03:00:04 <hongbin> #startmeeting zun
03:00:05 <openstack> Meeting started Tue Aug 29 03:00:04 2017 UTC and is due to finish in 60 minutes.  The chair is hongbin. Information about MeetBot at http://wiki.debian.org/MeetBot.
03:00:06 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
03:00:08 <openstack> The meeting name has been set to 'zun'
03:00:11 <hongbin> #link https://wiki.openstack.org/wiki/Zun#Agenda_for_2017-08-29_0300_UTC Today's agenda
03:00:14 <hongbin> #topic Roll Call
03:00:17 <Shunli> O/
03:00:18 <spn> o/
03:00:19 <Namrata> Namrata
03:00:21 <kiennt> hi 0/
03:00:22 <diga> o/
03:00:28 <mkrai> o/
03:00:30 <kiseok7> hi
03:00:47 <hongbin> thanks for joining the meeting Shunli spn Namrata kiennt mkrai kiseok7
03:01:03 <hongbin> let's get started
03:01:06 <hongbin> #topic Announcements
03:01:23 <hongbin> i have no announcement , anyone else has?
03:02:09 <hongbin> seem no
03:02:17 <hongbin> #topic Cinder integration
03:02:31 <hongbin> for this bp, there are some progress last week
03:02:49 <hongbin> i am working on two WIP patches, which i think it is ready to test
03:03:07 <hongbin> #link https://review.openstack.org/#/c/473115/
03:03:25 <hongbin> #link https://review.openstack.org/#/c/491271/
03:03:45 <hongbin> the first one is a big patch, i will split it into several smaller patches
03:04:32 <hongbin> basically, this is how it works: zun run --mount source=<vol_id>,destination=<path> <image>
03:04:56 <hongbin> the --mount option can be used multiple times to bind mount multiple volumes
03:05:31 <hongbin> any question so far?
03:05:59 <diga> hongbin: you are not using volume api, how mount is different from volume api ?
03:06:18 <hongbin> diga: i am using cinder api
03:06:26 <diga> okay
03:06:47 <diga> it means its a direct integration with Zun
03:06:53 <hongbin> yes
03:06:57 <diga> got it
03:07:54 <hongbin> ok, it looks there is no more question
03:08:09 <hongbin> then, we move to the next topic
03:08:19 <hongbin> #topic Introduce container composition (kevinz)
03:08:26 <hongbin> #link https://blueprints.launchpad.net/zun/+spec/introduce-compose
03:08:36 <hongbin> kevinz cannot join the meeting today
03:08:51 <hongbin> he uploaded several patches about capsule last week
03:08:51 <diga> for cinder integration using fuxi, I will update the patch today, some error needs to fix which I will update today. Due to some personal reason I couldn't work since 2 month
03:09:06 <hongbin> diga: ack
03:09:35 <hongbin> diga: you could leverage the code of my patches when integrating with fuxi
03:09:42 <diga> hongbin:  Yeah
03:09:53 <diga> hongbin: will take a look at it today
03:10:06 <diga> hongbin: and update my code accordingly
03:10:34 <hongbin> back to the capsule topic
03:10:58 <hongbin> kevin has submitted some unit tests patches last week, all are merged
03:11:19 <hongbin> that is all for this bp
03:11:30 <hongbin> any question for this topic?
03:12:06 <hongbin> ok, advance topic
03:12:08 <hongbin> #topic Add support for clear container (mkrai)
03:12:13 <hongbin> #link https://blueprints.launchpad.net/zun/+spec/support-secure-container
03:12:24 <hongbin> mkrai: want to lead the discussion of this topic?
03:12:30 <mkrai> hongbin: sure
03:12:59 <mkrai> The patches for supporting a new runtime parameter in zun create/run API were merged
03:13:25 <hongbin> awesome
03:13:27 <mkrai> There is a question on whether we should allow non-admin users to select runtime or not
03:13:30 <spn> yay!
03:13:47 <mkrai> What does the team think about it?
03:13:59 <hongbin> yes, i raise this suggestion
03:14:07 <hongbin> i could explain the rationale a bit
03:14:23 <hongbin> i see the --runtime option as a dangerous operation
03:14:32 <spn> mkrai: did you mean changing runtime for spinning containers by non-admin users?
