02:59:56 <hongbin> #startmeeting zun
02:59:57 <openstack> Meeting started Tue Nov 8 02:59:56 2016 UTC and is due to finish in 60 minutes. The chair is hongbin. Information about MeetBot at http://wiki.debian.org/MeetBot.
02:59:58 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
03:00:00 <openstack> The meeting name has been set to 'zun'
03:00:02 <hongbin> #link https://wiki.openstack.org/wiki/Zun#Agenda_for_2016-11-08_0300_UTC Today's agenda
03:00:07 <hongbin> #topic Roll Call
03:00:11 <shubhams> shubhams
03:00:11 <mkrai> Madhuri Kumari
03:00:14 <kevinz> kevinz
03:00:25 <pksingh> Pradeep Singh
03:00:32 <Wenzhi> Wenzhi
03:00:52 <flwang> o/
03:00:57 <yanyanhu> hi
03:01:08 <hongbin> Thanks for joining the meeting shubhams mkrai kevinz pksingh Wenzhi flwang yanyanhu
03:01:18 <hongbin> #topic Announcements
03:01:24 <hongbin> 1. Welcome Shubham to join the core team
03:01:30 <hongbin> #link http://lists.openstack.org/pipermail/openstack-dev/2016-November/106750.html
03:01:33 <pksingh> congrats shubhams
03:01:35 <Wenzhi> welcome
03:01:37 <mkrai> Congratulations shubhams :)
03:01:42 <kevinz> congratulations
03:01:49 <mkrai> Welcome to the team!
03:01:50 <hongbin> shubhams: welcome. thanks for your contribution to Zun
03:01:57 <shubhams> Thanks hongbin pksingh mkrai kevinz :)
03:02:09 <shu-mutou> welcome!
03:02:15 <hongbin> 2. Plan to be an official OpenStack project
03:02:22 <hongbin> A requirement of joining OpenStack is to have an elected PTL, so I will find someone to hold a PTL election.
03:02:29 <mkrai> I have been waiting for this :)
03:02:35 <hongbin> yes
03:02:35 <Wenzhi> me too :)
03:02:46 <pksingh> :)
03:02:48 <kevinz> :)
03:02:57 <hongbin> after a ptl is elected, i will apply to be official
03:03:09 <hongbin> hopefully, everything is fine
03:03:17 <hongbin> 3. OpenStack Barcelona Summit recap
03:03:24 <hongbin> * We had a Zun presentation in the main summit.
03:03:30 <hongbin> #link http://www.slideshare.net/hongbin034/zun-presentation-openstack-barcelona-summit The slide
03:03:35 <hongbin> #link The video: https://www.youtube.com/watch?v=Go8_G3iLyl4 The video
03:03:39 <pksingh> hongbin: i watched the video, it is great :)
03:03:53 <hongbin> pksingh: i was a bit nervous at that time
03:03:55 <hongbin> :)
03:03:56 <yanyanhu> cool
03:04:01 <hongbin> hope everything is clear
03:04:06 <kevinz> well done
03:04:09 <pksingh> yup
03:04:12 <hongbin> * We had a Zun session at design summit
03:04:19 <hongbin> #link https://etherpad.openstack.org/p/ocata-zun-worksession The etherpad
03:04:21 <shubhams> Yes it was a nice session
03:04:31 <hongbin> * The general public showed high interests in our project
03:04:37 <hongbin> #link http://www.internetnews.com/blog/skerner/openstack-zun-debuts-new-approach-to-cloud-containers.html An article about Zun
03:04:49 <hongbin> * Feedback/Wishlist
03:04:57 <hongbin> 1. Strong isolation between containers from different tenants
03:05:03 <hongbin> 2. Kubernetes integration
03:05:18 <hongbin> These are the main features that I heard several times
03:05:33 <hongbin> Will discuss it later in the agenda
03:05:44 <hongbin> #topic Review Action Items
03:05:50 <hongbin> Discuss with hongbin on features list for release o (In Progress)
03:05:58 <hongbin> Let's discuss this
03:06:03 <hongbin> #topic Plan features for Ocata release
03:06:09 <hongbin> #link https://etherpad.openstack.org/p/zun-ocata-planning The etherpad
03:06:36 <hongbin> We can either brainstorm ocata features here or work on the etherpad
03:06:53 <hongbin> What features you want?
