21:02:34 <mrunalp> #startmeeting OCI_9_14 21:02:34 <collabot> Meeting started Wed Sep 14 21:02:34 2016 UTC. The chair is mrunalp. Information about MeetBot at http://wiki.debian.org/MeetBot. 21:02:34 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic. 21:02:34 <collabot> The meeting name has been set to 'oci_9_14' 21:02:50 <vbatts> Join the call: https://www.uberconference.com/opencontainers 21:02:53 <vbatts> Optional dial in number: 415-968-0849 21:02:55 <vbatts> No PIN needed 21:02:59 <mrunalp> stevvooe, ^^ 21:03:17 <stevvooe> i don't have access to a phone right now 21:03:28 <stevvooe> this was broken in the same way last week 21:03:31 <mrunalp> #chair vbatts 21:03:31 <collabot> Current chairs: mrunalp vbatts 21:03:32 <stevvooe> do we have support for this? 21:03:49 <mrunalp> stevvooe, We can follow up with Linux Foundation. 21:04:14 <philips> uber won't let me back in 21:05:06 <vbatts> ... 21:05:12 <philips> got in 21:05:48 <mrunalp> https://github.com/opencontainers/runc/pull/1018 21:05:52 <mrunalp> #topic https://github.com/opencontainers/runc/pull/1018 21:14:16 <philips> OMFG uber dropped me 21:16:36 <Guest77797> mrunalp: chair me? 21:16:45 <Guest77797> err, once I become wking ;) 21:16:59 <mrunalp> #chair wking 21:16:59 <collabot> Current chairs: mrunalp vbatts wking 21:17:02 <wking> thanks :) 21:17:11 <mrunalp> sure np :) 21:17:16 <wking> vbatts: the CI workflow has been limping along 21:17:41 <Guest95456> philips: do we want to remove the outstanding post-v1.0 issues? 21:17:50 <philips> https://github.com/opencontainers/image-spec/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aopen%20-label%3Acomponent%2Foci-image-tool%20-milestone%3Apost-v1.0.0 21:17:59 <Guest95456> #topic image-spec v1.0.0 milestone 21:18:08 <Guest95456> #link https://github.com/opencontainers/image-spec/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aopen%20-label%3Acomponent%2Foci-image-tool%20-milestone%3Apost-v1.0.0 21:18:15 <Guest95456> philips: PDF cleanup should be in the next milestone 21:18:22 <Guest95456> vbatts: the issue I just opened today? Yeah 21:18:29 <Guest95456> philips: do you mind if I move it to rc1? 21:18:31 <Guest95456> vbatts: no 21:18:59 <Guest95456> philips: hardlink verbiage? spec 21:19:04 <Guest95456> https://github.com/opencontainers/image-spec/issues/306 21:19:18 <Guest95456> stevvooe: we need to define how hardlinks are supported (or if they are not supported) 21:19:39 <Guest95456> vbatts: tar likes to keep a number of links on the file 21:19:56 <Guest95456> vbatts: some tar implementations like to keep those... 21:20:12 <Guest95456> vbatts: we don't want it to look like a change if the number of links changes 21:20:40 <Guest95456> vbatts: so you basically need a map for all files with inodes, major, minor, and see if there are chagnes 21:20:55 <Guest95456> vbatts: and once you consider hardlinks, you're in Linux-specific land 21:21:18 <Guest95456> vbatts: it's probably a "where applicable" optional layer for systems that support hardlinks 21:21:31 <Guest95456> stevvooe: in continuity we allow each ... to have multiple paths 21:21:50 <Guest95456> stevvooe: with a bit of content verification to make sure the content is the same, and then you get one entry for all those files 21:22:05 <Guest95456> stevvooe: the extra processing is costly (with a map, and maybe an extra pass) 21:23:01 <Guest95456> philips: just to be clear, this is just about serializing hardlinks 21:23:18 <Guest95456> vbatts: yes, and we want to preserve links, but not churn excessively 21:24:03 <Guest95456> philips: so the three options are "1.0 says hardlinks are legal", "1.0 says hardlinks are optional", and "1.0 defines something more specific" 21:24:18 <Guest95456> vbatts: it's been undefined so far. It would be good to make it more explicit 21:24:32 <Guest95456> philips: the current Docker layer format doesn't talk about this? 21:25:11 <Guest95456> stevvooe: there's definitely stuff in code 21:25:22 <Guest95456> stevvooe: I can hunt down that prior art 21:25:34 <Guest95456> stevvooe: it's tricky with multiple layers 21:25:52 <Guest95456> stevvooe: say you capture the hard-link in the top layer but not the bottom layer, you end up