16:00:28 <adrian_otto> #startmeeting containers
16:00:30 <openstack> Meeting started Tue Feb  9 16:00:28 2016 UTC and is due to finish in 60 minutes.  The chair is adrian_otto. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:32 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:34 <adrian_otto> #link https://wiki.openstack.org/wiki/Meetings/Containers#Agenda_for_2016-02-09_1600_UTC Our Agenda
16:00:35 <openstack> The meeting name has been set to 'containers'
16:00:40 <adrian_otto> #topic Roll Call
16:00:42 <adrian_otto> Adrian Otto
16:00:55 <madhuri_> o/
16:00:59 <levi_b> o/
16:01:02 <rods> o/
16:01:03 <dane_leblanc> o?
16:01:06 <dane_leblanc> o/
16:01:12 <coreyob> o/
16:01:13 <eghobo> o/
16:01:15 <hongbin> o/
16:01:21 <strigazi> o/
16:01:45 <muralia> o/
16:02:12 <dimtruck> o/
16:02:15 <suro-patz> o/
16:03:14 <juggler> o/
16:03:19 <adrian_otto> hello madhuri_ levi_b rods dane_leblanc coreyob eghobo hongbin strigazi muralia dimtruck suro-patz and juggler
16:03:34 <bradjones> o/
16:04:35 <thomasem> o/
16:05:00 <adrian_otto> hello bradjones and thomasem
16:05:04 <adrian_otto> let's begin
16:05:16 <adrian_otto> #topic Announcements
16:05:36 <adrian_otto> 1) Reminder: Magnum Midcycle is Feb 18-19 in Sunnyvale, CA.
16:05:55 <adrian_otto> #link https://wiki.openstack.org/wiki/Magnum/Midcycle Midcycle Details
16:06:04 <adrian_otto> any other announcements from team members?
16:06:53 <juggler> Is the Google Hangout link as of this writing?
16:07:34 * adrian_otto looks for what juggler is referring to
16:08:17 <adrian_otto> juggler: We do not have remote participation sorted out yet
16:08:18 <juggler> keep the meet rolling and i'll see if I remember where that reference is...
16:08:22 <juggler> ah ok
16:08:29 <adrian_otto> I do have one more announcement
16:08:39 <juggler> cool
16:08:50 <adrian_otto> but it's not specific to Magnum, so I will mention it during open discussion
16:09:13 <adrian_otto> #topic Review Action Items
16:09:33 <adrian_otto> adrian_otto to produce a wiki page that explains Magnum's ability to support native API access and wrapped (limited) access to that functionality through our containers resource, and pointers to points of debate.
16:09:36 <adrian_otto> #link https://wiki.openstack.org/wiki/Magnum/NativeAPI
16:09:46 <adrian_otto> this is a first draft of this page
16:09:58 <adrian_otto> I'm planning to fill it in with additional rationale, but this is the main idea
16:10:30 <adrian_otto> If you have use cases for the /container API resource, please list them there.
16:10:47 <adrian_otto> questions/concerns about this?
16:10:52 <thomasem> reading
16:12:07 <adrian_otto> Im planning on expanding on our intent not to re-implement every feature of every COE, and keeping that resource to a minimum feature set, in accordance with our design sessions decisions in Tokyo.
16:12:38 <adrian_otto> we may also decide to make that resource pluggable (or even removable)
16:12:56 <adrian_otto> or possibly eliminate it, subject to discussion at our upcoming midcycle meetup
16:12:57 <thomasem> lgtm, few grammatical things I'll go fix.
16:13:04 <adrian_otto> tx, thomasem
16:13:24 <adrian_otto> once we are happy with that page, I'll link it up to the Magnum wiki.
16:13:29 <thomasem> cool
16:13:45 <juggler> what thomasem said :) some POV changes from sentence to sentence...
16:14:13 <adrian_otto> great, let's tighten it up.
16:14:23 <adrian_otto> next up for action items:
16:14:25 <adrian_otto> 2) bradjones and adrian_otto to work on a demo of the Magnum UI for publication on the Magnum project wiki page.
16:14:41 <adrian_otto> bradjones: I was unable to connect with you.
16:14:54 <adrian_otto> Let's regroup after the meeting to earmark time for this together.
16:15:10 <adrian_otto> #action bradjones and adrian_otto to work on a demo of the Magnum UI for publication on the Magnum project wiki page.
16:15:17 <adrian_otto> ok, that one is carried forward.
