*** huntxu has joined #openstack-qinling | 01:43 | |
*** blkart has quit IRC | 03:33 | |
*** blkart has joined #openstack-qinling | 03:35 | |
openstackgerrit | Merged openstack/python-qinlingclient master: handle required parameters not provided case in function creation https://review.openstack.org/586463 | 04:00 |
---|---|---|
*** caoyuan has joined #openstack-qinling | 09:51 | |
*** caoyuan has quit IRC | 10:14 | |
*** caoyuan has joined #openstack-qinling | 10:29 | |
*** caoyuan has quit IRC | 10:50 | |
*** huntxu has quit IRC | 11:15 | |
*** larainema has quit IRC | 11:27 | |
*** caoyuan has joined #openstack-qinling | 12:04 | |
*** caoyuan has quit IRC | 12:04 | |
chiragarora | lxcong: I just cloned the qinling repo and installed tempest using pip. Is anything else required? | 12:33 |
*** ChanServ changes topic to "Qinling uses StoryBoard for feature and bug tracking: https://storyboard.openstack.org/#!/project/927" | 14:37 | |
*** mnaser has joined #openstack-qinling | 17:58 | |
mnaser | hi everyone! we're looking to see how to deploy qinling on our public cloud | 17:58 |
mnaser | so we wanted to make it part of openstack ansible first | 17:58 |
mnaser | can we setup a magnum cluster and link it to qinling? | 17:59 |
lxkong | mnaser: yes, you can. Qinling can connect to any k8s cluster by changing some config options | 21:04 |
lxkong | mnaser: FYI, https://docs.openstack.org/qinling/latest/admin/install/config_kubernetes.html | 21:05 |
mnaser | lxkong: i noticed that document, so how worried would one be for scope of things in a public cloud | 21:05 |
mnaser | in terms of like multitenancy/etc | 21:05 |
lxkong | mnaser: i don't understand what you mean by `how worried would one be for scope of things in a public cloud` | 21:06 |
mnaser | well the idea of how controlled a serverless function is because the kubernetes cluster would be a multitenant one at that point | 21:06 |
mnaser | so tenant A and tenant B are sharing the same k8s cluster for their funcs | 21:06 |
lxkong | mnaser: k8s cluster is shared between tenants in openstack. | 21:07 |
lxkong | but that's transparent to the end users | 21:07 |
mnaser | right. but does that mean i can maybe create a serverless function that talks to k8s api and lists pods.. or maybe something that loops forever and disturbs other tenants, etc? | 21:07 |
lxkong | mnaser: unless you have the k8s credentials, otherwise you can not talk to k8s | 21:08 |
mnaser | gotcha. i thought pods could talk to k8s by default, but maybe i don't know much about k8s that much :) | 21:08 |
lxkong | service account is disabled in the pod | 21:08 |
mnaser | ack | 21:09 |
lxkong | lxkong: and we are also working on security hardening in k8s for qinling | 21:09 |
mnaser | i might write an openstack-ansible role to deploy it | 21:10 |
lxkong | mnaser: but be aware of that, in public cloud, maybe you want to have your own runtime implementation | 21:10 |
lxkong | mnaser: that will be great | 21:10 |
mnaser | why not leverage the upstream runtimes? | 21:10 |
lxkong | mnaser: you are running public cloud, do you want your end users know the implementation details of the runtime? | 21:11 |
mnaser | i mean the runtime is nothing more than a docker image with a language, no? | 21:11 |
lxkong | the malicious user may write 'bad' functions to try to exploit your cloud | 21:11 |
lxkong | docker is not safe | 21:11 |
lxkong | that's the reason we need to work on the security part | 21:11 |
lxkong | s/docker/container | 21:11 |
mnaser | so still not ready for public cloud as fully upstream | 21:12 |
lxkong | mnaser: but that's up to you | 21:12 |
lxkong | we are also working on hardening the reference runtime implementation to make it more close to production ready | 21:12 |
lxkong | just let you know, it's open source, and it's just a docker image, so you have full control of it | 21:13 |
mnaser | yeah but we'd want to upstream anything, we wouldn't want to run downstream stuff :) | 21:13 |
mnaser | i don't see a lot of docs around the runtime stuff | 21:13 |
lxkong | mnaser: yeah, doc is difficult part for now :-) we are trying our best to improve, you know, we are a small team for now | 21:14 |
mnaser | of course, i totally understand | 21:14 |
lxkong | mnaser: may i know which cloud are you working on? | 21:14 |
lxkong | or company? | 21:14 |
mnaser | vexxhost.com | 21:14 |
lxkong | ooh, i know | 21:14 |
lxkong | mnaser: you can test qinling first, we welcome any feedback | 21:15 |
mnaser | i wonder if qinling + kata would be the solution | 21:15 |
lxkong | hah, yeah, definitely. That relies on the stability of kata | 21:15 |
lxkong | i already tested that | 21:15 |
mnaser | well given how short lived the vms generally are | 21:15 |
mnaser | we might get away with a lot | 21:15 |
lxkong | mnaser: qinling supports to run image type function, which means end user can package their function written in any programming language in a docker image | 21:16 |
lxkong | and run the function by specifying the image | 21:16 |
mnaser | we have nested virt in our infra | 21:16 |
mnaser | so if we run kata with k8s, it would be near native | 21:17 |
lxkong | but that will bring security concerns to the cloud | 21:17 |
lxkong | so qinling supports to create 'untrusted' runtime | 21:17 |
mnaser | at that point, if someone wants to run malicious code, it is the same thing as starting a vm and writing malicious code in it? | 21:17 |
lxkong | yeah, vm will be safe | 21:17 |
mnaser | i'll have to experiment running on kata, that might be the best solution | 21:18 |
mnaser | there's no settings to put timeouts on how long jobs run and stuff, right? | 21:18 |
lxkong | kata is still in beta, maybe not suitable to run in production | 21:18 |
lxkong | it's on the roadmap, but not implemented yet | 21:19 |
mnaser | gotcha | 21:19 |
mnaser | notifications would be big too i guess to do billing | 21:19 |
lxkong | you are correct! | 21:19 |
mnaser | you know what would be cool though | 21:19 |
mnaser | if using the api you can connect it to your own k8s cluster | 21:19 |
mnaser | so user can create cluster using the way they want (magnum, kubeadm, etc) | 21:20 |
lxkong | yeah, | 21:20 |
mnaser | and then make an api request to 'authorize' qinling to use it | 21:20 |
mnaser | that might avoid the whole untrusted/billing/etc problem.. there's a lot of interesting solutions :) | 21:20 |
lxkong | you can find something you probably need here https://storyboard.openstack.org/#!/project/927, all on the roadmap | 21:20 |
mnaser | we're in the middle of creating 3 regions right now so we have a few things to iron out first, aha | 21:21 |
mnaser | but hopefully soon it will be ready | 21:21 |
lxkong | mnaser: awesome. and any kind of contribution from you is welcome :-) | 21:22 |
mnaser | of course, you'll see it pick up when we're evaluating it more :) | 21:22 |
lxkong | nice | 21:22 |