antitree” Manning
  • Rafay Systems lands $8m in Series A funding

Links from the interview

  • containerd
  • Original announcement
  • The many meanings of ‘container runtime’
  • kubelet and Container Runtime Interfaces
  • runC, gVisor, Kata Containers, and the Windows Host Compute Service (HCS)
  • ctr debug tool
  • containerd’s graduation from the CNCF
  • containerd shim API
  • gVisor shim
  • Firecracker containerd integration
  • Kata Containers shim
  • Windows Container shim
  • rkt announced in 2014 with appC spec
  • Open Container Initiative
  • libcontainer, which became runC
  • Web Assembly (WASM)
  • BuildKit
  • 1.3.0 releases are coming
  • Contribution opportunities: Reporting issues, Plugin ecosystem
  • Derek McGowan and containerd on Twitter

Les Cast Codeurs Podcast
LCC 211 - Interview on virtualization with Quentin Adam

May 27, 2019 · 91:22


Quentin Adam (CEO of Clever Cloud) and Emmanuel discuss the stack from bottom to top, from hardware to software, from the angle of virtualization. And of course, the conversation drifts a little from time to time, because we're worth it.

Recorded March 27, 2019

Episode download: LesCastCodeurs-Episode–211.mp3

Interview

  • Your life, your work
  • @waxzce
  • Clever Cloud
  • Why do we virtualize?
  • Para-virtualization
  • Xen
  • The physical processor
  • CPU, registers, caches, memory bus
  • GPU
  • ASIC
  • CPU
  • FPGA
  • Protection ring
  • The microcode
  • A short detour on Spectre and Meltdown
  • An OS and virtualization
  • Hardware abstraction
  • Separation of CPU time, memory
  • Virtual address
  • QEMU
  • VirtIO
  • Spectre and Meltdown
  • Container ("Isolator")
  • Container vs zones vs jails vs VMs
  • Kernel in user space
  • gVisor
  • ReiserFS
  • Kata Containers
  • WebAssembly
  • And compared to Kata Containers, for example? Or KVM? What are the advantages / drawbacks? (memory, security/sandboxing, startup speed…)
  • Business model, recompilation for the physical hardware, and conclusion
  • Exherbo

Contact us

  • Support Les Cast Codeurs on Patreon https://www.patreon.com/LesCastCodeurs
  • Do a crowdcast or a crowdquestion
  • Contact us via Twitter https://twitter.com/lescastcodeurs, on the Google group https://groups.google.com/group/lescastcodeurs, or on the website https://lescastcodeurs.com/

The Byte - A Byte-sized podcast about Containers, Cloud, and Tech
Interview Phil Estes - IBM Distinguished Engineer, CNCF Ambassador, and ContainerD Maintainer

May 20, 2019 · 21:42


  • Phil Estes - https://twitter.com/estesp
  • ContainerD - https://containerd.io/
  • ContainerD Maintainer Michael Crosby - https://twitter.com/crosbymichael
  • CERN - https://home.cern/
  • Tim Berners-Lee's First Web Browser 1993 - http://info.cern.ch/NextBrowser.html
  • Birth of the Web at CERN - https://home.cern/science/computing/birth-web

Episode Transcript

Brian Christner: Welcome back to The Byte. In this episode, we're going to be interviewing Phil Estes. Phil Estes, correct?

Phil Estes: Yes that's correct.

Brian Christner: He is an IBM Distinguished Engineer for IBM Cloud, ContainerD maintainer, correct?

Phil Estes: Yeah.

Brian Christner: Member of the Technical Oversight Board for open containers, recently Cloud Native Ambassador, and home-based in Virginia. That is quite an impressive resume to be honest.

Phil Estes: Yeah, yeah. Especially that I live in Virginia and do all that.

Brian Christner: That tops off the cake, right? So we're here in Switzerland today, Phil is actually flying through for a conference that he's attending later this week, or tomorrow actually. And he came by and he's visiting us at Spaces here in Zurich, so that's really cool of you to join us. Now, where are you going after this?