16:15:25 <adrian_otto> Magnum UI Subteam Update (bradjones)
16:15:27 <bradjones> adrian_otto: sounds good
16:15:30 <adrian_otto> #topic Magnum UI Subteam Update (bradjones)
16:15:57 <bradjones> don't really have anything to update on this week
16:16:01 <adrian_otto> ok
16:16:09 <adrian_otto> #topic Blueprint Review
16:16:15 <adrian_otto> Essential Blueprint Review
16:16:39 <adrian_otto> #link https://blueprints.launchpad.net/magnum/mitaka Mitaka Blueprints
16:17:04 <adrian_otto> #link https://blueprints.launchpad.net/magnum/+spec/magnum-troubleshooting-guide (Tango)
16:17:10 <adrian_otto> I think Tango may be on vacation?
16:17:21 <hongbin> Yes he is
16:17:26 <adrian_otto> #link https://blueprints.launchpad.net/magnum/+spec/user-guide (Tango)
16:17:37 <adrian_otto> ok, does anyone have remarks on these two BP's to share?
16:18:03 <adrian_otto> #link https://blueprints.launchpad.net/magnum/+spec/magnum-tempest (dimtruck)
16:18:24 <dimtruck> in review.  one patch is about to get merged.  the other i just rebased.
16:18:29 <adrian_otto> this is in "Needs Code Review" status
16:18:46 <adrian_otto> ok, give me a heads up when all related code merges.
16:18:52 <dimtruck> will do!
16:19:06 <adrian_otto> #link https://blueprints.launchpad.net/magnum/+spec/resource-quota (vilobhmm11)
16:19:12 <adrian_otto> thanks dimtruck
16:19:16 <dimtruck> thank you :)
16:19:30 <vilobhmm11> #1. https://review.openstack.org/#/c/266662/ - Spec for Resource Quota got merged last week #2. Patches out for review https://review.openstack.org/#/c/259201/
16:19:46 <vilobhmm11> will submit few more patches this week
16:19:56 <adrian_otto> thanks vilobhmm11
16:19:58 <vilobhmm11> adrian_otto : ^^
16:20:02 <adrian_otto> any concerns to address with the team?
16:20:52 <adrian_otto> Subtopic: Blueprints, Bugs, Specs, and other work items to be discussed as a team
16:21:04 <vilobhmm11> adrian_otto : no I think I am good
16:21:06 <adrian_otto> #link https://blueprints.launchpad.net/magnum/+spec/async-container-operations (suro-patz)
16:21:07 <vilobhmm11> thanks!
16:21:10 <adrian_otto> thanks vilobhmm11
16:21:37 <suro-patz> I have been receiving thorough review on the spec
16:21:56 <suro-patz> the spec has gone through some revisions - but mostly for phase1
16:22:17 <suro-patz> I will request the team to review the phase0 implementation too
16:22:33 <suro-patz> https://review.openstack.org/#/c/275003/
16:23:00 <suro-patz> https://review.openstack.org/#/c/267134/
16:23:36 <suro-patz> adrian_otto:^^
16:24:10 <adrian_otto> thanks so much for your work on this, suro-patz. This is a really important improvement.
16:24:42 <adrian_otto> I made a note to be sure to review this today
16:24:43 <suro-patz> adrian_otto: happy to contribute!
16:25:30 <adrian_otto> ok, any additional remarks on this one?
16:25:48 <suro-patz> so far I have got a very good response on the review for the spec …  love this community's effort to get things better!
16:26:09 <adrian_otto> super
16:26:26 <adrian_otto> ok, so thins brings us to our next item for team discussion.
16:26:33 <adrian_otto> #link https://bugs.launchpad.net/magnum/+bug/1543308 We must not disable selinux (Triaged, Critical)
16:26:36 <openstack> Launchpad bug 1543308 in Magnum "We must not disable selinux" [Critical,In progress] - Assigned to Corey O'Brien (coreypobrien)
16:26:54 <adrian_otto> I voted -2 on a patch this week because it contained code to disable selinux
16:27:08 <adrian_otto> with respect, this is something that I simply can not allow.
16:27:36 <adrian_otto> and I'm looking for others to join me in fixing Magnum so it works properly with selinux enabled.
16:27:39 <coreyob> I went back in the history and it looks like it was only disabled so that cloud-init configuration would work. I turned it back on at the end of cloud-init stuff and everything seems to work locally. I put a patch up and it is going through the checks now
16:27:59 <coreyob> #link https://review.openstack.org/#/c/277883/
16:28:00 <adrian_otto> coreyob: that's terrific
16:28:11 <adrian_otto> would you be willing to claim ownership of the bug mentioned above?
16:28:35 <coreyob> sure. that patch submission auto-assigned it to me anyway
16:28:52 <adrian_otto> I'm thrilled to hear that, thanks!
16:29:11 <adrian_otto> I am prepared to explain why this is such an important issue if anyone is interested
16:29:58 <suro-patz> adrina_otto: If you have time, please explain ...
16:30:11 <adrian_otto> We do have a little time, so let's address it, suro-patz
16:30:38 <vilobhmm11> coreyob : good work! thanks for working on gate problems as well last week it was a great help for the team
16:30:40 <adrian_otto> neighboring containers have less security isolation between them than neighboring vms do.