03:07:20 <shubhams> I think on etherpad we can put our votes for each feature and then decide . What do you say ?
03:07:29 <pksingh> etherpad +1
03:07:31 <flwang> i would say just focus on the current list
03:07:45 <flwang> vote is a good idea here
03:07:46 <hongbin> shubhams: for sure, but let's wait for everything to have a input first
03:08:24 <hongbin> ok, do anyone want to add to the list at the last moment?
03:08:33 <pksingh> I think first we should focus on docker runtime, and support all operations
03:08:53 <eliqiao> hi , I am late
03:08:58 <hongbin> pksingh: ack
03:09:17 <hongbin> eliqiao: we are working on the etherpad https://etherpad.openstack.org/p/zun-ocata-planning
03:09:28 <eliqiao> hongbin: thx
03:09:39 <hongbin> ok, then let's vote
03:11:11 <mkrai> Please add any feature which you feel is left
03:11:43 <hongbin> So far, it looks k8s integration and functional tests have a lot of votes
03:11:46 <Qiming> em, what does this mean -- "Kubernetes integration"?
03:11:55 <mkrai> Yes hongbin
03:11:57 <Qiming> having zun acting as a proxy to kubernetes?
03:12:06 <hongbin> Qiming: sort-of
03:12:32 <hongbin> Qiming: right now, we have docker + nova as the first driver
03:12:42 <hongbin> Qiming: I think k8s can be the second driver
03:13:06 <hongbin> Qiming: you have a concern?
03:13:09 <Qiming> ... they are different layer things, container engine and container orchestrator
03:13:18 <Qiming> my concern ^
03:13:46 <hongbin> Qiming: In the summit, people said we considered nova as a COE :)
03:14:04 <Qiming> if nova can be a COE, there won't be zun
03:14:27 <hongbin> Qiming: Zun is driving nova as a COE (that is what I mean)
03:14:50 <Qiming> IMO, nova is not suitable for orchestration, and zun is the orchestrator
03:15:19 <hongbin> Qiming: ok, we could discuss that
03:15:25 <Qiming> then zun is about a unified COE abstraction, right?
03:15:45 <hongbin> Qiming: yes, that is my understanding
03:15:58 <Qiming> thanks, just for clarification, sorry for interrupt
03:16:13 <hongbin> Qiming: let me know if you have any concern
03:16:27 <hongbin> However, we could discuss this offline
03:16:54 <hongbin> OK, let's move on
03:17:10 <hongbin> #topic Support interactive mode (adisky)
03:17:15 <hongbin> #link https://blueprints.launchpad.net/zun/+spec/support-interactive-mode The BP
03:17:24 <kevinz> I've done some investigation , will use dockerpty to realize this.
03:17:25 <kevinz> https://github.com/d11wtq/dockerpty
03:17:33 <pksingh> hongbin: i would like to work on this
03:17:44 <kevinz> Could I re use this library? Or copy its code to Zun.
03:17:44 <kevinz> I will write a spec before next team meeting.
03:17:45 <pksingh> if no one is working
03:18:12 <hongbin> it looks kevinz also wanted to work on this :)
03:18:24 <hongbin> pksingh vs kevinz
03:18:56 <hongbin> pksingh: it looks the BP has been assigned to kevinz
03:19:10 <pksingh> ok will help kevinz in reviews :)
03:19:14 <hongbin> kevinz: sure, looking forward to the spec
03:19:18 <kevinz> pksingh: :-) Thanks~
03:19:30 <kevinz> hongbin: OK
03:19:31 <hongbin> you two can pair up to work on this if you want
03:19:41 <shubhams> kevinz: I checked github repo of dockerpty and bit worried as last commit on this was in Feb. I am afraid if this repo is maintained well
03:20:18 <pksingh> kevinz can we work on this?
