<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Matsuoka Seiji</title>
    <description>The latest articles on DEV Community by Matsuoka Seiji (@shizuku_198411).</description>
    <link>https://dev.to/shizuku_198411</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3972164%2F7ace7ba2-821a-4928-8c7c-8effed41e807.png</url>
      <title>DEV Community: Matsuoka Seiji</title>
      <link>https://dev.to/shizuku_198411</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/shizuku_198411"/>
    <language>en</language>
    <item>
      <title>“It Works in Docker” — But Will It Work in Kubernetes?</title>
      <dc:creator>Matsuoka Seiji</dc:creator>
      <pubDate>Mon, 22 Jun 2026 09:54:37 +0000</pubDate>
      <link>https://dev.to/shizuku_198411/it-works-in-docker-but-will-it-work-in-kubernetes-4hjj</link>
      <guid>https://dev.to/shizuku_198411/it-works-in-docker-but-will-it-work-in-kubernetes-4hjj</guid>
      <description>&lt;h2&gt;
  
  
  Introducing Raind Promote Strategy: a workflow for validating applications from containers to Pods
&lt;/h2&gt;

&lt;p&gt;Recently, I published an article introducing &lt;strong&gt;Raind&lt;/strong&gt;, a container runtime I have been building.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;GitHub: &lt;a href="https://github.com/shizuku198411/Raind" rel="noopener noreferrer"&gt;https://github.com/shizuku198411/Raind&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Raind is an experimental runtime that can run both Docker-like containers and Kubernetes-like Pods within a single runtime environment. In this article, I want to introduce one of the new features I recently implemented:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Promote Strategy&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Promote Strategy is a workflow for validating whether an application can actually start and run correctly across multiple deployment styles:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;as a single container&lt;/li&gt;
&lt;li&gt;as a multi-container application&lt;/li&gt;
&lt;li&gt;as Kubernetes-style resources and Pods&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In other words, it helps answer a question many developers have faced:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;“It works as a container, but will it still work when I move it toward Kubernetes?”&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h1&gt;
  
  
  What is Promote Strategy?
&lt;/h1&gt;

&lt;p&gt;Promote Strategy is a feature that lets you define and run an application validation workflow across multiple stages.&lt;/p&gt;

&lt;p&gt;A typical workflow looks like this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Start the application as containers.&lt;/li&gt;
&lt;li&gt;Check whether each container is running.&lt;/li&gt;
&lt;li&gt;Validate application behavior, such as HTTP responses.&lt;/li&gt;
&lt;li&gt;Promote the running container state into a Compose-style configuration draft.&lt;/li&gt;
&lt;li&gt;Start the application again as a multi-container application.&lt;/li&gt;
&lt;li&gt;Promote it into Kubernetes-style resource manifests.&lt;/li&gt;
&lt;li&gt;Apply those resources.&lt;/li&gt;
&lt;li&gt;Validate that the application still behaves correctly as Pods.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The key point is that Raind does not simply convert static configuration files.&lt;/p&gt;

&lt;p&gt;It validates the application at each stage and generates reviewable configuration drafts based on the actual runtime state.&lt;/p&gt;




&lt;h1&gt;
  
  
  Why not just start with Kubernetes?
&lt;/h1&gt;

&lt;p&gt;If the goal is Kubernetes deployment, it may sound unnecessary to validate the application as a container first.&lt;/p&gt;

&lt;p&gt;But Kubernetes deployment assumes that the application image itself can already run correctly as a container.&lt;/p&gt;

&lt;p&gt;Kubernetes also introduces many additional concepts:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;readiness probes&lt;/li&gt;
&lt;li&gt;jobs&lt;/li&gt;
&lt;li&gt;ingress&lt;/li&gt;
&lt;li&gt;services&lt;/li&gt;
&lt;li&gt;CNI behavior&lt;/li&gt;
&lt;li&gt;resource manifests&lt;/li&gt;
&lt;li&gt;scheduling behavior&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For developers who are not deeply familiar with Kubernetes, starting directly with a Kubernetes deployment can make debugging harder.&lt;/p&gt;

&lt;p&gt;If something fails, it may not be immediately clear whether the issue is the application image, environment variables, container startup behavior, inter-container communication, Kubernetes manifests, service discovery, networking, or some other deployment-specific setting.&lt;/p&gt;

&lt;p&gt;Promote Strategy helps split this process into smaller stages.&lt;/p&gt;

&lt;p&gt;First, verify that the application works as containers.&lt;br&gt;&lt;br&gt;
Then verify that multiple containers can communicate.&lt;br&gt;&lt;br&gt;
Then verify that the same application can run as Kubernetes-style resources.&lt;/p&gt;

&lt;p&gt;This makes it easier to isolate where a problem appears.&lt;/p&gt;


&lt;h1&gt;
  
  
  Why not just use Docker and Kubernetes directly?
&lt;/h1&gt;

&lt;p&gt;This is a fair question.&lt;/p&gt;

&lt;p&gt;In many cases, using Docker and Kubernetes directly is the most reliable approach.&lt;/p&gt;

&lt;p&gt;However, there are situations where developers may not want to install or run both Docker and Kubernetes on the same development machine. For example:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;the development environment is fixed, such as inside a Dev Container&lt;/li&gt;
&lt;li&gt;Kubernetes is only available on another host&lt;/li&gt;
&lt;li&gt;the developer does not want to install heavy runtime infrastructure locally&lt;/li&gt;
&lt;li&gt;staging or sandbox environments exist, but are not easy to use casually&lt;/li&gt;
&lt;li&gt;testing requires pushing images to a registry before they can be used elsewhere&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Even when CI/CD pipelines exist, they are not always ideal for quick local validation.&lt;/p&gt;

&lt;p&gt;Raind is not trying to replace Docker or Kubernetes.&lt;br&gt;&lt;br&gt;
Instead, it focuses on a narrower goal:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;validating whether an application can start and communicate correctly before it is deployed to production-like infrastructure.&lt;/p&gt;
&lt;/blockquote&gt;


&lt;h1&gt;
  
  
  Why not use kind or minikube?
&lt;/h1&gt;

&lt;p&gt;For Kubernetes deployment testing, tools like kind and minikube are great options.&lt;/p&gt;

&lt;p&gt;But they primarily provide Kubernetes clusters. They are not designed to focus on the step-by-step transition from a single container to a multi-container application and then to Pods.&lt;/p&gt;

&lt;p&gt;In practice, developers may still move between:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Docker for container-level testing&lt;/li&gt;
&lt;li&gt;Docker Compose for multi-container behavior&lt;/li&gt;
&lt;li&gt;kind or minikube for Kubernetes behavior&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That means using multiple tools and multiple runtime models.&lt;/p&gt;

