18:00:47 <vbatts|work> #startmeeting 2015-01-27 discussion
18:00:47 <collabot> Meeting started Wed Jan 27 18:00:47 2016 UTC. The chair is vbatts|work. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:47 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:00:47 <collabot> The meeting name has been set to '2015_01_27_discussion'
18:00:52 <vbatts|work> #chair wking
18:00:52 <collabot> Current chairs: vbatts|work wking
18:01:24 <tianon> (someone have the latest video link? the 1771332256 seems to be 404 again D: )
18:02:17 <jlb13> should be the same as ever, tianon
18:02:46 <jlb13> i'm in the call, can't sort out how to see the actual number. but it's saved in my phone, and is up and running
18:02:54 <tianon> doh, now it works
18:02:59 <jlb13> cool
18:03:48 <duglin> echo echo
18:04:22 <duglin> yup
18:04:27 <RobDolinMS> Good day :)
18:04:48 <mikebrow> fist bump
18:05:24 <RobDolinMS> #action duglin rebase ops PR
18:06:22 <wking> #link https://github.com/opencontainers/specs/pull/225#issuecomment-172633075
18:07:33 <jlb13> whoa. that was more like echo(echo(echo))).
18:08:03 <jlb13> bah. parser fail.
18:08:29 <RobDolinMS> #info Present: anuthan, crosbymichael, duglin, jlb13, Liangchenye, Mike Brown (mikebrow), Mrunal Patel (mrunal), RobDolinMS, tianon, wking, Vishnu Kannan (vishh)
18:08:45 <RobDolinMS> Doug: I agree with Michael, ...
18:08:57 <RobDolinMS> Doug: Whether someone else can see is up to the environment
18:09:33 <RobDolinMS> Crosby: The spec should at least say, if you create a container you should be able to get state.
18:09:37 <RobDolinMS> Jesse: Agree
18:09:53 <RobDolinMS> Jesse: leave delegated user and superuser as optional
18:10:18 <RobDolinMS> Trevor: What if I'm running a virtual host and launch nested containers using the same runtime?
18:10:24 <mikebrow> I don't think we should recurse
18:10:31 <mikebrow> into the children
18:10:38 <RobDolinMS> #info Present: Guest (vbatts)
18:11:12 <RobDolinMS> Doug: This isn't just about querying state, it's about other operations
18:11:53 <RobDolinMS> Jesse: I would not be opposed to different operations having different credentials
18:12:03 <RobDolinMS> Crosby: There are many ways to do auth;
18:12:14 <RobDolinMS> Crosby: If you create it, you can get it.
18:12:52 <RobDolinMS> Crosby: If a runtime is smart and can act on nested containers (or some sort of pod level) that's great, but not required
18:13:12 <RobDolinMS> Jesse: What about multi-tenancy
18:13:57 <RobDolinMS> Trevor: Sounds like we're closer than the current PR text
18:14:30 <wking> #topic when are pre-start hooks executed?
18:15:02 <wking> crosbymichael: possible security concerns
18:15:19 <wking> mrunal: we may need pre- and post-mount hooks to work around any pivot-roots
18:15:55 <wking> crosbymichael: for more specific, "right before the process is jailed within the rootfs, run the pre-start hooks"
18:16:22 <wking> mrunal: after the configured mounts, but before the pivot
18:17:19 <wking> what about not having a pivot?
18:17:51 <wking> crosbymichael: what's the point without a pivot? You're probably on your own with unspecified behavior if you don't pivot
18:17:52 <RobDolinMS> Crosby: as the user, you get the same functionality out
18:18:14 <RobDolinMS> Vish: but the spec wouldn't restrict?
18:18:19 <RobDolinMS> Mrunal: right
18:18:34 <RobDolinMS> Mrunal: Crosby's proposal would cover most use cases
18:18:45 <RobDolinMS> Trevor: Could someone talk about why it couldn't be further
18:18:59 <RobDolinMS> Mrunal: You would have already established some settings
18:19:32 <duglin> yea ! split start & create :-)
18:19:34 <wking> vishh: this would be easier without hooks
18:19:39 <RobDolinMS> Vish: What if hooks were handled outside?
18:19:55 <RobDolinMS> Mrunal: It would not cover pre-mount and post-mount
18:20:11 <wking> also for adding the container process to cgroups
18:20:20 <RobDolinMS> Vish: Can you write-up some examples?
18:20:57 <RobDolinMS> Crosby: If we want hooks to only be on the house side, the hooks would have to know how to do (set?) and (nest?)