Phil Estes: So this week, got a really neat opportunity to go to CERN. Initially just was going to talk about ContainerD with interested parties there and actually, we've got few other maintainers coming in because KubeCon is next week. There was some ability to kind of add this to people's schedule. So we're going to talk some about ContainerD on Friday but then Jess Frazelle, who I've been working with way back in the Docker open source community days, she had always wanted to visit CERN. So anyway, one thing led to another and now we're both speaking tomorrow in kind of the main auditorium just what they call an IT seminar, give a talk on some topics so I'm going to talk about open source and containers.
So yeah it'll be fun.

Brian Christner: Now for those who don't know CERN, they're trying to make a black hole with a giant particle collider. And they're actually trying to find what particles make up human beings and all the matter around us, which is quite interesting. And they probably have one of the largest IT infrastructures in the world.

Phil Estes: Yeah, yeah. And actually some pretty interesting historic infrastructure. You know, they've got the NeXT first web server that Tim Berners-Lee ran, that sat at CERN and ran the first few websites. And I think when you visit their data center, you can kind of look through the glass and there's a sign hanging over a certain spot, like the first internet router was here, so it's a pretty interesting place. And like you said, an amazing amount of compute and storage because of all the experiments going on there and they're obviously very interested in cloud and modern technologies to help them kind of operate this infrastructure for the scientists and the researchers.

Brian Christner: I mean that's an impressive facility and it's going to be an amazing event that you get to attend.

Phil Estes: Yeah.

Brian Christner: Now next up, I want to ask you about your first computer. Can you tell us way back when your first computer and what it was and what you did with this first computer?

Phil Estes: Sure. Yeah, so at the time I was in junior high I lived in kind of a rural, not a tiny town but a small town in Illinois. We had the one like a local mall with like a Radio Shack and I would actually walk there after school and play around on these TRS80 computers which were kind of the early modern PC that you could actually off-the-shelf buy. I know there was some earlier computer equipment you could buy but the TRS80 was kind of commercialized and Radio Shack was pushing it pretty hard. And so anyway, one Christmas my grandfather went in with my parents knowing that I had a strong interest in ...
a TRS80 showed up with a two like five and a quarter floppy drives and I think we even had the acoustic coupler for like tape. Anyway, all the hilarious gizmos of that era of computing. And it came with Frogger, a couple of other games.

Phil Estes: But I pretty quickly learned the commands for MS-DOS and got a book on Basic and thought, you know, I just want to see what I can program. So I was just writing silly programs trying to paint things on the screen, make noises. And so yeah that was my first exposure to computers and programming and I guess you could say I never kind of lost that bug. Just the interest of trying to see what you can make it do. So yeah.

Brian Christner: Nice. I mean, it's incredible when we think back to our first computers and where we're sitting today, it's always a nice journey. So now you're working IBM for quite a long time, actually I remember we discussed this and you what, about two years ago, became a distinguished engineer, or year and a half ago or so.

Phil Estes: Yeah just a year ago.

Brian Christner: So tell us about that journey, how you became a distinguished engineer.

Phil Estes: Yeah, so the cool thing about IBM is that they have, especially as you advance in your career, there's a very clear and discreet path for technical advancement. So for example, there are websites that detail kind of the skills expected, lots of materials to help you kind of understand how to grow and find gaps where you need to work with your manager to find out okay, to be this next level on the technical ladder, I need to do these things or have this kind of scope of my visibility to the rest of IBM. And so distinguished engineer is kind of the culmination of a lot of that because it's the first sort of executive rung on the technical ladder at IBM. And there's really only one above that and it's IBM Fellow, which is a pretty significant accomplishment.
There are only a hundred or so active IBM Fellows in the entire company, which if you're in a small company a hundred is a big number if you're in IBM a hundred is a very small number.

Phil Estes: But yeah, so I would say that distinguished engineer is not only about being smart or being technically astute, there needs to be a breadth of something that you're seen as a leader on. And thankfully I'd say I'm lucky that containers and open source and all these things kind of came together at a time when I just happened to get involved and become known as the guy who knew about Docker and containers and then IBM decided to build kind of our cloud platform around that. And so yeah, I mean the timing was perfect for me to kind of expand my scope in IBM to be seen as a leader to where my management and those who supported me could honestly take it forward to, kind of first the Cloud Unit Review Board, and then it's actually a corporate recognition so DE is an appointment at the corporate level.

