#opencontainers log

22:05:32 <wking> #startmeeting 2016-11-30 discussion
22:05:32 <collabot`> Meeting started Wed Nov 30 22:05:32 2016 UTC.  The chair is wking. Information about MeetBot at http://wiki.debian.org/MeetBot.
22:05:32 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
22:05:32 <collabot`> The meeting name has been set to '2016_11_30_discussion'
22:05:37 <wking> I missed the first few minutes...
22:05:48 <wking> #topic runtime-spec command line API
22:05:54 <wking> #link https://github.com/opencontainers/runtime-spec/pull/513
22:06:08 <wking> #action crosbymichael to comment about socket handling in the PR
22:06:30 <wking> mrunalp: other thoughts for the command line API PR?
22:06:41 <wking> crosbymichael: I can't think of anything else that we were missing
22:06:50 <wking> #topic anchor updates
22:07:57 <wking> RobDolinMS: I'm happy to keep going with the Markdown anchors for v1
22:08:16 <wking> mrunalp: works for me, any objections?
22:08:26 <wking> Works for me too, as long as I'm not doing the work ;)
22:08:47 <wking> #action RobDolinMS to work up PRs for Markdown anchors for the rest of runtime-spec
22:09:09 <wking> #topic runtime testing feedback
22:09:38 <wking> RobDolinMS if we're getting started from scratch, where should those docs go?  The README?  A wiki?
22:09:48 <wking> mrunalp: runtime-tools README is a good place
22:09:57 <wking> +1 to putting the notes in the runtime-tools README
22:10:19 <wking> stephenrwalli: RobDolinMS and I worked up Ubuntu and Fedora notes already
22:10:30 <wking> #action stephenrwalli to PR Fedora notes for runtime-tools
22:10:42 <wking> #action RobDolinMS to PR Ubuntu notes for runtime-tools
22:11:09 <wking> stephenrwalli: we have a dependency on the Go capabilities library which doesn't have an open-source license
22:11:49 <wking> #topic image-spec rc3
22:11:57 <wking> vbatts: I posted a vote for this today
22:12:11 <wking> stephenrwalli:
22:13:22 <wking> stephenrwalli: going back a topic, gocapability is 2-clause BSD: https://github.com/syndtr/gocapability/blob/master/LICENSE
22:14:07 <wking> vbatts: having some sort of notes about naming would be good for 1.0 (even if it's just "naming is not defined")
22:14:53 <wking> stevvooe: If we were working on ELF or PDF, do those specs talk about distribution over HTTP
22:14:56 <wking> ^ probably not ;)
22:15:15 <wking> stevvooe: the image format is based on Docker tech, but...
22:15:31 <wking> [stevvooe dropped]
22:15:39 <stevvooe> reloading
22:16:35 <stevvooe> chrome stopped recognizing my mic
22:16:36 <stevvooe> once sec
22:17:44 <stephenrwalli> wking: You are completely correct. My apologies, All. 2-Clause BSD. I stand corrected.
22:17:59 <stevvooe> i'll be in seattle as well
22:18:01 <stevvooe> one sec
22:18:05 <mrunalp> stephenrwalli, yep, I checked that as well
22:18:21 <stevvooe> chrome sucks
22:19:05 <RobDolinMS> stevvooe: You can direct dial into the meeting from a land line or mobile: 415-968-0849
22:19:37 <wking> philips: I'm not clear on the index use case
22:20:09 <wking> vbatts: If you have a tar image with an early oci-layout index, you can exit early on missed lookups (without reading the tar file)
22:20:16 <wking> * the whole tar file
22:20:46 <wking> vbatts: also a flat-pack use-case with lots of reference objects (assorted GNOME runtimes, Gedit runtimes, etc., etc.)
22:20:50 <stevvooe> "Due to the size of the call, you have been auto muted to improve call quality."
22:21:19 <wking> vbatts: instead of walking over HTTP you could fetch a single, required file and use the optional index to find your ref list
22:21:57 <wking> vbatts: it's for ref-listing efficiency and for packing descriptor annotations
22:22:36 <wking> #link https://github.com/opencontainers/image-spec/pull/438
22:22:47 <wking> stevvooe: what's the role of refs/ if we already have an index?
22:23:01 <wking> vbatts: it does kindof clobber that
22:23:44 <wking> vbatts: the refs/ directory has a named descriptor, whereas the index... all the blobs or just the refs or whatever... more for people who want a single source for fetching what's in the layout
22:24:16 <wking> vbatts: it's painful/impossible to walk refs/ in some cases
22:24:20 <wking> stevvooe: so can we pick one?
22:24:36 <wking> vbatts: get rid of refs/ (if we replace it with an index)
22:24:46 <wking> stevvooe: refs/ is nice because merging is easy
22:24:56 <wking> stevvooe: but your point about HTTP fetching is an interesting thing
22:25:07 <wking> stevvooe: although it's looking a lot like a manifest list...
22:26:14 <wking> stevvooe: we should compare this with the Docker safe format too
22:27:47 <wking> stevvooe: I guess what I'm saying is that this should be a full-blown object (generalizing manifest list) and replacing refs/* with a well-known path
22:27:51 <stevvooe> https://github.com/opencontainers/image-spec/blob/master/manifest-list.md
22:28:06 <wking> vbatts: I'll have to check once I can get to my work station...
22:28:14 <wking> philips: I see what you're saying, stevvooe
22:28:33 <wking> stevvooe: if we add annotations as an optional descriptor field, then manifest lists cover this case
22:28:51 <wking> vbatts: and we're replacing refs/* with... a new entry in oci-layout?  Or a refs.json?