forking the content 21:26:23 <Guest95456> #topic order of layers in image-layout 21:26:30 <Guest95456> #link https://github.com/opencontainers/image-spec/issues/276 21:26:50 <Guest95456> vbatts: we just need a few lines to clarify things 21:26:59 <Guest95456> philips: the content order matters but the manifest order doesn't 21:27:04 <Guest95456> philips: or something ;) 21:27:26 <Guest95456> stevvooe: the manifest order matters to help folks that don't understand the config fetch optimally 21:27:46 <Guest95456> stevvooe: at some point a simple list may not be good enough and we'll want to relax that requirement 21:28:07 <vbatts> oh. 62% was for runtime vote (5/8). but image 5 votes is 2/3major (5/7 == 71%) 21:28:19 <Guest95456> philips: it doesn't hurt me if I do 20 parallel HTTP GETs, and it doesn't matter if they all arrive at once 21:28:37 <Guest95456> stevvooe: The layer list is the ideal order in which the downloads will finish 21:28:52 <Guest95456> stevvooe: is there an argument to relax that? 21:29:04 <Guest95456> philips: no, we just need to add that language to the config section 21:29:16 <Guest95456> stevvooe: I also saw some confusion about not having layers 21:29:22 <Guest95456> stevvooe: are there valid use cases for that? 21:29:38 <Guest95456> #link https://github.com/opencontainers/image-spec/issues/313 21:29:43 <Guest95456> philips: I don't have a reason for that 21:29:50 <Guest95456> stevvooe: is there a use case that matters? 21:30:48 <Guest95456> #topic manifest field order 21:30:56 <Guest95456> philips: it shouldn't matter. You have to keep the canonical JSON 21:31:09 <Guest95456> vbatts: it's good to be deterministic, but it doesn't really matter 21:31:34 <Guest95456> stevvooe: I think suggestion are fine, but we shouldn't require round-tripping 21:32:05 <Guest95456> philips: so suggest, but don't require 21:32:30 <Guest95456> stevvooe: I prefer spec order for readability, so you can pipe through jq and compare with the spec 21:32:50 <Guest95456> stevvooe: I really don't want to impose these requirements on Python and other implementations 21:32:59 <Guest95456> +1 on suggest but don't requite 21:33:01 <Guest95456> *require 21:33:21 <cyphar> sorry I'm late 21:33:41 <Guest95456> #topic distinguish REQUIRED vs. OPTIONAL 21:33:50 <Guest95456> #link https://github.com/opencontainers/image-spec/issues/251 21:34:01 <Guest95456> #action philips to distinguish REQUIRED vs. OPTIONAL 21:34:21 <Guest95456> #topic parent manifests in layers 21:34:26 <Guest95456> #link https://github.com/opencontainers/image-spec/issues/190 21:34:48 <Guest95456> stevvooe: the original issue was about swapping out underlying dependencies 21:35:07 <Guest95456> stevvooe: I floated an manifest as a layer entry, which is logically equivalent to including the layers 21:35:16 <Guest95456> stevvooe: vbatts suggested what we already have 21:35:28 <Guest95456> stevvooe: I don't know what we need to do 21:35:58 <Guest95456> philips: I think the OP was "I want to put my binary on libc, can I swap out layer 0 without touching the top?" 21:36:18 <Guest95456> stevvooe: there are two properties here. You can swap out at build time and get a new image 21:36:29 <Guest95456> stevvooe: you can also compose at runtime by mounting images on other images 21:36:45 <Guest95456> stevvooe: but I don't see a use case for something in between with the image-spec mounting images at paths 21:36:53 <Guest95456> stevvooe: I don't think that belongs at this layer 21:37:13 <Guest95456> philips: by build time I think "here are two tarballs and a signed manifest" 21:37:30 <Guest95456> stevvooe: that's what I mean, you can compose a new image with the shuffled layers. That's build time 21:38:27 <Guest95456> philips: I think he was asking if he could reuse layer blobs 21:38:37 <Guest95456> Yeah that's content addressability. Close issue ;) 21:39:02 <Guest95456> #topic UTF-8 ref names 21:39:17 <Guest95456> #link https://github.com/opencontainers/image-spec/issues/174 21:39:55 <Guest95456> stevvooe: we considered this in Docker's registry and turned it down because it made debugging harder 21:40:11 <stevvooe> https://github.com/docker/distribution/issues/124 21:40:55 <Guest95456> and https://github.com/docker/distribution/pull/128 21:42:57 <Guest95456> philips: currently we have a restriction. 