&lt;p&gt;Raind’s goal is to provide a single runtime where the application startup path can be validated consistently from container to Pod.&lt;/p&gt;


&lt;h1&gt;
  
  
  What Raind is trying to solve
&lt;/h1&gt;

&lt;p&gt;Raind is not intended to be fully compatible with Docker or Kubernetes.&lt;/p&gt;

&lt;p&gt;It is also not meant to be a toy runtime that simply imitates both systems.&lt;/p&gt;

&lt;p&gt;The goal is more focused:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;before deploying to production, verify that the application can at least start correctly as a Container, as a Compose-style multi-container application, and as a Pod.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;There is an important difference between:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;“the deployment is production-ready”&lt;/li&gt;
&lt;li&gt;“the application can start and behave correctly”&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Raind focuses on the second part.&lt;/p&gt;

&lt;p&gt;Promote Strategy exists to validate that application startup behavior across stages.&lt;/p&gt;


&lt;h1&gt;
  
  
  Generating reviewable configuration drafts
&lt;/h1&gt;

&lt;p&gt;Promote Strategy does more than run tests.&lt;/p&gt;

&lt;p&gt;It also generates reviewable configuration files while promoting the application across stages.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;after the container stage passes, Raind generates a Compose-style &lt;code&gt;compose.yaml&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;after the Compose-style stage passes, Raind generates Kubernetes-style manifests&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;These generated files are not intended to be production-ready.&lt;/p&gt;

&lt;p&gt;Instead, they provide a validated starting point.&lt;/p&gt;


&lt;h1&gt;
  
  
  Runtime-based generation
&lt;/h1&gt;

&lt;p&gt;The generated files are based on runtime state.&lt;/p&gt;

&lt;p&gt;Raind checks things such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;whether the containers are actually running&lt;/li&gt;
&lt;li&gt;what environment variables are applied inside the containers&lt;/li&gt;
&lt;li&gt;what command or entrypoint is being used&lt;/li&gt;
&lt;li&gt;what ports and mounts are active&lt;/li&gt;
&lt;li&gt;what communication occurs between containers&lt;/li&gt;
&lt;li&gt;what network policies are required&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This makes the generated configuration more useful than a simple static conversion.&lt;/p&gt;

&lt;p&gt;For example, a generated Compose draft may include the actual command, environment variables, ports, mounts, and dependencies observed from the running containers.&lt;/p&gt;

&lt;p&gt;Secret-like values are masked in the reviewable output, so the generated files can be inspected more safely.&lt;/p&gt;


&lt;h1&gt;
  
  
  Example: WordPress + MySQL
&lt;/h1&gt;

&lt;p&gt;A Promote Strategy definition describes the initial containers, communication policy, and validation checks.&lt;/p&gt;

&lt;p&gt;Here is a simplified example using WordPress and MySQL:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;raind.io/v1alpha1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;PromoteStrategy&lt;/span&gt;

&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress-stack&lt;/span&gt;

&lt;span class="na"&gt;source&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;mode&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;create&lt;/span&gt;
  &lt;span class="na"&gt;containers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;mysql&lt;/span&gt;
      &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;mysql:8&lt;/span&gt;
      &lt;span class="na"&gt;env&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;MYSQL_ROOT_PASSWORD&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;root-password&lt;/span&gt;
        &lt;span class="na"&gt;MYSQL_DATABASE&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress-db&lt;/span&gt;
        &lt;span class="na"&gt;MYSQL_USER&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress-user&lt;/span&gt;
        &lt;span class="na"&gt;MYSQL_PASSWORD&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress-password&lt;/span&gt;
      &lt;span class="na"&gt;volume&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;/mnt/mysql:/var/lib/mysql&lt;/span&gt;

    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress&lt;/span&gt;
      &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress:latest&lt;/span&gt;
      &lt;span class="na"&gt;env&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;WORDPRESS_DB_HOST&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;mysql&lt;/span&gt;
        &lt;span class="na"&gt;WORDPRESS_DB_NAME&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress-db&lt;/span&gt;
        &lt;span class="na"&gt;WORDPRESS_DB_USER&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress-user&lt;/span&gt;
        &lt;span class="na"&gt;WORDPRESS_DB_PASSWORD&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress-password&lt;/span&gt;
      &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;9850:80"&lt;/span&gt;

  &lt;span class="na"&gt;policies&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ew&lt;/span&gt;
      &lt;span class="na"&gt;source&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress&lt;/span&gt;
      &lt;span class="na"&gt;destination&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;mysql&lt;/span&gt;
      &lt;span class="na"&gt;protocol&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;tcp&lt;/span&gt;
      &lt;span class="na"&gt;destPort&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;3306&lt;/span&gt;
      &lt;span class="na"&gt;comment&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;allow wordpress database access&lt;/span&gt;

&lt;span class="na"&gt;stages&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;container&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;checks&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;runtime&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;mysql-running&lt;/span&gt;
          &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;containerStatus&lt;/span&gt;
          &lt;span class="na"&gt;target&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;mysql&lt;/span&gt;
          &lt;span class="na"&gt;expect&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;state&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;running&lt;/span&gt;
          &lt;span class="na"&gt;timeout&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;60s&lt;/span&gt;
          &lt;span class="na"&gt;interval&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;2s&lt;/span&gt;

        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress-running&lt;/span&gt;
          &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;containerStatus&lt;/span&gt;
          &lt;span class="na"&gt;target&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress&lt;/span&gt;
          &lt;span class="na"&gt;expect&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;state&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;running&lt;/span&gt;
          &lt;span class="na"&gt;timeout&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;60s&lt;/span&gt;
          &lt;span class="na"&gt;interval&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;2s&lt;/span&gt;

  &lt;span class="na"&gt;bottle&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;checks&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;runtime&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;bottle-running&lt;/span&gt;
          &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;bottleStatus&lt;/span&gt;
          &lt;span class="na"&gt;target&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress-stack&lt;/span&gt;
          &lt;span class="na"&gt;timeout&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;60s&lt;/span&gt;
          &lt;span class="na"&gt;interval&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;2s&lt;/span&gt;

      &lt;span class="na"&gt;application&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress-http&lt;/span&gt;
          &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;http&lt;/span&gt;
          &lt;span class="na"&gt;target&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;http://127.0.0.1:9850/wp-admin/login.php&lt;/span&gt;
          &lt;span class="na"&gt;expect&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;status&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;200&lt;/span&gt;
          &lt;span class="na"&gt;timeout&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;90s&lt;/span&gt;
          &lt;span class="na"&gt;interval&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;2s&lt;/span&gt;