Phil Estes: You know, it's not something you can sneak into, you got to have a ton of support across IBM, you got to have the right people kind of pulling for you, and so I'm just thankful I had some amazing people around me, management that brought that together. Because it's something I never necessarily thought I would reach at IBM and it's a cool thing.

Brian Christner: I mean it's really an amazing achievement. I mean considering the size of IBM, I don't know how many employees, must be a hundred thousand-

Phil Estes: 400,000.

Brian Christner: 400,000.

Phil Estes: Worldwide.

Brian Christner: So I mean, it's a small, smallest percentage of actually become distinguished engineers. So I mean, that's really an accomplishment.
Now you mentioned the open source and how you started with Docker, let's talk a little bit about ContainerD and how you got involved in ContainerD.

Phil Estes: Yeah, so I was working on Docker, the open-source project, obviously 2014, 2015 into 2016 it was hugely popular as an open-source project. It was also under a lot of stress from just the amount of people wanting to kind of give their input, make their mark on Docker, you know, whether it's vendors or independent people. It was being pulled in a lot of directions and of course Docker the company also had specific ideas and strong opinions on Docker the open-source project. And it was causing some tension, Kubernetes Swarm, that was kind of a big excitement in 2016. And ContainerD really came out of a set of discussions with many players at the time, you know, there'd been some public calls for we just need a stable core run time, that's not opinionated, that we can all build on. Docker can continue to build their platform, people that love Kubernetes can build on it.

Phil Estes: So ContainerD, you know again, came out of Docker. Michael Crosby had a huge hand in kind of putting that together. It originally showed up in 2016 as kind of a management layer over runc, which is the OCI layer that also appeared that year. But it was really late that year that, through my involvement with Docker and talking to Solomon (Docker Founder) and all the people at Docker, that we really agreed this is something that should be outside of Docker, should be in CNCF or wherever you guys think is best. And so, you know, early 2017 it was donated to the CNCF. And so again, I felt like it just made sense for IBM to continue involvement to get even more involved in ContainerD than we had in Docker because we built, again, our cloud platform around Kubernetes and having ContainerD as this core runtime across all our platform, which we use Cloud Foundry, which has a container runtime.
We have functions and service platform which now uses ContainerD.

Phil Estes: So it's become kind of this underpinning underneath all these layers of [inaudible 00:10:17], you know containers as a service. So yeah, that's kind of the history of how it came to be and why IBM decided that it made sense for us to be involved and why I continued as a maintainer there to be that connection point between IBM product and the open-source side of ContainerD development.

Brian Christner: I mean, ContainerD, I mean within IBM is becoming the standard, but also outside of IBM, I mean Google, Amazon, everybody is relying on ContainerD as the runtime. Is that correct? I mean, how do you see that going forward?

Phil Estes: Yeah, I mean I feel like our adoption has been phenomenal and the cool thing is because, and again I can't take credit for this, Michael Crosby, Stephen Day, Derek McGowan, they had lived through the entire Docker development lifetime and ContainerD was almost a chance to rethink a few pieces to make sure that the abstractions were really, really clean. And so now what's cool to see is it's not just about Docker using ContainerD or Kubernetes using ContainerD, but like AWS Firecracker or gVisor or you know all these kind of new ideas about container isolation. ContainerD just happens to be a perfect vehicle for bringing new kind of ideas around containers and isolation that don't necessarily have to live on top of Kubernetes or the Docker engine.

Phil Estes: So yeah, I think because of that you're seeing, you know, wide adoption. Alibaba Cloud, I like to point at them because they're using it like everywhere in their cloud. They've built their own Pouch Container open source project that sits on ContainerD, that's like a Swiss Army Knife of runtime and registry interactions. And so I think all these things clearly show that it's simple to use, very extensible, and people love how simple it is to start with ContainerD.

Brian Christner: I have to agree with that.
I mean it's extremely easy to use, it's understandable, it's documented well. Now for next up for ContainerD, where do you see the direction heading for ContainerD?