16:31:20 <adrian_otto> that's because rather than using a hardware interface (relatively simple) they are separated by the kernel's syscall interface.
16:31:35 <adrian_otto> that interface has hundreds of calls, some of which are not simple.
16:32:10 <suro-patz> the area of attack surface is larger
16:32:24 <adrian_otto> and Madatory Access Control (the kernel feature that both selinx and apparmor use) is how containers can be more securely isolated from eachother by narrowing this attack surface
16:32:54 <adrian_otto> so if we simply disable selinux blidly, we are disabling the most suitable security feature we have
16:33:13 <adrian_otto> now, we can argue that because bays are isolated from eachother that containers don't need to be
16:33:21 <adrian_otto> because no two containers will be in the same nova node.
16:33:23 <adrian_otto> but...
16:33:41 <adrian_otto> that logic only applies when nova is delivering vm's or full bare metal machines
16:34:00 <adrian_otto> if nova is configured to deliver containers as the basis for the nova nodes, then we *really* need selinux to be working
16:34:16 <adrian_otto> because then we have a multi-tenancy security expectation to meet
16:34:19 <adrian_otto> make sense?
16:34:35 <suro-patz> adrian_otto: thanks for the explanation!
16:35:00 <suro-patz> wondering, why did we disable it?
16:35:03 <adrian_otto> my pleasure. If anyone else is concerned about this and does not feel comfortable asking about it now, please feel free to find me privately and I will be happy to address it.
16:35:23 <adrian_otto> suro-patz: I don't have the original commit log, so I could not identify the original contributor to ask them
16:35:36 <adrian_otto> but I think it was imported from heat-kubernetes code
16:35:45 <coreyob> here's the original commit: https://github.com/openstack/magnum/commit/784643e142bfaccd762e487077a34e12e4a49da3
16:35:49 <adrian_otto> so I doubt someone in the Magnum project actively made thtat choice
16:35:51 <hongbin> FYI. Here is the origin commit https://github.com/larsks/heat-kubernetes/commit/6a203edd7a7523f3e69a5d61514a1df8197dae96
16:35:55 <coreyob> "Disable selinux so that cloud-init works"
16:36:02 <adrian_otto> gasp
16:36:14 <juggler> wow, that was quick [the original commits]. :)
16:36:20 <adrian_otto> ok, so let's not do that anymore
16:36:52 <adrian_otto> thanks everyone for your attention to this. I won't harp on it more today.
16:37:09 <suro-patz> adrian_otto: in absence of 'selinux enabled' if a container gets compromised, the chance of the bay-node being compromised would also arise. right?
16:37:09 <coreyob> I haven't tested to be sure, but I'm guessing we do have to disable it temporarily for our cloud-init configuration scripts to work. but it seems we can turn it on again after that.
16:37:23 <adrian_otto> it did not come from a Magnum contributor originally, which is a small relief.
16:37:25 <juggler> does not feel like harping. this is a matter of importance
16:38:32 <adrian_otto> suro-patz: yes, the security of Bay nodes is important. It's just as important as the security of a compute node would be.
16:39:40 <adrian_otto> we will be covering this in the Midcycle
16:39:50 <adrian_otto> oh, I did not mention that I assembled a schedule
16:39:52 <adrian_otto> here:
16:40:08 <vilobhmm11> adrian_otto : its an important point to discuss in midcycle IMHO
16:40:15 <adrian_otto> #link https://etherpad.openstack.org/p/magnum-mitaka-midcycle-topics
16:40:41 <adrian_otto> this was based on your input, and can be adjusted still if we see anything important that was overlooked
16:41:24 <adrian_otto> ok, we are currently in task item review
16:41:45 <vilobhmm11> schedule looks good..thanks adrian_otto !
16:41:50 <adrian_otto> next is all about Gate status
16:42:02 <adrian_otto> #link https://bugs.launchpad.net/magnum/+bug/1541964 k8s gate job
16:42:04 <openstack> Launchpad bug 1541964 in Magnum "K8s bay creation intermittently timing out" [High,Confirmed]
16:42:45 <coreyob> I think that k8s intermittent failure is the only regularly occurring gate issue that needs to be addressed
16:43:13 <coreyob> the memory issue that is next is in the gate now I think
16:43:56 <adrian_otto> ok, let's paste that one in...
16:44:06 <adrian_otto> #link https://review.openstack.org/#/c/276958/ memory consumption
16:44:38 <coreyob> does anyone have any insight on the k8s failure?
16:45:01 <hongbin> coreyob: no idea, until we get the logs when it failed
16:45:04 <adrian_otto> I am upgrading the k8s bug to critical
16:45:56 <coreyob> so maybe this bug needs to be prioritized? https://bugs.launchpad.net/magnum/+bug/1542390 too?
