22:06:27 <adrian_otto> #startmeeting containers
22:06:28 <openstack> Meeting started Tue Sep 23 22:06:27 2014 UTC and is due to finish in 60 minutes.  The chair is adrian_otto. Information about MeetBot at http://wiki.debian.org/MeetBot.
22:06:29 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
22:06:31 <openstack> The meeting name has been set to 'containers'
22:06:42 <iqbalmohomed_> Hi ..
22:06:47 <iqbalmohomed_> Iqbal Mohomed, IBM Research
22:07:05 <adrian_otto> #link https://wiki.openstack.org/wiki/Meetings/Containers Our Agenda
22:07:11 <adrian_otto> #topic Roll Call
22:07:13 <adrian_otto> Adrian Otto
22:07:17 <adrian_otto> hi Iqbal!
22:07:41 <iqbalmohomed_> Hi Adrian .. hope the openstack meetup was fun last week!
22:08:04 <adrian_otto> yes, it was worth the trip up from LA to attend it
22:09:10 <adrian_otto> so I did not have today's date on the meeting schedule, so it stands to reason that we have thin attendance
22:09:23 <iqbalmohomed_> ah ok ... just us it seems
22:09:29 <adrian_otto> I will take a moment to fix that
22:10:23 <mtesauro> I was wondering about that - the schedule missing today
22:10:59 <adrian_otto> no worries, we can regroup next week, hopefully with more progress to report
22:11:22 <adrian_otto> Diga has been working on the API a bit, and expects to have the Pecan/WSME basics done this week
22:11:25 <mtesauro> works for me
22:11:28 <adrian_otto> #topic Announcements
22:11:38 <adrian_otto> Any announcements from the team?
22:12:50 <adrian_otto> #topic Review Action Items
22:13:09 <adrian_otto> #action adrian_otto to coordinate a follow-up about Gantt, to help the containers team understand its readiness plans, and how they may be applied in our work.
22:13:18 <adrian_otto> Status: in-progress. Awaiting response from bauzas
22:13:42 <adrian_otto> #topic Backlog
22:13:46 <adrian_otto> #link https://wiki.openstack.org/wiki/Meetings/Containers Containers Team Meeting Page
22:14:04 <adrian_otto> Any open subjects to add to the backlog?
22:15:18 <adrian_otto> #topic Open Discussion
22:16:48 <iqbalmohomed_> I have a question again :)
22:17:01 <adrian_otto> of course!
22:17:31 <iqbalmohomed_> I'm curious if we are depending on ironic for provisioning a bare metal host for docker containers (if the user wants bare metal of course)
22:18:19 <adrian_otto> yes, we would rely on Nova to produce the instance, so it would be Ironic in the bare metal case.
22:18:21 <iqbalmohomed_> My understanding is that we make use of vanilla nova mechanisms to provision the top-level instance
22:18:46 <adrian_otto> Doesn't Nova use a virt driver to talk to Ironic?
22:19:43 <iqbalmohomed_> IC ... I don't have any experience with ironic (good or bad) ... I was thinking another way to achieve what we need for the container service is perhaps with privileged containers
22:20:10 <iqbalmohomed_> Right now, I don't believe nova-docker can create privileged containers
22:20:31 <adrian_otto> adjusting it to allow that is not a major undertaking
22:21:10 <adrian_otto> that's probably a pretty small patch.
22:21:13 <iqbalmohomed_> That's what i figured ... if we have a special launcher privileged container, we could use it to spawn child containers on a compute node
22:21:41 <iqbalmohomed_> I was thinking more about sets of containers as opposed to single containers
22:22:05 <iqbalmohomed_> i'm not sure how much the container service wants to think about groups of containers rather than singletons
22:22:06 <adrian_otto> yes, although we do not attempt to address multi-tenant security concerns, so you'd need to match it to use cases where you are not running hostile workloads on the same compute node
22:22:47 <adrian_otto> well, Magnum would allow containers to have a parent
22:22:53 <iqbalmohomed_> right ... multi-tenancy is a bit problematic if the privileged container allows user access
22:22:58 <adrian_otto> so you could arrange them in a hierarchy
22:23:12 <adrian_otto> iqbalmohomed_: yes, exactly.
22:23:13 <iqbalmohomed_> anyways ... just wanted to throw out a design which would not use ironic
22:24:20 <adrian_otto> yes, nested containers can work by either using a privileged container as the root entity, or awaiting Linux kernel features that allow nested unprivileged containers
22:24:37 <adrian_otto> that's technically possible, and I believe is in progress
22:24:45 <adrian_otto> although I have not confirmed that yet
22:24:51 <iqbalmohomed_> yup ... i've been reading this as well
22:25:06 <iqbalmohomed_> with the latter, the multi-tenancy concerns are much reduced
22:25:42 <adrian_otto> well, as long as the users recognize that the level of security isolation offered by type 1 hypervisors is not the same as the isolation provided by containers
22:26:46 <iqbalmohomed_> So in the case of ironic, the top-level host of containers is not shared by multiple tenants ... is that right?
22:26:49 <adrian_otto> the fact that containers share a single kernel per host, and that all containers have access to the full syscall table by default, presents a different risk profile for multitenancy
22:27:01 <adrian_otto> yes, that's correct.
22:27:24 <adrian_otto> the "instance" would belong to one tenant, and only his/her containers could land on it
22:27:43 <iqbalmohomed_> cool ... makes sense ... thx
22:27:46 <adrian_otto> whereas if the base instance is a container, you might have >1 per host
22:28:01 <adrian_otto> depending on the sizing of the container and the sizing of the host, etc.
22:28:35 <adrian_otto> Magnum could allow the ratio of instances to containers to be configurable
22:29:17 <adrian_otto> or just leave it up to the scheduler
22:29:48 <adrian_otto> ok, I put the next 4 meetings up on the calendar at https://wiki.openstack.org/wiki/Meetings/Containers#Weekly_Containers_Team_Meeting
22:30:24 <adrian_otto> any other discussion before we wrap up for today?
22:31:02 <adrian_otto> ok, thanks everyone for attending
22:31:13 <iqbalmohomed_> bye ... take care
22:31:18 <Slower> thanks!
22:31:34 <adrian_otto> our next meeting is Tuesday 2014-09-30 at 1600 UTC
22:31:41 <adrian_otto> #endmeeting