21:00:47 <strigazi> #startmeeting containers
21:00:48 <openstack> Meeting started Tue Feb 12 21:00:47 2019 UTC and is due to finish in 60 minutes.  The chair is strigazi. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:00:49 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
21:00:51 <openstack> The meeting name has been set to 'containers'
21:00:59 <strigazi> #topic Roll Call
21:01:02 <eandersson> o/
21:01:07 <schaney> o/
21:01:08 <strigazi> o/
21:01:15 <jakeyip> o/
21:01:17 <colin-> \o
21:01:24 <imdigitaljim> o/
21:02:02 <strigazi> #topic stories/tasks
21:02:43 <strigazi> 1. Regarding CVE-2019-5736 in fedora atomic host, looks like we are covered
21:03:04 <colin-> nice
21:03:15 <strigazi> the fs of fedora atomic is immutable so an exploit can not overwrite the runc binary
21:03:53 <strigazi> also selinux protects users against an exploit of it.
21:04:18 <colin-> oh, i thought you meant you had patched for it
21:04:23 <colin-> i'm not as sure about those things
21:04:27 <strigazi> unfortunately we have it disabled on k8s. I'm testing if we can enable it
21:04:57 <strigazi> I'm checking with the fedora community
21:05:08 <strigazi> I'll let you know
21:06:05 <strigazi> 2. For the cluster autoscaler, we have a public branch which is fully functional and we'll push it to kubernetes/autoscaler. https://github.com/cernops/autoscaler/tree/magnum-autoscaler-release-1.0
21:06:13 <colin-> cool. there's some sample exploit code attached to this report if anyone needs to test https://www.openwall.com/lists/oss-security/2019/02/11/2
21:06:21 <colin-> (very generic)
21:06:34 <strigazi> colin-: I'll try to repro
21:07:26 <strigazi> 1 and 2 were a bit generic. next:
21:07:52 <strigazi> eandersson: and others can you have a quick look into these two so we can take them:
21:08:06 <strigazi> k8s_fedora: Deploy tiller https://review.openstack.org/#/c/612336/
21:08:39 <strigazi> [k8s_fedora] Add heat-agent to worker nodes https://review.openstack.org/#/c/561858/ oh, flwang approved it
21:09:41 <strigazi> That's it from me. Does anyone else want to bring something up?
21:10:22 <schaney> mind if I add some comments and questions to the CA PR?
21:11:02 <strigazi> schaney: go for it
21:11:46 <strigazi> schaney: I was thinking we can open the PR to k/a first, but we can bring the discussion there when it is open
21:11:56 <schaney> that works as well
21:12:35 <strigazi> but it is public for that reason, so as you want :)
21:12:49 <strigazi> better comment now so you don't forget :)
21:12:56 <colin-> strigazi: did you ever try using the ipvs transport layer on your clusters?
21:13:00 <colin-> as opposed to iptables or similar
21:13:03 <strigazi> nope
21:13:10 <colin-> ok
21:13:47 <schaney> is this PR up to date? https://github.com/cernops/autoscaler/pull/3  not sure the differences between that and the release branch
21:14:18 <strigazi> the release branch is up to date
21:14:36 <strigazi> not sure where Thomas left the pr. lemme check
21:15:58 <strigazi> schaney: sorry I can not tell with certainty
21:17:13 <schaney> ok, I'll use the existing PR but make sure the code is consistent with the branch, unless that PR is known to be out of date?
21:17:22 <imdigitaljim> one random question with your autoscaler, have you tried on templates >= queens?
21:17:42 <imdigitaljim> since resources have had some changes since juno
21:18:03 <imdigitaljim> https://github.com/openstack/magnum/blob/master/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml#L1
21:18:47 <strigazi> schaney: maybe this helps https://github.com/cernops/autoscaler/compare/magnum-autoscaler-release-1.0...tghartland:openstack-provider
21:19:37 <imdigitaljim> well
21:19:38 <strigazi> imdigitaljim: no
21:19:44 <imdigitaljim> if you didnt have the PR with vendor folder
21:19:48 <imdigitaljim> it would be reviewable /shrug
21:19:59 <imdigitaljim> 1307 files is a lot to browse through
21:20:50 <schaney> looks like a lot of extra gophercloud stuff yeah
21:20:54 <strigazi> imdigitaljim: it is reviewable, you can ignore the vendor files
21:21:54 <strigazi> the gophercloud changes are very clear here: https://github.com/cernops/autoscaler/commits/magnum-autoscaler-release-1.0
21:22:31 <imdigitaljim> well we cant really comment on this PR effectively https://github.com/cernops/autoscaler/pull/3/files
21:22:35 <imdigitaljim> is all i mean
21:22:55 <imdigitaljim> in fact it hardly loads
21:22:57 <imdigitaljim> :P
21:25:21 <strigazi> I'll ping you tmr then, when the PR will be up
21:25:36 <strigazi> github nicks?
21:25:49 <strigazi> same as here?
21:25:59 <imdigitaljim> jim-bach
21:26:03 <imdigitaljim> or jabach@blizzard.com
21:26:09 <imdigitaljim> i can forward to others
21:26:14 <schaney> scott-chaney or schaney@blizzard.com
21:26:32 <strigazi> excellent
21:26:39 <schaney> thanks!
21:28:50 <strigazi> anything else for the meeting?
21:29:08 <colin-> itsc0lin on git
21:29:10 <colin-> nope
21:29:26 <strigazi> thanks colin-
21:29:36 <jakeyip> nope
21:30:11 <imdigitaljim> thanks spyros!
21:30:27 <strigazi> thanks everyone. see you next week o/
21:30:32 <imdigitaljim> \o
21:30:37 <strigazi> #endmeeting