Thursday, 2018-02-08

*** tpepper1 has quit IRC 00:03
*** tpepper has joined #kata-general 00:45
*** mylinux_ has joined #kata-general 01:25
*** mylinux_ has quit IRC 01:29
*** sjas_ has joined #kata-general 01:35
*** tpepper has quit IRC 01:37
*** sjas has quit IRC 01:38
*** liujiong has joined #kata-general 01:39
*** tpepper has joined #kata-general 01:47
*** tpepper has quit IRC 01:48
*** liujiong has quit IRC 02:04
*** liujiong has joined #kata-general 02:05
*** mylinux has joined #kata-general 02:28
*** mylinux has quit IRC 02:33
*** mylinux has joined #kata-general 03:23
*** mylinux has quit IRC 03:28
*** mylinux has joined #kata-general 04:21
*** mylinux has quit IRC 04:25
*** mylinux has joined #kata-general 05:19
*** mylinux has quit IRC 05:24
*** mylinux has joined #kata-general 06:24
*** mylinux has quit IRC 06:29
*** sjas_ is now known as sjas 07:18
*** mylinux has joined #kata-general 07:25
*** mylinux has quit IRC 07:30
*** jodh has joined #kata-general 07:34
*** jbryce has quit IRC 08:17
*** mylinux has joined #kata-general 08:26
*** mylinux has quit IRC 08:30
*** gwhaley has joined #kata-general 09:01
*** liujiong has quit IRC 09:18
*** jbryce has joined #kata-general 10:00
kata-dev-irc-bot<samuel.ortiz> @mayank.kumar crio will run all privileged pods through runc. So you can do a `runc list` and `cc-runtime list` to check which runtime is handling which pod/containers. 10:12
kata-dev-irc-bot<samuel.ortiz> @mayank.kumar Typically a few k8s components will need host ns privileges, and will be handled through runc. 10:12
kata-dev-irc-bot<surya_prabhakar> what does kata in kata containers? 11:09
kata-dev-irc-bot<surya_prabhakar> mean 11:09
*** mylinux has joined #kata-general 11:23
*** mylinux has quit IRC 11:28
<gwhaley> hi @surya_prabhakar - well, one possibility is that the translation of the greek καταπίστευμα is 'trust' :-) 11:44
* gwhaley wonders if that copied over the irc->slackbot OK? 11:44
<gwhaley> oh, and the 'shorthand' for that greek phrase is 'kata', iyswim 11:45
kata-dev-irc-bot<surya_prabhakar> I was thinking it was a japanese word which means a system of individual training exercises in karate 11:59
kata-dev-irc-bot<surya_prabhakar> @graham.whaley it makes sense now. who came up with this name ? 11:59
kata-dev-irc-bot<xu> The foundation guys are good at naming :slightly_smiling_face: 12:01
kata-dev-irc-bot<surya_prabhakar> :slightly_smiling_face: 12:02
kata-dev-irc-bot<surya_prabhakar> I have a question in terms of the design. 12:03
kata-dev-irc-bot<surya_prabhakar> from the architecture diagram 12:04
kata-dev-irc-bot<surya_prabhakar> it makes me think that.. I wouldn't need docker to use kata containers anymore if I can talk to shim and runtime somehow 12:04
kata-dev-irc-bot<surya_prabhakar> is my understanding correct? 12:04
kata-dev-irc-bot<xu> you still need to manage images/rootfs 12:05
kata-dev-irc-bot<xu> either use docker or containerd, or use something like frakti (github.com/kubernetes/frakti) 12:06
kata-dev-irc-bot<surya_prabhakar> so docker already supports an intel clear containers cc-engine to manage secure containers.. 12:07
kata-dev-irc-bot<surya_prabhakar> so using kata bring me advantage in terms of having a common interface to manage multiple runtimes? 12:07
kata-dev-irc-bot<surya_prabhakar> or is there something else I am missing here 12:07
kata-dev-irc-bot<xu> cc and runv, or runc are at the same position 12:08
<gwhaley> and, yes, there is also the japanese 'kata' - meaning something like martial arts practice :-) 12:08
