Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-10-12 Thread Tobias Florek
Hi,
>>> I think we need to discuss this with the systemd team.  We are currently
>>> looking into running non-privileged containers as a user launched
>>> at boot time using systemd.
>>>
>>> Lukas, what are the chances of getting a systemd that would run as a non-root
>>> user as pid 1 inside of a container?  Could we execute systemd-user
>>> to do something like that?
>> Currently this is not possible, but I think making that work
>> would require just minor changes. Anyway, I don't want to promise
>> anything, so can we postpone this discussion to the systemd conference?
>>
>> Lukas

Now that the systemd conference has been a success, I wanted to ask whether
you had a chance to look into it?

Cheers,
 Tobias Florek
Re: [atomic-devel] How to apply non-atomic tuned profiles to atomic host

2016-10-12 Thread Colin Walters

On Tue, Oct 11, 2016, at 02:45 PM, Jeremy Eder wrote:
> Because layered products (not just OpenShift) do not want to be
> coupled to the RHEL release schedule to update their profiles.  They
> want to own their profiles and rely on the tuned daemon to be there.

I see two aspects to this discussion:

1) Generic tradeoffs with host configuration
2) The specific discussion about tuned profiles

Following 2) if I run:

$ cd ~/src/github/openshift/origin
$ git describe --tags --always
v1.3.-rc1-14-ge9081ae
$ git log --follow contrib/tuned/origin-node-host/tuned.conf

There are a grand total of *two* commits that aren't mere
code reorganization:

commit d959d25a405bb28568a17f8bf1b79e7d427ae0dc
Author: Jeremy Eder 
AuthorDate: Tue Mar 29 10:40:03 2016 -0400
Commit: Jeremy Eder 
CommitDate: Tue Mar 29 10:40:03 2016 -0400

bump inotify watches

commit c11cb47c07e24bfeec22a7cf94b0d6d693a00883
Author: Scott Dodson 
AuthorDate: Thu Feb 12 13:06:57 2015 -0500
Commit: Scott Dodson 
CommitDate: Wed Mar 11 16:41:08 2015 -0400

Provide both a host and guest profile

That level of change seems quite sufficient for the slower
RHEL cadence, no?

Particularly when one considers that something like the
inotify watch bump could easily be part of a "tuned updates"
in the installer that would live there until the base tuned
profile updates.

Right?

> Before we go the layered RPM route I just want to make sure you're
> onboard with it, as I was not aware of any existing in-product users
> of that feature.  Are there any? If we're the first that's not an
> issue, just want to make sure we get it right.

In this particular case of tuned, I'd argue that Atomic Host should come
out of the box with these profiles, and that any async updates could be
done via the openshift-ansible installer.