03:00:29 <fengshengqin> #startmeeting zun
03:00:30 <openstack> Meeting started Tue Mar 20 03:00:29 2018 UTC and is due to finish in 60 minutes.  The chair is fengshengqin. Information about MeetBot at http://wiki.debian.org/MeetBot.
03:00:32 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
03:00:34 <openstack> The meeting name has been set to 'zun'
03:00:45 <fengshengqin> #topic Roll Call
03:00:48 <hongbin> o/
03:00:55 <kevinz> o/
03:01:22 <fengshengqin> Thanks for joining the meeting, hongbin, kevinz
03:01:27 <hongbin> :)
03:01:36 <kevinz> :-)
03:01:58 <fengshengqin> #topic Announcements
03:02:10 <fengshengqin> Two Zun presentations were selected at OpenStack Vancouver Summit
03:02:22 <fengshengqin> 1. Build Your Serverless Container Cloud with OpenStack and Kubernetes #link https://www.openstack.org/summit/vancouver-2018/summit-schedule/events/20734/build-your-serverless-container-cloud-with-openstack-and-kubernetes  2. Integration of Openstack Zun with Kata containers #link https://www.openstack.org/summit/vancouver-2018/summit-schedule/events/21193/integration-of-openstack-zun-with-kata-containers
03:02:31 * hongbin applauds
03:02:40 <hongbin> #link https://www.openstack.org/summit/vancouver-2018/summit-schedule/events/20734/build-your-serverless-container-cloud-with-openstack-and-kubernetes
03:02:46 <hongbin> #link https://www.openstack.org/summit/vancouver-2018/summit-schedule/events/21193/integration-of-openstack-zun-with-kata-containers
03:03:01 <fengshengqin> thanks hongbin
03:03:04 <kevinz> Cool
03:03:05 <hongbin> congrats kevinz
03:03:15 <kevinz> Thanks :-)
03:03:36 <fengshengqin> congrats, too
03:03:37 <hongbin> i believe this would be a very good presentation
03:03:55 <hongbin> kevinz: do you confirm the travel to canada?
03:04:16 <kevinz> hongbin: Yes. I can come
03:04:22 <hongbin> awesome
03:04:27 <kevinz> now applying for visa
03:04:39 <hongbin> great news
03:05:21 <fengshengqin> #topic Blueprints
03:05:36 <fengshengqin> 1. OpenStack as a virtual Kubernetes node (assignee: kevinz)
03:05:54 <kevinz> Hi
03:06:17 <fengshengqin> hi, how about your presentation to introduce zun in Hong Kong last week
03:06:30 <kevinz> last week prepared a Zun session in Hong Kong this Friday
03:06:43 <fengshengqin> is there any progress on this BP
03:07:06 <kevinz> this session will happen this Friday :-)
03:07:31 <kevinz> Still working on Capsule Create(golang support)
03:08:02 <fengshengqin> oh, i made a mistake
03:08:03 <kevinz> Met several failed test cases. But now most of them are OK
03:08:27 <fengshengqin> great news!
03:08:31 <kevinz> besides, I've done an investigation about virtual-kubelet
03:08:36 <hongbin> cool
03:08:53 <kevinz> I'll paste the investigation doc to googledoc
03:09:26 <kevinz> That's all from my side
03:09:56 <fengshengqin> thanks, kevinz
03:10:07 <kevinz> my pleasure
03:10:21 <fengshengqin> 2. Support remove image in zun (assignee: pengdake)
03:10:36 <hongbin> i believe pengdake is not here
03:10:57 <hongbin> he wanted to discuss his image delete patch (i recalled)
03:11:02 <fengshengqin> yes
03:11:11 <hongbin> a question for you guys:
03:11:26 <fengshengqin> I think he is missing policy rule for image_delete api
03:11:29 <hongbin> do you have use cases for the image API (image-create, image-delete, image-show)
03:11:52 <caisan> hongbin: ping
03:11:59 <hongbin> caisan: hi
03:12:16 <hongbin> caisan: thanks for joining, you are at the right time, we are discussing your patch
03:12:16 <fengshengqin> yes, we do.
03:12:29 <hongbin> fengshengqin: what are your use cases ?
03:12:50 <caisan> hongbin: yes, i have implemented the image-delete code
03:13:09 <fengshengqin> delete image in docker data
03:13:27 <hongbin> interesting
03:13:44 <fengshengqin> if glance driver, need to delete the tar in the specified path
03:13:56 <caisan> fengshengqin: policy ?