kata-dev-irc-bot<xu> there are shims for all of them when working with docker, it is designed to carry the iostream and proxy the signal to the processes in vm 12:08
kata-dev-irc-bot<surya_prabhakar> @xu what do you mean by same position? 12:08
<gwhaley> there is an example of how to run CC 'standalone' over here: https://github.com/clearcontainers/runtime/wiki/Running-standalone 12:09
<gwhaley> and, yes, you should be able to do something very similar with runv, runc and cc-runtime or kata-runtime 12:09
kata-dev-irc-bot<xu> when you use kata/runv/cc with docker, it substitutes the runc as a runtime 12:09
<gwhaley> but as xu says, somebody somehow has to manage the images etc. 12:09
*** gwhaley has quit IRC 12:11
kata-dev-irc-bot<surya_prabhakar> Is there some sort of flow diagram if I request a secure container from kata.. 12:12
kata-dev-irc-bot<xu> In this draft https://docs.google.com/document/d/109pxj-90Ly58ma8CoeRKcMoPWBD0G911E53MeK2zhhA/edit?usp=sharing, it described the position of kata-runtime 12:12
kata-dev-irc-bot<xu> there are some figures illustrating how it could work with kubernetes 12:13
kata-dev-irc-bot<surya_prabhakar> so in the last image 12:18
kata-dev-irc-bot<surya_prabhakar> kata agent is sitting inside the hypervisor based sandbox.. does this mean its running on top of the guest kernel in the container? 12:19
kata-dev-irc-bot<xu> kata agent is running on top of guest kernel in the vm 12:20
kata-dev-irc-bot<surya_prabhakar> @xu got it 12:21
kata-dev-irc-bot<surya_prabhakar> thank u 12:22
kata-dev-irc-bot<xu> you are welcome 12:22
kata-dev-irc-bot<surya_prabhakar> trying to put a diagram using openstack zun and the flow to kata.. 12:23
kata-dev-irc-bot<surya_prabhakar> so that zun does not need to explicitly call for cc-runtime route and rather talk to kata 12:24
kata-dev-irc-bot<surya_prabhakar> is there a diagram already in place for this ? 12:24
kata-dev-irc-bot<xu> sorry, we do not have experiences with zun, but you may contribute 12:25
kata-dev-irc-bot<surya_prabhakar> @xu no issues 12:26
*** mylinux has joined #kata-general 12:28
*** mylinux has quit IRC 12:32
*** liujiong has joined #kata-general 12:39
kata-dev-irc-bot<samuel.ortiz> @surya_prabhakar Yes, eventually zun will call kata-runtime instead of cc-runtime. 12:45
kata-dev-irc-bot<samuel.ortiz> @surya_prabhakar The call path will be identical. 12:45
*** liujiong has quit IRC 12:45
kata-dev-irc-bot<surya_prabhakar> @samuel.ortiz is there some work that has already happened on zun side ? 13:00
kata-dev-irc-bot<xu> I don't think so 13:00
kata-dev-irc-bot<surya_prabhakar> ok cool.. 13:01
kata-dev-irc-bot<samuel.ortiz> @surya_prabhakar It's only integration/testing work, if any, but it has not happened yet. 13:03
*** gwhaley has joined #kata-general 13:31
*** mylinux has joined #kata-general 13:54
kata-dev-irc-bot<anne> Zun just added cc integration for the upcoming queens release. Do you currently use Zun @surya_prabhakar? 15:06
kata-dev-irc-bot<anne> Reminder that if anyone had a Kata talk they wanted to submit to the Vancouver Summit, CFP closes in about 15 hours. 15:20
kata-dev-irc-bot<surya_prabhakar> @anne I did a presentation with an intel developer in sydney summit about the cc integration in zun. I use zun and I am looking at how to talk to kata using zun 15:42
kata-dev-irc-bot<surya_prabhakar> I hear that it is not done yet 15:42
kata-dev-irc-bot<surya_prabhakar> I spoke to the zun dev and we thought we should remove that part of cc in zun and redirect it through kata 15:43
kata-dev-irc-bot<xu> I think it works @surya_prabhakar 15:46
kata-dev-irc-bot<surya_prabhakar> @xu I will try it out :slightly_smiling_face: 15:53
