22:06:27 <adrian_otto> #startmeeting containers
22:06:28 <openstack> Meeting started Tue Sep 23 22:06:27 2014 UTC and is due to finish in 60 minutes. The chair is adrian_otto. Information about MeetBot at http://wiki.debian.org/MeetBot.
22:06:29 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
22:06:31 <openstack> The meeting name has been set to 'containers'
22:06:42 <iqbalmohomed_> Hi ..
22:06:47 <iqbalmohomed_> Iqbal Mohomed, IBM Research
22:07:05 <adrian_otto> #link https://wiki.openstack.org/wiki/Meetings/Containers Our Agenda
22:07:11 <adrian_otto> #topic Roll Call
22:07:13 <adrian_otto> Adrian Otto
22:07:17 <adrian_otto> hi Iqbal!
22:07:41 <iqbalmohomed_> Hi Adrian .. hope the openstack meetup was fun last week!
22:08:04 <adrian_otto> yes, it was worth the trip up from LA to attend it
22:09:10 <adrian_otto> so I did not have today's date on the meeting schedule, so it stands to reason that we have thin attendance
22:09:23 <iqbalmohomed_> ah ok ... just us it seems
22:09:29 <adrian_otto> I will take a moment to fix that
22:10:23 <mtesauro> I was wondering about that - the schedule missing today
22:10:59 <adrian_otto> no worries, we can regroup next week, hopefully with more progress to report
22:11:22 <adrian_otto> Diga has been working on the API a bit, and expects to have the Pecan/WSME basics done this week
22:11:25 <mtesauro> works for me
22:11:28 <adrian_otto> #topic Announcements
22:11:38 <adrian_otto> Any announcements from the team?
22:12:50 <adrian_otto> #topic Review Action Items
22:13:09 <adrian_otto> #action adrian_otto to coordinate a follow-up about Gantt, to help the containers team understand its readiness plans, and how they may be applied in our work.
22:13:18 <adrian_otto> Status: in-progress. Awaiting response from bauzas
22:13:42 <adrian_otto> #topic Backlog
22:13:46 <adrian_otto> #link https://wiki.openstack.org/wiki/Meetings/Containers Containers Team Meeting Page
22:14:04 <adrian_otto> Any open subjects to add to the backlog?
22:15:18 <adrian_otto> #topic Open Discussion
22:16:48 <iqbalmohomed_> I have a question again :)
22:17:01 <adrian_otto> of course!
22:17:31 <iqbalmohomed_> I'm curious if we are depending on ironic for provisioning a bare metal host for docker containers (if the user wants bare metal of course)
22:18:19 <adrian_otto> yes, we would rely on Nova to produce the instance, so it would be Ironic in the bare metal case.
22:18:21 <iqbalmohomed_> My understanding is that we make use of vanilla nova mechanisms to provision the top-level instance
22:18:46 <adrian_otto> Doesn't Nova use a virt driver to talk to Ironic?
22:19:43 <iqbalmohomed_> IC ... I don't have any experience with ironic (good or bad) ... I was thinking another way to achieve what we need for the container service is perhaps with privileged containers
22:20:10 <iqbalmohomed_> Right now, I don't believe nova-docker can create privileged containers
22:20:31 <adrian_otto> adjusting it to allow that is not a major undertaking
22:21:10 <adrian_otto> that's probably a pretty small patch.
22:21:13 <iqbalmohomed_> That's what i figured ... if we have a special launcher privileged container, we could use it to spawn child containers on a compute node
22:21:41 <iqbalmohomed_> I was thinking more about sets of containers as opposed to single containers
22:22:05 <iqbalmohomed_> i'm not sure how much the container service wants to think about groups of containers rather than singletons
22:22:06 <adrian_otto> yes, although we do not attempt to address multi-tenant security concerns, so you'd need to match it to use cases where you are not running hostile workloads on the same compute node
22:22:47 <adrian_otto> well, Magnum would allow containers to have a parent
22:22:53 <iqbalmohomed_> right ... multi-tenancy is a bit problematic if the privileged container allows user access
22:22:58 <adrian_otto> so you could arrange them in a hierarchy
22:23:12 <adrian_otto> iqbalmohomed_: yes, exactly.
22:23:13 <iqbalmohomed_> anyways ... just wanted to throw out a design which would not use ironic
22:24:20 <adrian_otto> yes, nested containers can work by either using a privileged container as the root entity, or awaiting Linux kernel features that allow nested unprivileged containers
22:24:37 <adrian_otto> that's technically possible, and I believe is in progress
22:24:45 <adrian_otto> although I have not confirmed that yet
22:24:51 <iqbalmohomed_> yup ... i've been reading this as well
22:25:06 <iqbalmohomed_> with the latter, the multi-tenancy concerns are much reduced
22:25:42 <adrian_otto> well, as long as the users recognize that the level of security isolation offered by type 1 hypervisors is not the same as the isolation provided by containers
22:26:46 <iqbalmohomed_> So in the case of ironic, the top-level host of containers is not shared by multiple tenants ... is that right
22:26:49 <adrian_otto> the fact that containers share a single kernel per host, and that all containers have access to the full syscall table by default present a different risk profile for multitenancy
22:27:01 <adrian_otto> yes, that's correct.
22:27:24 <adrian_otto> the "instance" would belong to one tenant, and only his/her containers could land on it
22:27:43 <iqbalmohomed_> cool ... makes sense ... thx
22:27:46 <adrian_otto> whereas if the base instance is a container, you might have >1 per host
22:28:01 <adrian_otto> depending on the sizing of the container and the sizing of the host, etc.
22:28:35 <adrian_otto> Magnum could allow the ratio of instances to containers to be configurable
22:29:17 <adrian_otto> or just leave it up to the scheduler
22:29:48 <adrian_otto> ok, I put the next 4 meetings up on the calendar at https://wiki.openstack.org/wiki/Meetings/Containers#Weekly_Containers_Team_Meeting
22:30:24 <adrian_otto> any other discussion before we wrap up for today?
22:31:02 <adrian_otto> ok, thanks everyone for attending
22:31:13 <iqbalmohomed_> bye ... take care
22:31:18 <Slower> thanks!
22:31:34 <adrian_otto> our next meeting is Tuesday 2014-09-30 at 1600 UTC
22:31:41 <adrian_otto> #endmeeting