03:14:34 <hongbin> it sounds like this is the operation for cloud admins ?
03:15:01 <hongbin> e.g. cloud admins want to delete image from docker daemon and glance tarball
03:15:31 <hongbin> however, docker daemon and glance tar is hidden from normal users (non-admin)
03:15:43 <hongbin> this sounds like we should make image API as admin API
03:16:04 <fengshengqin> this is a good idea.
03:16:36 <hongbin> caisan: ack
03:16:40 <hongbin> fengshengqin: ack
03:16:44 <hongbin> caisan: what do you think?
03:16:46 <fengshengqin> https://github.com/openstack/zun/tree/master/zun/common/policies
03:17:21 <caisan> hongbin: you mean cloud users can just use the images supported by cloud platform?
03:17:57 <hongbin> caisan: normal users would simply run the container with an image
03:18:10 <caisan> just that?
03:18:15 <hongbin> yes
03:18:34 <hongbin> i believe normal users won't care about the specific path of glance tarball
03:18:50 <hongbin> or the docker image stored in a specific compute host
03:19:02 <hongbin> since all the hosts are hidden from normal users
03:19:08 <caisan> this strategy reminds me of openstack/trove, which manages database images in the same way.
03:19:15 <hongbin> (only admin can list the hosts)
03:19:53 <hongbin> yes, although i am not quite familiar with trove
03:20:25 <hongbin> caisan: for your patch, i believe most of the code will be used, what needs to be changed is the policy
03:20:51 <hongbin> caisan: change the policy to make it admin only, that is it
03:21:13 <hongbin> like this: check_str=base.RULE_ADMIN_API
03:22:41 <hongbin> caisan: any comment ?
03:22:44 <fengshengqin> anything else?
03:23:03 <fengshengqin> 3. Introduce quota for containers (assignee: TBD)
03:23:12 <caisan> hongbin: yes, i got it. but this could be not inconvenience for normal user if they pull the wrong image
03:23:28 <caisan> sorry guys, i am poor in english :(
03:23:48 <hongbin> caisan: i think zun is for pulling the image and manage them
03:23:51 <caisan> typing slowly
03:24:01 <hongbin> caisan: normally users just want to provide the name of the image, and let zun pull it
03:24:38 <hongbin> if the image is wrong, zun is responsible to deal with it
03:25:11 <hongbin> caisan: think about it in nova, are the users responsible to pull down the glance image ?
03:25:40 <hongbin> caisan: i believe they are not, nova will manage the glance image tarball internally
03:25:46 <caisan> hongbin: yes, i got the point. but the user can delete the image in glance.
03:26:16 <hongbin> caisan: yes, this is the same as zun ?
03:27:01 <caisan> hongbin: so the add the policy , normal user will delete the image in glance or docker if the need ?
03:27:15 <hongbin> caisan: yes
03:27:41 <hongbin> caisan: and i believe they won't have access to docker, so yes, they can delete it in glance
03:27:59 <caisan> hongbin: well, at least, docker can not be accessed. yes
03:28:15 <hongbin> agree
03:28:36 <fengshengqin> 3. Introduce quota for containers (assignee: TBD)
03:28:56 <fengshengqin> as i know, Keystone has supported unified limits in Queens
03:29:05 <hongbin> fengshengqin: this one is assigned to kien and kien doesn't seem to be here
03:29:23 <hongbin> yes
03:29:50 <hongbin> i haven't looked into the unified limits in keystone yet, but this would be an interesting investigation
03:30:12 <fengshengqin> currently, nova manages the quota itself, not registering the quota to keystone
03:30:30 <hongbin> yes
03:31:28 <fengshengqin> i don't know how to support it for zun
03:31:46 <hongbin> fengshengqin: no worry, kien will figure it out (i believe) :)
03:32:33 <fengshengqin> OK, let's discuss this next time
03:32:52 <hongbin> +1
03:32:59 <fengshengqin> #topic Bugs
03:33:08 <fengshengqin> 1. Cannot create container with kata runtime (assignee: hongbin)
03:33:37 <hongbin> for this one, i believe the kata team is investigating the issue
03:33:54 <hongbin> they doubt that the issue is about the ipv6 support in kata
03:34:10 <hongbin> they are working on patching the runtime and will give it another try
03:34:26 <hongbin> that is all about this bug
03:34:32 <hongbin> fengshengqin: ^^
03:34:57 <fengshengqin> thanks, hongbin, let's wait for new patch for kata
03:35:09 <fengshengqin> 2. Error on running privsep helper command (assignee: hongbin)
03:35:23 <hongbin> for this one, i have several patches up for reviews
03:35:36 <hongbin> #link https://review.openstack.org/#/c/544155/
03:35:45 <hongbin> #link https://review.openstack.org/#/c/554021/
03:36:00 <hongbin> this bug was introduced after the adding of privsep
03:36:21 <hongbin> privsep is the daemon for executing all the shell commands
03:36:30 <fengshengqin> so we can execute the sudo command?
