[openstack-dev] [zun] sandbox and clearcontainers

Kumari, Madhuri madhuri.kumari at intel.com
Wed Jul 12 04:53:32 UTC 2017

Hi Surya,

Please see my response inline.
Currently Zun has two drivers for managing containers: Docker and NovaDocker. Sandbox was initially implemented for the NovaDocker driver, which we are going to deprecate soon.
Also we are working on making the sandbox optional for the Docker driver. See patch [1] for the code.

[1] https://review.openstack.org/#/c/471634/


From: Surya.Prabhakar at dell.com [mailto:Surya.Prabhakar at dell.com]
Sent: Wednesday, July 12, 2017 4:44 AM
To: openstack-dev at lists.openstack.org
Subject: [openstack-dev] [zun] sandbox and clearcontainers

Hi Folks,
        I am just trying to wrap my head around Zun's sandboxing and Clear Containers. From what Hongbin said in Barcelona (see the attached picture, which I scraped from his video)

[attached image: image003.jpg]

the current implementation in Zun is that the sandbox is the outer container and the real user container is nested inside the sandbox. I am trying to figure out how this is going to play out when we have Clear Containers.
[Kumari, Madhuri] The sandbox container is just an infra container that manages the IaaS resources associated with a container or a group of containers. The real container only uses the resources attached to the infra container; it is not running inside the infra container, so no other virtualization layer is involved here.

I envision the following scenarios:

1) Scenario 1: the sandbox itself is a Clear Container and the user will nest another Clear Container inside the sandbox. This is like nested virtualization. But I am not sure how this is going to work, since the nested containers won't get the VT-d CPU flags.

2) Scenario 2: the outer sandbox is just going to be a standard Docker container without VT-d, and the inside container is going to be the real Clear Container with VT-d. Now this might work well, but we might be losing the isolation features for the network and storage, which lie open in the sandbox. Won't this defeat the whole purpose of using Clear Containers?

[Kumari, Madhuri] I have tried to run the infra container as a Docker container and the real container as a Clear Container, and it seems to work well. But I agree with your point that we might lose the advantage of using Clear Containers.

So after the sandbox is made optional, we can run a Clear Container directly without any sandbox, thus solving the issue.

I am just wondering what the thought process is for this design inside Zun. If this is trivial and I am missing something, please shed some light :).

Surya ( spn )
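To make the "infra container" model in the reply above concrete, here is an added example (not Zun's driver code and not from either poster) that builds the Docker invocations a driver would issue for the two cases discussed: a runc sandbox whose namespaces the user container joins, and the sandbox-optional case where the Clear Container runs on its own. The `--network`/`--ipc`/`--pid container:<name>` and `--runtime` flags are real `docker run` options; the runtime name `cc-runtime`, the image names and all helper names are assumptions made for this illustration.

```python
"""Infra-container (sandbox) pattern: a long-lived container owns the
network/IPC/PID namespaces and the user container joins them instead of
being nested inside. Illustrative code, not Zun's implementation."""
from dataclasses import dataclass, field
from typing import List, Optional

RUNC = "runc"          # default OCI runtime: shared host kernel, namespaces only
CLEAR = "cc-runtime"   # Clear Containers runtime name (assumption)
INFRA_IMAGE = "infra-image:placeholder"  # constructed placeholder, e.g. a pause image


@dataclass
class Plan:
    """The docker commands a driver would run, in order, plus a note when the
    combination gives up the isolation the user expected."""
    commands: List[List[str]] = field(default_factory=list)
    isolation_gap: Optional[str] = None


def sandbox_create_args(sandbox_name: str, runtime: str) -> List[str]:
    """The infra container does nothing itself; it exists so that ports,
    volumes and namespaces have a stable owner while user containers come and go."""
    return ["docker", "run", "-d", "--name", sandbox_name,
            "--runtime", runtime, INFRA_IMAGE]


def user_create_args(name: str, image: str, runtime: str,
                     sandbox_name: Optional[str] = None) -> List[str]:
    """Create the real container. With a sandbox it joins the sandbox's
    namespaces (no nesting: the user container has no network stack of its
    own, it reuses the sandbox's). Without one it gets its own namespaces."""
    args = ["docker", "run", "-d", "--name", name, "--runtime", runtime]
    if sandbox_name is not None:
        for ns in ("network", "ipc", "pid"):
            args += [f"--{ns}", f"container:{sandbox_name}"]
    args.append(image)
    return args


def build_plan(name: str, image: str, user_runtime: str,
               sandbox_runtime: Optional[str] = None) -> Plan:
    """sandbox_runtime=None models the sandbox-optional driver: the user
    container is created directly and isolation is whatever its runtime gives."""
    plan = Plan()
    if sandbox_runtime is None:
        plan.commands.append(user_create_args(name, image, user_runtime))
        return plan

    sandbox = f"{name}-sandbox"
    plan.commands.append(sandbox_create_args(sandbox, sandbox_runtime))
    plan.commands.append(user_create_args(name, image, user_runtime, sandbox))

    # Scenario 2 from the thread: the VM-isolated user container joins
    # namespaces owned by a plain runc container, so its network and IPC
    # endpoints live in a namespace that the host kernel, not the VM, enforces.
    if user_runtime == CLEAR and sandbox_runtime != CLEAR:
        plan.isolation_gap = (
            f"{name} runs under {CLEAR} but shares network/ipc/pid with "
            f"{sandbox} ({sandbox_runtime}); those namespaces are not inside the VM"
        )
    return plan


if __name__ == "__main__":
    for label, plan in (
        ("runc sandbox + Clear Container", build_plan("app", "app-image:placeholder", CLEAR, RUNC)),
        ("no sandbox, Clear Container", build_plan("app", "app-image:placeholder", CLEAR)),
    ):
        print(label)
        for cmd in plan.commands:
            print("  ", " ".join(cmd))
        if plan.isolation_gap:
            print("   gap:", plan.isolation_gap)
```

Running the script prints the two command sequences; the first is flagged because the Clear Container's network and IPC sit in the runc sandbox's namespaces, which is exactly the loss of isolation the thread points out, while the sandbox-less plan issues a single `docker run --runtime cc-runtime` and carries no such note.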