Phil Estes: Yeah, you know I think we never want the scope to have this creep of becoming another huge monolithic engine that has every contraption. So we've tried to build in pluggability, we've resisted PRs that want to add a lot of new function directly in it because like the Firecracker team built all their functionality as plug-ins. Most of their code doesn't need to be in ContainerD, so that's the way we see ContainerD growing in functionality is not by us adding function but the pluggability and extensibility allow that outside of the core project.

Phil Estes: So really the core project, stability, performance, better Windows support, which the Microsoft team is working on for our next major release. Again making sure this runtime layer, it allows, not just runc, but all these other variants of Kata Containers and Nabla and gVisor, to have the best possible kind of support for how they use the platform. You know things like multiple containers per VM like we had to shift around the API to make sure that was well supported. But yeah, outside of that I don't see us having major functional additions other than making sure ContainerD stays ... The reason people like it, it maintains that simplicity and usability.

Brian Christner: I mean that's something that's very important in today's age is that not always do we need to keep adding features, sometimes just stable products is what we need. And so that's a brilliant way to go about it. And the last question I have about ContainerD is how can people contribute? So even if you're not a developer, I mean where do you recommend starting with ContainerD if someone wants to get involved?

Phil Estes: Yeah, so I think, you know a lot of the last few months have been busy with some releases and also because we maintain compatibility and release cycles.
You know, something we never were able to pull off in Docker is having multiple lines of support, you know, bug fixes or being backported. So that keeps the maintainers fairly busy. So I think anyone who wants to come in and kind of start to look through ways the documentation may be lagging, code, that's always a huge area. We have a website that just has basic information that could be extended with a lot more examples, especially these plug points, like smart people from AWS just came in a figured it out, but I'd be great to have clear documentation. Like how would I add a plug-in to do this? So those are non-development areas that could always use extra hands.Brian Christner: Absolutely. Now I want to kind of transition this into the next phase, is like conferences. Now you're kind of like a professional on the conference circuit and what're your tips for conferences? I mean, you attend a lot of conferences, you see a lot of them, so I mean, what can you ... And you're going to KubeCon next week, you're going to CERN. Do you have any tips for people and like submitting CFPs to conferences?Phil Estes: Yeah, I mean CFPs, I've always found, you know just to be honest, I found to be tough because it's ... Especially if we're talking about at KubeCon level or even DockerCon, where there's significant contention over a number of slots that are small and a number of submissions that can be extremely large. And I've even been on review teams for DockerCon, for KubeCons, for other smaller conferences, and you know it can be overwhelming to try and think how do I pick the best talks because the numbers are so large, there are lots of great ideas. So I think some of the best insight that is not necessarily just from me, I've heard it from others as well, is because people are busy, reviewers especially, you have a sentence or two to grab their attention. 
So, not that you want to over promise, but you need to pack those first few sentences with like what's the real value you're going to give to people coming to this talk. Because a lot of people spend a lot of time kind of with backstory and it's like people just don't have the time to get to where you're going. So yeah.Brian Christner: It's really like fire sale or as a resume, you know, you really want to catch somebody with a cover letter and just really pull them in.Phil Estes: Yeah.Brian Christner: Now, since you're also going, what are some conference concepts that you really enjoy, that you've seen? Like open spaces or like at DockerCon we saw like a, what was it, they open space that you can submit talks to on the side. I mean, that's kind of a new concept that's taking over conferences. Do you see anything else grabbing attention?Phil Estes: Yeah, so like you're saying, I think Hallway Track is an old term of just standing around in the hall that's been formalized, we've seen at conferences like a DockerCon. Which is really valuable. I mean, I think there's a slight bit of abuse of ... Like you see a lot of sales pitches being put into Hallway Track like, you know, come let me tell you about our product. Which is fine, I mean people can self select out of that obviously. I think the other thing, again, that is at DockerCon but I've seen other similar ideas around it is just connecting people because it's very interesting, like you said, when I attend a conference that's my community, so to speak, it's a ton of fun because I'm going to see a lot of people I know.Phil Estes: When I go to a conference that's not necessarily ... You know I was just at CraftConf in Budapest last week, which is a huge cross-industry conference, and so it's not a bunch of container people. And it is a different feeling to walk in and like oh man I don't really know anybody, how do I connect? 
And thankfully if you're a speaker, sometimes there's a speaker event where you start to mingle. But anything that a conference can provide to connect people in, like, at DockerCon, it's very specific, the Pals program. I think that anything like that to try and help people that their company may have paid good money for them to be there and yeah if they feel disconnected they may just go back to their hotel and really miss out on connecting with people or listening to the talks. So I think that's area conferences, especially really large conferences, it's overwhelming for like a total newbie.Brian Christner: I mean I feel that also, I mean the talks are amazing but the talks are always online so if you miss something you always go online, but I find the networking and talking to people actually building things, I mean you get just tons of value out of this.Phil Estes: Yeah. And, you know, I guess being an introvert of sorts myself, I was never in to kind of walking the booths of like an expo hall, but I've learned, and I've sort of forced myself to learn, that's a great way to actually find out what's happening in the industry. Because people at those booths would love to tell you, you know maybe it's a product pitch in some sense, but it can be really valuable to kind of get a pulse for what people are ... If it's a container conference, what are different people doing with containers, what's the view on security, and what people think about the value of containers for industry such and such, you know finance or. So that's another way, it takes a kind of stepping may be outside your comfort zone at times but just strolling around an expo haul and connecting with people there.Brian Christner: That's a great tip, thank you very much. Well, that's all the time we have for this episode. We really appreciate Phil coming on our first interview of The Byte and we wish him success at CERN and KubeCon. 
Any last words you want to tell us?Phil Estes: No, it's sort of becoming a habit to stop in Zurich, sadly Brian always sees me right after an international flight when I'm still a little out of sorts, but it's always cool to be welcomed here and go off to some other beautiful place in Switzerland. But yeah, thanks for having me.Brian Christner: Absolutely, thank you, Phil.

