11:01:17 <oneswig> #startmeeting scientific-sig
11:01:18 <openstack> Meeting started Wed Feb 24 11:01:17 2021 UTC and is due to finish in 60 minutes. The chair is oneswig. Information about MeetBot at http://wiki.debian.org/MeetBot.
11:01:19 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
11:01:21 <openstack> The meeting name has been set to 'scientific_sig'
11:02:07 <oneswig> #link agenda for today https://wiki.openstack.org/wiki/Scientific_SIG#IRC_Meeting_February_24th_2021
11:02:19 <oneswig> eliaswimmer: hi!
11:02:32 <eliaswimmer> hi Stig!
11:03:15 <oneswig> Thanks for coming along
11:04:45 <oneswig> (Just concluding another meeting)
11:07:22 <oneswig> How's things?
11:08:40 <oneswig> #topic use of glance image metadata for inter-cloud portability
11:09:15 <oneswig> In the topic of inter-cloud portability, image naming is probably square one
11:11:10 <oneswig> #link Listed properties in Glance docs https://docs.openstack.org/glance/latest/admin/useful-image-properties.html
11:11:33 <oneswig> Setting lots of these is helpful to people trying to port their deployment to your cloud
11:13:58 <eliaswimmer> is there some naming convention for images yet?
11:14:06 <oneswig> In practice we could probably set more, for example here's table stakes
11:14:13 <oneswig> os_type: "linux"
11:14:13 <oneswig> os_distro: "centos"
11:14:13 <oneswig> os_version: "7.5"
11:14:15 <oneswig> hw_rng_model: "virtio"
11:14:37 <oneswig> Ah, naming, I think there are only informal conventions there.
11:15:15 <oneswig> This is where the discovery process comes in - how do I ask Glance, "What is the latest best CentOS 8 image" for example
11:15:33 <oneswig> a metadata-driven lookup
11:16:03 <oneswig> Alas we didn't get details ahead on Chris Layton's thoughts on this.
11:16:43 <eliaswimmer> ok, now I get it! For me a patch level tag would be an important label.
11:17:21 <eliaswimmer> cause centos 8 can be a lot of different versions
11:17:31 <oneswig> so true
11:19:31 <oneswig> eliaswimmer: are you providing infrastructure-as-a-service on your system?
11:19:35 <oneswig> (or planning to?)
11:20:04 <eliaswimmer> that's the plan! Currently only in an early stage
11:20:57 <eliaswimmer> There is still a lot to do, like CD of images to OpenStack, image scanning etc
11:22:31 <eliaswimmer> Another question is how to lock images with vulnerabilities
11:22:45 <oneswig> To prevent further deployments with it?
11:22:54 <oneswig> Sounds like a good idea
11:22:54 <eliaswimmer> exactly
11:23:26 <eliaswimmer> one can't remove them as long as they are used, at least not when using ceph
11:23:39 <oneswig> Just delete the image perhaps? Deployed instances would only lose the name of the image they used
11:24:16 <oneswig> eliaswimmer: are you sure? could that be a copy-on-write detail
11:24:54 <eliaswimmer> oneswig: Not 100%, maybe it was a permission issue
11:26:07 <eliaswimmer> But when deleting, users miss the metadata from the images
11:32:43 <oneswig> That's true, but perhaps they don't need it after the VM is deployed.
11:34:39 <eliaswimmer> About image scanning. Even if it is a bit off topic now, but we should also do so with Kolla images.
11:37:06 <oneswig> The container images?
11:37:25 <oneswig> We've done some interesting exploration with using Clair
11:38:13 <eliaswimmer> ah, yes. that is what I was thinking
11:38:34 <oneswig> It was enough to convince us that it is a very useful function - we'll definitely use it
11:40:15 <eliaswimmer> I do so with my images for jupyterhub, it's quite easy and the recent sudo bug shows how important that is
11:40:56 <eliaswimmer> same can be done for all types of images, even live systems
11:48:36 <oneswig> On the image tags, there was an effort to set some standards as part of the IRIS federation in the UK, but I don't know if anything has been adopted by that group
11:52:55 <oneswig> Anyway, I don't think we'll progress much further today, between us :-)
11:58:41 <verdurin> I've also looked at Anchore for image scanning.
11:59:43 <oneswig> Hi verdurin, just in time...
11:59:57 <oneswig> Can you compare and contrast?
12:03:26 <oneswig> Ah, we should wrap up. Thanks eliaswimmer verdurin
12:03:30 <oneswig> #endmeeting