| *** annabelleB has joined #kata-general | 02:23 | |
| *** annabelleB has quit IRC | 02:26 | |
| *** sjas_ has joined #kata-general | 04:37 | |
| *** sjas has quit IRC | 04:40 | |
| *** annabelleB has joined #kata-general | 05:01 | |
| *** annabelleB has quit IRC | 05:01 | |
| *** fiddletwix has quit IRC | 05:06 | |
| *** gwhaley has joined #kata-general | 08:07 | |
| *** gwhaley has quit IRC | 11:02 | |
| *** gwhaley has joined #kata-general | 12:18 | |
| xzr | hey gwhaley, sorry, pestering you since you've been the only active fellow around here :P | 12:33 |
|---|---|---|
| xzr | https://pastebin.com/a6XNrYMH | 12:33 |
| xzr | was wondering if the --selinux-enabled thing warranted an issue | 12:34 |
| xzr | granted I don't understand all the gears turning in the machine with that one | 12:34 |
| xzr | hmm guess I should test that on another OS as well, to see if it's atomic specific | 12:34 |
| xzr | could be a combination with some other setting | 12:35 |
| gwhaley | hi xzr - heh, that may be because of timezone (many folks in U.S. and China for instance). a lot of others hang on slack, and that then waits for them to appear, so that can work better sometimes ;-) | 12:39 |
| gwhaley | for selinux - did I see Peng or Wei or somebody note there was a relevant issue recently - let me peek... | 12:39 |
| xzr | ah, you located in .ie? Used to have a few buddies working for intel there. Still one working for mcafee in cork | 12:44 |
| gwhaley | I'm actually in .uk - working from home (there is a big Intel office in the uk, but none of my group work there etc.). I have been to one of the Ireland offices :-) Know a couple of folks there - networking stuff | 12:48 |
| gwhaley | I had a look for selinux stuff (github search), but could not locate the relevant thread/Issue. There is a thread on kata-dev email list as well, but that is probably not quite what you are asking: | 12:49 |
| gwhaley | down in here, is about how we could isolate the VMs on the host http://lists.katacontainers.io/pipermail/kata-dev/2018-July/000257.html | 12:49 |
| gwhaley | let me try harder on github - I'm sure we had something around selinux... | 12:49 |
| xzr | yea I did try searching for selinux on the different projects in there as well | 12:53 |
| xzr | no dice | 12:53 |
| gwhaley | xzf: I can't find a github Issue to discuss how/what we might do with selinux - so, yes please, open an issue and then we can kick off a discussion (at a minimum we can document what we do/don't support and why right now). | 12:54 |
| gwhaley | It is an interesting topic in that I will ask 'do you enable selinux on the host or in the guest' :-) Or both... :-) | 12:54 |
| xzr | yeah that's what I'm scratching my head with currently | 12:55 |
| xzr | we have some apps with selinux policies defined that we run on native hosts currently | 12:55 |
| xzr | planning to containerize those, so then can we just use those policies directly in the container, then create a separate policy for docker | 12:56 |
| gwhaley | and... it would be great if that just migrated or translated into a kata container... which sounds sane | 12:56 |
| xzr | luckily will soon have a proper demo system to start testing this stuff on | 12:56 |
| gwhaley | and, wrt your previous look at kata and atomic, atomic does look interesting in that respect | 12:57 |
| xzr | I'll test it on plain centos first, see if I get the same result | 13:01 |
| *** annabelleB has joined #kata-general | 13:01 | |
| *** annabelleB has quit IRC | 13:34 | |
| xzr | peculiar, the systemd problem seems to manifest on base centos7 as well | 14:19 |
| xzr | the config files are actually quite similar | 14:19 |
| xzr | also the selinux problem manifests in a similar manner | 14:20 |
| xzr | ah yea the default install instructions determine the options given to the docker daemon, instead of just dropping in the kata-runtime into "existing config" | 14:23 |
| xzr | so maybe nobody has ran into these kinds of problems, or they ran into them and just chose to ignore them | 14:23 |
| xzr | of course I could be wrong, but would be nice if the kata runtime didn't require too many changes to the docker daemon configuration | 14:32 |
| gwhaley | xzr: for the config, indeed, it assumes a clean install. You need to modify some docker config somewhere to tell docker it has a new runtime it can use, and what it is called :-) | 14:33 |
| gwhaley | A PR to improve those docs welcome ;-) | 14:33 |
| gwhaley | And Issues for the systemd and selinux stuff ... | 14:33 |
| xzr | well, I used the base centos docker config that comes after yum install | 14:34 |
| xzr | and just added kata-runtime | 14:34 |
| xzr | ended up with the same problems as on atomic | 14:34 |
| xzr | as I didn't clean out all the docker start params (that are there by default) | 14:34 |
| xzr | yup, I'll be posting some stuff once I figure it out | 14:35 |
| gwhaley | xzr: thx. Then we can figure out/discuss on the thread. It occurs to me, I wonder if the default docker from Centos is 'too old' for kata. Just a thought. I think we have seen this on other distros (where their default docker install is v.v.old) | 14:36 |
| xzr | hmm true enough | 14:36 |
| xzr | holy cow it's indeed quite quite old | 14:37 |
| xzr | 1.13.1 | 14:37 |
| gwhaley | ouch! | 14:38 |
| gwhaley | ;-) | 14:38 |
| xzr | right, think I'm in for a world of pain with upgrading docker on atomic | 14:38 |
| xzr | I'll take a looksie with newer docker on centos | 14:39 |
| xzr | ah well, figures | 14:47 |
| xzr | the default docker-ce configuration is a great deal simpler than the one coming with centos | 14:47 |
| xzr | and doesn't have selinux enabled by default | 14:47 |
| *** fiddletwix has joined #kata-general | 14:48 | |
| *** fiddletwix has quit IRC | 14:49 | |
| *** fiddletwix has joined #kata-general | 14:50 | |
| xzr | though, for the most part kata seems to be fine on 1.13.1 as well | 15:09 |
| xzr | the selinux thing manifests on docker ce as well | 15:09 |
| *** kata-irc-bot has joined #kata-general | 15:43 | |
| kata-irc-bot | <mvedovati> Still stuck, any help is appreciated. About running kata-container standalone I followed this: https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md#running-standalone | 15:51 |
| kata-irc-bot | <eric.ernst> @mvedovati - TBH I haven't run stand-alone. Rereading the chat history to see what the original issue you ran into was... | 16:10 |
| kata-irc-bot | <eric.ernst> Can you share the output / issue you observed when running with docker in the first place? That may shed some light here. | 16:10 |
| kata-irc-bot | <eric.ernst> Also, did you install using packages, are building from source? It may be helpful to just open up a github issue against github.com/kata-containers/runtime ... | 16:11 |
| kata-irc-bot | <raravena80> ^^ hmm, it might related to suse, do we have any suse test? not sure if anybody has tried with that | 16:19 |
| *** gwhaley has quit IRC | 17:00 | |
| *** sjas_ is now known as sjas | 17:33 | |
| *** gwhaley has joined #kata-general | 17:53 | |
| *** annabelleB has joined #kata-general | 19:08 | |
| *** annabelleB has quit IRC | 19:27 | |
| *** gwhaley has quit IRC | 19:31 | |
| *** annabelleB has joined #kata-general | 20:14 | |
| *** annabelleB has quit IRC | 20:47 | |
| *** kata-irc-bot has quit IRC | 23:56 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!