03:20:31 <kevinz> shubhams: Yeah I also concerned about that. So maybe we can re realize this in Zun
03:21:08 <hongbin> ok, let's move on
03:21:15 <hongbin> #topic Container image store (mkrai)
03:21:15 <shubhams> kevinz: ok
03:21:20 <hongbin> #link https://blueprints.launchpad.net/zun/+spec/glance-integration The BP
03:21:26 <hongbin> #link https://review.openstack.org/#/c/383678/ Madhuri's patch
03:21:31 <hongbin> #link https://review.openstack.org/#/c/380298/ Shubham's patch
03:21:32 <kevinz> pksingh Thanks~
03:21:43 <mkrai> hongbin: the base patches were merged.
03:22:02 <hongbin> mkrai: any other patches you plan to submit?
03:22:14 <mkrai> I guess few more patches are required which are just needed for finishing off
03:22:14 <shubhams> hongbin: mkrai , I will start working on python-magnumclient for image api
03:22:18 <mkrai> Yes one
03:22:38 <mkrai> That is to store images in glance when we pull it from docker
03:22:39 <hongbin> shubhams: ack
03:22:59 <mkrai> And then we can close this bp
03:23:05 <hongbin> great
03:23:06 <flwang> mkrai: store the un-layered image in glance?
03:23:11 <mkrai> One question
03:23:22 <hongbin> flwang: yes, it is a tarball
03:23:28 <flwang> ok, got it
03:23:31 <mkrai> flwang: Yes. Do we want to support layering in glance also?
03:23:46 <flwang> mkrai: no, since it's basically impossible :D
03:23:56 <mkrai> The same way nova-docker does it
03:24:21 <flwang> i will take a look the patch this week
03:24:33 <flwang> putting my glance hat
03:24:50 <hongbin> flwang: i like your hat :)
03:25:04 <mkrai> hongbin: What do you think about it?
03:25:26 <hongbin> mkrai: i agree with flwang that it is hard to work on layering image at this stage
03:25:37 <mkrai> Ok so I will leave that
03:25:42 <hongbin> mkrai: it requires a lot of work, maybe a new project
03:26:08 <hongbin> yes, it might be a priority in the future, but i don't think it is now
03:26:13 <mkrai> I meant storing new tarball of changed image which the nova-docker way
03:26:32 <flwang> mkrai: that's alright
03:26:40 <mkrai> I think we can leave it for now as Glare aims to do it
03:26:46 <flwang> one thing we need to do is
03:27:14 <flwang> using tags or image custom properties to tag the image clearly
03:27:40 <flwang> Glare is good, but don't expect much at this stage
03:27:52 <flwang> at the lay off of Mirantis
03:28:09 <mkrai> Ohh I didn't know about this
03:28:28 <flwang> I don't think there are people working on that, unless current Glare cores still want to maintain that after got a new job
03:28:32 <hongbin> Mirantis is laying off people, this is a hot discussion in the summit
03:29:00 <hongbin> ok, let's move on
03:29:02 <hongbin> #topic Container network (hongbin)
03:29:07 <flwang> pls take it as rumor
03:29:09 <flwang> ;D
03:29:11 <hongbin> #link https://blueprints.launchpad.net/zun/+spec/neutron-integration The BP
03:29:17 <hongbin> #link https://review.openstack.org/#/c/365754/ The proposed spec (merged)
03:29:23 <hongbin> #link https://review.openstack.org/#/c/380646/ The patch
03:29:49 <hongbin> i tried to resolve all the conflicts in the patch and addressed most of the comments
03:30:00 <hongbin> i think it is ready for another round of reviews now
03:30:18 <hongbin> (remind: this is a large patch)
03:30:26 <mkrai> Yes I will revisit the patch
03:30:32 <hongbin> mkrai: thx
03:30:49 <hongbin> ok, then move to open discussion
03:30:51 <hongbin> #topic Open Discussion
03:31:09 <hongbin> 1. Multi-tenancy isolation between containers in the same host
03:31:49 <hongbin> This is the top wishlist in the summit according to the feedback
03:32:06 <mkrai> hongbin: I am not sure whether it will be feasible or not. But how about adding namespaces concept?