  &lt;span class="na"&gt;resources&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;checks&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;application&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;wordpress-http&lt;/span&gt;
          &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;http&lt;/span&gt;
          &lt;span class="na"&gt;target&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;http://127.0.0.1:9850/wp-admin/login.php&lt;/span&gt;
          &lt;span class="na"&gt;expect&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;status&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;200&lt;/span&gt;
          &lt;span class="na"&gt;timeout&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;90s&lt;/span&gt;
          &lt;span class="na"&gt;interval&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;2s&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The strategy defines the seed containers, the allowed communication between containers, runtime checks, application checks, and the stages that should be validated.&lt;/p&gt;

&lt;p&gt;Then the workflow can be executed with:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind promote strategy
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h1&gt;
  
  
  Example output
&lt;/h1&gt;

&lt;p&gt;When the strategy succeeds, Raind generates files under &lt;code&gt;raind_promote&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Typical outputs include:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;raind_promote/
  bottle/
    bottle.yaml
  compose/
    compose.yaml
  resources/
    00-namespace.yaml
    01-configmap.yaml
    02-secret.example.yaml
    03-pvcs.yaml
    04-deployments.yaml
    05-services.yaml
    07-networkpolicies.yaml
    REVIEW.md
    all.yaml
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The generated manifests may still need tuning.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;secret values should be replaced or managed properly&lt;/li&gt;
&lt;li&gt;production readiness probes may need to be added&lt;/li&gt;
&lt;li&gt;exposure strategy may need to change from NodePort to Ingress&lt;/li&gt;
&lt;li&gt;resource limits may need to be defined&lt;/li&gt;
&lt;li&gt;operational jobs may need to be added&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;But the important part is that the generated files are based on a configuration that has already passed application startup validation.&lt;/p&gt;

&lt;p&gt;They are a foundation, not the final production deployment.&lt;/p&gt;




&lt;h1&gt;
  
  
  Roadmap
&lt;/h1&gt;

&lt;p&gt;Promote Strategy is still in an early stage.&lt;/p&gt;

&lt;p&gt;Future improvements may include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;more validation check types&lt;/li&gt;
&lt;li&gt;richer generated configuration&lt;/li&gt;
&lt;li&gt;broader Kubernetes-style resource support&lt;/li&gt;
&lt;li&gt;better policy generation&lt;/li&gt;
&lt;li&gt;deeper integration with AI agents or MCP-based workflows&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One idea I am exploring is allowing an AI agent to review and generate deployment drafts based on real application validation results, without giving the agent direct access to Docker or Kubernetes itself.&lt;/p&gt;




&lt;h1&gt;
  
  
  Closing thoughts
&lt;/h1&gt;

&lt;p&gt;Raind is still experimental, and it is not intended to replace Docker or Kubernetes.&lt;/p&gt;

&lt;p&gt;But I believe there is value in a runtime that focuses specifically on validating application startup before production deployment.&lt;/p&gt;

&lt;p&gt;Promote Strategy is a step toward that goal.&lt;/p&gt;

&lt;p&gt;It helps bridge the gap between:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;“the container starts”&lt;/li&gt;
&lt;li&gt;“the multi-container application works”&lt;/li&gt;
&lt;li&gt;“the application can run as Kubernetes-style resources”&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you are interested, the project is available on GitHub:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/shizuku198411/Raind" rel="noopener noreferrer"&gt;https://github.com/shizuku198411/Raind&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Stars, feedback, and issues are very welcome.&lt;/p&gt;

</description>
      <category>docker</category>
      <category>kubernetes</category>
      <category>containers</category>
      <category>devops</category>
    </item>
    <item>
      <title>Introducing Security Profiles for Container Permission Management</title>
      <dc:creator>Matsuoka Seiji</dc:creator>
      <pubDate>Tue, 16 Jun 2026 10:38:19 +0000</pubDate>
      <link>https://dev.to/shizuku_198411/introducing-security-profiles-for-container-permission-management-47np</link>
      <guid>https://dev.to/shizuku_198411/introducing-security-profiles-for-container-permission-management-47np</guid>
      <description>&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;In this article, I want to introduce &lt;strong&gt;Security Profiles&lt;/strong&gt;, a feature I added to &lt;code&gt;Raind&lt;/code&gt;, a container runtime I have been developing.&lt;/p&gt;

&lt;p&gt;In a previous article, I introduced Raind as a runtime that aims to handle Docker-like standalone container execution and Kubernetes-style resources such as Pod, Deployment, Service, and Ingress as part of a single runtime stack.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;GitHub repository: &lt;a href="https://github.com/shizuku198411/Raind" rel="noopener noreferrer"&gt;https://github.com/shizuku198411/Raind&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This time, I would like to talk about one of the main features in the recent release: &lt;strong&gt;Security Profile&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;A Security Profile is a reusable profile that manages security-related container settings such as Linux capabilities, seccomp, and AppArmor.&lt;/p&gt;

&lt;p&gt;In Docker, capability management is usually done through command-line options such as &lt;code&gt;--cap-add&lt;/code&gt; and &lt;code&gt;--cap-drop&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;docker run &lt;span class="nt"&gt;--cap-drop&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;ALL &lt;span class="nt"&gt;--cap-add&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;NET_BIND_SERVICE nginx
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is flexible, but when the same security configuration needs to be maintained across multiple containers or environments, it can gradually become harder to manage.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It becomes difficult to see which container has which capabilities&lt;/li&gt;
&lt;li&gt;Development and production environments may end up with different settings&lt;/li&gt;
&lt;li&gt;Unexpected capabilities may remain enabled without being noticed&lt;/li&gt;
&lt;li&gt;Capabilities, seccomp, and AppArmor settings are not easy to view as one security policy&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To solve this, Raind introduces &lt;strong&gt;Security Profiles&lt;/strong&gt; as a way to visualize, reuse, and manage these settings as a single unit.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is a Security Profile?
&lt;/h2&gt;

&lt;p&gt;A Security Profile is a named configuration that groups container security settings together.&lt;/p&gt;

&lt;p&gt;Currently, a profile mainly manages the following settings:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Security Profile
  ├── Linux capabilities
  ├── seccomp deny filter
  └── AppArmor profile name
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When creating or running a container, you can specify a profile with &lt;code&gt;--security-profile&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind container run &lt;span class="nt"&gt;--security-profile&lt;/span&gt; deploy nginx:latest
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Instead of directly listing fine-grained capabilities for every container, you can express the intent like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Run this container with the deploy profile
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Raind aims to handle containers, Pods, traffic policies, and network observability inside the runtime itself.&lt;/p&gt;

&lt;p&gt;Security Profile follows the same direction: instead of treating security settings as scattered command-line options, Raind treats them as something closer to a runtime-managed resource.&lt;/p&gt;

