Re: [E] Re: [onap-discuss] [cia] Towards better container images in ONAP

2018-08-21 Thread Tal Liron
On Sun, Aug 19, 2018 at 5:50 PM Michael Still  wrote:

> - Create a repo for "official ONAP base images", basing the contents off
> what is currently used in OOM -- so for example if there are lots of users
> of Ubuntu 16.04, then we just create a ubuntu-lts image in said repo.
>

Well, I don't think this approach gets us very far forward. There's no
advantage in hosting our own Ubuntu 16.04 as opposed to the official one.
The issue I am trying to solve in my proposal is to allow a choice of base
images to be used, and also to have them be unified across ONAP. So rather
than the base image being "ubuntu-lts" it would be "onap-base" (with a few
different tagged flavors), which could be customized as appropriate.


> This at least makes it clearer what we're using, as well as making it
> easier to then "push dependencies down" into those central base images. I
> think it's pretty clear that we need to simplify what we depend on (15
> different JDK base images right now, 11 different specifications for the
> Ubuntu version, etc).
>

Again, I don't think "simplicity" is the main goal here. Simple is nicer,
but if it works, it works. The serious problem, as I see it, is that an
operator likely does not have support contracts for 15 different JDKs and
several different vendored operating systems.


> For reference, there are 96 unique "FROM" lines in ONAP Dockerfiles at the
> moment.
>

That's an intriguing (and scary) number! Can you share with us how you
derived it? It would be useful for tracking our progress.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#11981): https://lists.onap.org/g/onap-discuss/message/11981
Mute This Topic: https://lists.onap.org/mt/24626855/21656
Group Owner: onap-discuss+ow...@lists.onap.org
Unsubscribe: https://lists.onap.org/g/onap-discuss/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
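Tal's reply above asks how a count of unique "FROM" lines could be derived and tracked over time. One way to build such an inventory is sketched here as an added example; it is not part of the thread and not the method Michael used. It groups base images by repository, so that several specifications of the same base show up together, and lists references with no fixed tag or digest. The sample Dockerfiles and the `registry.example` host are constructed.

```python
import re
from collections import defaultdict
from pathlib import Path

# FROM [--platform=...] <image> [AS <stage>]; instruction keywords are case-insensitive.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)

def base_images(text):
    """External base images of one Dockerfile; references to earlier stages are skipped."""
    stages, images = set(), []
    for m in filter(None, map(FROM_RE.match, text.splitlines())):
        ref, stage = m.groups()
        if ref.lower() not in stages and ref.lower() != "scratch":
            images.append(ref)
        if stage:
            stages.add(stage.lower())
    return images

def split_ref(ref):
    """'repo[:tag][@digest]' -> (repo, version); ':' before the last '/' is a registry port."""
    if "$" in ref:  # ARG-substituted reference: cannot be resolved statically
        return ref, "(build-arg)"
    name, _, digest = ref.partition("@")
    repo, tag = name, ""
    if ":" in name.rsplit("/", 1)[-1]:
        repo, tag = name.rsplit(":", 1)
    return repo, ("@" + digest if digest else tag or "latest")

def inventory(dockerfiles):
    """{path: text} -> (repo -> set of versions, [(path, ref)] pinned to no tag or digest)."""
    by_repo, floating = defaultdict(set), []
    for path, text in sorted(dockerfiles.items()):
        for ref in base_images(text):
            repo, version = split_ref(ref)
            by_repo[repo].add(version)
            if version == "latest":
                floating.append((path, ref))
    return dict(by_repo), floating

def scan(root):
    paths = [p for p in Path(root).rglob("Dockerfile*") if p.is_file()]
    return inventory({str(p): p.read_text(errors="replace") for p in paths})

SAMPLE = {  # constructed sample input, not taken from the ONAP repositories
    "a/Dockerfile": "FROM ubuntu:16.04\nRUN apt-get update\n",
    "b/Dockerfile": "from ubuntu:xenial\n",
    "c/Dockerfile": "FROM openjdk:8-jdk-alpine AS build\nFROM build AS test\nFROM ubuntu\n",
    "d/Dockerfile": "FROM --platform=linux/amd64 registry.example:5000/onap-base\n",
}
```

Calling `scan()` on a source checkout returns the same two results as `inventory(SAMPLE)`; the sum of the set sizes is the number of distinct base image specifications, which can be recorded per release to track consolidation.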



Re: [E] Re: [onap-discuss] [cia] Towards better container images in ONAP

2018-08-19 Thread Michael Still
On Sat, Aug 18, 2018 at 4:12 AM Viswanath V Kumar Skand Priya <
viswanath.kumarskandpr...@verizon.com> wrote:

> Hi Tal / All,
>
> Thanks for starting this thread to address this important issue and I
> second both Tal's & Michael's view as well. In fact we are now currently
> breaking our heads to bring up ONAP "behind corporate proxies" and almost
> 80% of the operational issues which we always run into are these internet
> dependencies.
>

I was thinking about this more over the weekend, and I am starting to think
that a process like this would work reasonably:

- Create a repo for "official ONAP base images", basing the contents off
what is currently used in OOM -- so for example if there are lots of users
of Ubuntu 16.04, then we just create a ubuntu-lts image in said repo.

- Rebase existing Dockerfiles to use the official base image which maps to
their current base.

This at least makes it clearer what we're using, as well as making it
easier to then "push dependencies down" into those central base images. I
think it's pretty clear that we need to simplify what we depend on (15
different JDK base images right now, 11 different specifications for the
Ubuntu version, etc).

I'm not opposed to letting deployers substitute their chosen SOE images in
for the central ones, and having those all in one place would certainly
make that easier.

For reference, there are 96 unique "FROM" lines in ONAP Dockerfiles at the
moment.

Thoughts?

Michael




Re: [E] Re: [onap-discuss] [cia] Towards better container images in ONAP

2018-08-17 Thread Viswanath Kumar Skand Priya via Lists.Onap.Org
Hi Tal / All,

Thanks for starting this thread to address this important issue and I
second both Tal's & Michael's view as well. In fact we are now currently
breaking our heads to bring up ONAP "behind corporate proxies" and almost
80% of the operational issues which we always run into are these internet
dependencies.

Back at the Beijing summit, a topic related to "Offline OOM" was presented;
however, we are unable to find more information on that to try it out
locally. As of now we are hitting trial-and-run to find direct & indirect
dependencies to bring each container image and trying our best to cache &
limit our dependencies on the outside internet. Needless to say this is the
case for our lab and now just imagine the production scenario where our Ops
would go mad if we ask them to open the world for ONAP.

As Tal rightly pointed out, we do have a curated list of preferred OS,
library stacks and port lists and anything that overrides this list we have
to take a long-list-of-approval chains in order to get them under accepted
list. While I'm excited about the notion of building container images
based on preferred base, I'm also getting scared about the possibilities
of unearthing new unseen issues due to this base change, which would have
skipped through community hardening, as they would have no idea on how we
would intend to cook the container locally.

Worst case, if there is a vulnerability introduced in these base packages,
how would these get tracked, fixed and updated and how many different
permutations & combinations that can lead to. I guess we have opened
Pandora's box and a lot of surprises are awaiting us.

BR,
Viswa



Viswanath Kumar Skand Priya
Senior Architect
Technology, Architecture & Planning



On Fri, Aug 17, 2018 at 6:59 AM Michael Still  wrote:

> On Fri, Aug 10, 2018 at 5:17 AM Tal Liron  wrote:
>
>> Hi everyone,
>>
>> My colleague Leif Madsen and I have done some research and I'd like to
>> present our conclusions as an opening to discussion. If there's interest in
>> this, we are happy to also do a proof-of-concept to show how this would
>> look in practice.
>>
>
> Thanks for starting this thread -- I think it's an important conversation
> and one I am personally interested in helping out with, especially if we
> can get over the desire to have meetings in the middle of the night.
>
> I think there's another factor in play here that I want to make sure is on
> your radar. I don't know about in other countries, but I am yet to
> encounter a non-trivial enterprise in Australia which gives their
> production environments internet access. At the moment several ONAP
> components run shell scripts on start which pull packages from the internet
> (either OS packages, or python pip packages). This simply won't work in many
> production environments -- as well as meaning that operations staff don't
> know what version of the software they're running any more.
>
> I'd like to see those dependencies pushed into the container images more
> formally during the build process. Perhaps that's something we can solve at
> the same time?
>
> Thanks,
> Michael
>
>
> 
>