03:32:41 <hongbin> mkrai: right now, we can hide containers from other tenants
03:32:51 <hongbin> mkrai: which is basically a namespace
03:32:59 <mkrai> K8s also has similar concept of namespace
03:33:21 <hongbin> mkrai: yes, consider openstack tenant is similar as k8s namespace
03:33:26 <pksingh> that's i think just for hiding resources from one and other
03:33:32 <mkrai> Yes
03:33:32 <yanyanhu> maybe they are different I think. Currently, namespace only controls the visibility of resources while multi-tenancy is more about isolation?
03:33:55 <yuanying> How host file systems is hidden by zun?
03:34:15 <hongbin> yanyanhu: yes, i should say openstack tenant is a stronger than namespace
03:34:38 <yanyanhu> yes
03:34:58 <hongbin> yuanying: zun didn't expose the -v flag, so it is impossible to use docker run -v to mount host file system
03:35:20 <yuanying> hongbin: I got it
03:35:34 <hongbin> however, the issue is: if there are two containers from two tenants scheduled to the same host, how to do isolation
03:35:49 <hongbin> this is the concern from people
03:36:01 <hongbin> there are several ways to solve it
03:36:10 <hongbin> 1. using vm as isolators
03:36:23 <hongbin> 2. use secure container (i.e. hyper, clear container)
03:36:30 <hongbin> anything else?
03:36:41 <Qiming> wait for kernel improvement
03:36:49 <hongbin> Qiming: :)
03:37:09 <yanyanhu> or isolating containers by running them on different physical hosts?
03:37:23 <hongbin> yanyanhu: yes, that is also an option
03:37:28 <yanyanhu> although the isolation granularity could be too coarse...
03:37:33 <mkrai> It may lead to waste of resource yanyanhu
03:37:46 <yanyanhu> mkrai, yes, that is a big concern
03:37:56 <mkrai> I think #option 2 is better
03:38:46 <hongbin> silent....
03:39:02 <flwang> if we go for #2, does that mean docker is not welcome at this case?
03:39:02 <yanyanhu> for option2, it depends on whether users buy in your idea: is "secure" container really secure?
03:39:07 <yanyanhu> :)
03:39:12 <yanyanhu> flwang, +1
03:39:24 <pksingh> flwang: +1
03:39:32 <yanyanhu> if it is 'really' secure, it is 'container' ?
03:39:46 <hongbin> yanyanhu: it is actually a vm :)
03:39:49 <Qiming> yes, it is Container NG
03:39:52 <yanyanhu> yep
03:39:56 <flwang> let me ask in another way
03:40:01 <mkrai> one container per vm
03:40:02 <flwang> why we don't like VM
03:40:08 <flwang> just because we're working on container?
03:40:08 <hongbin> yanyanhu: however, it use the vm to run container image, so it is sort of a *container*
03:40:22 <Qiming> VM kills almost every benefit you get from a container, :D
03:40:28 <flwang> without VM, we have not much relationship with OpenStack, IMHO
03:40:48 <Qiming> flwang, true, that is why they don't care about us
03:40:56 <flwang> Qiming: hah
03:41:06 <hongbin> flwang: the key of secure container is that it has optimized for the boot time
03:41:19 <hongbin> flwang: so compared to vm, secure container boot faster
03:41:25 <hongbin> flwang: that is the whole point
03:41:29 <flwang> hongbin: but
03:41:40 <mkrai> For clear container I know the container boots up really fast. I have used it
03:41:46 <flwang> for that case, we will basically give up docker, right?
03:42:14 <mkrai> flwang: We can use the same docker cli to run clear containers
03:42:20 <flwang> or we support docker, but if you want more secure, go for clear container ?
03:42:28 <hongbin> flwang: yes, i think so. or i should say, for that case, secure container is an alternative to docker
03:42:34 <mkrai> Yes flwang
03:42:48 <flwang> ok, fair enough
03:43:02 <mkrai> #link https://lwn.net/Articles/644675/
03:43:15 <mkrai> May be this article will help to understand
03:43:25 <hongbin> flwang: you don't like secure container? or you have any concern?
