Running application containers in Kubernetes makes security updates slow to roll out: every affected container image must be patched, rebuilt, re-tested and then rolled out separately. The slowest build-and-test turnaround among all your containers is the fastest you can fully update your cluster.
For many fixes, though, the application does not actually care which ABI-compatible version of a shared system library it is running against.
With AtomFS, operators can update individual libraries inside application containers without a rebuild. Containers using an AtomFS storage backend only need to be restarted after a fix is applied, and the updated library is then visible in their filesystems; the restart is still required, since already-running processes keep the old library mapped.
The AtomFS storage backend requires minor changes to your container runtime. We demonstrate it with the LXC runtime and crio-lxc, an adapter that lets Kubernetes run LXC-based containers through CRI-O.
In this talk Tycho will cover how AtomFS works, what changes are needed to make application container builds work with AtomFS, and patch a vulnerability live without a rebuild.