flock2016
LOGS
12:31:36 <jzb> #startmeeting flock2016
12:31:36 <zodbot> Meeting started Tue Aug  2 12:31:36 2016 UTC.  The chair is jzb. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:31:36 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
12:31:36 <zodbot> The meeting name has been set to 'flock2016'
12:31:51 <jzb> Dan Walsh doing talk on Containers in Production
12:32:05 <jzb> put out paper internally, but will be exteral, about containers in production
12:32:33 <jzb> one thing - talk about devops all the time. New model putting out packages, release cycles, at this point, Docker is concentrated almost exclusively on the developer side.
12:32:51 <jzb> really concentrating on the developer. Trying to look from the operators point of view, what are operators looking for?
12:33:04 <jzb> Most container work concentrated on developer, docker-build docker commit
12:33:16 <jzb> standardization ,new tools can arise
12:33:27 <jzb> starting to see other groups starting to build container images using other tools
12:33:31 <jzb> good to have innovation
12:33:34 <jzb> ansible has playbooks
12:33:42 <jzb> openshift has a thing called s2i (Source to Image)
12:33:58 <jzb> talk about how Fedora is doing layered builds, another project going on for a while...
12:34:16 <jzb> as long as output is the same, we don't have to ship a Docker fully instrumented for building containers in production.
12:34:20 <jzb> copy on write filesystem
12:34:29 <jzb> when doing docker builds and commits, what is that?
12:34:44 <jzb> taking what I had before, COW filesystem
12:35:05 <jzb> when I'm running in production, I don't want application to be able to modify itself. we want to move towards a state where we're not using a COW filesystem.
12:35:11 <jzb> COWs have some problems
12:35:22 <jzb> DeviceMapper, btrfs break shared memor
12:35:25 <jzb> memory
12:35:49 <jzb> block based devices, problem with filesystem, kernel figures out that shared memory is the same.
12:36:01 <jzb> kernel looks @ filesystem, to see block device is the same
12:36:15 <jzb> as soon as I use DM or btrfs, kernel gets confused, both systems are using same lower-level image
12:36:41 <jzb> 10 containers ... with JRE, on a standard filesystem, you load 1 into memory, with cow you get 10
12:36:49 <jzb> overlayfs - doesn't have shared memory
12:36:59 <jzb> working very hard to fix it, SELinux support isn't there
12:37:04 <jzb> SElinux coming soon
12:37:39 <jzb> OverlayFS - not posix compliant filesystem
12:37:52 <jzb> problems based on assumptions with it being posix compliant
12:38:18 <jzb> open file for write, and open for read only, can wind up with two separate files.
12:38:23 <jzb> not the same file twice
12:38:55 <jzb> write performance suffers at larger scales with COW
12:39:04 <jzb> in production most images should never be modified
12:39:14 <jzb> don't want applications able to write to /usr when in production
12:39:30 <jzb> security much better if only can write to certain directories, COW do not support network storage
12:39:34 <jzb> doesn't work with NFS
12:39:38 <jzb> lose ability to share images
12:39:52 <jzb> each container server downloads gigabytes of images
12:41:26 <jzb> shared images == instant updates - all containers running the same code
12:41:33 <jzb> get rid of cow filesystems?
12:42:01 <jzb> in production we want to, but we can't
12:42:05 <jzb> we have pet filesystems
12:42:11 <jzb> correction: Pet containers
12:42:29 <jzb> atomic/openshift registry, taking docker registry service + additional features
12:42:40 <jzb> when someone does docker push to registry
12:42:45 <jzb> watches for messages about push
12:42:50 <jzb> application explodes onto ostree
12:43:03 <jzb> explodes filesystem to ostree filesystem
12:43:08 <jzb> first ability to do an atomic scan
12:43:16 <jzb> this looks for vulnerabilities
12:43:41 <jzb> approve or block for sharing via docker pull
12:45:55 <jzb> [video playing]
12:52:59 <jzb> system containers
12:53:19 <jzb> on an atomic host, software must be shipped as a container image
12:53:31 <jzb> how do you handle when software is installed as container?
12:53:41 <jzb> kubernetes requires etcd and flanneld.
12:53:50 <jzb> they have to be up before k8s, and docker needs all of those.
12:53:59 <jzb> these containers can be run with read/only images
12:54:12 <jzb> docker has problems with container priority
12:54:34 <jzb> but systemd can give priority to other things, but can't install etcd and flanneld
12:54:37 <jzb> and need docker
12:54:46 <jzb> so - came up with concept of system containers
12:54:59 <jzb> atomic command enhanced to handle system containers
12:55:15 <jzb> uses skopeo to pull image from registry
12:55:21 <jzb> use ostree to store image layers on disk
12:55:31 <jzb> create systemd unit file and uses runc to run container
12:55:47 <jzb> runc is a standardized part of open container initiative
12:55:57 <jzb> going to use runc inside systemd unit files
12:56:04 <jzb> atomic pull --oci etcd
12:56:44 <jzb> atomic install --oci etcd
12:56:57 <jzb> systemd enable etc
12:57:01 <jzb> ...