03:14:41 <mkrai> spn: Yes
03:15:00 <hongbin> because users could use it to choose a runtime that is more secure or less secure
03:15:17 <hongbin> i think we need a way to restrict the choice of runtime
03:15:42 <hongbin> option 1: introduce a config (i.e. enabled_runtime) to specify a list of choosable runtime
03:15:55 <spn> hongbin: I am not sure I understood that argument. Why shouldn't users be allowed to change his runtime to secure or non-secure
03:15:57 <hongbin> option 2: disallow non-admin user to specify the --runtime option
03:16:22 <mkrai> hongbin: My opinion was to let non-admin users also choose runtime so that they have the flexibility to run their container with any of the available option
03:16:26 <hongbin> spn: i assume there are two 'runtime': docker or clear container
03:16:55 <hongbin> spn: if user can choose docker over clear container, i assume it is less secure
03:17:20 <hongbin> spn: for example, if i am a public cloud provider, i will enforce clear container as the only runtime
03:17:37 <hongbin> spn: make sense?
03:17:46 <spn> hongbin: I agree what you said. but not every user may need a clear container all the time based on his requirement.
03:18:16 <mkrai> spn: I agree on that, the users might want to change the runtime based on their requirement
03:18:17 <hongbin> mkrai: ack
03:18:18 <spn> but yes for public cloud there should be an option for admin to restrict it
03:18:37 <hongbin> then, how about option #1
03:19:04 <spn> so why don't we drop in an option for admin so that he can decide whether on this cloud a user can change container or not
03:19:22 <hongbin> spn: +1
03:19:30 <spn> imagine this situation where on the horizon UI, if a user is allowed to change container
03:19:57 <spn> he gets an option to click on a check box or something like that which specifies type of container also as an option.
03:20:21 <spn> cc is one type of an option , future can be any other type of runtime
03:20:45 <kiennt> spn: sound good +1
03:20:52 <mkrai> hongbin: I didn't get the option #1 clearly
03:21:12 <hongbin> mkrai: there is a config called "enabled_runtime"
03:21:14 <mkrai> hongbin: Does it mean that it can contain both docker and clear container ?
03:21:32 <spn> mkrai: if we had a config option like allowed_docker_runtimes = " docker, coe"
03:21:38 <spn> etc
03:21:38 <mkrai> And this might vary for other projects like just docker or just clear container
03:21:42 <hongbin> mkrai: yes, it could be enabled_runtime=docker,cc, or enabled_runtime=cc
03:22:03 <mkrai> Ok so that non-admins have right to choose from the list?
03:22:10 <hongbin> yes
03:22:15 <spn> yes.. allowed list
03:22:20 <spn> and admin decides the list
03:22:32 <spn> if admin says only coe just one option is shown to users
03:22:32 <mkrai> But this option will be applied to all the projects
03:23:02 <spn> mkrai: can this be forced upon project basis?
03:23:10 <mkrai> how to handle case when a admin in a project wants a different list than other project?
03:23:23 <mkrai> spn: Yes i am also thinking of the same case
03:24:02 <mkrai> hongbin: Does it make sense?
03:24:33 <hongbin> mkrai: frankly, i couldn't think of use case that requires a per-project allowed list
03:25:10 <spn> like a finance team in the company which uses containers should be forced with cc
03:25:16 <spn> not all need it
03:25:30 <hongbin> ok, that make sense
03:25:47 <hongbin> then, the question is how to do it :)
03:25:55 <spn> if it needs to be project specific then it should be zun command line tunable
03:26:04 <mkrai> spn: +1
03:26:14 <mkrai> hongbin: Right
03:26:30 <hongbin> spn: yes, that should work
03:26:56 <mkrai> Ahh I am sensing a new kind of resource in Zun :D but that might not be needed
03:27:16 <mkrai> hongbin: spn we might need to store info with some resource
03:27:32 <mkrai> store the enabled_driver info in db
03:28:32 <hongbin> yes if we go that path
03:28:43 <Shunli> I guess it should be info of compute node.
03:28:46 <mkrai> I will start to work on this implementation and present the idea in next meeting
03:28:58 <mkrai> I will discuss with spn
03:28:59 <spn> mkrai: +1
03:29:10 <hongbin> ok, sound good
03:29:12 <mkrai> Shunli: ack
03:29:28 <Shunli> as the clear container should run in clear linux, right?
03:29:44 <mkrai> Shunli: it can run on other OS also
03:29:50 <mkrai> Like Ubuntu Cent OS etc
03:30:08 <spn> mkrai: but the image is special
03:30:21 <Shunli> mkrai: thx ,ack
03:30:22 <spn> it should have a particular kernel version isn't it
03:30:28 <mkrai> spn: Yes we need to install clear container on each compute node
03:30:54 <spn> mkrai: I am talking about changes inside the glance image? if any
03:31:18 <mkrai> spn: Which glance image?