&lt;h2&gt;
  
  
  Built-in Profiles
&lt;/h2&gt;

&lt;p&gt;Raind provides several built-in profiles.&lt;/p&gt;

&lt;p&gt;Here is the current list of built-in profiles:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Profile&lt;/th&gt;
&lt;th&gt;Use case&lt;/th&gt;
&lt;th&gt;Summary&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;default&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Standard execution&lt;/td&gt;
&lt;td&gt;Raind's default capability set + seccomp + AppArmor&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;dev&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Development&lt;/td&gt;
&lt;td&gt;Currently similar to &lt;code&gt;default&lt;/code&gt;, intended as a development baseline&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;deploy&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Application deployment&lt;/td&gt;
&lt;td&gt;Drops &lt;code&gt;CAP_NET_RAW&lt;/code&gt; and &lt;code&gt;CAP_MKNOD&lt;/code&gt; from &lt;code&gt;default&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;restricted&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Stronger restriction&lt;/td&gt;
&lt;td&gt;Uses an empty base capability set&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;privileged&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Workloads that require broad privileges&lt;/td&gt;
&lt;td&gt;Enables a wide set of known capabilities and disables seccomp / AppArmor&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;unconfined&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Keep default capabilities but remove confinement&lt;/td&gt;
&lt;td&gt;Keeps default capabilities while disabling seccomp / AppArmor&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;If no profile is specified, &lt;code&gt;default&lt;/code&gt; is used.&lt;/p&gt;

&lt;p&gt;The profiles I personally consider especially important are &lt;code&gt;deploy&lt;/code&gt; and &lt;code&gt;restricted&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;deploy&lt;/code&gt; profile is intended for typical application workloads. It removes &lt;code&gt;CAP_NET_RAW&lt;/code&gt; and &lt;code&gt;CAP_MKNOD&lt;/code&gt; from the default capability set.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;CAP_NET_RAW&lt;/code&gt; is related to raw sockets, which are often unnecessary for typical web applications.&lt;br&gt;&lt;br&gt;
&lt;code&gt;CAP_MKNOD&lt;/code&gt; is related to creating device files, which is also not usually required for general application containers.&lt;/p&gt;

&lt;p&gt;So the intended usage is to start with &lt;code&gt;deploy&lt;/code&gt; as a baseline for application workloads, and only add extra capabilities when they are actually needed.&lt;/p&gt;
&lt;h2&gt;
  
  
  Listing Profiles
&lt;/h2&gt;

&lt;p&gt;Security Profiles can be listed from the CLI.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind security profile &lt;span class="nb"&gt;ls&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;list&lt;/code&gt; is also available as an alias.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind security profile list
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The output looks like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;NAME          TYPE      CAPABILITIES  SECCOMP   APPARMOR
default       built-in  14 caps       enabled   raind-default
dev           built-in  14 caps       enabled   raind-default
deploy        built-in  12 caps       enabled   raind-default
restricted    built-in  0 caps        enabled   raind-default
privileged    built-in  41 caps       disabled  -
unconfined    built-in  14 caps       disabled  -
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This makes it possible to check the number of capabilities, whether seccomp is enabled, and which AppArmor profile is used.&lt;/p&gt;

&lt;p&gt;Instead of having to inspect each container's launch command to understand its security settings, Raind exposes them as profiles.&lt;/p&gt;

&lt;h2&gt;
  
  
  Inspecting a Profile
&lt;/h2&gt;

&lt;p&gt;You can inspect the details of a profile with &lt;code&gt;show&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind security profile show deploy
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This shows the actual capabilities, seccomp configuration, and AppArmor profile used by the profile.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;deploy&lt;/span&gt;
&lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;built-in&lt;/span&gt;
&lt;span class="na"&gt;capabilities&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;base&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_CHOWN&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_DAC_OVERRIDE&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_FSETID&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_FOWNER&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_SETGID&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_SETUID&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_SETFCAP&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_SETPCAP&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_NET_BIND_SERVICE&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_SYS_CHROOT&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_KILL&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_AUDIT_WRITE&lt;/span&gt;
&lt;span class="na"&gt;seccomp&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;defaultAction&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;SCMP_ACT_ALLOW&lt;/span&gt;
    &lt;span class="na"&gt;defaultErrnoRet&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;1&lt;/span&gt;
    &lt;span class="na"&gt;architectures&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;SCMP_ARCH_AARCH64&lt;/span&gt;
    &lt;span class="na"&gt;syscalls&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;names&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;bpf&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;perf_event_open&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;kexec_load&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;open_by_handle_at&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;ptrace&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;process_vm_readv&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;process_vm_writev&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;userfaultfd&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;reboot&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;swapon&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;swapoff&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;open_by_handle_at&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;name_to_handle_at&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;init_module&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;finit_module&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;delete_module&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;kcmp&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;mount&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;unshare&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;setns&lt;/span&gt;
          &lt;span class="na"&gt;action&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;SCMP_ACT_ERRNO&lt;/span&gt;
          &lt;span class="na"&gt;errnoRet&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;1&lt;/span&gt;
&lt;span class="na"&gt;apparmorProfile&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;raind-default&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This profile-based approach is important from a security perspective.&lt;/p&gt;

&lt;p&gt;If you only keep stacking &lt;code&gt;--cap-add&lt;/code&gt; and &lt;code&gt;--cap-drop&lt;/code&gt; options, the final permission set becomes harder to understand. As the number of added or dropped capabilities grows, it becomes easier to accidentally end up with a capability set that was not intended.&lt;/p&gt;

&lt;p&gt;By managing these settings as a profile, it becomes easier to explain:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;This workload runs with this permission baseline
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That makes the configuration more readable and easier to audit.&lt;/p&gt;

&lt;h2&gt;
  
  
  Applying a Profile to a Container
&lt;/h2&gt;

&lt;p&gt;A Security Profile can be specified when creating or running a container.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind container run &lt;span class="nt"&gt;--security-profile&lt;/span&gt; deploy nginx:latest
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It can also be used with &lt;code&gt;container create&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind container create &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--name&lt;/span&gt; web &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--security-profile&lt;/span&gt; restricted &lt;span class="se"&gt;\&lt;/span&gt;
  nginx:latest

raind container start web
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When a Security Profile is specified, the profile is used as the base capability set.&lt;/p&gt;

