21:00:59 <vbatts> #startmeeting 2016-07-27 discussion 21:00:59 <collabot> Meeting started Wed Jul 27 21:00:59 2016 UTC. The chair is vbatts. Information about MeetBot at http://wiki.debian.org/MeetBot. 21:00:59 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic. 21:00:59 <collabot> The meeting name has been set to '2016_07_27_discussion' 21:01:09 <wking> vbatts: chair me? 21:01:23 <vbatts> ah yeah 21:01:27 <vbatts> #chair wking 21:01:27 <collabot> Current chairs: vbatts wking 21:01:39 <wking> cyphar: asks for an email with a link to the IRC log about a console problem, but he's still not clear on the details 21:01:50 <wking> #topic console handling in runtime implementations 21:02:08 <cyphar> correction: it's an lxc issue that I was discussing and aksed how they did it 21:02:08 <wking> mrunalp: the last time I checked they were doing something different from runC 21:02:17 <wking> thanks cyphar 21:02:30 <cyphar> and apparently they had issues with opening the console inside the container 21:02:43 <cyphar> but I don't have the irc log right now, so not sure at the moment 21:02:55 <wking> mrunalp: is crosbymichael around? 21:03:04 <wking> mrunalp: maybe we should start with image-spec? 21:03:11 <wking> #topic image-spec 0.4.0 21:03:20 <wking> philips: I think we're good here? What still has to happen? 21:03:32 <wking> vbatts: stevvooe has updated the whiteout PR 21:03:42 <mrunalp> wking, I said that they were doing it similar to libcontainer ;) 21:03:50 <wking> ah, thanks :p 21:03:55 <mrunalp> pty pair is opened outside 21:04:04 <wking> vbatts: there are some AUFS nitpicks, but otherwise it looks good to me 21:04:06 <stevvooe> https://github.com/opencontainers/image-spec/pull/171 21:04:15 <philips> https://github.com/opencontainers/image-spec/issues?utf8=%E2%9C%93&q=milestone%3Av0.4.0 21:04:33 <wking> cyphar: I'm confused by "generate ... but accept both" wording 21:05:00 <wking> vbatts: it could be more concicisly atomized, but there are two whiteout styles 21:05:21 <wking> vbatts: to my knowledge, only AUFS handles the opaque file format 21:05:39 <wking> stevvooe: the point is that we want to accept opaque files, but we want to favor the whiteout version 21:05:42 <wking> cyphar: makes sense 21:05:56 <wking> vbatts: if there are wording issues, make suggestions in the PR 21:06:41 <wking> vbatts: other news in image-spec land: good to see more tooling around image-layout and conversions 21:07:14 <wking> vbatts: stevvooe, you were going to reach out to some Docker folks? 21:07:42 <wking> vbatts: you'd mentioned a --format flag for save/load; I'm not sure about our next steps on compatiblity with Docker import/export 21:07:56 <wking> stevvooe: any help would be appreciated, but suggest changes to docker save/load 21:08:05 <wking> stevvooe: it sounds like rkt also has an implementation 21:08:22 <wking> https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/Am7byGvLCUQ 21:08:39 <wking> stevvooe: I was planning on road-mapping it for 10.13, but feel free to submit PRs 21:08:51 <wking> vbatts: I'm not aware of any work in progress on that 21:09:15 <wking> https://github.com/cyphar/oboci 21:09:30 <wking> cyphar: I want to point ^ at a directory and get some layers, but couldn't find anything convenient 21:09:33 <cyphar> https://github.com/opencontainers/image-spec/pull/159 21:10:02 <wking> vbatts: There were some footnotes in your email, but maybe it was missing a link? 21:10:27 <wking> cyphar: any thoughts on image-spec#159? 21:13:10 <wking> vbatts: no particular opinion yet, but I need more time for review 21:13:28 <wking> philips: and we're talking about it because it needs more review? 