12:57:11 <jzb> using runc, systemd, ostree for backing store - but can't update container
12:57:25 <jzb> when new etcd comes out, need to pull a new container (and build)
12:57:27 <jzb> simple signing
12:57:32 <jzb> wanting to have concept of simple signing
12:57:37 <jzb> similar to what we use with RPM
12:57:47 <jzb> user can sign document ... "dan walsh trusts this image"
12:58:06 <jzb> "we dont' trust all images by dan walsh, but we'll sign ones we trust"
12:58:11 <jzb> so you add signatures
12:58:28 <jzb> adding concept to these tools, add gpg type signature
12:58:40 <jzb> allow users to pgp sign a lookaside cache
12:58:46 <jzb> allow signatures to be stored anywhere
12:59:03 <jzb> put 'em on a Web site, "there are 40K docker images, but I only trust these 4 - here are their checksums"
12:59:22 <jzb> really simple stuff, not a hierarchy
12:59:29 <jzb> letting people work with signing based on this concept
12:59:33 <jzb> policy rules engines
12:59:37 <jzb> to say who you trust
12:59:50 <jzb> set up a policy, only allow docker engine run applications signed by acme inc
13:00:49 <jzb> introducing the OCID effort
13:01:15 <jzb> look at new tool building called OCID - it's components needed by kubernetes in production
13:01:25 <jzb> container image transport - way to get image to local system
13:01:29 <jzb> need way to store images
13:01:37 <jzb> open container initiative runtime
13:01:41 <jzb> a way to start a container
13:01:50 <jzb> and then I need an api - a wrapper around this application
13:01:58 <jzb> Skopeo - greek for remote viewing
13:02:29 <jzb> used by atomic CLI to view container image data on registry (JSON data)
13:02:43 <jzb> don't have to pull image to look @ json metadata
13:02:59 <jzb> also figured we could add pull/push registry features.
13:03:14 <jzb> worked on splitting library from CLI w/CoreOS
13:03:27 <jzb> skopeo - two parts, cli and library
13:03:34 <jzb> might eventually be used by RKT
13:04:09 <jzb> storage - after pull image, need to be able to store on disk, anybody play with Atomic cli
13:04:16 <jzb> want to look @ content but not run
13:04:34 <jzb> several releases ago, added ability to mount (e.g., "atomic mount fedora /mnt"
13:04:53 <jzb> running containers, can do --live + go into container mount point and then go into container and see content show up
13:06:21 <jzb> graphc, graphtool, cowman, storetool
13:06:40 <jzb> create container storage ClI & library
13:06:48 <jzb> https://github.com/containers/storage
13:07:07 <jzb> tbd - add support ostree, and network storage (Ceph, Gluster, NFS)
13:07:37 <jzb> CoreOS could use it as its backend
13:08:23 <jzb> open container initiative , runc developed in OCI,
13:08:39 <jzb> runc is just an initial implementation of implementation
13:08:51 <jzb> clear linux is about to release a specification to run machines
13:08:58 <jzb> they follow oci spec
13:09:12 <jzb> docker 1.11 uses runc as default backend
13:09:29 <jzb> oci tool https://github.com/opencontainers/ocitools
13:11:26 <jzb> OCID container management API
13:11:36 <jzb> Open Container Initiative Daemon
13:11:40 <jzb> least developed part of project
13:11:50 <jzb> impelments kublet container runtime interface
13:12:02 <jzb> kubernetes / google server interface launching / running pods
13:12:08 <jzb> kubernetes wants to execute
13:12:15 <jzb> kubernetes uses skopeo to pull image
13:12:27 <jzb> ocid stores image on disk using storage
13:12:32 <jzb> then ocid runs container using runc
13:12:47 <jzb> standards based alternative to docker and rkt runtimes
13:12:57 <jzb> want to get into OCI
13:13:04 <jzb> not trying to replace docker
13:13:16 <jzb> trying to supplement -
13:13:36 <jzb> base on kubernetes but implementing same functionality
13:13:39 <jzb> for atomic
13:13:52 <jzb> move openshift to OCID by default
13:14:00 <jzb> and then have that standardized
13:14:18 <jzb> where docker is constantly changing, we dont' have to swap things out based on changes in Docker upstream
13:14:35 <jzb> containers in production will focus on system containers for ... in production
13:15:26 <jzb> non-production container == under development
13:16:56 <nardasev> question: Copr recently sucks
13:17:09 <nardasev> A: we are aware of that and are trying to fix it as hard as we can
13:17:44 <nardasev> huge rebuilds cause problems, some services time out...
13:17:56 <nardasev> we're trying to change the queue logic
13:19:55 <jzb> #endmeeting