&lt;p&gt;You can also apply container-specific differences with &lt;code&gt;--cap-add&lt;/code&gt; and &lt;code&gt;--cap-drop&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind container run &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--security-profile&lt;/span&gt; deploy &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--cap-add&lt;/span&gt; CAP_NET_BIND_SERVICE &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--cap-drop&lt;/span&gt; CAP_NET_RAW &lt;span class="se"&gt;\&lt;/span&gt;
  nginx:latest
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this case, Raind first resolves the &lt;code&gt;deploy&lt;/code&gt; profile, then applies the container-specific capability changes on top of it.&lt;/p&gt;

&lt;p&gt;In other words:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Profile = baseline policy
cap-add / cap-drop = per-container difference
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This separation makes it easier to keep shared security policies in profiles, while still allowing small per-container adjustments when necessary.&lt;/p&gt;

&lt;h2&gt;
  
  
  Creating a Custom Profile
&lt;/h2&gt;

&lt;p&gt;If you frequently need to combine &lt;code&gt;--security-profile&lt;/code&gt;, &lt;code&gt;--cap-add&lt;/code&gt;, and &lt;code&gt;--cap-drop&lt;/code&gt;, it usually means that the built-in profiles are not enough for that use case.&lt;/p&gt;

&lt;p&gt;For that reason, Raind also supports custom profiles.&lt;/p&gt;

&lt;p&gt;A custom profile can extend an existing built-in profile or another custom profile, then adjust the capability set with &lt;code&gt;add-cap&lt;/code&gt; and &lt;code&gt;drop-cap&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;For example, here is a custom development profile that extends &lt;code&gt;dev&lt;/code&gt;, adds &lt;code&gt;CAP_SYS_PTRACE&lt;/code&gt;, and drops &lt;code&gt;CAP_NET_RAW&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;raind.io/v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;SecurityProfile&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;custom-dev&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;extends&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;dev&lt;/span&gt;
  &lt;span class="na"&gt;add-cap&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_SYS_PTRACE&lt;/span&gt;
  &lt;span class="na"&gt;drop-cap&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;CAP_NET_RAW&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can register it with:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind security profile register &lt;span class="nt"&gt;-f&lt;/span&gt; custom-dev.yaml
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After registration, it can be used in the same way as built-in profiles.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind container run &lt;span class="nt"&gt;--security-profile&lt;/span&gt; custom-dev alpine:latest sh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Currently, custom profiles mainly handle capability differences.&lt;/p&gt;

&lt;p&gt;seccomp and AppArmor settings are inherited from the parent profile. In the future, I would like to make seccomp and AppArmor more configurable from custom profiles as well.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Manage This as a Profile?
&lt;/h2&gt;

&lt;p&gt;Container security settings may look like small launch options when viewed individually.&lt;/p&gt;

&lt;p&gt;However, in practice, they are strongly related to the nature of the workload and the security policy of the environment.&lt;/p&gt;

&lt;p&gt;For example, the profiles can represent different baselines:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;dev
  Baseline that prioritizes development convenience

deploy
  Baseline for typical application workloads

restricted
  Strongly restricted baseline

privileged
  Explicitly privileged workload baseline
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If these are expressed only through repeated &lt;code&gt;--cap-add&lt;/code&gt; and &lt;code&gt;--cap-drop&lt;/code&gt; options, the command becomes longer and the meaning of the configuration becomes harder to understand.&lt;/p&gt;

&lt;p&gt;A profile gives a name to the security intent, not just to the list of capabilities.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind container run &lt;span class="nt"&gt;--security-profile&lt;/span&gt; deploy nginx:latest
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;From this command, you can immediately tell that the container is intended to run with the &lt;code&gt;deploy&lt;/code&gt; baseline.&lt;/p&gt;

&lt;p&gt;Then, by running &lt;code&gt;raind security profile show deploy&lt;/code&gt;, you can inspect the actual capability set, seccomp settings, and AppArmor profile.&lt;/p&gt;

&lt;p&gt;The main purpose of Security Profile is to bring the security intent and the actual runtime configuration closer together.&lt;/p&gt;

&lt;h2&gt;
  
  
  How This Differs from Docker
&lt;/h2&gt;

&lt;p&gt;Docker already supports security-related mechanisms such as Linux capabilities, seccomp profiles, and AppArmor profiles.&lt;/p&gt;

&lt;p&gt;For example, capabilities can be adjusted with &lt;code&gt;--cap-add&lt;/code&gt; and &lt;code&gt;--cap-drop&lt;/code&gt;, and seccomp or AppArmor can be configured with security options.&lt;/p&gt;

&lt;p&gt;However, these are usually specified as individual container launch options.&lt;/p&gt;

&lt;p&gt;Raind's Security Profile is different in that it groups capabilities, seccomp, and AppArmor into a named runtime-level profile.&lt;/p&gt;

&lt;p&gt;The difference is not that Docker lacks security features. Docker already has many of them.&lt;/p&gt;

&lt;p&gt;The difference is that Raind tries to manage these settings as a reusable profile that represents the security baseline of a workload.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Docker:
  container run options
    ├── --cap-add
    ├── --cap-drop
    ├── seccomp option
    └── AppArmor option

Raind:
  security profile
    ├── capabilities
    ├── seccomp
    └── AppArmor
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This makes it easier to ask questions such as:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Which security baseline is this workload using?
What capabilities does this profile allow?
Is seccomp enabled for this profile?
Which AppArmor profile is applied?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  The Raind Direction
&lt;/h2&gt;

&lt;p&gt;As mentioned in the previous article, Raind already handles traffic policies and netflow logs inside the runtime.&lt;/p&gt;

&lt;p&gt;Security Profile is another step in the same direction.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Raind
  ├── Container / Pod execution
  ├── Service / Ingress
  ├── Traffic Policy
  ├── Netflow Observability
  └── Security Profile
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Raind is not only trying to run containers.&lt;/p&gt;

&lt;p&gt;The goal is to let the runtime manage:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Which communication is allowed&lt;/li&gt;
&lt;li&gt;Which communication actually happened&lt;/li&gt;
&lt;li&gt;Which permissions a container has&lt;/li&gt;
&lt;li&gt;Which seccomp / AppArmor settings are applied&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is still experimental, but Raind is gradually becoming more like a workload runtime rather than just a &lt;code&gt;docker run&lt;/code&gt; alternative.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;In this article, I introduced Security Profile in Raind.&lt;/p&gt;

&lt;p&gt;With Security Profile, container security settings such as capabilities, seccomp, and AppArmor can be managed as named profiles instead of being scattered across command-line options.&lt;/p&gt;

&lt;p&gt;This makes it easier to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;List and inspect security settings&lt;/li&gt;
&lt;li&gt;Define workload-specific baselines&lt;/li&gt;
&lt;li&gt;Reduce configuration differences between environments&lt;/li&gt;
&lt;li&gt;Notice unexpected capability grants&lt;/li&gt;
&lt;li&gt;Understand the execution intent from the container command&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In the future, I would like to improve custom profiles so that they can manage seccomp and AppArmor in a more flexible way. I also want to integrate Security Profiles more deeply with Kubernetes-style resources such as Pod and Deployment.&lt;/p&gt;

