21:00:47 <strigazi> #startmeeting containers
21:00:48 <openstack> Meeting started Tue Feb 12 21:00:47 2019 UTC and is due to finish in 60 minutes. The chair is strigazi. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:00:49 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
21:00:51 <openstack> The meeting name has been set to 'containers'
21:00:59 <strigazi> #topic Roll Call
21:01:02 <eandersson> o/
21:01:07 <schaney> o/
21:01:08 <strigazi> o/
21:01:15 <jakeyip> o/
21:01:17 <colin-> \o
21:01:24 <imdigitaljim> o/
21:02:02 <strigazi> #topic stories/tasks
21:02:43 <strigazi> 1. Regarding CVE-2019-5736 in fedora atomic host, looks like we are covered
21:03:04 <colin-> nice
21:03:15 <strigazi> the fs of fedora atomic is immutable so an exploit can not overwrite the runc binary
21:03:53 <strigazi> also selinux protects users against an exploit of it.
21:04:18 <colin-> oh, i thought you meant you had patched for it
21:04:23 <colin-> i'm not as sure about those things
21:04:27 <strigazi> unfortunately we have it disabled on k8s. I'm testing if we can enable it
21:04:57 <strigazi> I'm checking with the fedora community
21:05:08 <strigazi> I'll let you know
21:06:05 <strigazi> 2. For the cluster autoscaler, we have a branch public which is fully functional and we'll push it kubernetes/autoscaler. https://github.com/cernops/autoscaler/tree/magnum-autoscaler-release-1.0
21:06:13 <colin-> cool. there's some sample exploit code attached to this report if anyone needs to test https://www.openwall.com/lists/oss-security/2019/02/11/2
21:06:21 <colin-> (very generic)
21:06:34 <strigazi> colin-: I'll try to repro
21:07:26 <strigazi> 1 and 2 were a bit generic. next:
21:07:52 <strigazi> eandersson: and others can you have a quick look into these two so we can take them:
21:08:06 <strigazi> k8s_fedora: Deploy tiller https://review.openstack.org/#/c/612336/
21:08:39 <strigazi> [k8s_fedora] Add heat-agent to worker nodes https://review.openstack.org/#/c/561858/ oh, flwang approved it
21:09:41 <strigazi> That's it from me. Does anyone else want to bring something up?
21:10:22 <schaney> mind if I add some comments and questions to the CA PR?
21:11:02 <strigazi> schaney: go for it
21:11:46 <strigazi> schaney: I was thinking we can open the PR to k/a first, but we can bring the discussion there when it is open
21:11:56 <schaney> that works as well
21:12:35 <strigazi> but it is public for that reason, so as you want :)
21:12:49 <strigazi> better comment now so you don't forget :)
21:12:56 <colin-> strigazi: did you ever try using the ipvs transport layer on your clusters?
21:13:00 <colin-> as opposed to iptables or similar
21:13:03 <strigazi> nope
21:13:10 <colin-> ok
21:13:47 <schaney> is this PR up to date? https://github.com/cernops/autoscaler/pull/3 not sure the differences between that and the release branch
21:14:18 <strigazi> the release branch is up to date
21:14:36 <strigazi> not sure where Thomas left the pr. lemme check
21:15:58 <strigazi> schaney: sorry I can not tell with certainty
21:17:13 <schaney> ok, I'll use the existing PR but make sure the code is consistent with the branch, unless that PR is known to be out of date?
21:17:22 <imdigitaljim> one random question with your autoscaler, have you tried on templates >= queens?
21:17:42 <imdigitaljim> since resources have had some changes since juno
21:18:03 <imdigitaljim> https://github.com/openstack/magnum/blob/master/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml#L1
21:18:47 <strigazi> schaney: maybe this helps https://github.com/cernops/autoscaler/compare/magnum-autoscaler-release-1.0...tghartland:openstack-provider
21:19:37 <imdigitaljim> well
21:19:38 <strigazi> imdigitaljim: no
21:19:44 <imdigitaljim> if you didnt have the PR with vendor folder
21:19:48 <imdigitaljim> it would be reviewable /shrug
21:19:59 <imdigitaljim> 1307 files is a lot to browse through
21:20:50 <schaney> looks like a lot of extra gophercloud stuff yeah
21:20:54 <strigazi> imdigitaljim: it is reviewable, you can ignore the vendor files
21:21:54 <strigazi> the gophercloud changes are very clear here: https://github.com/cernops/autoscaler/commits/magnum-autoscaler-release-1.0
21:22:31 <imdigitaljim> well we cant really comment on this PR effectively https://github.com/cernops/autoscaler/pull/3/files
21:22:35 <imdigitaljim> is all i mean
21:22:55 <imdigitaljim> in fact it hardly loads
21:22:57 <imdigitaljim> :P
21:25:21 <strigazi> I'll ping you tmr then, when the PR will be up
21:25:36 <strigazi> github nicks?
21:25:49 <strigazi> same as here?
21:25:59 <imdigitaljim> jim-bach
21:26:03 <imdigitaljim> or jabach@blizzard.com
21:26:09 <imdigitaljim> i can forward to others
21:26:14 <schaney> scott-chaney or schaney@blizzard.com
21:26:32 <strigazi> excellent
21:26:39 <schaney> thanks!
21:28:50 <strigazi> anything else for the meeting?
21:29:08 <colin-> itsc0lin on git
21:29:10 <colin-> nope
21:29:26 <strigazi> thanks colin-
21:29:36 <jakeyip> nope
21:30:11 <imdigitaljim> thanks spyros!@
21:30:27 <strigazi> thanks everyone. see you next week o/
21:30:32 <imdigitaljim> \o
21:30:37 <strigazi> #endmeeting