21:13:38 <wking> stevvooe: my concern is that it's too naive 21:13:42 <wking> stevvooe: (the API) 21:13:56 <wking> stevvooe: we started close to that with docker/distribution, but that's now more complex 21:14:37 <wking> stevvooe: distribution and camlistore have good APIs 21:14:49 <wking> stevvooe: but if we agree that the interfaces aren't final, this is probably fine 21:15:02 <wking> philips: so maybe add a caveat about the interfaces not being stable 21:15:14 <wking> #action wking to update image-spec#159 with an unstable caveat 21:15:44 <wking> vbatts: stepping back. cyphar, how is oboci related to image-spec#159? 21:16:12 <wking> cyphar: dependant is probably too strong, but containers/images has an API oriented at skopeo, so it's not concerned with creating new images 21:16:37 <wking> cyphar: it's useful for translating between formats, but there's not a convenient "create a new layer" library 21:16:38 <vbatts> #link https://github.com/containers/image 21:16:45 <philips> left a note https://github.com/opencontainers/image-spec/pull/159#discussion_r72525379 21:17:02 <wking> cyphar: I'm not wild about implementing all of that in oboci. We all benefit from shared tooling 21:17:15 <wking> cyphar: who maintains the library is a separate issue, but I think we want it 21:17:31 <wking> stevvooe: you're saying we need a libcontainer like runC's in image-spec? 21:17:46 <wking> cyphar: that may be too far, but we need a library somewhere 21:18:21 <wking> philips: the tricky thing there is that the library (or whatever) needs to handle lots of formats, and we don't want Docker v1, etc. in an opencontainers tool 21:18:51 <wking> stevvooe: do we have that requirement for testing? 21:19:03 <wking> philips: for Docker v2.2 and image-spec, but not for all the other things 21:19:30 <wking> philips: I think we want an omni library inside of rkt, but I don't think we'd import and OCI-only library 21:19:54 <wking> cyphar: I'm not saying pull containers/image into OCI; I'm saying we're missing something for creation 21:20:13 <wking> stevvooe: if the goal is to prevent fragmentation, why is containers/image not part of the OCI? 21:20:44 <wking> vbatts: defining a Go-type interface is useful (for reporting media types and returning an OCI stream or something) 21:20:58 <wking> philips: I think defining an interface would be good, and I get the image-creation issue 21:21:10 <wking> philips: we can go to the TOB and suggest a Go interface for creation 21:21:17 <wking> vbatts: does it need that level of input? 21:21:36 <wking> philips: we need to clear up this sort of thing and ocitool. Having a TOB meeting to clean all that up would be good 21:21:48 <wking> vbatts: I don't disagree, but, yeah... 21:22:04 <wking> philips: we can also just seed it in oci-image-tool 21:22:21 <wking> vbatts: I was thinking of adding this to the validation tool with a public Go interface 21:22:44 <wking> how is this different from Descriptors? 21:22:59 <wking> stevvooe: this is a framework for handling differnt media types 21:24:00 <wking> stevvooe: I think the way forward is to iterate on oci-image-tool's internal library 21:24:17 <wking> stevvooe: and eventually we can pull off the "unstable" caveat and pull it out into its own project 21:24:27 <wking> philips: sounds good 21:24:37 <wking> ^ switch the last two author 21:24:44 <cyphar> ;) 21:24:53 <stevvooe> s/stevvooe/philips/ and s/philips/stevvooe -> same result 21:24:55 <wking> vbatts: that's it for image-spec 21:25:26 <wking> vbatts: we could clarify 1.0-specific things in the milestones to get a burn list or whatever 21:25:34 <vbatts> https://github.com/opencontainers/image-spec/milestone/3 21:25:42 <wking> vbatts: do we need more trackers so the 1.0 milestone reflects our plans? 21:26:56 <wking> philips: I look at this as a backlog for our next release, which may become a 0.5.0 21:27:02 <wking> philips: anyone have burning issues? 21:27:28 <wking> stevvooe: are there post-1.0 items to move back? Like a plan for signing/naming? 