&lt;p&gt;Raind is still under development, but I will continue building it toward a runtime that can manage workload execution, networking, observability, and security together.&lt;/p&gt;

</description>
      <category>docker</category>
      <category>security</category>
      <category>kubernetes</category>
    </item>
    <item>
      <title>What if Docker-like local containers and Kubernetes-like workload resources shared the same runtime path?</title>
      <dc:creator>Matsuoka Seiji</dc:creator>
      <pubDate>Tue, 16 Jun 2026 09:41:33 +0000</pubDate>
      <link>https://dev.to/shizuku_198411/what-if-docker-like-local-containers-and-kubernetes-like-workload-resources-shared-the-same-runtime-1k4k</link>
      <guid>https://dev.to/shizuku_198411/what-if-docker-like-local-containers-and-kubernetes-like-workload-resources-shared-the-same-runtime-1k4k</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;Github Repository: &lt;a href="https://github.com/shizuku198411/Raind" rel="noopener noreferrer"&gt;https://github.com/shizuku198411/Raind&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Docker-like containers, Kubernetes-inspired resources, and runtime-level observability in one local runtime
&lt;/h2&gt;

&lt;p&gt;Container tooling is usually split across several layers.&lt;/p&gt;

&lt;p&gt;Docker-style tools are great when you want to build an image, run a single container, publish a port, mount a directory, or quickly inspect logs.&lt;/p&gt;

&lt;p&gt;Kubernetes-style systems are great when you want to describe workloads as Pods, Services, Deployments, and network-oriented resources.&lt;/p&gt;

&lt;p&gt;But in local development and runtime experimentation, these layers often feel disconnected. A single container, a multi-container application, and a Kubernetes-style workload are usually treated as separate worlds, even though they eventually depend on the same Linux primitives: namespaces, cgroups, mounts, networking, process execution, and runtime state.&lt;/p&gt;

&lt;p&gt;Raind is an experimental project that tries to connect these layers.&lt;/p&gt;

&lt;p&gt;Raind is a local container runtime and lightweight workload orchestrator for Linux. It provides Docker-like container commands, Kubernetes-inspired workload resources, runtime-managed networking, traffic visibility, security policy, and rootless container support through one runtime stack.&lt;/p&gt;

&lt;p&gt;The project is still early and under active development, but the goal is clear:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Make container-level and workload-level execution testable, controllable, and observable through one consistent runtime path.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Why I Built Raind
&lt;/h2&gt;

&lt;p&gt;Modern container workflows are powerful, but they can also become fragmented.&lt;/p&gt;

&lt;p&gt;When using Docker-like tools, the experience is simple and direct:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;docker run nginx
docker &lt;span class="nb"&gt;exec&lt;/span&gt; ...
docker logs ...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;But once the workload grows beyond a single container, the user often moves to another layer: Compose, Kubernetes, service meshes, network policy engines, observability tools, and runtime-specific debugging tools.&lt;/p&gt;

&lt;p&gt;Each tool solves a real problem, but the overall development experience can become harder to reason about:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Where is the workload state managed?&lt;/li&gt;
&lt;li&gt;Which component owns networking?&lt;/li&gt;
&lt;li&gt;Which layer applies policy?&lt;/li&gt;
&lt;li&gt;Where can I see container-to-container traffic?&lt;/li&gt;
&lt;li&gt;Can I test Kubernetes-like resources locally without leaving the runtime model?&lt;/li&gt;
&lt;li&gt;Can single containers and Pod-style workloads share the same execution foundation?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Raind was started as an experiment to answer these questions from the runtime side.&lt;/p&gt;

&lt;p&gt;Instead of treating container execution, workload resources, network policy, and traffic logs as unrelated systems, Raind tries to make them part of the same runtime architecture.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Runtime Stack
&lt;/h2&gt;

&lt;p&gt;Raind is split into three main layers:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;raind CLI
  -&amp;gt; condenser
    -&amp;gt; droplet
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  &lt;code&gt;raind&lt;/code&gt; CLI
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;raind&lt;/code&gt; is the user-facing command-line tool.&lt;/p&gt;

&lt;p&gt;It exposes workflows for containers, images, networks, resources, Bottles, policies, and logs:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind image ...
raind container ...
raind network ...
raind resource ...
raind bottle ...
raind security policy ...
raind logs ...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Condenser
&lt;/h3&gt;

&lt;p&gt;Condenser is the high-level runtime service.&lt;/p&gt;

&lt;p&gt;It owns image handling, container state, networking state, Kubernetes-style resource stores, controllers, policy state, DNS handling, netflow logs, Service and Ingress behavior, and the generation of low-level runtime specs.&lt;/p&gt;

&lt;p&gt;Condenser does not directly become a container process. Instead, it manages workload intent and delegates low-level container execution to Droplet.&lt;/p&gt;

&lt;h3&gt;
  
  
  Droplet
&lt;/h3&gt;

&lt;p&gt;Droplet is the low-level OCI-style runtime layer.&lt;/p&gt;

&lt;p&gt;It is responsible for Linux container mechanics such as namespace setup, mount setup, &lt;code&gt;pivot_root&lt;/code&gt;, cgroups, capabilities, seccomp, AppArmor on-exec handling, runtime state, attach, and exec.&lt;/p&gt;

&lt;p&gt;This split allows Raind to keep high-level workload management and low-level container execution separate, while still making them part of one runtime path.&lt;/p&gt;

&lt;h2&gt;
  
  
  Docker-Like Container Workflows
&lt;/h2&gt;

&lt;p&gt;At the container level, Raind supports a familiar Docker-like workflow.&lt;/p&gt;

&lt;p&gt;For example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind container run &lt;span class="nt"&gt;--name&lt;/span&gt; web &lt;span class="nt"&gt;-p&lt;/span&gt; 8080:80 nginx:latest
raind container &lt;span class="nb"&gt;exec &lt;/span&gt;web /bin/sh
raind container logs web
raind container stop web
raind container &lt;span class="nb"&gt;rm &lt;/span&gt;web
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A Raind container can use image references, published ports, bind mounts, environment variables, commands, logs, lifecycle operations, and exec.&lt;/p&gt;

&lt;p&gt;Under the hood, the container is executed through Droplet. That means container lifecycle operations eventually pass through the same low-level runtime path used by higher-level workload resources.&lt;/p&gt;