03:43:47 <yanyanhu> mkrai, nice, will read it
03:45:17 <hongbin> i think we can try secure container, as an experiential driver (i am not sure if it will work)
03:45:28 <mkrai> +1 hongbin
03:45:39 <hongbin> any concern for this?
03:45:43 <pksingh> +1 hongbin
03:45:48 <flwang> hongbin: i'm happy with secure container
03:46:11 <shubhams> +1 for secure container trial
03:46:13 <hongbin> flwang: i just want to know if you see any pitfall for this approach
03:46:19 <flwang> i just don't want to miss any case which may let some potential user go away
03:46:55 <hongbin> ok, if there is no objection, i will create a bp for this
03:47:19 <hongbin> #action hongbin create a bp for adding support for secure container
03:47:24 <adisky> +1 hongbin
03:47:56 <hongbin> Anything else to discuss from our team members?
03:48:05 <mkrai> k8s integration?
03:48:16 <hongbin> mkrai: sure , we can discuss that
03:48:37 <mkrai> Do we want to integrate with Magnum for this?
03:48:54 <pksingh> hongbin: can we have anything like imagepullpolicy like k8 has?
03:49:16 <hongbin> mkrai: that doesn't mean integrate with magnum
03:49:36 <mkrai> Implement the k8s APIs in Zun?
03:49:37 <hongbin> pksingh: i am not familiar with image pulling policy, but we can investigate it later
03:49:57 <hongbin> mkrai: simply speaking, implement zun api by using k8s
03:50:03 <pksingh> hongbin: ok
03:50:09 <hongbin> here is the long version
03:50:34 <hongbin> this is a features that has been mentioned by different people in the summit
03:50:58 <mkrai> Ok got it
03:50:59 <hongbin> the people don't like to use magnum to boot k8s, because they already has a k8s that is statically there
03:51:28 <hongbin> however, they want zun to interact with an existing k8s (whether it is provisioned by magnum or not)
03:51:49 <mkrai> Magnum integration can be later part
03:51:54 <mkrai> But it is not needed now
03:52:02 <hongbin> yes, it should be optional as well
03:52:25 <mkrai> We can use our python-k8sclient :)
03:52:35 <pksingh> mkrai: why zun will integrate with magnum?
03:52:37 <hongbin> yes, we definitely can
03:52:52 <mkrai> pksingh: To provision host running k8s
03:53:05 <mkrai> pksingh: But that is optional
03:53:16 <pksingh> mkrai: do we need that via zun?
03:53:50 <mkrai> pksingh: Either the operators can have their own existing k8s cluster
03:54:11 <mkrai> pksingh: May be in future but not sure now
03:55:15 <hongbin> ok, any other comment about the k8s integration?
03:55:39 <hongbin> maybe i should create a bp for that as well?
03:55:57 <mkrai> yes
03:56:04 <pksingh> hongbin: i think bp already exists?
03:56:16 <hongbin> pksingh: really? let me check
03:56:18 <mkrai> hongbin: I will test python-k8sclient this week
03:56:35 <mkrai> Not sure whether it is still working or not
03:57:01 <hongbin> pksingh: no, i couldn't find any bp about k8s integration
03:57:23 <pksingh> hongbin: its different, https://blueprints.launchpad.net/zun/+spec/k8s-compatible-api
03:57:46 <hongbin> pksingh: yes, this one is just a brainstormed idea
03:57:55 <hongbin> #action hongbin create a bp for k8s integration
03:58:41 <pksingh> hongbin: there is https://blueprints.launchpad.net/zun/+spec/coe-integration
03:59:22 <hongbin> coe is a bit too general, but yes, we could link to this bp as well
03:59:45 <hongbin> ok, it looks time is up
03:59:55 <mkrai> Thanks all!
03:59:57 <hongbin> all, thanks for joining the meeting
04:00:03 <hongbin> #endmeeting