21:43:03 <Guest95456> philips: do folks want to lift it? 21:43:15 <Guest95456> I like base-64 to allow folks to do what they want with ref names 21:43:25 <Guest95456> And think debugging doesn't get that much harder 21:44:02 <Guest95456> I think stevvooe and I just differ on weighting the flexibility vs. debugging ease balance 21:44:33 <Guest95456> philips: if someone wants to create a base-64-ref version, they can do that? 21:44:37 <Guest95456> as a forked spec? 21:45:05 <Guest95456> stevvooe: with all the naming discussion, folks mostly agree on tags. Ensuring tag consistency is good, and this gets us somewhat there without requiring tags 21:45:17 <Guest95456> * without requiring a particular naming format 21:45:40 <Guest95456> stevvooe: were we nesting tags inside of refs? 21:45:53 <Guest95456> vbatts: nesting tags could be nipped in the bud by requiring filename tags 21:46:09 <Guest95456> stevvooe: I'd like to revisit this after getting the Docker PR compiled 21:46:28 <Guest95456> #link https://github.com/docker/docker/issues/25779 21:46:44 <Guest95456> philips: in other places we are very careful about allowing characters 21:48:04 <Guest95456> philips: folks can push refs like "base64-..." then folks can use whatever they want 21:48:14 <Guest95456> stevvooe: I agree we want to limit the character set 21:48:36 <Guest95456> Base 64 is a restricted character set 21:48:48 <Guest95456> stevvooe: I think base-64 is too unfriendly 21:48:57 <Guest95456> stevvooe: and needs specialized toolink 21:48:59 <Guest95456> *tooling 21:49:28 <philips> "A" to "Z", "a" to "z", "0" to "9", the hyphen `-`, the dot `.`, and the underscore `_` 21:49:53 <Guest95456> stevvooe: we should look into supporting what's needed by semantic versioning 21:50:12 <Guest95456> philips: cgroups has a similar problem, and we picked some super-dumb escaping syntax 21:50:21 <Guest95456> stevvooe: so are you proposing we do that? 21:50:24 <Guest95456> philips: no 21:50:54 <Guest95456> vbatts: what we have isn't broken. If you want UTF-8, you can use base64-... refs or a base64-refs/ directory or whatever 21:52:36 <Guest95456> philips: we've already said there's no semantic meaning 21:52:42 <Guest95456> philips: so I think we can just close the issue 21:52:46 <Guest95456> stevvooe: please, close it 21:52:56 <Guest95456> philips: I think that's it for all non-milestone and non-tool issues 21:52:58 <philips> https://github.com/opencontainers/image-spec/milestone/8 21:53:29 <Guest95456> philips: other topics? 21:54:06 <Guest95456> #topic console handling in runC 21:54:31 <Guest95456> cyphar: main spec issue is that in /dev/pts the owner is odd 21:54:53 <Guest95456> cyphar: in most systems the group for /dev/pts/* is the tty group and the tty group can write to any slave 21:55:02 <Guest95456> cyphar: this doesn't currently happen in runC 21:55:20 <Guest95456> cyphar: you can mount devpts with gid=5, and new slaves will default to that group 21:55:38 <Guest95456> cyphar: with that, you won't need to touch the group owner 21:56:09 <Guest95456> cyphar: the other way to do this it to implement grantpt in Go, but then you have to parse /etc/group and it gets complicated with user namespaces 21:56:56 <Guest95456> cyphar: are we looking for solutions that only rely on config.json, or are we ok looking at the rootfs for group information? 21:57:06 <Guest95456> mrunalp: crosbymichael, any thoughts? 21:57:17 <Guest95456> crosbymichael: I'd have to look at it 21:57:31 <Guest95456> mrunalp: cyphar, can you test some software with the gid approach? 21:57:48 <Guest95456> mrunalp: try tmux, mutt, screen, ... 21:58:09 <Guest95456> cyphar: the current console branch has this implemented. I was just bringing it up as a recently-discussed point 21:58:31 <Guest95456> mrunalp: I'll try it out again soon 21:58:39 <Guest95456> mrunalp: anything else 21:58:57 <Guest95456> #endmeeting 21:59:16 <Guest95456> mrunalp: you might have to end this since I've been punted back off my nick ;) 21:59:34 <Guest95456> which means my #topics probably didn't stick either 22:00:58 <vbatts> #endmeeting