16:45:57 <openstack> Launchpad bug 1542390 in Magnum "Copy logs on test failure" [High,New]
16:46:16 <hongbin> +1
16:47:20 <adrian_otto> I upgraded that one to critical as well, as it could clear the critical path to resolution
16:47:21 <dimtruck> fyi - i'm doig a similar change in my certs patch to copy nova logs on error based on eghobo's suggestion.
16:47:33 <dimtruck> (since we could have similar issues for functional-api)
16:48:19 <coreyob> i think there are enough pieces laying around that we just need to make sure they're enabled for any failure on any job and cover all the logs we need
16:48:33 <dimtruck> +1
16:49:02 <dimtruck> i'll assign this bug to myself since i'm kind of down this road already if nobody minds
16:49:10 <adrian_otto> thanks dimtruck
16:49:34 <adrian_otto> ok, do we have enoguh muscle lined up to succeed on these gate issues?
16:49:37 <juggler> cheers dimtruck
16:49:54 <adrian_otto> please let me know where I can help
16:49:54 <coreyob> I think so yep
16:49:59 <adrian_otto> ok, good.
16:50:11 <adrian_otto> that concludes the prepared agenda for work items
16:50:30 <suro-patz> adrian_otto: regarding https://etherpad.openstack.org/p/magnum-mitaka-midcycle-topics, two occurrences of 'Heat Tempalte Versioning' is by design I guess
16:50:38 <adrian_otto> does anyone have other work items (blueprints, bugs, reviews) that need ream discusison before we proceed to open discussion
16:50:57 <adrian_otto> suro-patz: I am having a look at that
16:51:01 <suro-patz> day1: 11am, day2: 13hrs
16:51:21 <adrian_otto> good catch
16:51:30 <adrian_otto> I am going to drop the day 2 one and expand the parking lot
16:51:38 <suro-patz> cool!
16:51:39 <adrian_otto> we can address it there if needed
16:53:11 <adrian_otto> #topic Open Discussion
16:53:22 <vilobhmm11> adrian_otto : if possible, would be nice to have a seperate session for production readiness for magnum right now seems to be part of parking lot discussion
16:53:31 <dane_leblanc> Does anyone know the status of using smaller images in upstream testing (e.g. ubuntu?)
16:53:35 <hongbin> adrian_otto: back to the wiki page you mentioned earlier (https://wiki.openstack.org/wiki/Magnum/NativeAPI), I think it would be better to put it in a etherpad, so that we can work on the use cases together
16:53:58 <vilobhmm11> hongbin : +1
16:55:08 <hongbin> adrian_otto: if you agreed, you can assign an AI to me for creating the etherpad
16:55:08 <adrian_otto> hongbin: good suggestion
16:55:45 <adrian_otto> vilobhmm11: I expected we would touch on production readiness during the Magnum Use Cases and Adoption
16:55:53 <dane_leblanc> I'm trying to use Fedora Atomic in baremetal environment, but its size in raw format (roughly 9 GB) is a pain.
16:56:02 <adrian_otto> do we have a full 45 minutes or 60 minutes of discussion for that topic?
16:56:43 <adrian_otto> #action hongbin to create an etherpad for collaborative development of our NativeAPI wiki page
16:56:48 <adrian_otto> thanks hongbin
16:56:56 <hongbin> my pleasure
16:57:15 <adrian_otto> #link http://containerevent.com/container-day-meetup/ Open Container Night
16:57:30 <vilobhmm11> adrian_otto : that also works..thanks!
16:57:43 <vilobhmm11> covering as part of Magnum Use Cases and Adoption
16:57:44 <adrian_otto> I agreed to deliver the keynote for this. I had though we'd have a team dinner on that evening (day before Midcycle) but this will contend for that time
16:58:02 <hongbin> dane_leblanc: I think coreyob is upgrading to Atomic23, which should be smaller than right now
16:58:12 <adrian_otto> so instead I'd like us to get together as a team between 5pm and 7pm on the 18th
16:58:26 <adrian_otto> for drinks
16:58:40 <dane_leblanc> hongbin: Thanks.
16:58:58 <adrian_otto> if you want to attend Open Container Night, it is free, and you need to register. See link above.
16:59:02 <coreyob> dane_leblanc here's the atomic 23 change https://review.openstack.org/#/c/276232/
16:59:13 <adrian_otto> We are approaching the end of our scheduled time.
16:59:31 <dane_leblanc> coreyob: Great, thanks!
16:59:59 <adrian_otto> our next team meeting will be on Tuesday 2016-02-16 at 1600 UTC here on IRC. See you then!
17:00:08 <adrian_otto> thanks everyone for attending today.
17:00:14 <juggler> thanks all
17:00:20 <adrian_otto> #endmeeting