[openstack-dev] [tc][appcat] The future of the App Catalog
zbitter at redhat.com
Sat Mar 11 00:09:42 UTC 2017
On 10/03/17 12:27, Monty Taylor wrote:
> On 03/10/2017 10:59 AM, Clint Byrum wrote:
>> I'm curious what you (Josh) or Zane would change too.
>> Containers/apps/kubes/etc. have to run on computers with storage and
>> networks. OpenStack provides a pretty rich set of features for giving
>> users computers with storage on networks, and operators a way to manage
>> those. So I fail to see how that is svn to "cloud native"'s git. It
>> seems more foundational and complimentary.
> I agree with this strongly.
> I get frustrated really quickly when people tell me that, as a user, I
> _should_ want something different than what I actually do want.
> It turns out, I _do_ want computers - or at least things that behave
> like computers - for some percentage of my workloads. I'm not the only
> one out there who wants that.
> There are other humans out there who do not want computers. They don't
> like computers at all. They want generic execution contexts into which
> they can put their apps.
> It's just as silly to tell those people that they _should_ want
> computers as it is to tell me that I _should_ want a generic execution
I totally agree with you. There is room for all kinds of applications on
OpenStack, and the great thing about an open community is that they can
all have a voice. In theory.
> One of the wonderful things about the situation we're in now is that if
> you stack a k8s on top of an OpenStack then you empower the USER to
> decide what their workload is and which types of features it is - rather
> than forcing a "cloud native" vision dreamed up by "thought leaders"
> down everyone's throats.
I'd go even further than that - many workloads are likely a mix of
_both_, and we need to empower users to be able to use the right tools
for the right parts of the job and _integrate_ them together. That's
where OpenStack can add huge value to k8s and the like.
You may be familiar with the Kuryr project, which integrates Kubernetes
deployments made by Magnum with Neutron networking so that other Nova
servers can talk directly to the containers and other fun stuff. IMHO
it's exactly the kind of thing OpenStack should be doing to make users'
lives better, and give a compelling reason to install k8s on top of
OpenStack instead of on bare metal.
So here's a fun thing I learned at the PTG: according to the Magnum
folks, the main thing preventing them from fully adopting Kuryr is that
the k8s application servers, provisioned with Nova, need to make API
calls to Neutron to set up the ports as containers move around. And
there's no secure way to give Keystone authentication credentials to an
application server to do what it needs - and, especially, to do *only*
what it needs.
Keystone devs did agree in back in Austin that when they rejigger the
default policy files it will done in such a way as to make the
authorisation component of this feasible (by requiring a specific
reader/writer role, not just membership of the project, to access APIs),
but that change hasn't happened yet AFAIK. I suspect that it isn't their
top priority. Kevin has been campaigning for *years* to get Nova to
provide a secure way to inject credentials into a server in the same way
that this is built in to EC2, GCE and (I assume but haven't checked)
Azure. And they turned him down flat every time saying that this was not
Sorry, but if OpenStack isn't a good, secure platform for running
Kubernetes on then that is a HAIR ON FIRE-level *existential* problem in
We can't place too much blame on individual projects though, because I
believe the main reason this doesn't Just Work already is that there has
been an unspoken consensus that we needed to listen to users like you
but not to users like Kevin, and the elected leaders of our community
have done nothing to either disavow or officially adopt that consensus.
We _urgently_ need to decide if that's what we actually want and make
sure it is prominently documented so that both users and developers know
FWIW I'm certain you must have hit this same issue in infra - probably
you were able to use pre-signed Swift URLs when uploading log files to
avoid needing credentials on servers allocated by nodepool? That's
great, but not every API in OpenStack has a pre-signed URL facility, and
nor should they have to.
(BTW I proposed a workaround for Magnum/Kuryr at the PTG by using a
pre-signed Zaqar URL with a subscription triggering a Mistral workflow,
and I've started working on a POC.)
> It also turns out that the market agrees. Google App Engine was not
> successful, until Google added IaaS. Azure was not successful until
> Microsoft added IaaS. Amazon, who have a container service and a
> serverless service is all built around the ecosystem that is centered on
> ... that's right ... an IaaS.
I think this is the point where you're supposed to insert the disclaimer
that, in any market, past performance is not a guarantee of future
> So rather than us trying to chase a thing we're not (we're not a
> container or thin-app orchestration tool) - being comfortable with our
> actual identity (IaaS provider of computers) and working with other
> people who do other things ends up providing _users_ with the a real win.
k8s is an application that can run in Nova servers, and things we can do
to make OpenStack a better host for k8s will also make it a better host
for other kinds of computer-wanting applications, and vice-versa.
There's no conflict there.
> Considering computers as some-how inherently 'better' or 'worse' than
> some of the 'cloud-native' concepts is hog wash. Different users have
> different needs. As Clint points out - kubernetes needs to run
> _somewhere_. CloudFoundry needs to run _somewhere_. So those are at
> least two other potential users who are not me and my collection of
> things I want to run that want to run in computers.
I think we might be starting to talk about different ideas. The whole
VMs vs. containers fight _is_ hogwash. You're right to call it out as
such. We hear far too much about it, and it's totally unfair to the
folks who work on the VM side. But that isn't what this discussion is about.
Google has done everyone a minor disservice by appropriating the term
"cloud-native" and using it in a context such that it's effectively been
redefined to mean "containers instead of VMs". I've personally stopped
using the term because it's more likely to generate confusion than clarity.
What "cloud-native" used to mean to me was an application that knows
it's running in the cloud, and uses the cloud's APIs. As opposed to
applications that could just as easily be running in a VPS or on bare
metal, but happen to be running in a VM provisioned by Nova.
So where in the past an "application" was just a software package to run
on some computer and the racking, patching, configuring of switches,
scheduling of backups &c. was all done manually; now we have APIs for
all of those things. Cloud-native applications actually make use of
those APIs. Why should k8s and CloudFoundry have to act like they're
running on old-school physical infrastructure? Why shouldn't running on
OpenStack make them _better_? Why shouldn't they be able to scale
themselves out? Replace broken servers? And so on.
And, briefly veering back on-topic, if we want those deployments to be
reproducible (we do) then that also inevitably means new packaging
formats to take into account the extra information about the
infrastructure and external services that is never going to be captured
e.g. inside a container image. (BTW comparing the app catalog to Juju
would be much more productive than comparing it to Docker Hub.)
More information about the OpenStack-dev