22:29:12 <wking> vbatts: that would be like manifest.json in the current Docker format
22:29:29 <wking> stevvooe: I think index.json, because there are no refs (naming would be via annotations)
22:29:37 <stevvooe> https://github.com/opencontainers/image-spec/pull/438/files
22:30:02 <wking> #action stevvooe to add comments to the PR about a manifest-list approach
22:31:35 <wking> I think we need to keep first class naming for things like 'unpack v1.0'
22:32:14 <wking> stevvooe: but refs are not reliable, since we don't have verifiable names
22:32:30 <wking> stevvooe: image tags have a larger character set, and image names are more than just the tag
22:32:49 <wking> stevvooe: doing this by annotation lets applications figure out how they want to handle naming
22:33:11 <wking> Is image-tools unpack just going to be by digest?
22:33:29 <wking> stevvooe: I think there will be tools that let you select a portion of the index by annotation
22:33:53 <wking> stevvooe: you can do this without a specified naming scheme, just "unpack the images matching this selector..."
22:34:31 <wking> so something like "unpack com.example.name=v1.0"?
22:34:46 <wking> stevvooe: the main problem with refs is that there are many namespaces, so you need translations between them
22:35:01 <wking> stevvooe: if you just declare what it is for each system there's no need to meet in the middle
22:35:14 <wking> stevvooe: I think this is a good change, and I'll add commentary to the PR
22:36:26 <wking> stevvooe: this is a big change (but I think it's the right change).  Let's make sure we handle it appropriately
22:37:06 <wking> vbatts: with the vote out for image-spec rc3 and the holidays coming up...
22:37:55 <wking> vbatts: future RCs and 1.0 are probably in mid/late January
22:38:32 <wking> vbatts: there's also in-flight work about integrating image-layout support into Docker
22:38:48 <wking> stevvooe: the draw-back to image.json is that it's unverifiable
22:38:51 <wking> philips: why?
22:39:13 <wking> stevvooe: say you get a URL without a hash/verification/signature.  You download, unpack, and don't trust index.json
22:39:33 <wking> stevvooe: presumably someone will be hashing/signing the index.json with a side-declaration
22:39:54 <wking> stevvooe: I think this gets back around to defining a framework for signing, and we don't need to address this before 1.0
22:40:15 <wking> philips: this is like refs now, where there's no verification unless you have out-of-band signatures
22:40:26 <wking> stevvooe: it's easier if it's in one file
22:40:44 <wking> philips: there are a bunch of random, open PRs which need attention too
22:41:01 <stevvooe> https://github.com/opencontainers/image-spec/pull/451
22:41:11 <wking> #topic Shipping runtime-spec configs
22:41:16 <wking> #link https://github.com/opencontainers/image-spec/pull/451
22:41:29 <wking> stevvooe: this is a bad idea
22:41:32 <wking> philips: yeah, never do that
22:41:44 <wking> stevvooe: it seems like a good idea, but there's so much host-specific stuff
22:42:03 <wking> stevvooe: translating from the image-config to the host-config is a great security barrier
22:42:19 <wking> stevvooe: if we look at the Docker image/host config, there are many fewer image configs
22:42:47 <wking> stevvooe: the OCI spec split distribution and runtime, but the image config and runtime config should be separate (but translatable
22:43:16 <wking> philips: The spec at one point separated host-specific from runtime-specific, but some things are specific to a single machine/run
22:44:05 <wking> I think you can handle this with sanitization
22:44:18 <wking> stevvooe: this is like building a salad bowl with a sieve, plugging all the holes
22:44:37 <wking> stevvooe: if you let things go through and then whitelist/blacklist, it's going to be bad
22:45:16 <wking> are you concerned with people who don't sanitize, or about people who sanitize poorly?
22:45:28 <duglin> YES! XML lives!
22:45:30 <wking> stevvooe: I'm concerend that you don't understand the ramifications of this proposal
22:45:38 <wking> vbatts: we need XSLT...
22:45:50 <wking> crosbymichael: we have two specs for this very reason
22:46:03 <wking> crosbymichael: this is a horrible idea
22:46:52 <wking> vbatts: we were talking about this in San Francisco last year, with hints at memory requests and such in annotations.  But it would be implementation specific
22:47:05 <wking> vbatts: so it would be "your implementation chose to poke a security hole"
22:47:23 <wking> philips: I think we have a consensus and just need to post a clear reason
22:47:35 <wking> #action stevvooe to post a comment explaining why this is a bad idea
22:48:57 <wking> So with runtime specs off the table, I think we need to define how the translation should work in more detail
22:50:23 <wking> philips: there aren't many fields to map, so that shouldn't be a problem
22:50:57 <wking> stevvooe: command is pretty straightforward.  Entrypoint is always confusing.  Volumes is the only real unknown
22:51:11 <wking> philips: Volumes and ExposedPorts are hints to the UX, and not directly actionable
22:51:51 <wking> We might also have to expand the image config to cover other OSes (and VMs?)
22:51:59 <wking> philips: I'll start with the more clearly scoped stuff first
22:53:25 <wking> #topic image-tools maintenance
22:53:40 <wking> RobDolinMS: I hit some snags trying to run this
22:53:45 <wking> vbatts: open an issue?
22:53:56 <wking> #action RobDolinMS to open an issue about image-tools snage
22:53:58 <wking> *snags
22:54:08 <wking> [vbatts leaves]
22:54:15 <wking> #endmeeting