<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">
<style type="text/css" id="owaParaStyle">P {margin-top:0;margin-bottom:0;}</style>
</head>
<body fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Kolla's general target is in the node range of 1 - 100 nodes. A lot of smaller clusters can't afford to do ci/cd of their own and so Kolla currently pushes all the work to the site,
and the site can't afford to do it right, and so just doesn't deal with security updates.<br>
<br>
This is akin to a site forcing super secure passwords and so all the users just write the password on a sticky note and put it under their keyboard. The ideal is extra security, but the reality is less security.<br>
<br>
Keeping up to date containers with security updates applied and trackable helps solve a real issue. I agree, it is better to do it at your own site, if you can afford it, but like most things security, its not a bool, secure or not, its a spectrum. Providing
tagged up to date images on the hub strengthens the security of a lot of openstacks.<br>
<br>
It also lowers the hugely high bar of getting a production system workable. You don't have to build all the containers from the get go to get a system going. You can do that as you get time to do so.<br>
<br>
Thanks,<br>
Kevin<br>
<br>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF879666" style="direction: ltr;"><font size="2" face="Tahoma" color="#000000"><b>From:</b> Jeffrey Zhang [zhang.lei.fly@gmail.com]<br>
<b>Sent:</b> Monday, April 17, 2017 7:43 PM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] [kolla] Tags, revisions, dockerhub<br>
</font><br>
</div>
<div></div>
<div>
<div dir="ltr">
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
I think we have two topics and improvements here</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
<br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
1. images in <a href="https://hub.docker.com/r/kolla/" target="_blank">https://hub.docker.com/r/kolla/</a></div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
2. tag in end-user env.</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
<br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
# images in <a href="http://hub.docker.com" target="_blank">hub.docker.com</a></div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
<br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
we are building kolla tag image and push them into <a href="http://hub.docker.com" target="_blank">
hub.docker.com</a>. After this,</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
we do nothing for these images.</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
<br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
The issue is</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
<br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
1. any security update is not included in these images.</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
solution: I do not think use 4.0.0-1 4.0.0-2 in <a href="http://hub.docker.com" target="_blank">
hub.docker.com</a> is a good idea.</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
if so, we need mark what 4.0.0-1 container and what's the difference with 4.0.0-2.</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
This will make another chaos. </div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
And any prod env shouldn't depend on <a href="http://hub.docker.com" target="_blank">
hub.docker.com</a>'s images, which is vulnerable </div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
to attack and is mutable. </div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
2. branch images are not pushed.</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
solution: we can add a job to push branch images into <a href="http://hub.docker.com" target="_blank">
hub.docker.com</a> like inc0</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
said. For example:</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
centos-source-nova-api:4.0.0</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
centos-source-nova-api:ocata</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
centos-source-nova-api:pike</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
centos-source-nova-api:master<br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
But branch tag images is not stable ( even its name is stable/ocata ), users are</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
not recommended to use these images </div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
<br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
# images in end-user env</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
<br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
I recommended end user should build its own image rather then use <a href="http://hub.docker.com" target="_blank">
hub.docker.com</a> directly.</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
in my env, I build images with following tag rule.</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
<br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
when using 4.0.0 to build multi time, i use different tag name. For example</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
1st: 4.0.0.1</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
2nd: 4.0.0.2</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
3rd: 4.0.0.3</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
...</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
<br>
</div>
<div class="gmail_default" style="font-family:monospace,monospace; font-size:small">
The advantage in this way is: keep each tag as immutable ( never override )</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Apr 18, 2017 at 6:46 AM, Steve Baker <span dir="ltr">
<<a href="mailto:sbaker@redhat.com" target="_blank">sbaker@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span class="">On Tue, Apr 18, 2017 at 9:57 AM, Doug Hellmann
<span dir="ltr"><<a href="mailto:doug@doughellmann.com" target="_blank">doug@doughellmann.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
Excerpts from Michał Jastrzębski's message of 2017-04-12 15:59:34 -0700:<br>
<span class="m_4179256523659068535gmail-">> My dear Kollegues,<br>
><br>
> Today we had discussion about how to properly name/tag images being<br>
> pushed to dockerhub. That moved towards general discussion on revision<br>
> mgmt.<br>
><br>
> Problem we're trying to solve is this:<br>
> If you build/push images today, your tag is 4.0<br>
> if you do it tomorrow, it's still 4.0, and will keep being 4.0 until<br>
> we tag new release.<br>
><br>
> But image built today is not equal to image built tomorrow, so we<br>
> would like something like 4.0.0-1, 4.0.0-2.<br>
> While we can reasonably detect history of revisions in dockerhub,<br>
> local env will be extremely hard to do.<br>
><br>
> I'd like to ask you for opinions on desired behavior and how we want<br>
> to deal with revision management in general.<br>
><br>
> Cheers,<br>
> Michal<br>
><br>
<br>
</span>What's in the images, kolla? Other OpenStack components? </blockquote>
<div><br>
</div>
</span>
<div>Yes, each image will typically contain all software required for one OpenStack service, including dependencies from OpenStack projects or the base OS. Installed via some combination of git, pip, rpm, deb. </div>
<span class="">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
Where does the<br>
4.0.0 come from?<br>
<br>
</blockquote>
<div><br>
</div>
</span>
<div>Its the python version string from the kolla project itself, so ultimately I think pbr. I'm suggesting that we switch to using the version.release_string[1] which will tag with the longer version we use for other dev packages.</div>
<div><br>
</div>
<div>[1]<a href="https://review.openstack.org/#/c/448380/1/kolla/common/config.py" target="_blank">https://review.openstack.<wbr>org/#/c/448380/1/kolla/common/<wbr>config.py</a> </div>
</div>
<br>
</div>
</div>
<br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">
OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div><span style="font-size:13px; border-collapse:collapse"><font face="monospace, monospace">Regards,</font></span></div>
<div><span style="font-size:13px; border-collapse:collapse"><font face="monospace, monospace">Jeffrey Zhang</font></span></div>
<div><span style="font-family:monospace,monospace; font-size:12.8px">Blog: </span><a href="http://xcodest.me/" style="font-family:monospace,monospace; font-size:12.8px" target="_blank">http://xcodest.me</a><font face="monospace, monospace"><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>