03:00:04 <hongbin> #startmeeting zun
03:00:05 <openstack> Meeting started Tue Aug 29 03:00:04 2017 UTC and is due to finish in 60 minutes. The chair is hongbin. Information about MeetBot at http://wiki.debian.org/MeetBot.
03:00:06 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
03:00:08 <openstack> The meeting name has been set to 'zun'
03:00:11 <hongbin> #link https://wiki.openstack.org/wiki/Zun#Agenda_for_2017-08-29_0300_UTC Today's agenda
03:00:14 <hongbin> #topic Roll Call
03:00:17 <Shunli> O/
03:00:18 <spn> o/
03:00:19 <Namrata> Namrata
03:00:21 <kiennt> hi 0/
03:00:22 <diga> o/
03:00:28 <mkrai> o/
03:00:30 <kiseok7> hi
03:00:47 <hongbin> thanks for joining the meeting Shunli spn Namrata kiennt mkrai kiseok7
03:01:03 <hongbin> let's get started
03:01:06 <hongbin> #topic Announcements
03:01:23 <hongbin> i have no announcement, anyone else has?
03:02:09 <hongbin> seem no
03:02:17 <hongbin> #topic Cinder integration
03:02:31 <hongbin> for this bp, there are some progress last week
03:02:49 <hongbin> i am working on two WIP patches, which i think it is ready to test
03:03:07 <hongbin> #link https://review.openstack.org/#/c/473115/
03:03:25 <hongbin> #link https://review.openstack.org/#/c/491271/
03:03:45 <hongbin> the first one is a big patch, i will split it into several smaller patches
03:04:32 <hongbin> basically, this is how it works: zun run --mount source=<vol_id>,destination=<path> <image>
03:04:56 <hongbin> the --mount option can be used multiple times to bind mount multiple volumes
03:05:31 <hongbin> any question so far?
03:05:59 <diga> hongbin: you are not using volume api, how mount is different from volume api ?
03:06:18 <hongbin> diga: i am using cinder api
03:06:26 <diga> okay
03:06:47 <diga> it means its a direct integration with Zun
03:06:53 <hongbin> yes
03:06:57 <diga> got it
03:07:54 <hongbin> ok, it looks there is no more question
03:08:09 <hongbin> then, we move to the next topic
03:08:19 <hongbin> #topic Introduce container composition (kevinz)
03:08:26 <hongbin> #link https://blueprints.launchpad.net/zun/+spec/introduce-compose
03:08:36 <hongbin> kevinz cannot join the meeting today
03:08:51 <hongbin> he uploaded several patches about capsule last week
03:08:51 <diga> for cinder integration using fuxi, I will update the patch today, some error needs to fix which I will update today. Due to some personal reason I couldn't work since 2 month
03:09:06 <hongbin> diga: ack
03:09:35 <hongbin> diga: you could leverage the code of my patches when integrating with fuxi
03:09:42 <diga> hongbin: Yeah
03:09:53 <diga> hongbin: will take a look at it today
03:10:06 <diga> hongbin: and update my code accordingly
03:10:34 <hongbin> back to the capsule topic
03:10:58 <hongbin> kevin has submitted some unit tests patches last week, all are merged
03:11:19 <hongbin> that is all for this bp
03:11:30 <hongbin> any question for this topic?
03:12:06 <hongbin> ok, advance topic
03:12:08 <hongbin> #topic Add support for clear container (mkrai)
03:12:13 <hongbin> #link https://blueprints.launchpad.net/zun/+spec/support-secure-container
03:12:24 <hongbin> mkrai: want to lead the discussion of this topic?
03:12:30 <mkrai> hongbin: sure
03:12:59 <mkrai> The patches for supporting a new runtime parameter in zun create/run API were merged
03:13:25 <hongbin> awesome
03:13:27 <mkrai> There is a question on whether we should allow non-admin users to select runtime or not
03:13:30 <spn> yay!
03:13:47 <mkrai> What do team think about it?
03:13:59 <hongbin> yes, i raise this suggestion
03:14:07 <hongbin> i could explain the rationale a bit
03:14:23 <hongbin> i see the --runtime option as a dangerous operation
03:14:32 <spn> mkrai: did you mean changing runtime for spinning containers by non-admin users?
