From YouTube: SIG Node Sidecar WG 2023-09-19
Description
Meeting notes and agenda: https://docs.google.com/document/d/1E1guvFJ5KBQIGcjCrQqFywU9_cBQHRtHvjuqcVbCXvU/edit#heading=h.m8xoiv5t6qma
GMT20230919-160418_Recording_1742x1120.mp4
B
Hello, it's September 19, 2023. This is a sidecar working group meeting. Welcome, everybody. Let's get an agenda going. You go first.
B
We can suggest it; I don't see a reason why not, so yeah, let's make it happen. Just yesterday I discussed with [inaudible] about tracking issues. We have similar problems for the In-Place update KEP: we have so many issues that it's really hard to query them all. Okay, so we'll work on that.
B
Good, maybe the label will be different. Let me ask who can do it, and I...
D
So this is kind of an issue that Paco had created, and it's related to the ability of allocating CPUs exclusively at a container level. Currently, the CPU manager, if it's enabled with its static policy, looks at the quality of service of your pod, and only if you specifically indicated, through an integer CPU request, does it ensure that CPUs are exclusively allocated.
D
So I think what Paco was requesting was that we have the ability for a container to be observed, or evaluated, independently of the overall quality of service of the pod, and I had some potential solutions for a way of achieving that. So I left a comment there, and if you scroll a little bit more I think you should see it. Yeah, that one; I think you just scrolled past it. No, I'll share the link.
D
The one before this. Yeah, that one. So this basically talks about a new kubelet flag, something like a CPU manager scope, and this is very similar to what we have with the topology manager: we have a topology manager scope, and this would allow us to evaluate a container independently, kind of independent of its QoS class. So that was the main idea. In addition to that, we would need some changes in the resource requirements.
D
spec itself, which you'd see in the pod spec, and you can see the example below, which I have there. So we can introduce something like a resource constraint, and then we can say that for a specific resource we have this constraint. I want to have this as a very generic solution, and not just specific to init containers, because I've seen a lot of other use cases for this. So I'm just here to discuss that and get a sense of how everyone feels about it.
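The shape being described can be sketched as a pod spec. This is a reconstruction of the idea only: the `resourceConstraints` field and its values are hypothetical, taken from this discussion, not an existing Kubernetes API.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: constraint-demo
spec:
  containers:
  - name: worker
    resources:
      requests:
        cpu: "2"
      limits:
        cpu: "2"
      # Hypothetical field from the proposal: resources listed here must be
      # allocated exclusively to this container, regardless of pod QoS.
      resourceConstraints:
      - resource: cpu
        constraint: exclusive
  - name: logging-sidecar
    resources:
      requests:
        cpu: 500m
```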
B
I'm thinking about it, so I still need some time to absorb the suggestion. I know in the topology manager the scope may be either pod or container, but if it's container, then you only look at the container level. You cannot say: these two containers you look at together, and the other containers you look at separately, right?
D
Yeah. So in this case, the way I envision this is: if we have the CPU manager scope as pod, we would default to the current behavior, and that would allow us to get the backward compatibility that we obviously need; the container option is going to give us the new feature, the capability that we want. So we look at each container independently.
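As a rough sketch, the proposed flag would sit next to the existing topology manager scope in the kubelet configuration; `cpuManagerScope` here is hypothetical, while the other fields exist today.

```yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cpuManagerPolicy: static        # existing: static policy enables exclusive CPUs
topologyManagerScope: container # existing analogue of the proposed flag
cpuManagerScope: container      # hypothetical: "pod" keeps today's behavior,
                                # "container" evaluates each container on its own
```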
D
The only problem, which is something that I've highlighted at the end of this comment, is that we want to ensure that the container, or rather the pod in general, has guarantees around exclusive allocations. Now this container is requesting exclusive allocation, but because it's not part of a pod that is guaranteed, it could be evicted by a pod that is guaranteed. So we want to give these kinds of pods more priority. So one way of handling that...
B
Okay, and is it a scenario where all the main containers want to share CPU and the sidecar is working on some shared pool of CPUs, or is that not a scenario?
D
I think at this early stage I haven't thought about a separate shared pool, if that's what you're asking about. The way I see it is: we have a shared pool, and then we have exclusive CPUs. So a container that's requesting exclusive CPUs would be getting exclusive CPUs, and everything else would be in the shared pool. So there's no separation of the shared pool.
B
Can I ask for all the main containers to share the same CPUs? Because I see the sidecar is a little bit different: often sidecars don't need access to the same memory or the same CPU or the same devices, because they simply provide some networking or logging functionality that doesn't really need to be there. It only needs the same file system and the same network as the other containers; it doesn't need to know about the resources of the other containers.
D
But that's precisely what containers that don't have an exclusive requirement get, so this is exactly for normal containers; we have the same requirements. So imagine a pod that has two containers: one that is running a busy-loop DPDK application, and another container that is just doing some sort of logging. Essentially, for the second container, being on the shared pool is fine; it doesn't really care.
B
Yeah, I think this feature will be very valuable, the way you explain it. Are there any other questions?
B
Is anybody else going to ask a question? But yeah, I mean, our main motivation for sidecars: there are many reasons why you need sidecars, and Istio is actually moving to an eBPF approach, and we have different stories there. But what we see more and more is AI/ML workloads; they want to be resource efficient, and they need all those resource managers because of device access, and they need logging and monitoring and so on. That's why sidecars became more and more interesting to the community.
B
From that perspective, I think this is an important feature, and if it lands in 1.29 it will be great. Now the question is: I see two APIs. You want to introduce two APIs, right? The first API is a kubelet flag, and the second API is the resource constraints.
D
This is going to be applicable to any container that specifies this resource constraint, and it would depend on how the node has been configured. That's very intentional, because I've seen in the code that, in a lot of places, when we are evaluating containers, the first thing that we do is append normal containers to init containers and then evaluate them, and I just want to make sure that we continue to respect that.
B
Yeah, it makes sense. It may be challenging for 1.29; anything related to resource utilization can be challenging. So can you explain again what the resource constraints do?
D
So currently, the CPU manager looks at the quality of service of a pod. For example, if you look at the first container here, it has an integer CPU request, but the overall quality of service of this particular pod is Burstable, so the CPU manager would actually not even allocate exclusive CPUs for the first container. That's essentially the problem that we are trying to solve. What we are trying to do is make this requirement explicit, as opposed to earlier, when it was implicit.
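A minimal sketch of the kind of pod being described (reconstructed; the issue's actual example may differ): the first container requests integer CPUs, but a sibling container without limits makes the pod's QoS class Burstable, so the static policy gives the first container no exclusive CPUs.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: burstable-demo
spec:
  containers:
  - name: dpdk-app            # integer CPU request, wants pinned CPUs
    resources:
      requests:
        cpu: "4"
      limits:
        cpu: "4"
  - name: log-forwarder       # no limits -> pod QoS becomes Burstable
    resources:
      requests:
        cpu: 100m
```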
D
Only if you have a Guaranteed quality of service pod, and integer CPU requests within the container, will it be allocated exclusive CPUs. So it's like you have to go read the CPU manager documentation to figure out how to actually request exclusive CPUs. With this, we would be making the request more explicit.
B
So in the swap KEP we wanted to make sure that customers can disable swap, because swap, first, has security problems, but it also has some performance issues.
B
So what we said is: if the pod is Guaranteed, we will disable swap for that pod. But we also said that if a container is guaranteed, and guaranteed here means that the memory limit equals the memory request, then we will also disable swap. So we didn't put an explicit API there; we just said that, implicitly, we will look at your container and decide per container whether it is guaranteed or not. But...
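The per-container rule described above, sketched as a pod spec (illustrative only): swap handling is decided from the existing memory requests and limits, with no new field.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: swap-demo
spec:
  containers:
  - name: no-swap             # memory request == limit -> swap disabled
    resources:
      requests:
        memory: 512Mi
      limits:
        memory: 512Mi
  - name: may-swap            # request < limit -> container may use swap
    resources:
      requests:
        memory: 256Mi
      limits:
        memory: 512Mi
```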
D
I think swap is still in a better position than we are with the CPU manager, because we don't evaluate a container based on the quality of service of the container itself. With swap, at a container level you are able to disable swap, but here we are stuck with what we get as a package, the pod as a whole.
D
So I did think about it a little bit. The mistakes that you could make are, for example: if in the first phase we are just doing this for CPUs, the API still allows you to specify something like memory with the resource constraints, but that's not supported, so we would need a validating admission hook to make sure that the spec is validated. The other aspect that we would need to handle at the kubelet level is a scenario where, by default...
D
You have pod scope, which is the current default behavior, and then all of a sudden a pod comes in where resource constraints are specified. In that case, the kubelet would be rejecting that pod at admission time, because this particular node is not going to be able to support this configuration. So those are the two main scenarios that I've thought about, especially in relation to inconsistent configuration or behavior. But if there's anything else that you can think of... yeah.
D
Yeah, so I think the way I see it is that the resource constraints corresponding to a resource would have to be identical to what has been specified in the resource requests and limits, because if that's not the case, from a scheduling point of view we are not going to be doing the right thing. So that's going to be important as well; that is another constraint that we would perhaps have to handle in the validation webhook.
A
Excuse me, it might be in this realm, like I said. Yeah, I'm admittedly not great at it, but the "exclusive" value just seems like it's not really even needed: if the resource is in the list, if the resource is listed, then that resource is exclusive, and then you can't... oh.
D
Yeah, so I think one of the reasons I went this way was because in the API documentation they kind of tell you not to have boolean fields. And the other reason was that, down the line, we might want to add a "shared" field to this, and we might want to split resources between exclusive and shared. So having this laid out explicitly makes a stronger case for the capability.
D
I think what I'm going to do is study it. I remember you had shared a doc on Slack, the planning document, with a separate section, so I've added this to that, and we can maybe write up the KEP in this cycle and see how it goes. The priority I leave for the SIG to decide, but we can maybe start working in this direction. If it doesn't get into 1.29, that's okay; we can work full throttle in 1.30. But...
B
Yeah, that will definitely be helpful and, as I said, it will be very interesting for sidecar customers. Okay, yeah, I have more questions, but they are too specific, so yeah.
D
Yes, feel free to leave comments on the issue itself, because I'm currently thinking about how to go toward the next step, and I'm trying to make sure that I have all the edge cases tackled, like some of the discussions that we already had: consistency, values not specified in a proper way, handling misconfigurations, and things like that. All of those I'm already thinking about, but if you have specific questions, that's great; I'm actually looking for specific input.
B
A big area to investigate is whether, if customers already have NRI plugins, we aren't breaking anything, because a split-brain situation, where some decisions are made in the runtime and some decisions are made in the kubelet, is not ideal. They may not know about the new way everything will be done.
D
Yeah, yeah, I was thinking about NRI plugins as well, and perhaps even the interaction of NRI plugins with DRA, because DRA provides us the user interface, and we can use NRI as a mechanism for implementing the actual CPU allocation. But one of the challenges with that, based on discussions, is that I've learned that when people want to use NRI plugins, they're kind of taking control of the resource allocation completely, and you would potentially be disabling the CPU manager and all these resource managers.
D
I think that's how I would see it. Otherwise we would need some sort of separation of resources: some resources that are handled by Kubernetes and some that are given to some other component. It doesn't have to be that way; it could be, you know, a CPU plugin that I chose to implement using, say, the device plugin API, which is something that the Nokia CPU Pooler has done. So those are the kinds of semantics where you separate resources in general within a node, but I don't think we are in the shape, or have the ability, to do that.
B
Makes sense. Okay, so yeah, let's continue the discussion in a bigger forum. Okay, for this meeting: you have two PRs, yeah?
A
I was just putting them on a list; there are two more PRs that need reviews, or at least, if we're going to go with that label, label them so we can sort of identify these.
A
So, slightly different: there was a comment from jpbetz on that one, and the difference is that this holds the SIGTERM. Basically, if the preStop never finishes for a sidecar, then you won't get the SIGTERM, so it sort of behaves like normal containers do if your preStop lasts forever. Whereas if your preStop terminates early, then your SIGTERM won't come until the main containers are done; or the preStop could last too long but still have time.
A
I think what Mathias had written up was that you'll get the SIGTERM regardless of the status of your preStop, whether it was still running or had exited. Whereas this sort of works the way that normal containers do, which is: if your preStop runs long, your SIGTERM is delayed until it's done.
E
Okay, I think it's easier to fix the documentation than to fix the code.
B
Yeah, I will modify it, but are we breaking a scenario? Right, so... no, we don't. So if I want to implement Istio, I want to start the preStop and wait for the main container to complete, and then, when the main container completes, I exit the preStop, like via SIGTERM; I want to exit immediately. So I want to wait while the main containers are still running, but then, once they complete, I want to exit immediately.
A
Yeah, so the way you would do it is that you basically exit upon SIGTERM. PreStop lets you do whatever you want to do ahead of it, sort of get ready to shut down, and then SIGTERM is the actual shutdown signal.
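That ordering can be sketched with a standard lifecycle hook (the image name and cleanup command are placeholders): the preStop hook runs first, and SIGTERM is only delivered once it returns, or when the grace period expires.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: prestop-demo
spec:
  terminationGracePeriodSeconds: 30
  containers:
  - name: sidecar-proxy
    image: example.com/proxy:latest   # placeholder image
    lifecycle:
      preStop:
        exec:
          # Best-effort cleanup; returning promptly lets SIGTERM arrive
          # without waiting out the whole grace period.
          command: ["sh", "-c", "/cleanup.sh || true"]
```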
B
Yeah, but if I need to do something in preStop, make some kind of best-effort cleanup, then I cannot do it right in this scenario, because if I do it for too long, then I will miss the SIGTERM, and that will force the pod to wait for the entirety of the graceful termination period, yeah.
E
Yeah, yeah, that's not ideal, and if we want to implement it the way we documented, that's complex.
B
Yeah, let me reply back here and we can just iterate. I didn't want to lose this scenario: I want to make sure that we can exit as fast as possible, but allow as much cleanup as you want. So you need to be able to do as much cleanup as you want, but then you should be able to know when to exit, and exit immediately.
E
And avoid misbehaving preStops, which could be possible.
B
Yeah, so we still may end up in this situation where we just miss the SIGTERM by a little bit because of the preStop, and then wait for the entirety of the graceful termination.
B
Okay, let's discuss it in the PR, in this documentation PR, and then adjust the implementation correspondingly.
A
I guess it's like a logging sidecar. I would assume that in most implementations of a logging service you don't have a separate logging binary, or a separate execution that you run, to actually go sync stuff off the disk or sync it somewhere else; basically, you're using the preStop to signal the primary binary that's running to go do something special. But yeah, it could work either way.