<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi Surya,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">First, I would like to provide some context for folks who are not familiar with the sandbox concept in Zun. The “sandbox” is for providing isolated environment for one or multiple containers. In docker driver,
we used it as a placeholder of a set of Linux namespaces (i.e. network, ipc, etc.) that the “real” container(s) is going to run. For example, if end-user run “zun run nginx”, Zun will first create an infra container (sandbox) and leverage the set of Linux
namespace it creates, then Zun will create the “real” (nginx) container by using the Linux namespaces of the infra container. Strictly speaking, this is not container inside container, but it is container inside a set of pre-existing Linux namespaces.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Second, we are working on making sandbox optional [1]. After this feature is implemented (targeted on Pike), operators can configure Zun into one of the two modes: “container-in-sandbox” and “standalone container”.
Each container driver will have a choice to support either modes or support both. For clear container, I assume it can be integrated with Zun via a clear container driver. Then, the driver can implement the “standalone” mode, in which there is only a bare
clear container. An alternative is to implement “container-in-sandbox” mode. In this scenario, the sandbox itself is a clear container as you mentioned. Inside the clear container, I guess there is a kernel that can be used to boot user’s container image(s)
(like how to run hypercontainer as pod [2]). However, I am not exactly sure if this scenario is possible.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Hope this answers your question.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">[1] <a href="https://blueprints.launchpad.net/zun/+spec/make-sandbox-optional">
https://blueprints.launchpad.net/zun/+spec/make-sandbox-optional</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">[2] <a href="http://blog.kubernetes.io/2016/05/hypernetes-security-and-multi-tenancy-in-kubernetes.html">
http://blog.kubernetes.io/2016/05/hypernetes-security-and-multi-tenancy-in-kubernetes.html</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Hongbin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Surya.Prabhakar@dell.com [mailto:Surya.Prabhakar@dell.com]
<br>
<b>Sent:</b> July-11-17 7:14 PM<br>
<b>To:</b> openstack-dev@lists.openstack.org<br>
<b>Subject:</b> [openstack-dev] [zun] sandbox and clearcontainers<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span lang="EN-GB" style="font-size:9.0pt;font-family:"Arial","sans-serif";color:#AAAAAA">Dell - Internal Use - Confidential
</span></b><span lang="EN-GB" style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Hi Folks, <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> I am just trying to wrap my head around zun’s sandboxing and clear containers. From what Hongbin told in Barcelona ( see the attached pic which I scrapped from his video)
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><img border="0" width="433" height="241" id="Picture_x0020_1" src="cid:image002.jpg@01D2FA9E.8B2A7D00"></span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">current implementation in Zun is, Sandbox is the outer container and the real user container is nested inside the sandbox. I am trying to figure out how this is going to play out<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">when we have clear containers. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">I envision the following scenarios:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="margin-left:54.0pt;text-indent:-18.0pt"><span lang="EN-GB">1)</span><span lang="EN-GB" style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span><span lang="EN-GB">Scenario 1: where the sandbox itself is a clear container and user will nest another clear container inside the sandbox. This is like nested virtualization.
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:54.0pt"><span lang="EN-GB">But I am not sure how this is going to work since the nested containers won’t get VT-D cpu flags.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:54.0pt;text-indent:-18.0pt"><span lang="EN-GB">2)</span><span lang="EN-GB" style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span><span lang="EN-GB">Scenario 2: the outer sandbox is just going to be a standard docker container without vt-d and the inside container is going to be the real clear container with vt-d. Now this
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:54.0pt"><span lang="EN-GB">might work well but we might be losing the isolation features for the network and storage which lies open in the sandbox. Wont this defeat the whole purpose of using clear containers.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">I am just wondering what is the thought process for this design inside zun. If this is trivial and if I am missing something please shed some light
</span><span lang="EN-GB" style="font-family:Wingdings">J</span><span lang="EN-GB">.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Surya ( spn ) <o:p></o:p></span></p>
</div>
</div>
</body>
</html>