Open Source Voices
Bringing the Best of Both Worlds to Containers – Open Source Voices – Episode 4

Oct 12, 2018


Open Source Voices: Eric Ernst, the lead Kata Software Engineer at Intel, and Anne Bertucio, Community Manager for Kata Containers who works at the OpenStack Foundation, talk about the impetus for Kata Containers, what problem the team was looking to solve, how the community has evolved, and what lies ahead.

TechSNAP
Episode 387: Private Cloud Building Blocks

Oct 11, 2018 33:37


We bring in Amy Marrich to break down the building blocks of OpenStack. There are nearly an overwhelming number of ways to manage your infrastructure, and we learn about one of the original tools. Plus a few warm up stories, a war story, and more. Special Guest: Amy Marrich.

Google Cloud Platform Podcast
Container Security with Maya Kaczorowski

Jul 31, 2018 27:56


Let’s talk container security! This week, Melanie and Mark learn all about the three main pillars of container security and more with our guest, Maya Kaczorowski.

Maya Kaczorowski
Maya is a Product Manager in Security & Privacy at Google, focused on container security. She previously worked on encryption at rest and encryption key management. Prior to Google, she was an Engagement Manager at McKinsey & Company, working in IT security for large enterprises and before that, completed her Master’s in mathematics focusing on cryptography and game theory. She is bilingual in English and French.

Cool things of the week
  • What a week! 105 announcements from Google Cloud Next ‘18 (blog)
  • Keynotes, Keynote Fireside Chats, & Spotlight Sessions: Google Cloud Next ‘18 (videos)
  • All Sessions: Google Cloud Next ‘18 (videos)
  • Sign up for NEXT ‘19 updates (site)
  • GKE On-Prem (site)
  • Edge TPU (site)

Interview
  • Def Con (site)
  • Black Hat (site)
  • BSides Las Vegas (site)
  • Cloud KMS (site)
  • Kubernetes (site)
  • GCPPodcast Episode 46: Borg and Kubernetes with John Wilkes (podcast)
  • Large-scale cluster management at Google with Borg (research)
  • Open-sourcing gVisor, a sandboxed container runtime (blog)
  • Kata Containers (site)
  • Nabla Containers (site)
  • Google Container Registry (site)
  • GKE security overview (doc)
  • KubeCon (site)
  • Container security blog series (blog)
  • GKE hardening guide (doc)
  • Seccompsandbox (wiki)
  • Docker seccomp profile (site)
  • Using RBAC in Kubernetes (blog)
  • Terraform (site)
  • Helm (site)
  • Google Container Registry: Getting Image Vulnerabilities (doc)
  • Container security overview (site)
  • GCPPodcast Episode 110: CPU Vulnerability Security with Matt Linton and Paul Turner (podcast)