18:21:21 <RobDolinMS> Mrunal: that's how it is in runc right now
18:21:30 <RobDolinMS> Mrunal: it gives the most flexibility
18:21:44 <RobDolinMS> Mrunal: Example: having hooks write before and after container mounts are done
18:22:20 <RobDolinMS> Mrunal: After the pivot, you don't have access to the host mounts
18:22:50 <RobDolinMS> Vish: Can we come-up with an example case that doesn't work?
18:22:50 <wking> vishh: wants a case where mount propagation wouldn't work
18:23:00 <wking> vishh: the less we do, the more flexible the whole design will be
18:23:15 <RobDolinMS> #Action: Mrunal post example case that doesn't work
18:23:41 <RobDolinMS> Vish: Hooks are awesome, we're just going to make it awesomeer
18:24:01 <RobDolinMS> ( ^ one line summary of the meeting :) )
18:24:17 <wking> vishh: instead of adding more hooks, just make a sandbox and let the user do whatever they want to the sandbox before launching a process in the sandbox
18:24:40 <wking> #topic JSON Schema validation
18:24:41 <RobDolinMS> #topic JSON Schema
18:24:58 <wking> #link https://github.com/opencontainers/specs/pull/313
18:25:01 <RobDolinMS> Vincent: It's getting closer
18:26:02 <RobDolinMS> Vincent: It's pretty good; integer ranges can be specified
18:26:31 <RobDolinMS> Vincent: I have not seen tooling on generating a sample JSON document from a schema
18:27:02 <RobDolinMS> Vincent: Could be built into OCI validation tooling
18:27:40 <RobDolinMS> Vincent: Could be self-versioned or could have schema that validates the released version
18:28:00 <RobDolinMS> Mrunal: How well does it handle the optional fields?
18:28:11 <RobDolinMS> Vincent: Pointers are a challenge
18:28:58 <RobDolinMS> Vincent: Everything is implied optional; can add to indicate required
18:29:36 <RobDolinMS> Vincent: The Linux field in the config file references out to a LinuxSchema.json
18:30:05 <RobDolinMS> Vincent: May be a bit complex to have some fields required and some not based on different platforms
18:30:21 <RobDolinMS> Mrunal: I'll take a look from a runc perspective
18:31:05 <RobDolinMS> Trevor: There are lots of validators, if one doesn't work, we can replace
18:31:37 <RobDolinMS> Vish: Are you using Swagger?
18:31:49 <duglin> aka wsdl :-)
18:32:06 <RobDolinMS> #link https://openapis.org/
18:32:25 <RobDolinMS> Vincent: It's largely a forward dialect of JSON Schema
18:32:37 <RobDolinMS> Vincent: There is additional markup to accommodate XML and YAML
18:33:54 <RobDolinMS> Vincent: Moving to OAI / Swagger is not blocked by starting with JSON Schema
18:34:26 <RobDolinMS> #action Vincent to continue iterating
18:34:33 <RobDolinMS> #topic Create and Start
18:34:48 <RobDolinMS> #info Doug has a PR and would like someone to take a look
18:34:57 <RobDolinMS> #action vishh to take a look at PR
18:35:07 <RobDolinMS> #topic Issues for v0.4
18:35:25 <duglin> vishh the PR is on runc
18:35:31 <vishh> ack
18:35:51 <RobDolinMS> Call for "release captain"
18:36:02 <RobDolinMS> #action Mrunal will start a thread about v0.4 issues
18:36:18 <RobDolinMS> #EndMeeting
18:36:43 <mikebrow> Post meeting chat discussion… https://github.com/opencontainers/runc/pull/507
18:36:43 <mikebrow> Should the runc list command be true to the stored state on disk or should it refresh state on those containers
18:36:43 <mikebrow> to make sure check the state at the point of reporting it is correct. Then if refresh is the choice we pick
18:36:45 <mikebrow> should we report or have the option of reporting the differences?
18:37:16 <crosbymichael> mikebrow: just go by what the container.State() returns
18:37:25 <crosbymichael> if changes are needed we will make them to that api
18:37:27 <crosbymichael> not in runc
18:37:44 <RobDolinMS> (Did we have MeetBot running for the minutes? )
18:37:46 <mikebrow> makes sense
18:38:16 <mikebrow> Thx @crosbymichael
18:38:25 <tianon> RobDolinMS: yeah, although I don't think you were ever added as #chair
18:38:37 <tianon> ping vbatts|work
18:38:43 <tianon> (to end the meeting)
18:39:03 <wking> #endmeeting