kata-dev-irc-bot<surya_prabhakar> Is today's meeting an architecture meeting or working committee meeting? 15:54
kata-dev-irc-bot<xu> working committee 15:55
kata-dev-irc-bot<surya_prabhakar> I saw on the kata site that only contributors are allowed on the working committee meeting .. So I haven't contributed anything yet. so not sure if I can join 15:55
kata-dev-irc-bot<xu> you can join both 15:55
kata-dev-irc-bot<mrhillsman> you can join 15:56
kata-dev-irc-bot<xu> but only the arch meeting is focused on the technology part 15:56
kata-dev-irc-bot<anne> working committee is for marketing and community work 15:57
kata-dev-irc-bot<surya_prabhakar> @anne thank you :slightly_smiling_face: 15:57
*** jodh has quit IRC 16:10
*** tpepper has joined #kata-general 16:51
kata-dev-irc-bot<mayank.kumar> thanks @samuel.ortiz how can i associate which containers from runc list and cc-runtime list are running as vms. I want to be able to show a mapping from a pod to a container in cc-runtime list and the associated vm which is running it 16:56
*** tpepper has quit IRC 17:49
*** gwhaley has quit IRC 18:30
kata-dev-irc-bot<sebastien.boeuf> @mayank.kumar only pods from cc-runtime list should be running as VMs. 18:44
*** mylinux has quit IRC 18:46
*** mylinux has joined #kata-general 18:49
kata-dev-irc-bot<mayank.kumar> thanks @sebastien.boeuf @samuel.ortiz runc list is empty for me. i only see two qemu processes running but cc-runtime list shows 8 containers. the only pod that is multi containers is kubens. so i am totally confused. 19:21
kata-dev-irc-bot<mayank.kumar> if someone can point me to a way to map a pod to a cc-runtime list container, that would help as well. also where is the mapping which decides which pod will be started by which runtime ? i thought kubelet has the mapping to say which runtime to use ? is there a separate config as well ? and why there are only two qemu processes if i have 8 pods, here there are 19:24
```
default       busy-66bdcdccc4-n2g5d              1/1       Running   0          20h
kube-system   etcd-worker-3                      1/1       Running   0          22h
kube-system   kube-apiserver-worker-3            1/1       Running   0          22h
kube-system   kube-controller-manager-worker-3   1/1       Running   0          22h
kube-system   kube-dns-545bc4bfd4-tklcg          3/3       Running   0          22h
kube-system   kube-flannel-ds-dpfnb              2/2       Running   1          22h
kube-system   kube-proxy-sfvq6                   1/1       Running   0          22h
kube-system   kube-scheduler-worker-3            1/1       Running   0          22h
```
kata-dev-irc-bot<mayank.kumar> is the busybox the only one running in vm if yes then why do i see two qemu processes ? 19:25
*** tpepper has joined #kata-general 20:39
*** justJanne has quit IRC 20:44
*** justJanne has joined #kata-general 20:45
*** ChanServ has quit IRC 20:57
kata-dev-irc-bot<eric.ernst> @mayank.kumar - depending on how you have it setup, CRI-o may be using another binary instead of runc. ie, in our directions it updates to use crio-runc 21:10
kata-dev-irc-bot<eric.ernst> (just a specific checkout/version of runc that is known good w/ crio) 21:10
kata-dev-irc-bot<eric.ernst> may be worth checking that. 21:10
kata-dev-irc-bot<eric.ernst> regarding your query.... let me see what kubectl describe provides... 21:11
*** mylinux has quit IRC 21:13
kata-dev-irc-bot<eric.ernst> @mayank.kumar perhaps someone else will have better info, but if you do kubectl describe pod <podname>, you'll see a given container ID 21:15
