*** hongbin has joined #openstack-containers | 01:28 | |
*** hongbin_ has joined #openstack-containers | 01:46 | |
*** noonedeadpunk has quit IRC | 01:47 | |
*** hongbin has quit IRC | 01:48 | |
*** noonedeadpunk has joined #openstack-containers | 01:50 | |
*** openstackgerrit has joined #openstack-containers | 02:13 | |
openstackgerrit | Zihao Wang proposed openstack/magnum master: requirements: Drop os-testr https://review.opendev.org/750267 | 02:13 |
*** sapd1_x has joined #openstack-containers | 02:22 | |
*** rcernin has quit IRC | 02:59 | |
*** sapd1_x has quit IRC | 03:14 | |
*** rcernin has joined #openstack-containers | 03:14 | |
*** hongbin_ has quit IRC | 03:15 | |
*** hongbin has joined #openstack-containers | 03:16 | |
*** vishalmanchanda has joined #openstack-containers | 03:52 | |
*** ykarel|away has joined #openstack-containers | 04:29 | |
*** ykarel|away is now known as ykarel | 04:31 | |
*** ramishra has quit IRC | 04:31 | |
*** ramishra has joined #openstack-containers | 04:31 | |
*** ykarel has quit IRC | 04:42 | |
*** ykarel has joined #openstack-containers | 04:44 | |
*** hongbin has quit IRC | 05:12 | |
*** sapd1_x has joined #openstack-containers | 07:15 | |
openstackgerrit | wu.shiming proposed openstack/python-magnumclient master: Remove translation sections from setup.cfg https://review.opendev.org/750281 | 07:16 |
*** kevko has joined #openstack-containers | 07:29 | |
*** rcernin has quit IRC | 08:00 | |
*** kevko has quit IRC | 08:22 | |
*** nikparasyr has joined #openstack-containers | 08:24 | |
*** k_mouza has joined #openstack-containers | 08:26 | |
openstackgerrit | Feilong Wang proposed openstack/magnum master: Update default k8s admission controller list https://review.opendev.org/748389 | 08:39 |
*** flwang1 has joined #openstack-containers | 08:54 | |
flwang1 | brtknr: do you have any concern about https://review.opendev.org/#/c/749893/ ? | 08:55 |
brtknr | flwang1: yes slightly in that v1.19.0 hyperkube doesn't officially exist | 08:55 |
flwang1 | yep, but anyone can build it | 08:56 |
flwang1 | and without this patch, the v1.19.0 won't work | 08:56 |
brtknr | we should introduce a label to specify location of hyperkube image | 08:56 |
flwang1 | until we support binary, we will have to build hyperkube | 08:56 |
brtknr | btw I just scanned the image catalystcloud built for vulnerabilities | 08:57 |
flwang1 | i don't really understand why we need it? for community? | 08:57 |
flwang1 | pm me pls | 08:57 |
brtknr | Image [catalystcloud/hyperkube:v1.19.0] contains 233 total vulnerabilities | 08:58 |
flwang1 | brtknr: i think it's not only for v1.19.0 | 08:59 |
brtknr | yes all hyperkube images have these issues | 09:00 |
brtknr | most of them are negligible | 09:00 |
brtknr | 1 sec, lemme share the report | 09:00 |
brtknr | https://seashells.io/p/Kp9g8vG3 | 09:01 |
brtknr | 133/233 negligible | 09:02 |
flwang1 | seems most of them come with the base image | 09:02 |
brtknr | 34/233 low | 09:02 |
brtknr | 44/233 medium | 09:02 |
brtknr | 8/233 high | 09:02 |
flwang1 | i see | 09:03 |
brtknr | and 2/233 critical | 09:03 |
brtknr | flwang1: can we use a different base image? | 09:04 |
flwang1 | i don't know, but it could be hard comparing the effort switch to binary | 09:04 |
flwang1 | brtknr: we should check with Spyros the progress of binary | 09:05 |
flwang1 | i'm keen to get it in this cycle | 09:05 |
flwang1 | otherwise, cherrypick is also OK for me if we can get it in early next W release | 09:06 |
brtknr | flwang1: looking at the CVEs, a lot of them are actually related to linux kernel version | 09:06 |
brtknr | in actual fact, containers use host kernel | 09:06 |
flwang1 | given the k8s community has abandoned the hyperkube, it doesn't make much sense to stick on that way | 09:09 |
flwang1 | we have to move on | 09:09 |
flwang1 | i agree with Spyros, the k8s community is not very responsible for this case | 09:09 |
brtknr | I tested the PS to support binary and it works for v1.19.0 | 09:10 |
brtknr | it just needs fleshing out to support upgrades | 09:11 |
flwang1 | really? sounds good | 09:12 |
flwang1 | i will play it tomorrow | 09:13 |
*** kevko has joined #openstack-containers | 09:17 | |
flwang1 | brtknr: just to be clear, when you say it works, do you mean this patch https://review.opendev.org/#/c/748141/1/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh ? | 09:21 |
brtknr | flwang1: yep | 09:22 |
flwang1 | but looks like it's still using podman to start a kube-xxx container, isn't it? | 09:22 |
flwang1 | i probably missed something | 09:22 |
brtknr | flwang1: although [k8s.gcr.io/kube-proxy:v1.19.0] contains 53 unapproved vulnerabilities | 09:23 |
brtknr | flwang1: yes it only uses binary for kubelets | 09:23 |
