*** oikiki has quit IRC | 00:01 | |
*** LinuxMe has quit IRC | 00:03 | |
*** annabelleB has quit IRC | 00:11 | |
*** annabelleB has joined #kata-general | 00:20 | |
*** LinuxMe has joined #kata-general | 00:36 | |
*** LinuxMe has quit IRC | 00:40 | |
*** annabelleB has quit IRC | 00:46 | |
*** annabelleB has joined #kata-general | 00:52 | |
*** annabelleB has quit IRC | 00:54 | |
*** LinuxMe has joined #kata-general | 01:08 | |
*** LinuxMe has quit IRC | 01:13 | |
*** dlw has joined #kata-general | 01:36 | |
*** LinuxMe_ has joined #kata-general | 01:38 | |
*** LinuxMe_ has quit IRC | 02:26 | |
*** GonZo2000 has joined #kata-general | 03:01 | |
*** GonZo2000 has joined #kata-general | 03:01 | |
*** GonZo2000 has quit IRC | 03:06 | |
*** GonZo2000 has joined #kata-general | 03:07 | |
*** LinuxMe has joined #kata-general | 03:27 | |
*** GonZo2000 has quit IRC | 03:38 | |
*** sjas_ has joined #kata-general | 04:30 | |
*** sjas has quit IRC | 04:33 | |
*** Guest34370 is now known as core | 05:41 | |
*** LinuxMe has quit IRC | 05:48 | |
*** jodh has joined #kata-general | 06:06 | |
*** LinuxMe has joined #kata-general | 06:28 | |
*** LinuxMe has quit IRC | 06:28 | |
*** LinuxMe has joined #kata-general | 06:29 | |
*** LinuxMe has quit IRC | 06:33 | |
*** LinuxMe has joined #kata-general | 07:30 | |
*** LinuxMe has quit IRC | 07:34 | |
*** LinuxMe has joined #kata-general | 08:01 | |
*** gwhaley has joined #kata-general | 08:02 | |
*** LinuxMe has quit IRC | 08:06 | |
*** LinuxMe has joined #kata-general | 08:38 | |
*** LinuxMe has quit IRC | 08:42 | |
*** LinuxMe has joined #kata-general | 09:09 | |
*** kata-dev-irc-bot has quit IRC | 09:10 | |
*** kata-dev-irc-bot has joined #kata-general | 09:10 | |
*** LinuxMe has quit IRC | 09:13 | |
*** LinuxMe has joined #kata-general | 09:40 | |
*** LinuxMe has quit IRC | 09:45 | |
*** LinuxMe has joined #kata-general | 09:59 | |
*** LinuxMe has quit IRC | 10:03 | |
*** LinuxMe has joined #kata-general | 10:35 | |
*** LinuxMe has quit IRC | 10:40 | |
*** LinuxMe has joined #kata-general | 11:11 | |
*** dlw has quit IRC | 11:13 | |
*** LinuxMe has quit IRC | 11:16 | |
*** LinuxMe has joined #kata-general | 12:45 | |
*** silvanoc has joined #kata-general | 12:52 | |
*** silvanoc has quit IRC | 12:54 | |
*** LinuxMe has quit IRC | 13:20 | |
*** LinuxMe has joined #kata-general | 13:21 | |
*** dlw has joined #kata-general | 13:36 | |
*** annabelleB has joined #kata-general | 14:23 | |
*** dlw has quit IRC | 14:27 | |
*** annabelleB has quit IRC | 14:38 | |
*** annabelleB has joined #kata-general | 14:38 | |
kata-dev-irc-bot | <sudeep.batra> Thanks to all, especially @jonolson to put all this together, it worked for me. https://github.com/jon/kubeadm-single-node-cluster/tree/kata | 14:44 |
kata-dev-irc-bot | <sudeep.batra> $ kubectl get svc | 14:45 |
    NAME         TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
    kubernetes   ClusterIP      10.96.0.1        <none>        443/TCP        19h
    nginx        LoadBalancer   10.101.176.219   <pending>     80:32041/TCP   19h
    $ curl localhost:32041
    <title>Welcome to nginx!</title>
kata-dev-irc-bot | <sudeep.batra> But now I have two more points : | 14:45 |
kata-dev-irc-bot | <sudeep.batra> 1. I did not see any option to raise any Issue for this ( I don't have any right now though :slightly_smiling_face: ) | 14:46 |
* gwhaley thinks maybe our github repos are currently configured so only 'members' of the github group can open Issues... maybe we need to discuss if we want to change that. | 14:47 | |
gwhaley | for the moment @sudeep.batra, probably best route is to identify a member of the team who works on/understands your issue and ask them to open the Issue for you. They should then be able to | 14:48 |
gwhaley | copy your github user account into that so you get updates etc. | 14:48 |
gwhaley | (and yes, if you cannot find anybody else to do it - ping me ;-) ) | 14:48 |
kata-dev-irc-bot | <sudeep.batra> sure .. 2. Now we have the pods running as Container VM. How do I do some security testing to validate this is more secure compared to a generic docker pod? | 14:49 |
