<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 15/08/18 21:32, Cédric Jeanneret
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:f6005e48-c40c-bbbe-3bd7-d673cb2d89d5@redhat.com">
<pre wrap="">Dear Community,
As you may know, a move toward Podman as replacement of Docker is starting.
One of the issues with podman is the lack of daemon, precisely the lack
of a socket allowing to send commands and get a "computer formatted
output" (like JSON or YAML or...).
In order to work that out, Podman has added support for varlink¹, using
the "socket activation" feature in Systemd.
On my side, I would like to push forward the integration of varlink in
TripleO deployed containers, especially since it will allow the following:
# proper interface with Paunch (via python link)
</pre>
</blockquote>
I'm not sure this would be desirable. If we're going to all
container management via a socket I think we'd be better supported
by using CRI-O. One of the advantages I see of podman is being able
to manage services with systemd again.<br>
<blockquote type="cite"
cite="mid:f6005e48-c40c-bbbe-3bd7-d673cb2d89d5@redhat.com">
<pre wrap="">
# a way to manage containers from within specific containers (think
"healthcheck", "monitoring") by mounting the socket as a shared volume
# a way to get container statistics (think "metrics")
# a way, if needed, to get an ansible module being able to talk to
podman (JSON is always better than plain text)
# a way to secure the accesses to Podman management (we have to define
how varlink talks to Podman, maybe providing dedicated socket with
dedicated rights so that we can have dedicated users for specific tasks)
</pre>
</blockquote>
Some of these cases might prove to be useful, but I do wonder if
just making podman calls would be just as simple without the
complexity of having another host-level service to manage. We can
still do podman operations inside containers by bind-mounting in the
container state.<br>
<br>
<blockquote type="cite"
cite="mid:f6005e48-c40c-bbbe-3bd7-d673cb2d89d5@redhat.com">
<pre wrap="">
That said, I have some questions:
° Does any of you have some experience with varlink and podman interface?
° What do you think about that integration wish?
° Does any of you have concern with this possible addition?
</pre>
</blockquote>
I do worry a bit that it is advocating for a solution before we
really understand the problems. The biggest unknown for me is what
we do about healthchecks. Maybe varlink is part of the solution
here, or maybe its a systemd timer which executes the healthcheck
and restarts the service when required.<br>
<blockquote type="cite"
cite="mid:f6005e48-c40c-bbbe-3bd7-d673cb2d89d5@redhat.com">
<pre wrap="">
Thank you for your feedback and ideas.
Have a great day (or evening, or whatever suits the time you're reading
this ;))!
C.
¹ <a class="moz-txt-link-freetext" href="https://www.projectatomic.io/blog/2018/05/podman-varlink/">https://www.projectatomic.io/blog/2018/05/podman-varlink/</a>
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>