21:27:48 <wking> philips: I think where we're at with naming is that it's tied with being able to transport something 21:28:13 <wking> philips: signing is a bit more nebulous. Where does the signature go? Ideally it's an external object, but then how do you find it? 21:28:23 <wking> cyphar: how does skopeo handle naming/signing 21:28:35 <wking> vbatts: I'll have to defer to Milslav on that now 21:28:54 <wking> cyphar: There's a detached GnuPG signature, but I'm not sure how it's transported 21:29:05 <wking> philips: where to people put detached metadata like that? 21:29:30 <wking> cyphar: and if you detach it, now you have to determine what is signed 21:29:50 <wking> cyphar: if you have an external "here's my signature", you can't put the sig hash in the object itself 21:30:09 <wking> https://github.com/opencontainers/image-spec/issues/176 21:30:24 <wking> ^ signed name-assertion CAS objects 21:30:48 <wking> stevvooe: ELF sections have well-known names that reference various parts of the data 21:30:54 <wking> philips: as refs? 21:31:00 <wking> stevvooe: I'm not sure, but something like that 21:31:21 <wking> stevvooe: the main thing is that I want some idea of what naming will look like in an image-layout 21:31:35 <wking> stevvooe: folks expect docker save/load to include naming and verification 21:32:20 <wking> stevvooe: TUF / rpm / aci have pre-existing approaches 21:32:30 <wking> vbatts: rpm is more convoluted than that 21:32:47 <wking> vbatts: rpm is effectively a binary key/value store with a signature inside one of those key/value pairs 21:33:02 <wking> vbatts: so signing the rpm (or sets of rpms) adjusts the rpms itself 21:33:16 <wking> stevvooe: I didn't know that they embedded signatures; has it always been like that? 21:33:39 <wking> philips: rpm archives sign top-level metadata (like TUF) and there are signatures in the rpm itself 21:33:44 <wking> vbatts: and it's been that way for a while 21:33:55 <wking> philips: in TUF it's completely separate from the image 21:34:10 <wking> philips: at the end of the day, TUF looks like yum 21:34:22 <wking> stevvooe: there might be a pointer back? 21:34:35 <wking> philips: the image says "my public sigs may be found at {location}" 21:34:48 <wking> stevvooe: I dunno, but it needs to be thought through 21:35:02 <wking> philips: I think we're still missing models for what we're doing 21:35:13 <wking> philips: we still haven't solved the transportable, out-of-band verification 21:35:38 <wking> philips: so for triage, I think we should leave this to post 1.0 21:35:53 <wking> cyphar: does anyone know where crosbymichael is? 21:36:25 <wking> philips: next steps: vbatts or I can send a mail about getting to the end of 0.4 and calling for 1.0 issues 21:37:09 <wking> philips: last call for image-spec? 21:37:21 <wking> #topic console handling and the command-line API 21:37:31 <wking> mrunalp: cyphar can you give an update? 21:38:27 <wking> cyphar: after the container has been created, you open the pseudoterminal pair in the container 21:38:36 <wking> cyphar: where should the master file descriptor go? 21:38:52 <wking> cyphar: you can have --socket UNIX_SOCKET and use cmsg to send the master back out 21:39:12 <wking> cyphar: the other solution is to store it in the state JSON, but then someone has to hold it open until the caller opens it 21:39:45 <wking> cyphar: with the socket approach, the higher level of the socket can get the master, and then the container can close it's copy of the master 21:40:20 <wking> cyphar: there's no current way for us to handle duping /dev/null over descriptors, but we don't support that at the moment 21:40:30 <wking> cyphar: do we want to support /dev/null duping? 21:40:47 <wking> cyphar: if we open /dev/ptmx inside the container, do we require the spec to have certain mounts? 21:40:57 <wking> cyphar: you'll have to have a /dev/ptmx mount 21:41:15 <wking> cyphar: or if opening the console fails, do we error out? 21:42:04 <wking> I think we already require those dev bits: https://github.com/opencontainers/runtime-spec/blob/v1.0.0-rc1/config-linux.md#default-file-systems https://github.com/opencontainers/runtime-spec/blob/v1.0.0-rc1/config-linux.md#default-devices 21:42:40 <wking> cyphar: this will all be done inside the container, but with --console this doesn't happen in the container unless you bind mount the path somewhere inside the container 21:44:02 <wking> mrunalp: my concern is can we land this in runC? Is this delaying 1.0? 21:44:11 <wking> mrunalp: can we land --console for now? 21:44:18 <wking> mrunalp: crosbymichael, thoughts? 21:44:22 <wking> crosbymichael: not really 21:44:31 <wking> mrunalp: can we land #513 without mentioning this flag 21:44:37 <wking> crosbymichael: you need a working implementation 21:46:16 <wking> Currently #513 doesn't talk about --console or --socket or whatever 21:46:45 <wking> cyphar: you could also handle the socket with a JSON payload [wking: or something, I didn't quite catch this] 21:46:52 <wking> mrunalp: we need to land something before 1.0 21:47:05 <wking> cyphar: right now it's pretty vague 21:47:17 <wking> cyphar: I'm not sure what process.terminal means 21:48:35 <wking> mrunalp: I can help with the new approach. cyphar, let me know 21:49:06 <wking> cyphar: if we land runtime-spec#513, I think we still need adjustments around some MUST wording 21:49:37 <wking> mikebrow: the current MUST for standard streams inheriting makes --console illegal 21:49:58 <wking> mikebrow: I'd like that language to be at least supportive of future changes 21:50:18 <wking> crosbymichael: the current spec is so set in stone, or whatever you want to call it, that it doesn't make sense without TTY stuff 21:50:46 <wking> crosbymichael: quit rushing PRs in when they don't cover everything 21:51:07 <wking> cyphar: we're not punting on terminal, the current wording is blocking terminal 21:52:25 <cyphar> https://github.com/opencontainers/runtime-spec/pull/513/files#diff-0c1e5a5baa5649945697a530e09acbf5R35 21:53:46 <wking> cyphar: I don't think the current process.terminal is ambiguous 21:54:04 <wking> mrunalp: from last week, false means don't do anything special 21:54:25 <wking> mrunalp: true means the container's standard streams will be attached to a terminal 21:54:54 <wking> crosbymichael: There's a lot that has to happen beside attaching the slave, you also need to bind /dev/console, etc. 21:56:01 <wking> mrunalp: I can upgrade the open process.terminal with this information 21:56:20 <wking> https://github.com/opencontainers/runtime-spec/pull/518 21:56:49 <wking> cyphar: LXC had some problems with this, where you could exec into a container and start writing commands to the initial process 21:57:05 <wking> cyphar: you have to allocate a new TTY on Linux 21:57:31 <wking> crosbymichael: if we want a Unix socket so we can open a container inside the mount namespace 21:58:15 <wking> crosbymichael: There's also netlink and pipes in runC 21:59:22 <wking> cyphar: this fits into the ongoing nsenter reroll I'm currently working on 21:59:33 <cyphar> https://github.com/opencontainers/runc/pull/950 << refactoring of nsenter 21:59:41 <wking> crosbymichael: Maybe land the nsenter refactoring first, and then things like this would be easy 21:59:56 <philips> I have to drop. Bye everyone! 22:00:27 <wking> mrunalp: As long as we're blocked the order doesn't really matter. But I'll update #518 and then we can update #513 22:00:42 <wking> crosbymichael: And cyphar and I will work on getting the runC implementation in 22:01:05 <wking> mrunalp: anything else? 22:01:10 <wking> #end_meeting 22:01:14 <wking> #end-meeting 22:01:26 <wking> #endmeeting