kata-dev-irc-bot<eric.ernst> this should match one of the containers described by either crio-runc list or cc-runtime list 21:16
kata-dev-irc-bot<eric.ernst> (or runc list, pending what you are running on your host...) 21:16
kata-dev-irc-bot<eric.ernst> For CRI-o, we have a pretty decent writeup (shameless plug) describing how to use annotations to configure which oci runtime is selected @ https://medium.com/cri-o/intel-clear-containers-and-cri-o-70824fb51811 21:17
kata-dev-irc-bot<eric.ernst> Once Kata runtime is fully available, it'll follow the same logic. ie, s/cc-runtime/kata-runtime 21:18
*** mylinux has joined #kata-general 21:19
kata-dev-irc-bot<mayank.kumar> thanks @eric.ernst i was following https://github.com/clearcontainers/runtime/wiki/Clear-Containers-and-Kubernetes. i did compare the containerId from cc-runtime list with the pod containerId, maybe i missed something or capitalization issues etc, i will double check 21:29
kata-dev-irc-bot<mayank.kumar> one thing i wasn't able to get working is being able to access this kubernetes cluster from outside GCE. if someone has pointers that would be super awesome 21:30
kata-dev-irc-bot<eric.ernst> Okay. All of the privileged containers (most of the ones that start for k8s bringup) are handled via runc 21:30
*** ChanServ has joined #kata-general 21:31
*** barjavel.freenode.net sets mode: +o ChanServ 21:31
kata-dev-irc-bot<mayank.kumar> and runc in this setup is not using clear containers only crio-runs is i guess 21:32
kata-dev-irc-bot<mayank.kumar> where do you look for this ? 21:32
kata-dev-irc-bot<eric.ernst> Stepping back/up, CRI-O will call into a runtime 21:32
kata-dev-irc-bot<eric.ernst> that runtime will either be runc or cc-runtime 21:33
kata-dev-irc-bot<eric.ernst> It decides based on how CRIO is setup and how the workload is described (annotations) 21:33
kata-dev-irc-bot<eric.ernst> So, runc doesn't use clear containers (nor will it - they are just replacements for the same thing, if that makes sense...) 21:34
kata-dev-irc-bot<eric.ernst> Anyway, if you followed these install directions, CRIO will actually call into the binary crio-runc, which is just renamed for your benefit so you don't have to change/trample over a pre-existing runc on your host system 21:34
kata-dev-irc-bot<eric.ernst> And when I say "CRI-o will call into a runtime", more specifically, it'll call into an OCI compliant runtime... 21:37
kata-dev-irc-bot<mayank.kumar> thanks @eric.ernst will read up your blog. 22:11
kata-dev-irc-bot<mayank.kumar> i see the cc-runtime pods take a long time to terminate. they are stuck in terminating state 22:12
kata-dev-irc-bot<eric.ernst> cool. I hope that helps. I plan to write a more generic one over next couple days to help clarify some of your questions. 22:12
kata-dev-irc-bot<eric.ernst> I think CRI-o cleanup in K8S was, um, suboptimal in the version that we suggest in those install directions. 22:13
kata-dev-irc-bot<eric.ernst> Once we move to latest CRIO/K8S this should be much improved. 22:13
kata-dev-irc-bot<tpepper> @eric.ernst you’re gonna present that at one of the CNPDX meetups too right? :slightly_smiling_face: 22:36
*** tpepper has left #kata-general 22:36
kata-dev-irc-bot<eric.ernst> Would love to. :+1: 22:36
kata-dev-irc-bot<eric.ernst> Just started my draft. Was thinking the title could be "Is Kata-containers replacing the internet, and other FAQ" 22:38
kata-dev-irc-bot<tpepper> @eric.ernst as it turns out Josh Berkus just msg’d me saying he’s looking for a speaker on the 22nd if that’s not too soon 23:26