Question of the week
How do I set up SSL termination on Kubernetes with Let’s Encrypt?
  • GitHub: Tutorial for installing cert-manager to get HTTPS certificates from Let’s Encrypt (site)
  • Ahmet Alp Balkan, DPE on Google Cloud

Where can you find us next?
Mark will be at Pax Dev and Pax West starting August 28th. Melanie will be at the 2018 Nuclear Innovation Bootcamp at Berkeley on August 6th.

Cloud Unfiltered
Ep48: Kata, Kata, Kata! with Anne Bertucio

Jun 7, 2018 31:34


OpenStack Summit Vancouver is officially in the books, and one of the most exciting elements of the week was undoubtedly the release of Kata Containers, v1.0. In this episode, Anne Bertucio of the OpenStack Foundation, also Community Manager for Kata, explains where Kata came from, what Kata does, why the 1.0 release is such a big deal, and how it fits into the larger mission of the OpenStack Foundation.

PodCTL - Kubernetes and Cloud-Native
2018 Kubernetes Trends

Mar 18, 2018 42:21


Show: 30

Show Overview: Brian and Tyler talk about the biggest trends that will shape the Kubernetes community in 2018, with a focus on five critical areas of stability, innovation and experimentation.

Show Notes:
  • Topic 1 - Open Service Brokers - who is delivering them, who maintains them, how are they evolving, etc.
  • Topic 2 - Improved Ops Experiences - Operators, Fargate, Container Instances
  • Topic 3 - Virtualization + Containers - KubeVirt, Kata Containers, does Network Policy overlap SDN/Security
  • Topic 4 - Developer Experiences - big area of evolution (Istio, Draft, SpringCloud-Kubernetes, Helm v3, Source-to-Image like capabilities)
  • Topic 5 - Breadth of Supported Applications - Databases, Windows Containers, Serverless

Feedback?
  • Email: PodCTL at gmail dot com
  • Twitter: @PodCTL
  • Web: http://podctl.com

Software Defined Talk
Episode 115: Confularity at Kublecon

Dec 13, 2017 49:55


We finally get to the bottom of what this kubernetes thing is and is not, thanks to guest co-host, Andrew Clay Shafer (https://twitter.com/littleidea). There is no co-host shortage.

Pre-roll
SDT news & hype
  • Jan 16th, first Live Recording (https://www.meetup.com/CloudAustin/events/mzfzwnyxcbvb/) in Austin Texas - guest co-host Tasty Meats Paul (https://twitter.com/pczarkowski).
  • Join us in Slack (http://www.softwaredefinedtalk.com/slack), subscribe to the newsletter (https://softwaredefinedtalk.us1.list-manage.com/subscribe?u=ce6149b4008d62a08093a4fa6&id=5877922e21), and pay-up for our members only podcast (https://www.patreon.com/sdt).

This week In k8s - Confularity at Kublecon
  • KubeCon (http://events.linuxfoundation.org/events/kubecon-and-cloudnativecon-north-america) - that a thing?
  • As Kubernetes matures, the cloud-native movement turns its attention to the service mesh (https://www.geekwire.com/2017/kubernetes-matures-cloud-native-movement-turns-attention-service-mesh/) - climb the stack!
  • List of announcements (https://www.theregister.co.uk/2017/12/07/kubernetes_tasting_menu_for_devops_types/), from The Register.
  • “We’ve built Conduit from the ground up to be the fastest, lightest, simplest, and most secure service mesh in the world” (https://buoyant.io/2017/12/05/introducing-conduit/) - well, I guess we can all pack it up and go home.
  • Intel and Hyper partner with the OpenStack Foundation to launch the Kata Containers project (https://techcrunch.com/2017/12/05/intel-and-hyper-partner-with-the-openstack-foundation-to-launch-the-kata-containers-project/)
  • Datadog survey (https://www.datadoghq.com/container-orchestration/).
  • Heptio has DR in Azure (https://siliconangle.com/blog/2017/12/07/heptio-brings-disaster-recovery-tool-ark-microsofts-azure-container-service/) - file under, “oh, I assumed k8s already did that kind of thing…”

