Hi Surya,

First, I would like to provide some context for folks who are not familiar with 
the sandbox concept in Zun. The "sandbox" provides an isolated environment 
for one or multiple containers. In the docker driver, we used it as a placeholder 
for a set of Linux namespaces (i.e. network, ipc, etc.) in which the "real" 
container(s) is going to run. For example, if an end-user runs "zun run nginx", Zun 
will first create an infra container (sandbox) and leverage the set of Linux 
namespaces it creates, then Zun will create the "real" (nginx) container by 
using the Linux namespaces of the infra container. Strictly speaking, this is 
not a container inside a container, but a container inside a set of 
pre-existing Linux namespaces.

Second, we are working on making the sandbox optional [1]. After this feature is 
implemented (targeted on Pike), operators can configure Zun into one of two 
modes: "container-in-sandbox" and "standalone container". Each container driver 
will have a choice to support either mode or both. For clear 
containers, I assume they can be integrated with Zun via a clear container driver. 
Then, the driver can implement the "standalone" mode, in which there is only a 
bare clear container. An alternative is to implement the "container-in-sandbox" 
mode. In this scenario, the sandbox itself is a clear container as you 
mentioned. Inside the clear container, I guess there is a kernel that can be 
used to boot the user's container image(s) (like how hypercontainer is run as a pod 
[2]). However, I am not exactly sure if this scenario is possible.

Hope this answers your question.

[1] https://blueprints.launchpad.net/zun/+spec/make-sandbox-optional
[2] http://blog.kubernetes.io/2016/05/hypernetes-security-and-multi-tenancy-in-kubernetes.html

Best regards,
Hongbin
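The infra-container pattern Hongbin describes in his first paragraph, as an added example in plain docker CLI commands (not Zun's own code): it assumes docker is installed, uses alpine as a stand-in for Zun's sandbox image, and the container names are made up for the demo. The two checks at the end show what "inside a set of pre-existing namespaces" means in practice: the nginx container shares the sandbox's network namespace and can see the sandbox's PID 1.

```shell
#!/bin/sh
# Added example, not Zun's own code: the "infra container + real container"
# pattern of the docker driver, expressed as plain docker CLI calls.
# Assumptions: docker is installed; alpine stands in for Zun's sandbox image;
# the container names below are made up for the demo.
set -eu

SANDBOX=zun-sandbox-demo   # infra container that owns the namespaces
APP=zun-app-demo           # the "real" user container (nginx)

# Build the docker run flags that make a container join the sandbox's
# network, IPC and PID namespaces instead of getting its own.
# Pure function (no docker call), so it can be checked without a daemon.
sandbox_ns_args() {
  printf -- '--net=container:%s --ipc=container:%s --pid=container:%s' "$1" "$1" "$1"
}

# Identity of the network namespace a process in the container runs in.
container_netns() {
  docker exec "$1" readlink /proc/self/ns/net
}

run_demo() {
  # 1. Create the sandbox: a container that does nothing except hold namespaces.
  docker run -d --name "$SANDBOX" alpine:3 sleep 3600 >/dev/null
  # 2. Create the real container inside those namespaces ("zun run nginx").
  #    Word-splitting of the flag string is intended here.
  # shellcheck disable=SC2046
  docker run -d --name "$APP" $(sandbox_ns_args "$SANDBOX") nginx:alpine >/dev/null

  # Check 1: both containers report the same network namespace.
  sb_ns=$(container_netns "$SANDBOX"); app_ns=$(container_netns "$APP")
  [ "$sb_ns" = "$app_ns" ] || { echo "net namespaces differ: $sb_ns vs $app_ns" >&2; return 1; }
  # Check 2: with a shared PID namespace, PID 1 seen from nginx is the sandbox's
  # "sleep", i.e. the two containers see (and can signal) each other's processes.
  # This is the boundary Surya's scenario 2 asks about: network, IPC and PID
  # isolation is only as strong as the sandbox that owns those namespaces.
  [ "$(docker exec "$APP" cat /proc/1/comm)" = "sleep" ] || { echo "pid ns not shared" >&2; return 1; }
  echo "ok: $APP shares net/ipc/pid namespaces of $SANDBOX ($app_ns)"

  docker rm -f "$APP" "$SANDBOX" >/dev/null
}

# Only talk to docker when explicitly asked: sh demo.sh run
if [ "${1:-}" = "run" ]; then run_demo; fi
```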

From: [email protected] [mailto:[email protected]]
Sent: July-11-17 7:14 PM
To: [email protected]
Subject: [openstack-dev] [zun] sandbox and clearcontainers

Hi Folks,
        I am just trying to wrap my head around zun's sandboxing and clear 
containers. From what Hongbin told in Barcelona (see the attached pic which 
I scrapped from his video), the current implementation in Zun is that the sandbox 
is the outer container and the real user container is nested inside the sandbox. 
I am trying to figure out how this is going to play out when we have clear 
containers.

I envision the following scenarios:

1) Scenario 1: the sandbox itself is a clear container and the user will 
nest another clear container inside the sandbox. This is like nested 
virtualization. But I am not sure how this is going to work since the nested 
containers won't get VT-D cpu flags.

2) Scenario 2: the outer sandbox is just going to be a standard docker 
container without vt-d and the inside container is going to be the real clear 
container with vt-d. Now this might work well, but we might be losing the 
isolation features for the network and storage, which lie open in the sandbox. 
Won't this defeat the whole purpose of using clear containers?

I am just wondering what the thought process is for this design inside zun. If 
this is trivial and I am missing something, please shed some light :).

Thanks
Surya ( spn )
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev