<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">
<style type="text/css" id="owaParaStyle">P {margin-top:0;margin-bottom:0;}</style>
</head>
<body fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">I'm not sure I follow the problem. The containers being built don't pull from infra's mirrors, so they can be secure containers. Once built, during deploy/testing, they don't install
anything, so shouldn't have any issues there either.<br>
<br>
Am I misunderstanding?<br>
<br>
Thanks,<br>
Kevin<br>
<br>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF567249" style="direction: ltr;"><font size="2" face="Tahoma" color="#000000"><b>From:</b> Sam Yaple [samuel@yaple.net]<br>
<b>Sent:</b> Tuesday, May 16, 2017 7:11 AM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] [tc][infra][release][security][stable][kolla][loci][tripleo][docker][kubernetes] do we want to be publishing binary container images?<br>
</font><br>
</div>
<div></div>
<div>
<div dir="ltr">I would like to bring up a subject that hasn't really been discussed in this thread yet, forgive me if I missed an email mentioning this.
<div><br>
</div>
<div>What I personally would like to see is a publishing infrastructure to allow pushing built images to an internal infra mirror/repo/registry for consumption of internal infra jobs (deployment tools like kolla-ansible and openstack-ansible). The images built
from infra mirrors with security turned off are perfect for testing internally to infra.<br>
</div>
<div><br>
</div>
<div>If you build images properly in infra, then you will have an image that is not security checked (no gpg verification of packages) and completely unverifiable. These are absolutely not images we want to push to DockerHub/quay for obvious reasons. Security
and verification being chief among them. They are absolutely not images that should ever be run in production and are only suited for testing. These are the only types of images that can come out of infra.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>SamYaple</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, May 16, 2017 at 1:57 PM, Michał Jastrzębski <span dir="ltr">
<<a href="mailto:inc007@gmail.com" target="_blank">inc007@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<span class="">On 16 May 2017 at 06:22, Doug Hellmann <<a href="mailto:doug@doughellmann.com" target="_blank">doug@doughellmann.com</a>> wrote:<br>
</span>
<div>
<div class="h5">> Excerpts from Thierry Carrez's message of 2017-05-16 14:08:07 +0200:<br>
>> Flavio Percoco wrote:<br>
>> > From a release perspective, as Doug mentioned, we've avoided releasing projects<br>
>> > in any kind of built form. This was also one of the concerns I raised when<br>
>> > working on the proposal to support other programming languages. The problem of<br>
>> > releasing built images goes beyond the infrastructure requirements. It's the<br>
>> > message and the guarantees implied with the built product itself that are the<br>
>> > concern here. And I tend to agree with Doug that this might be a problem for us<br>
>> > as a community. Unfortunately, putting your name, Michal, as contact point is<br>
>> > not enough. Kolla is not the only project producing container images and we need<br>
>> > to be consistent in the way we release these images.<br>
>> ><br>
>> > Nothing prevents people from building their own images and uploading them to<br>
>> > dockerhub. Having this as part of OpenStack's pipeline is a problem.<br>
>><br>
>> I totally subscribe to the concerns around publishing binaries (under<br>
>> any form), and the expectations in terms of security maintenance that it<br>
>> would set on the publisher. At the same time, we need to have images<br>
>> available, for convenience and testing. So what is the best way to<br>
>> achieve that without setting strong security maintenance expectations<br>
>> for the OpenStack community? We have several options:<br>
>><br>
>> 1/ Have third-parties publish images<br>
>> It is the current situation. The issue is that the Kolla team (and<br>
>> likely others) would rather automate the process and use OpenStack<br>
>> infrastructure for it.<br>
>><br>
>> 2/ Have third-parties publish images, but through OpenStack infra<br>
>> This would allow us to automate the process, but it would be a bit weird to<br>
>> use common infra resources to publish in a private repo.<br>
>><br>
>> 3/ Publish transient (per-commit or daily) images<br>
>> A "daily build" (especially if you replace it every day) would set<br>
>> relatively-limited expectations in terms of maintenance. It would end up<br>
>> picking up security updates in upstream layers, even if not immediately.<br>
>><br>
>> 4/ Publish images and own them<br>
>> Staff release / VMT / stable team in a way that lets us properly own<br>
>> those images and publish them officially.<br>
>><br>
>> Personally I think (4) is not realistic. I think we could make (3) work,<br>
>> and I prefer it to (2). If all else fails, we should keep (1).<br>
>><br>
><br>
> At the forum we talked about putting test images on a "private"<br>
> repository hosted on <a href="http://openstack.org" rel="noreferrer" target="_blank">
openstack.org</a> somewhere. I think that's option<br>
> 3 from your list?<br>
><br>
> Paul may be able to shed more light on the details of the technology<br>
> (maybe it's just an Apache-served repo, rather than a full blown<br>
> instance of Docker's service, for example).<br>
<br>
</div>
</div>
Issue with that is<br>
<br>
1. Apache served is harder to use because we want to follow docker API<br>
and we'd have to reimplement it<br>
2. Running registry is single command<br>
3. If we host it in infra, in case someone actually uses it (there<br>
will be people like that), that will eat up a lot of network traffic<br>
potentially<br>
4. With local caching of images (working already) in nodepools we<br>
lose complexity of mirroring registries across nodepools<br>
<br>
So bottom line, having dockerhub/<a href="http://quay.io" rel="noreferrer" target="_blank">quay.io</a> is simply easier.<br>
<div class="HOEnZb">
<div class="h5"><br>
> Doug<br>
><br>
> ______________________________<wbr>______________________________<wbr>______________<br>
> OpenStack Development Mailing List (not for usage questions)<br>
> Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">
OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">
http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</body>
</html>