Relevant to your interests
  • You’re not doing agile (http://www.theregister.co.uk/2017/12/11/you_say_you_are_doing_devops/) - Coté’s Christmas bonus column.
  • Whole bunch of SpringOne Platform videos being posted (https://www.youtube.com/playlist?list=PLAdzTan_eSPQ2uPeB0bByiIUMLVAhrPHL&mkt_tok=eyJpIjoiWVdGak9URXdPVGxrTTJSbCIsInQiOiJQcXNRc3RWZFRXVTlDbnhuNWYwWmV3a2p3V0ZtVkkrZ1pBdGcxcTlUR1Z5WERIRFgrMnd4N0Q3WE9qWTQ4MzhVQ0I3NThDS1ZRM2VpYnNraGRBMXhcLzE0eHpYNWZvYWtkSlJWQkZWUDVQUm1rTXZpaGNBc3liVzg4Rnh4WmJzRXgifQ%3D%3D&disable_polymer=true) - hey, obviously there’s some hustle, but it’s rich in actual case studies and enterprises talking about how they figured out sucking less.
  • Related: receipts considered stupid (http://www.businessinsider.com/american-express-mastercard-kill-receipt-signatures-2017-12) - Matt gets tremendous eye rolls from everywhere outside the US when it asks for a signature
  • Planview buys LeanKit (http://www.planview.com/company/press-releases/planview-extends-work-and-resource-management-platform-into-lean-and-agile-with-acquisition-of-leankit/).
  • Why do I keep seeing “quantum computing” everywhere. Shouldn’t we figure out “computing” first?
  • Update on Dell financials (http://www.crn.com/slide-shows/data-center/300096621/crn-exclusive-michael-dell-on-completing-the-emc-integration-ma-strategy-vmware-nsx-synergies-and-refocusing-on-storage-in-2018.htm/pgno/0/7): "You look at our balance sheet, you see $18 billion in cash and investments. We paid down to close $10 billion since the combination with EMC and VMware. For the third quarter, we had $19.6 billion in revenue and $2.3 billion in EBITDA.”

Conferences, et. al.
It’s the end of the year, not many conferences left.
  • Dec 19th, 2017 - Coté will be doing a tiny talk at CloudAustin on December 19th (https://www.meetup.com/CloudAustin/events/244459662/).
  • Jan 16th, 2018 - live SDT recording at CloudAustin on Jan 16th, 2018 (https://www.meetup.com/CloudAustin/events/244102686/), Coté, Brandon, Tasty Meats Paul (https://twitter.com/pczarkowski).
  • May 15th to 18th, 2018 - Coté talking EA at Continuous Lifecycle London (https://continuouslifecycle.london/sessions/the-death-of-enterprise-architecture-defeating-the-devops-microservices-and-cloud-native-assassins/).

Recommendations
  • Brandon: Long Shot (https://www.netflix.com/title/80182115), Netflix; Presentations: Ten Year Futures (https://www.ben-evans.com/benedictevans/2017/11/29/presentation-ten-year-futures?utm_source=Benedict%27s+newsletter&utm_campaign=74e4152c08-Benedict%27s+Newsletter&utm_medium=email&utm_term=0_4999ca107f-74e4152c08-70424493), Ben Evans.
  • Coté: finally got that AAdvantage Executive (https://thepointsguy.com/guide/citi-aadvantage-executive-review/) card.
  • Andrew: principles sections in the Google SRE book (http://amzn.to/2z3Odti) (still free (https://landing.google.com/sre/book.html)!). Kubernetes Up and Running (http://amzn.to/2yiI9JK). Badass (http://amzn.to/2z4rn4J). Paper on ML indexing stuff (https://arxiv.org/abs/1712.01208).

Special Guest: Andrew Clay Shafer.