03:31:32 <spn> sorry I meant the docker image which runs on cc
03:32:13 <mkrai> It is same as the normal image
03:32:24 <spn> mkrai: ok got it
03:32:57 <mkrai> hongbin: that's all from me :)
03:33:02 <hongbin> thanks mkrai
03:33:12 <Shunli> thanks mkrai
03:33:19 <spn> mkrai: thanks for bringing this discussion :)
03:33:32 <hongbin> #topic NFV use cases (lakerzhou)
03:33:35 <mkrai> Thank you all for a good discussion :)
03:33:40 <hongbin> #link https://etherpad.openstack.org/p/zun-nfv-use-cases
03:33:59 <hongbin> for this one, Shunli is working on several patches about pci
03:34:29 <hongbin> Shunli: do you have more details to add?
03:34:52 <Shunli> i struggled on the unit test last week. so the pci patch is a bit slow
03:35:12 <Shunli> just uploaded a pci device db model yesterday
03:35:36 <Shunli> no more progress about the pci feature.
03:35:42 <hongbin> #link https://review.openstack.org/#/c/498286/
03:35:58 <hongbin> Shunli: i think those are good progress
03:36:10 <hongbin> Shunli: thanks for the work
03:36:44 <Shunli> hongbin: the api version controller breaks the unit.
03:37:03 <Shunli> i cannot solve it, need someone to help on it.
03:37:03 <hongbin> Shunli: which patch?
03:37:24 <Shunli> the network detach api patch. it's random.
03:37:42 <Shunli> even after i add the http header of api version for ut
03:37:57 <Shunli> it still fails sometimes.
03:38:07 <hongbin> this one? https://review.openstack.org/#/c/493787/
03:38:16 <Shunli> https://review.openstack.org/#/c/493787/
03:38:56 <Shunli> not sure if someone familiar with the pecan route, can dig into this problem.
03:39:18 <mkrai> Shunli: I also added the api-version in header for unittest
03:39:23 <mkrai> otherwise it failed
03:39:46 <hongbin> however, the gate looks all pass
03:39:55 <Shunli> yes, it succeeds sometimes, sometimes fails.
03:40:27 <hongbin> ok, we can work on that offline
03:40:47 <Shunli> ok.
03:41:05 <hongbin> all, any other comment on this topic?
03:41:33 <hongbin> #topic Open Discussion
03:41:53 <hongbin> all, any topic that you want to discuss with the team?
03:42:01 <kiennt> hi, i have one
03:42:05 <kiennt> https://etherpad.openstack.org/p/zun-multihost-problems
03:42:08 <kiennt> #link https://etherpad.openstack.org/p/zun-multihost-problems
03:43:16 <kiennt> zun multi-host scenario has some problems and I need advice.
03:43:27 * hongbin is reading the etherpad
03:46:11 <hongbin> kiennt: i couldn't figure out what was wrong , need to find some time to setup the environment to reproduce the error
03:47:18 <hongbin> kiennt: i will get back to that after finishing the cinder bp
03:48:57 <kiennt> hongbin: Basically, Zun doesn't pass pool_id because subnet doesn't have subnetpool_id. So Kuryr will try to create new kuryr subnetpool (which already created in the 1st node)
03:49:22 <kiennt> Therefore it will raise exception Another pool with same cidr
03:49:37 <hongbin> yes
03:50:39 <hongbin> however, i don't have a solution in mind right now :)
03:51:20 <hongbin> perhaps this bp will help
03:51:22 <hongbin> #link https://blueprints.launchpad.net/kuryr-libnetwork/+spec/existing-subnet
03:51:27 <spn> kiennt: exist if detects no pool id by zun?
03:51:33 <spn> exit*
03:51:34 <Shunli> does neutron has the tag plugin enabled?
03:52:08 <kiennt> hongbin: np, it's a bit tricky :D thanks for the link
03:52:19 <kiennt> Shunli: yes, it does
03:52:36 <hongbin> Shunli: tag plugin is enabled after pike
03:52:59 <hongbin> it should be called "tag extension"
03:53:04 <Shunli> https://review.openstack.org/#/c/441024/
03:53:12 <Shunli> yes, tag extension
03:54:46 <hongbin> ok, let's work on the project this week, and rediscuss it at the next meeting
03:54:52 <kiennt> spn: yes, if zun can't pass pool_id, kuryr will create its subnetpool.
03:55:06 <kiennt> hongbin: yes
03:55:08 <kiennt> exist if detects no pool id by zun?
03:55:08 <kiennt> <spn> exit*
03:55:22 <kiennt> oh, wrong copy paste
03:55:27 <spn> :)
03:55:28 <kiennt> sorry, thank you all
03:55:51 <hongbin> any other topic to discuss?
03:56:13 <kiennt> none from me
03:56:20 <Shunli> no
03:56:29 <hongbin> ok
03:56:40 <hongbin> all, thanks for joining the meeting, see you next week
03:56:43 <hongbin> #endmeeting