03:14:41 <mkrai> spn: Yes
03:15:00 <hongbin> because users could use it to choose a runtime that is more secure or less secure
03:15:17 <hongbin> i think we need a way to restrict the choice of runtime
03:15:42 <hongbin> option 1: introduce a config (i.e. enabled_runtime) to specify a list of choosable runtime
03:15:55 <spn> hongbin: I am not sure I understood that argument. Why shouldn't users be allowed to change his runtime to secure or non-secure
03:15:57 <hongbin> option 2: disallow non-admin user to specify the --runtime option
03:16:22 <mkrai> hongbin: My opinion was to let non-admin users also choose runtime so that they have the flexibility to run their container with any of the available option
03:16:26 <hongbin> spn: i assume there are two 'runtime': docker or clear container
03:16:55 <hongbin> spn: if user can choose docker over clear container, i assume it is less secure
03:17:20 <hongbin> spn: for example, if i am a public cloud provider, i will enforce clear container as the only runtime
03:17:37 <hongbin> spn: make sense?
03:17:46 <spn> hongbin: I agree what you said. but not every user may need a clear container all the time based on his requirement.
03:18:16 <mkrai> spn: I agree on that, the users might want to change the runtime based on their requirement
03:18:17 <hongbin> mkrai: ack
03:18:18 <spn> but yes for public cloud there should be an option for admin to restrict it
03:18:37 <hongbin> then, how about option #1
03:19:04 <spn> so why don't we drop in an option for admin so that he can decide whether on this cloud a user can change container or not
03:19:22 <hongbin> spn: +1
03:19:30 <spn> imagine this situation where on the horizon UI, if a user is allowed to change container
03:19:57 <spn> he gets an option to click on a check box or something like that which specifies type of container also as an option.
03:20:21 <spn> cc is one type of an option , future can be any other type of runtime
03:20:45 <kiennt> spn: sound good +1
03:20:52 <mkrai> hongbin: I didn't get the option #1 clearly
03:21:12 <hongbin> mkrai: there is a config called "enabled_runtime"
03:21:14 <mkrai> hongbin: Does it mean that it can contain both docker and clear container ?
03:21:32 <spn> mkrai: if we had a config option like allowed_docker_runtimes = " docker, coe"
03:21:38 <spn> etc
03:21:38 <mkrai> And this might vary for other projects like just docker or just clear container
03:21:42 <hongbin> mkrai: yes, it could be enabled_runtime=docker,cc, or enabled_runtime=cc
03:22:03 <mkrai> Ok so that non-admins have right to choose from the list?
03:22:10 <hongbin> yes
03:22:15 <spn> yes.. allowed list
03:22:20 <spn> and admin decides the list
03:22:32 <spn> if admin says only coe just one option is shown to users
03:22:32 <mkrai> But this option will be applied to all the projects
03:23:02 <spn> mkrai: can this be forced upon project basis?
03:23:10 <mkrai> how to handle case when a admin in a project wants a different list than other project?
03:23:23 <mkrai> spn: Yes i am also thinking of the same case
03:24:02 <mkrai> hongbin: Does it makes sense?
03:24:33 <hongbin> mkrai: frankly, i couldn't think of use case that requires a per-project allowed list
03:25:10 <spn> like a finance team in the company which uses containers should be forced with cc
03:25:16 <spn> not all need it
03:25:30 <hongbin> ok, that make sense
03:25:47 <hongbin> then, the question is how to do it :)
03:25:55 <spn> if its needs to be project specific then it should be zun command line tunable
03:26:04 <mkrai> spn: +1
03:26:14 <mkrai> hongbin: Right
03:26:30 <hongbin> spn: yes, that should work
03:26:56 <mkrai> Ahh I am sensing a new kind of resource in Zun :D but that might not be needed
03:27:16 <mkrai> hongbin: spn we might need to store info with some resource
03:27:32 <mkrai> store the enabled_driver info in db
03:28:32 <hongbin> yes if we go that path
03:28:43 <Shunli> I guess it should be info of compute node.
03:28:46 <mkrai> I will start to work on this implementation and present the idea in next meeting
03:28:58 <mkrai> I will discuss with spn
03:28:59 <spn> mkrai: +1
03:29:10 <hongbin> ok, sound good
03:29:12 <mkrai> Shunli: ack
03:29:28 <Shunli> as the clear container should run in clear linux, right?
03:29:44 <mkrai> Shunli: it can run on other OS also
03:29:50 <mkrai> Like Ubuntu Cent OS etc
03:30:08 <spn> mkrai: but the image is special
03:30:21 <Shunli> mkrai: thx ,ack
03:30:22 <spn> it should have a particular kernel version isn't it
03:30:28 <mkrai> spn: Yes we need to install clear container on each compute node
03:30:54 <spn> mkrai: I am talking about changes inside the glance image? if any
03:31:18 <mkrai> spn: Which glance image?