flwang1 | i see | 09:24 |
flwang1 | i will start to think about the upgrade path | 09:25 |
brtknr | flwang1: btw rancher uses ubuntu base image for hyperkube | 09:39 |
brtknr | rancher/hyperkube:v1.19.0-rancher1 | 09:39 |
brtknr | flwang1: Image [rancher/hyperkube:v1.19.0-rancher1] contains 28 total vulnerabilities | 09:39 |
flwang1 | interesting | 09:39 |
brtknr | this looks much better | 09:39 |
flwang1 | it would be nice if we can understand the dockerfile | 09:40 |
brtknr | and the worst one is Medium CVE | 09:40 |
brtknr | there are no high or critical issues | 09:40 |
brtknr | this is why it would be good to introduce a kube_repo label | 09:41 |
brtknr | so that we can specify location of hyperkube image | 09:41 |
*** ykarel_ has joined #openstack-containers | 09:42 | |
openstackgerrit | Merged openstack/magnum master: Drop KUBE_API_PORT for kube-apiserver https://review.opendev.org/749893 | 09:42 |
flwang1 | let's add it to tomorrow's meeting agenda | 09:43 |
*** ykarel has quit IRC | 09:44 | |
*** ykarel_ is now known as ykarel | 09:45 | |
flwang1 | https://github.com/rancher/hyperkube/tree/v1.19 | 09:45 |
flwang1 | https://github.com/rancher/hyperkube-base | 09:47 |
flwang1 | i think we found it | 09:47 |
flwang1 | brtknr: ^ | 09:48 |
brtknr | yep that's the one | 09:48 |
brtknr | i am less keen on maintaining our own image however :) | 09:49 |
brtknr | flwang1: | 09:49 |
flwang1 | let's discuss if we can work together with rancher team | 09:50 |
flwang1 | and i think that's how open source works | 09:50 |
flwang1 | i'm off for today :) | 09:55 |
brtknr | flwang1: cool :) enjoy your day off | 09:58 |
*** kevko has quit IRC | 10:05 | |
openstackgerrit | Bharat Kunwar proposed openstack/magnum master: [k8s] Add vulnerability scanner https://review.opendev.org/598142 | 10:08 |
*** k_mouza has quit IRC | 10:16 | |
*** kevko has joined #openstack-containers | 10:19 | |
*** kevko has quit IRC | 10:24 | |
*** ykarel has quit IRC | 10:33 | |
*** ykarel has joined #openstack-containers | 10:34 | |
*** ykarel_ has joined #openstack-containers | 10:40 | |
*** ykarel has quit IRC | 10:42 | |
*** sapd1_x has quit IRC | 10:47 | |
*** dave-mccowan has joined #openstack-containers | 10:59 | |
*** k_mouza has joined #openstack-containers | 11:08 | |
*** dave-mccowan has quit IRC | 11:12 | |
*** dave-mccowan has joined #openstack-containers | 11:13 | |
*** k_mouza has quit IRC | 11:14 | |
*** mgariepy has quit IRC | 11:15 | |
*** k_mouza has joined #openstack-containers | 11:18 | |
*** k_mouza has quit IRC | 11:18 | |
*** ykarel__ has joined #openstack-containers | 11:32 | |
*** ykarel_ has quit IRC | 11:35 | |
*** ykarel__ has quit IRC | 11:39 | |
*** ykarel has joined #openstack-containers | 11:42 | |
*** ykarel has quit IRC | 11:43 | |
*** ykarel has joined #openstack-containers | 11:45 | |
*** ykarel has quit IRC | 11:46 | |
*** ykarel has joined #openstack-containers | 11:48 | |
*** mgariepy has joined #openstack-containers | 12:05 | |
*** ykarel_ has joined #openstack-containers | 12:14 | |
*** ykarel has quit IRC | 12:16 | |
*** flwang1 has quit IRC | 12:39 | |
*** kevko has joined #openstack-containers | 12:49 | |
*** k_mouza has joined #openstack-containers | 13:09 | |
*** kevko has quit IRC | 13:26 | |
*** ykarel_ is now known as ykarel | 13:30 | |
*** ykarel_ has joined #openstack-containers | 13:37 | |
*** ykarel has quit IRC | 13:37 | |
*** ykarel_ is now known as ykarel | 13:53 | |
*** k_mouza has quit IRC | 14:27 | |
*** ykarel_ has joined #openstack-containers | 14:30 | |
*** ykarel has quit IRC | 14:30 | |
*** k_mouza has joined #openstack-containers | 14:51 | |
*** ykarel_ is now known as ykarel|away | 14:56 | |
*** k_mouza has quit IRC | 15:03 | |
*** nikparasyr has left #openstack-containers | 15:09 | |
*** k_mouza has joined #openstack-containers | 15:10 | |
*** sapd1_x has joined #openstack-containers | 15:27 | |
*** k_mouza has quit IRC | 15:29 | |
*** jmlowe has quit IRC | 15:30 | |
*** jmlowe has joined #openstack-containers | 15:32 | |
*** k_mouza has joined #openstack-containers | 15:41 | |
*** ykarel|away has quit IRC | 15:44 | |
*** k_mouza has quit IRC | 16:06 | |
*** k_mouza has joined #openstack-containers | 16:08 | |
*** mgariepy has quit IRC | 16:09 | |
*** k_mouza has quit IRC | 16:18 | |
*** vishalmanchanda has quit IRC | 16:21 | |
*** k_mouza has joined #openstack-containers | 16:24 | |
*** k_mouza has quit IRC | 16:30 | |
*** sapd1_x has quit IRC | 16:33 | |
*** mgariepy has joined #openstack-containers | 17:10 | |
*** mgariepy has quit IRC | 17:37 | |
*** mgariepy has joined #openstack-containers | 17:38 | |
*** mgariepy has quit IRC | 18:14 | |
*** mgariepy has joined #openstack-containers | 18:28 | |
*** rcernin has joined #openstack-containers | 23:02 |