&lt;p&gt;The container unit is useful for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;testing a single image&lt;/li&gt;
&lt;li&gt;debugging runtime behavior&lt;/li&gt;
&lt;li&gt;checking lifecycle behavior&lt;/li&gt;
&lt;li&gt;running local services&lt;/li&gt;
&lt;li&gt;validating namespace, mount, networking, and exec behavior&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Bottles: Local Multi-Container Application Units
&lt;/h2&gt;

&lt;p&gt;Raind also includes a concept called a Bottle.&lt;/p&gt;

&lt;p&gt;A Bottle is a local multi-container application unit. It is intended for workloads that are larger than one container but do not necessarily need a full Kubernetes-style manifest.&lt;/p&gt;

&lt;p&gt;A Bottle can describe multiple services, ports, mounts, dependencies, environment variables, and policy behavior in one YAML file.&lt;/p&gt;

&lt;p&gt;Typical commands look like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind bottle create &lt;span class="nt"&gt;-f&lt;/span&gt; bottle.yaml
raind bottle start wordpress
raind bottle show wordpress
raind bottle stop wordpress
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The idea is similar in spirit to local multi-service application definitions, but Raind keeps the Bottle inside its runtime model. That means Bottle workloads can share the same container lifecycle, networking, policy, and observability mechanisms as other Raind workloads.&lt;/p&gt;

&lt;p&gt;This is especially useful when testing communication between containers.&lt;/p&gt;

&lt;p&gt;For example, instead of only asking “did the containers start?”, Raind can also help answer:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Which container is talking to which other container?&lt;/li&gt;
&lt;li&gt;Is that communication expected?&lt;/li&gt;
&lt;li&gt;Should this east-west traffic be allowed?&lt;/li&gt;
&lt;li&gt;Can I observe the traffic from the runtime?&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Kubernetes-Inspired Resources
&lt;/h2&gt;

&lt;p&gt;Raind also supports Kubernetes-style resource workflows.&lt;/p&gt;

&lt;p&gt;The goal is not to replace Kubernetes. Instead, Raind provides a local runtime path for experimenting with Kubernetes-inspired workload concepts.&lt;/p&gt;

&lt;p&gt;Raind currently supports resources such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Namespace&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Pod&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ReplicaSet&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Deployment&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Service&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Ingress&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Example workflow:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind resource apply &lt;span class="nt"&gt;-f&lt;/span&gt; app.yaml
raind resource pod &lt;span class="nb"&gt;ls
&lt;/span&gt;raind resource replicaset &lt;span class="nb"&gt;ls
&lt;/span&gt;raind resource deployment &lt;span class="nb"&gt;ls
&lt;/span&gt;raind resource service &lt;span class="nb"&gt;ls
&lt;/span&gt;raind resource &lt;span class="nb"&gt;rm&lt;/span&gt; &lt;span class="nt"&gt;-f&lt;/span&gt; app.yaml
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A Pod groups one or more containers into a shared runtime unit. ReplicaSet and Deployment add reconciliation behavior. Service provides stable traffic handling for matching Pods. Ingress provides external routing through Raind’s local runtime layer.&lt;/p&gt;

&lt;p&gt;The important part is that these resources are not managed by a completely separate execution path. They eventually map back to the same low-level container runtime foundation.&lt;/p&gt;

&lt;p&gt;This makes Raind useful for testing transitions between:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;a single local container&lt;/li&gt;
&lt;li&gt;a multi-container local application&lt;/li&gt;
&lt;li&gt;a Pod-like workload&lt;/li&gt;
&lt;li&gt;a Deployment-like reconciled workload&lt;/li&gt;
&lt;li&gt;a Service-routed workload&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Runtime-Level Policy and Netflow
&lt;/h2&gt;

&lt;p&gt;One of the most important goals of Raind is to make workload communication visible and controllable from the runtime.&lt;/p&gt;

&lt;p&gt;Raind includes runtime-managed policy and netflow logging.&lt;/p&gt;

&lt;p&gt;Policy types include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;east-west container-to-container policy&lt;/li&gt;
&lt;li&gt;namespace egress observation&lt;/li&gt;
&lt;li&gt;namespace egress enforcement&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Example policy command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind security policy add &lt;span class="nt"&gt;--type&lt;/span&gt; ew &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--source&lt;/span&gt; frontend &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--destination&lt;/span&gt; backend &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--protocol&lt;/span&gt; tcp &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--dport&lt;/span&gt; 8080 &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--comment&lt;/span&gt; &lt;span class="s1"&gt;'allow frontend to backend'&lt;/span&gt;

raind security policy commit
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Raind also records network flow logs:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind logs netflow &lt;span class="nt"&gt;--line&lt;/span&gt; 50
raind logs netflow &lt;span class="nt"&gt;--json&lt;/span&gt;
raind logs netflow &lt;span class="nt"&gt;-t&lt;/span&gt; web
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The runtime can enrich traffic logs with metadata such as container ID, container name, IP address, interface, and identity information when available.&lt;/p&gt;

&lt;p&gt;This is one of the areas where Raind’s workload-centric model becomes useful.&lt;/p&gt;

&lt;p&gt;In many local environments, a workload may start correctly, but traffic visibility is still difficult. You might know that a frontend cannot reach a backend, but you may not immediately know whether the traffic was sent, where it went, whether it matched a policy, or how it maps back to runtime entities.&lt;/p&gt;

&lt;p&gt;Raind tries to make those questions part of the runtime experience.&lt;/p&gt;

&lt;h2&gt;
  
  
  Rootless Containers
&lt;/h2&gt;

&lt;p&gt;Raind also supports rootless execution for standalone containers.&lt;/p&gt;

&lt;p&gt;Rootless support is currently focused on containers created through &lt;code&gt;raind container run&lt;/code&gt; and &lt;code&gt;raind container create&lt;/code&gt;. Pod-managed rootless containers are not supported yet.&lt;/p&gt;

&lt;p&gt;Raind currently provides two rootless mapping modes.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;code&gt;shifted-root&lt;/code&gt;
&lt;/h3&gt;

&lt;p&gt;This is the default rootless mode.&lt;/p&gt;

&lt;p&gt;In this mode, container UID/GID ranges are shifted into a subordinate host ID range.&lt;/p&gt;

&lt;p&gt;Conceptually:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;container 0..65535 -&amp;gt; host 100000..165535
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This isolates container root from the login user, but files written to bind mounts by container root may appear as subordinate host IDs.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;code&gt;login-root&lt;/code&gt;
&lt;/h3&gt;

&lt;p&gt;The &lt;code&gt;login-root&lt;/code&gt; mode is designed for a more Docker-rootless-like local development experience.&lt;/p&gt;