03:36:39 <hongbin> so this bug basically breaks all the command execution
03:37:05 <hongbin> fengshengqin: before, yes, but we switched to privsep for security reasons
03:37:19 <hongbin> fengshengqin: right now, all the shell commands are executed by privsep daemon
03:37:43 <fengshengqin> i got it, i will review again.
03:37:50 <hongbin> thanks
03:38:02 <fengshengqin> #topic Open Discussion
03:38:15 <fengshengqin> how about containerize for zun?
03:38:32 <hongbin> what do you mean by containerize?
03:39:03 <fengshengqin> i mean zun is installed in a container
03:39:20 <hongbin> yes
03:39:36 <hongbin> i believe we have BPs for that, let me find the link
03:39:54 <hongbin> #link https://blueprints.launchpad.net/zun/+spec/zun-wsproxy-as-container
03:40:18 <hongbin> #link https://blueprints.launchpad.net/zun/+spec/zun-api-as-container
03:40:27 <fengshengqin> ok, i will try to do something about it.
03:40:36 <hongbin> cool
03:41:07 <fengshengqin> now i have a question
03:41:14 <hongbin> go ahead
03:41:37 <fengshengqin> such as zun will execute df in container
03:42:05 <hongbin> could you explain it a bit?
03:42:06 <fengshengqin> df get the info of the container, not for the host
03:42:16 <hongbin> oh, i see
03:42:35 <hongbin> zun exec <container> <command>
03:43:00 <hongbin> above is the exec command, would it be useful ?
03:43:30 <fengshengqin> so zun should send the command to host, then host returns info to zun which is installed in container.
03:44:20 <fengshengqin> i think it is not
03:44:29 <hongbin> you mean the exec command?
03:44:42 <hongbin> zun exec <container> df
03:44:58 <hongbin> this is equal to "docker exec <container> df"
03:45:36 <caisan> shouldn't it return the info of the container ?
03:45:49 <fengshengqin> it will return the df info of container
03:46:00 <hongbin> yes
03:46:17 <caisan> this is what we expect
03:46:18 <fengshengqin> but i want to get the host info
03:46:40 <hongbin> oh, i see
03:46:47 <hongbin> there is an admin api
03:46:49 <caisan> fengshengqin: you mean docker daemon host ?
03:46:58 <hongbin> $ zun host-list
03:47:16 <hongbin> $ zun host-show
03:47:36 <caisan> cool
03:47:44 <hongbin> this will return some host information i believe
03:47:58 <fengshengqin> what about lspci?
03:48:25 <hongbin> this is a good question
03:48:39 <fengshengqin> all command in zun code which get host info?
03:49:32 <hongbin> fengshengqin: ??
03:49:44 <hongbin> fengshengqin: don't get your last question
03:51:17 <fengshengqin> I mean zun is installed in container, when zun executes the lspci/df/..., it will return the info of container
03:51:33 <fengshengqin> but i want to get the info of host
03:52:23 <hongbin> fengshengqin: right now, zun is installed in the host (not in the container) right ?
03:52:31 <fengshengqin> yes
03:53:01 <hongbin> suppose zun is containerized, it is about the containerization of the zun-api and zun-wsproxy
03:53:16 <hongbin> zun-compute should not be containerized ( i think)
03:53:26 <hongbin> and all the commands are executed by zun-compute
03:53:39 <fengshengqin> oh,i see.
03:53:41 <hongbin> therefore, zun-compute will execute those commands in host
03:54:13 <fengshengqin> so we want to send the command to host
03:54:20 <hongbin> yes, definitely
03:54:33 <fengshengqin> This is not a mature idea, I'll think about it, also hope to get your suggestions
03:54:43 <hongbin> sure
03:55:09 <fengshengqin> anything else?
03:55:31 <hongbin> none from my side
03:55:43 <fengshengqin> thanks for joining the meeting again, see you next time
03:55:53 <hongbin> fengshengqin: thanks for chairing the meeting, i believe you did a good job :)
03:56:07 <fengshengqin> thanks
03:56:10 <hongbin> yes, see you all
03:56:33 <fengshengqin> #endmeeting