03:31:32 <spn> sorry I meant the docker image which runs on cc
03:32:13 <mkrai> It is same as the normal image
03:32:24 <spn> mkrai: ok got it
03:32:57 <mkrai> hongbin: that's all from me :)
03:33:02 <hongbin> thanks mkrai
03:33:12 <Shunli> thanks mkrai
03:33:19 <spn> mkrai: thanks for bringing this discussion :)
03:33:32 <hongbin> #topic NFV use cases (lakerzhou)
03:33:35 <mkrai> Thank you all for a good discussion :)
03:33:40 <hongbin> #link https://etherpad.openstack.org/p/zun-nfv-use-cases
03:33:59 <hongbin> for this one, Shunli is working on several patches about pci
03:34:29 <hongbin> Shunli: do you have more details to add?
03:34:52 <Shunli> i'm struggled on the unit test last week. so the pci patch is a bit slow
03:35:12 <Shunli> just uploaded a pci device db model yesterday
03:35:36 <Shunli> no more progress about the pci feature.
03:35:42 <hongbin> #link https://review.openstack.org/#/c/498286/
03:35:58 <hongbin> Shunli: i think those are good progress
03:36:10 <hongbin> Shunli: thanks for the work
03:36:44 <Shunli> hongbin: the api version controller breaks the unit.
03:37:03 <Shunli> i'm cannot solve it, need someone help on it.
03:37:03 <hongbin> Shunli: which patch?
03:37:24 <Shunli> the network detach api patch. it's random.
03:37:42 <Shunli> even after i add the http header of api version for ut
03:37:57 <Shunli> it's still fails some times.
03:38:07 <hongbin> this one? https://review.openstack.org/#/c/493787/
03:38:16 <Shunli> https://review.openstack.org/#/c/493787/
03:38:56 <Shunli> not sure if someone familiar with the pecan route, can dig into this problem.
03:39:18 <mkrai> Shunli: I also added the api-version in header for unittest
03:39:23 <mkrai> otherwise it failed
03:39:46 <hongbin> however, the gate looks all pass
03:39:55 <Shunli> yes, it success some times, some times fail.
03:40:27 <hongbin> ok, we can work on that offline
03:40:47 <Shunli> ok.
03:41:05 <hongbin> all, any other comment on this topic?
03:41:33 <hongbin> #topic Open Discussion
03:41:53 <hongbin> all, any topic that you want to discuss with the team?
03:42:01 <kiennt> hi, i have one
03:42:05 <kiennt> https://etherpad.openstack.org/p/zun-multihost-problems
03:42:08 <kiennt> #link https://etherpad.openstack.org/p/zun-multihost-problems
03:43:16 <kiennt> zun multi-host scenario has some problems and I need advice.
03:43:27 * hongbin is reading the etherpad
03:46:11 <hongbin> kiennt: i couldn't figure out what was wrong , need to find some time to setup the environment to reproduce the error
03:47:18 <hongbin> kiennt: i will get back to that after finishing the cinder bp
03:48:57 <kiennt> hongbin: Basically, Zun doesn't pass pool_id because subnet doesn't have subnetpool_id. So Kuryr will try to create new kuryr subnetpool (which already created in the 1st node)
03:49:22 <kiennt> Therefore it will raise exception Another pool with same cidr
03:49:37 <hongbin> yes
03:50:39 <hongbin> however, i don't have a solution in mind right now :)
03:51:20 <hongbin> perhaps this bp will help
03:51:22 <hongbin> #link https://blueprints.launchpad.net/kuryr-libnetwork/+spec/existing-subnet
03:51:27 <spn> kiennt: exist if detects no pool id by zun?
03:51:33 <spn> exit*
03:51:34 <Shunli> does neutron has the tag plugin enabled?
03:52:08 <kiennt> hongbin: np, it's a bit tricky :D thanks for the link
03:52:19 <kiennt> Shunli: yes, it does
03:52:36 <hongbin> Shunli: tag plugin is enabled after pike
03:52:59 <hongbin> it should be called "tag extension"
03:53:04 <Shunli> https://review.openstack.org/#/c/441024/
03:53:12 <Shunli> yes, tag extension
03:54:46 <hongbin> ok, let's work on the project this week, and rediscuss it at the next meeting
03:54:52 <kiennt> spn: yes, if zun can't pass pool_id, kuryr will create its subnetpool.
03:55:06 <kiennt> hongbin: yes
03:55:08 <kiennt> exist if detects no pool id by zun?
03:55:08 <kiennt> <spn> exit*
03:55:22 <kiennt> oh, wrong copy paste
03:55:27 <spn> :)
03:55:28 <kiennt> sorry, thank you all
03:55:51 <hongbin> any other topic to discuss?
03:56:13 <kiennt> none from me
03:56:20 <Shunli> no
03:56:29 <hongbin> ok
03:56:40 <hongbin> all, thanks for joining the meeting, see you next week
03:56:43 <hongbin> #endmeeting