gwhaley | @sudeep.batra - ideally you'd want to find a docker exploit, and then try that out on a kata container. Finding an exploit could be 'challenging' though ;-) Previously we did use DirtyCOW for this on Clear Containers: https://clearlinux.org/blogs/how-intel-clear-containers-protects-against-root-kernel-exploits-dirty-cow | 14:52 |
kata-dev-irc-bot | <sudeep.batra> I know I have to do some more study to understand the security differences between Container VM and generic docker containers, and then list down the steps to execute the tests to confirm Container VM. But in case there is already some documentation, concepts known :slightly_smiling_face: | 14:52 |
gwhaley | or, you maybe can run up a '--privileged' docker container and show that it cannot get to the VM kata containers | 14:53 |
gwhaley | that is a little artificial, as the --priv container probably has full root access to the host so can just diddle with the VMs anyhow - but it could be used to prove a point maybe? | 14:53 |
kata-dev-irc-bot | <sudeep.batra> you mean if I run a privileged docker container, it cannot access the Container VM created using KataContainer ? | 14:54 |
gwhaley | it cannot 'trivially' access the VM. I would say it would be 'harder' to access the VM than it is to access the namespace/soft containers that you'd normally have - but maybe | 14:55 |
gwhaley | this is not the best example, as a priv container is so powerful it can basically do what it wants :-( | 14:55 |
gwhaley | so, maybe forget that one - and have a read of that DirtyCOW example page | 14:56 |
kata-dev-irc-bot | <sudeep.batra> ok , I will thanks :slightly_smiling_face: | 14:56 |
*** jodh has quit IRC | 15:03 | |
kata-dev-irc-bot | <eric.ernst> Sudeep, are you using docker or k8s or..? | 15:07 |
*** annabelleB has quit IRC | 15:16 | |
*** sjas_ is now known as sjas | 15:19 | |
kata-dev-irc-bot | <sudeep.batra> K8s | 15:23 |
kata-dev-irc-bot | <sudeep.batra> I followed the steps https://github.com/jon/kubeadm-single-node-cluster/tree/kata | 15:23 |
kata-dev-irc-bot | <sudeep.batra> yes | 15:23 |
kata-dev-irc-bot | <eric.ernst> with CRIO or Containerd? | 15:36 |
*** fiddletwix has joined #kata-general | 18:22 | |
*** fiddletwix has quit IRC | 18:32 | |
*** fiddletwix has joined #kata-general | 18:34 | |
*** gwhaley has quit IRC | 19:32 | |
*** LinuxMe has quit IRC | 20:40 | |
kata-dev-irc-bot | <jdandrea> Possibly naïve question (haven't found any info in the docs just yet): Can I tire-kick kata containers using minikube? I have but one server to try stuff out on. | 20:41 |
kata-dev-irc-bot | <raravena80> Was thinking about that the other day, but haven't tried it. You should be able to, as long as you run on a hypervisor that supports nested virtualization. Basically in minikube your slaves run in a VM and then your Kata Containers (in a VM too) should be able to run in the slave VM. kvm and hyperv support nested virtualization and are supported by minikube. | 20:54 |
kata-dev-irc-bot | <eric.ernst> I shamefully admit I haven't used minikube for Kata. I just use kubeadm. | 20:54 |
kata-dev-irc-bot | <eric.ernst> you could always just create another VM (I often use the tool ccloudvm for this kind of dev work) | 20:55 |
kata-dev-irc-bot | <eric.ernst> I think it should be straightforward for minikube though, assuming you start it with crio | 20:57 |
*** LinuxMe has joined #kata-general | 21:37 | |
*** LinuxMe has quit IRC | 21:37 | |
*** LinuxMe has joined #kata-general | 21:37 | |
*** LinuxMe has quit IRC | 21:39 | |
kata-dev-irc-bot | <sudeep.batra> used this link https://github.com/jon/kubeadm-single-node-cluster/blob/kata/startup.sh | 22:05 |
kata-dev-irc-bot | <sudeep.batra> so same containerd I suppose | 22:05 |
*** LinuxMe has joined #kata-general | 22:19 | |
*** LinuxMe has quit IRC | 22:24 | |
*** LinuxMe has joined #kata-general | 22:59 | |
*** LinuxMe has quit IRC | 23:04 | |
*** LinuxMe has joined #kata-general | 23:36 | |
*** LinuxMe has quit IRC | 23:41 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!