competition-container-runtime
Competition Container Runtime
Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the challenge is really about what the live container or pod is doing now, not what the checked-in manifest claims it should do.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Split intent from reality: manifest, image, startup, live mount, live route, live process.
- Map host -> proxy -> container or pod -> mounted volume -> consuming process.
- Keep secrets, rendered config, init output, and sidecar output separate from static manifests.
- Prove one minimal live path from mounted or injected state to reachable behavior.
- Reproduce the effect with the smallest runtime-specific chain.
Workflow
1. Map The Live Runtime
- Compare compose or kube manifests against running containers, pods, mounted volumes, env, sidecars, init containers, and entrypoints.
- Identify which process actually consumes the mounted secret, rendered config, or shared volume output.
2. Trace Route And Mount Boundaries
- Map virtual host, reverse proxy, service, container port, filesystem mount, and runtime-generated file paths together.
- Record whether the decisive state is image-baked, env-injected, mounted later, or written by an init/sidecar process.
3. Report The Runtime Deviation
- State the earliest point where live runtime diverges from checked-in intent.
- Keep one compact evidence chain from manifest or compose intent to live consumer behavior.
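As an added worked example (not code from this skill or its references), the three workflow steps above carried out in Python over inputs a competitor would already have captured: the compose service block (declared intent), the matching element of `docker inspect <container>` (live state, using its real `Mounts[].Source/Destination`, `Config.Env`, `Config.Image`, `Path` and `Args` fields), the image's own `Config.Env` from `docker image inspect`, a file list taken from the image, and the open-file symlink table collected inside the container with `find /proc/[0-9]*/fd -type l -printf '%p -> %l\n'`. Every sample value, container name and path below is constructed for illustration.

```python
"""Live-vs-declared drift for one compose-managed container. Added example, not the
skill's own code; every sample value at the bottom is constructed for illustration."""
import re
from typing import Dict, List, Set

def declared_from_compose(service: dict) -> dict:
    """Normalise a compose service block (short volume syntax) into the fields we diff."""
    mounts = {}
    for spec in service.get("volumes", []):              # "host:container[:mode]"
        parts = spec.split(":")
        src, dst = (parts[0], parts[1]) if len(parts) >= 2 else ("", parts[0])
        mounts[dst] = src
    env = service.get("environment", {})
    if isinstance(env, list):                            # ["K=V", ...] form
        env = dict(e.split("=", 1) for e in env)
    return {"image": service.get("image", ""), "mounts": mounts, "env": env,
            "command": list(service.get("command") or [])}

def live_from_inspect(inspect: dict, image_env: List[str]) -> dict:
    """Same fields from one `docker inspect` element; image_env is the image's own Config.Env."""
    cfg = inspect["Config"]
    return {"image": cfg.get("Image", ""),
            "mounts": {m["Destination"]: m.get("Source") or m.get("Name", "")
                       for m in inspect.get("Mounts", [])},
            "env": dict(e.split("=", 1) for e in cfg.get("Env", [])),
            "image_env": {e.split("=", 1)[0] for e in image_env},
            "command": [inspect["Path"]] + list(inspect.get("Args", []))}

def _mount_for(path: str, live: dict):
    """Longest live mount destination that contains `path`, else None."""
    return next((d for d in sorted(live["mounts"], key=len, reverse=True)
                 if path == d or path.startswith(d.rstrip("/") + "/")), None)

def diff_runtime(declared: dict, live: dict) -> List[str]:
    """Step 1: the points where the live container diverges from the manifest."""
    out = []
    if declared["image"] and declared["image"] != live["image"]:
        out.append(f"image: declared {declared['image']}, running {live['image']}")
    for dst, src in live["mounts"].items():
        if dst not in declared["mounts"]:
            out.append(f"mount not in manifest: {src} -> {dst}")
    out += [f"declared mount absent live: {d}" for d in declared["mounts"] if d not in live["mounts"]]
    out += [f"env set outside manifest and image: {k}" for k in live["env"]
            if k not in declared["env"] and k not in live["image_env"]]
    cmd = declared["command"]
    if cmd and live["command"][-len(cmd):] != cmd:       # image ENTRYPOINT may prefix it
        out.append(f"command: declared {cmd}, running {live['command']}")
    return out

def classify_source(path: str, declared: dict, live: dict, image_files: Set[str]) -> str:
    """Step 2: is the decisive file image-baked, mounted (declared or not), or runtime-written?"""
    dst = _mount_for(path, live)
    if dst is not None:                  # a mount shadows whatever the image had at that path
        return "mounted" if dst in declared["mounts"] else "mounted (undeclared)"
    if path in image_files:
        return "image-baked"
    return "runtime-written"             # init/sidecar/process output, or absent

FD_LINE = re.compile(r"^/proc/(\d+)/fd/\d+ -> (.+)$")

def consumers(fd_table: str, path: str, comm: Dict[int, str]) -> List[str]:
    """Step 2: PIDs holding `path` open right now, labelled with /proc/<pid>/comm."""
    hits = set()
    for line in fd_table.splitlines():
        m = FD_LINE.match(line.strip())
        if m and m.group(2) == path:
            hits.add(f"{m.group(1)}:{comm.get(int(m.group(1)), '?')}")
    return sorted(hits)

def evidence_chain(path, declared, live, image_files, fd_table, comm) -> str:
    """Step 3: one compact line, host source -> container path [origin] -> consumer."""
    dst = _mount_for(path, live)
    host = live["mounts"][dst] if dst else "(no host path)"
    who = ", ".join(consumers(fd_table, path, comm)) or "no process holds it open now"
    return f"{host} -> {path} [{classify_source(path, declared, live, image_files)}] -> {who}"

# --- constructed sample inputs (names and paths invented for illustration) ---
COMPOSE_SERVICE = {"image": "ctf/web:1.0", "volumes": ["./config:/etc/app:ro"],
                   "environment": {"APP_ENV": "prod"}, "command": ["python", "app.py"]}
INSPECT = {  # trimmed shape of one `docker inspect <container>` element
    "Path": "python", "Args": ["app.py"],
    "Config": {"Image": "ctf/web:1.0", "Env": ["PATH=/usr/local/bin:/usr/bin", "APP_ENV=prod",
                                                "ADMIN_TOKEN_FILE=/run/secrets/admin_token"]},
    "Mounts": [{"Type": "bind", "Source": "/srv/ctf/config", "Destination": "/etc/app"},
               {"Type": "bind", "Source": "/srv/ctf/secrets/admin_token",
                "Destination": "/run/secrets/admin_token"}]}
IMAGE_ENV = ["PATH=/usr/local/bin:/usr/bin"]             # `docker image inspect` Config.Env
IMAGE_FILES = {"/app/app.py", "/etc/app/default.yaml"}   # file list taken from the image
FD_TABLE = ("/proc/1/fd/0 -> /dev/null\n/proc/1/fd/3 -> /run/secrets/admin_token\n"
            "/proc/1/fd/4 -> socket:[4242]\n/proc/27/fd/0 -> /dev/pts/0\n")  # /proc fd symlinks
COMM = {1: "python", 27: "sh"}                            # /proc/<pid>/comm per PID

DECLARED = declared_from_compose(COMPOSE_SERVICE)
LIVE = live_from_inspect(INSPECT, IMAGE_ENV)

if __name__ == "__main__":
    print(*diff_runtime(DECLARED, LIVE), sep="\n")
    print(evidence_chain("/run/secrets/admin_token", DECLARED, LIVE, IMAGE_FILES, FD_TABLE, COMM))
```

`diff_runtime` is step 1, `classify_source` and `consumers` are step 2, and `evidence_chain` is the one-line artifact step 3 asks for. Two caveats a practitioner will hit: the `/proc/<pid>/fd` table only shows files a process holds open at that moment, so a secret read once at startup and closed will not appear and you fall back to `/proc/<pid>/maps`, `strace -f -e openat` on the live process, or the process's own config to name the consumer; and `classify_source` reports a mounted path even when the image carries a file at the same location, because the mount shadows the image copy and it is the mounted content the process reads. For a pod, the same diff applies with `kubectl get pod -o json` on the live side (`.spec.containers[].volumeMounts`, `.spec.volumes`, `.spec.initContainers`) against the checked-in manifest; init and sidecar containers each need their own chain.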
Read This Reference
- Load references/container-runtime.md for the runtime checklist, mount-chain checklist, and common live-vs-static pitfalls.
- If the hard part is kube API permissions, service-account trust, RBAC edges, admission mutations, or controller-created workload drift, prefer $competition-k8s-control-plane.
- If the hard part is Host-header routing, path-prefix rewriting, or route-to-service mapping across nodes, prefer $competition-runtime-routing.
- If the hard part is proving container-to-host crossover, kernel attack-surface preconditions, or stable escape primitives, prefer $competition-kernel-container-escape.
- If the hard part is replaying Linux secrets, socket trust edges, or host-to-host pivots after a container foothold, prefer $competition-linux-credential-pivot.
What To Preserve
- Compose/Kubernetes fragments tied to live mounts or routes
- Container IDs, pod names, mount paths, sidecar outputs, rendered config paths, and consuming processes
- The exact route or file path that becomes reachable only at runtime