&lt;p&gt;In this mode, container root maps to the invoking login user:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;container 0        -&amp;gt; host login UID/GID
container 1..65535 -&amp;gt; host subordinate UID/GID range
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is useful when a development container writes into a bind-mounted project directory and the host user should be able to edit or remove the files without manual &lt;code&gt;chown&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;mkdir&lt;/span&gt; &lt;span class="nt"&gt;-p&lt;/span&gt; /tmp/raind-login-root

raind container run &lt;span class="nt"&gt;--name&lt;/span&gt; login-root-demo &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--rootless-mode&lt;/span&gt; login-root &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-v&lt;/span&gt; /tmp/raind-login-root:/data &lt;span class="se"&gt;\&lt;/span&gt;
  alpine:latest /bin/sh &lt;span class="nt"&gt;-c&lt;/span&gt; &lt;span class="s1"&gt;'id; echo hello &amp;gt; /data/hello.txt; sleep 60'&lt;/span&gt;

&lt;span class="nb"&gt;ls&lt;/span&gt; &lt;span class="nt"&gt;-lan&lt;/span&gt; /tmp/raind-login-root
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Raind also separates rootless image layer caches by mapping policy, so &lt;code&gt;shifted-root&lt;/code&gt; and &lt;code&gt;login-root&lt;/code&gt; do not overwrite each other.&lt;/p&gt;

&lt;p&gt;Rootless support is still evolving, but it is already an important part of the project direction.&lt;/p&gt;

&lt;h2&gt;
  
  
  Container Exec and Namespace Handling
&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;raind container exec&lt;/code&gt; is also implemented as part of the runtime model.&lt;/p&gt;

&lt;p&gt;Exec must enter the target container’s namespaces, adopt the target root filesystem, use the correct working directory, and resolve commands against the container environment rather than the host environment.&lt;/p&gt;

&lt;p&gt;This sounds simple, but it is one of the areas where runtime details matter.&lt;/p&gt;

&lt;p&gt;For example, a bare command such as:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind container &lt;span class="nb"&gt;exec &lt;/span&gt;web nginx &lt;span class="nt"&gt;-v&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;should resolve &lt;code&gt;nginx&lt;/code&gt; inside the container root filesystem, not on the host. It also has to work consistently for rootful and rootless containers.&lt;/p&gt;

&lt;p&gt;Raind’s exec path uses namespace entry and container rootfs handling so that exec behavior matches the container’s runtime context.&lt;/p&gt;

&lt;p&gt;This is one of the reasons Raind is interesting as a runtime experiment: features that look like simple CLI commands often force the runtime to make precise decisions about namespaces, rootfs, UID/GID mappings, environment variables, and process execution.&lt;/p&gt;

&lt;h2&gt;
  
  
  Current Status
&lt;/h2&gt;

&lt;p&gt;Raind is experimental.&lt;/p&gt;

&lt;p&gt;It is not intended to be a production container runtime today.&lt;/p&gt;

&lt;p&gt;The current focus is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;container runtime stability&lt;/li&gt;
&lt;li&gt;rootless execution&lt;/li&gt;
&lt;li&gt;image handling&lt;/li&gt;
&lt;li&gt;Dockerfile build support&lt;/li&gt;
&lt;li&gt;Kubernetes-style resource compatibility&lt;/li&gt;
&lt;li&gt;local workload networking&lt;/li&gt;
&lt;li&gt;policy and netflow visibility&lt;/li&gt;
&lt;li&gt;runtime security profiles&lt;/li&gt;
&lt;li&gt;developer documentation and project maturity&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The project already includes documentation for architecture, containers, rootless modes, networking, resources, manifests, runtime layout, testing, and security profiles.&lt;/p&gt;

&lt;p&gt;But many areas are still evolving. Dockerfile parsing, image manifest handling, Kubernetes manifest compatibility, rootless networking, and production-grade hardening are all active areas of development.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why This Project Matters
&lt;/h2&gt;

&lt;p&gt;Raind is not trying to be “another Docker” or “a replacement for Kubernetes.”&lt;/p&gt;

&lt;p&gt;It is a runtime experiment around a specific idea:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;What if container execution, local workload orchestration, network policy, and runtime observability were designed as one connected system?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;That idea matters because local container workflows often sit between two worlds.&lt;/p&gt;

&lt;p&gt;On one side, Docker-like tools are easy to use but mostly container-centric.&lt;/p&gt;

&lt;p&gt;On the other side, Kubernetes-like systems are powerful but often too large when the goal is local runtime experimentation.&lt;/p&gt;

&lt;p&gt;Raind explores the space between them.&lt;/p&gt;

&lt;p&gt;It provides:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Docker-like container ergonomics&lt;/li&gt;
&lt;li&gt;Kubernetes-inspired workload resources&lt;/li&gt;
&lt;li&gt;Bottle-based local multi-container application units&lt;/li&gt;
&lt;li&gt;runtime-managed network policy&lt;/li&gt;
&lt;li&gt;netflow-based communication visibility&lt;/li&gt;
&lt;li&gt;rootless container execution modes&lt;/li&gt;
&lt;li&gt;a low-level OCI-style runtime layer implemented in Go&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For developers interested in containers, Linux namespaces, cgroups, networking, policy, or local Kubernetes-style testing, Raind is a project worth exploring.&lt;/p&gt;

&lt;h2&gt;
  
  
  Getting Started
&lt;/h2&gt;

&lt;p&gt;The repository is available on GitHub:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;https://github.com/shizuku198411/Raind
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A typical local flow looks like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind image pull nginx:latest
raind network create devnet
raind container run &lt;span class="nt"&gt;--name&lt;/span&gt; web &lt;span class="nt"&gt;-p&lt;/span&gt; 8080:80 nginx:latest
raind container logs web
raind container &lt;span class="nb"&gt;exec &lt;/span&gt;web nginx &lt;span class="nt"&gt;-v&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For Kubernetes-style resources:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind resource apply &lt;span class="nt"&gt;-f&lt;/span&gt; app.yaml
raind resource pod &lt;span class="nb"&gt;ls
&lt;/span&gt;raind resource service &lt;span class="nb"&gt;ls&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For runtime traffic visibility:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;raind logs netflow &lt;span class="nt"&gt;--line&lt;/span&gt; 50
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Raind is still young, but the project is moving quickly. Feedback, issues, ideas, and contributions are welcome.&lt;/p&gt;

&lt;p&gt;If you are interested in container runtimes, Linux workload isolation, local Kubernetes-style workflows, or runtime-level traffic visibility, I would be happy if you tried Raind or followed the project.&lt;/p&gt;

</description>
      <category>docker</category>
      <category>container</category>
      <category>kubernetes</category>
    </item>
  </channel>
</rss>
