►
From YouTube: SIG - Storage 2023-01-16
Description
Meeting Notes:
https://docs.google.com/document/d/1mqJMjzT1biCpImEvi76DCMZxv-DwxGYLiPRLcR6CWpE/edit#
A
All
right
so
I
think
we
can
go
ahead
and
get
started
for
those
who
attended
since
I
last
or
joined
since
I
last
said
this
feel
free
to
add
your
topics
to
the
meeting
agenda.
I'm
sharing
that
now
and
we
can
probably
go
ahead
and
get
started
with
the
first
topic.
B
Yeah,
can
you
hear
me
yep
so
and
I
really
want
some
just
one.
Some
suggestions
regarding
my
latest
PR,
the
support
for
populators
on
CDI
and
Michael
commented
and
last
Friday
there
regarding
the
new
cross,
namespace
data
source
and
data
source
ref
support
on
kubernetes.
C
B
This
is
a
pretty
new
topic
to
me,
so
I
really
just
wanted
some
comments
and
suggestions
because
I
read
this
and
though
I
understand
it,
I
don't
really
know
how
to
approach
this
in
regards
to
my
PR
or
I,
don't
know
if
we
should
first
merge
the
pr
and
then
work
on
this
honestly,
I'm
I,
don't
really
know
what
how
to
approach
this.
E
In
yeah,
just
to
like
further
explain
my
comment,
it's
that
so,
just
if
you
know
say
some
person
has
this.
You
know
it's
Alpha
feature
game
now,
but
if
they
have
it
enabled,
the
issue
is:
what
will
happen
is
that,
since
the
data
volume
controller
create
will
end
up
creating
the
PPC,
that's
the
the
resource,
the
reference
grants
will
get
compared
against
the
data
volume,
controller
service
account
and
not
the
user.
E
So
that's,
basically
the
main
issue
and
I'm
not
sure
how
so
I
think
you
know
the
easiest
way
to
address
this
is
like
we
could
in
our
web
hook,
say
like
oh
you're,
you're
referencing,
another
namespace.
We
don't
allow
that
now.
You
know
reject
the
request,
but
if
we
do
want
to
support
this
in
the
future,
we'll
have
to
figure
out
how
to
do
this.
Reference,
Grant
validation
in
our
in
our
validation
web
Hook.
When
the
user
creates
the
data
volume.
A
So
is
it
possible
that
I
mean,
since
we
already
have
our
own
home-cooked
cross
name,
space
logic-
that
for
now
we're
just
okay
with
using
that?
Because
it's
something
that's
been
established
and
then
we'll
understand
that
this
Alpha
feature
may
graduate
to
Beta
over
time
it
may
change
or
or
mutate
to
some
degree
as
they
work
The
Kinks
out
of
it,
and
then
we
adopt
it
later
or
we
may
end
up
in
the
future.
E
Yeah,
so
that
would
be
like.
Basically,
we
were
so
we
would
just
reject
the
data
volume
now
if
it
refers
to
resource
in
another
name,
space
right.
A
I
mean
it
seems,
like
probably
the
safest
way
to
go
since
I
mean
that
the
idea
of
being
able
to
specify
a
namespace
on
the
data
source,
which
is
how
this
thing
is
implemented,
is
new.
So
if
we
just
let's
see
where
was
the
yeah,
here's
the
the
PVC,
so
the
namespace
field
is
basically
the
new
part
right.
It
used
to
just
be
these.
E
So
it's
totally
fine
if
it
I
just
wanted
to
make
sure
that
we
address
this
now.
So
in
the
pr
we
should
probably
just
check
that
field,
and
if
it's
set
to
something
other
than
whatever
the
Target
name
spaces,
we
should
maybe
fail
it.
E
Yeah
I
think
it
will
yeah
and
then
yeah
we'll
have
to
research
how
to
do
it.
I
think
it
may
be
yeah
I'm,
not
sure
how
we
would
integrate
with
it
but
yeah.
For
now
we
can
just
say
it's
not
supported
cross
namespace
mm-hmm.
D
Sorry
go
ahead,
so
I
put
in
a
note
on
the
dock.
I
might
be
missing
something,
but
why
can't
we
just
do
this?
Subject
access
review
thing
and
verify
that
the
user
context
could
create
a
PVC
like
that.
E
Yeah
I
think
that
this
is
where
I
have
to
I.
Don't
know
enough
about
the
mechanics
of
how
these
reference
Grant
things
are
implemented.
So
the
subject
access
review
says:
like:
can
a
user
create
a
PVC,
whereas
with
these
reference
grants
it's
you
know,
can
a
user
create
a
PVC
that
references
a
resource?
So
it's
a
little
different
I'm,
not
sure
that
the
the
you
know,
I
I,
don't
think
that
you.
D
D
D
D
So
they
they
would
probably
like
I
got
your
comment
Michael.
They
should
probably
provide
something
similar
to
subject
access
review
then
in
the
future.
E
E
Just
I
think
it's
something
that
you
know
requires
a
little
more
research
and
I
wanted
to
just
make
sure
that
it
was
addressed
in
in
some
way
in
navarrospr.
A
Ing
yeah
one
other
one
other
way
that
it
could
be
supported,
potentially,
is
to
just
have
the
reference
Grant
or
yeah.
The
reference
grants
refer
to
the
service
account
the
data
volume
controller
is
running
under.
A
If
you
want
to
allow
the
data
volume
controller
to
make
such
references
I
mean
that's
a
little
bit
of
a
huge
Hammer,
because
that's
basically
you
can
say
everybody
can
do
it.
That
can
use
data
volumes
or
nobody
can,
but
that
could
be
one
way
potentially.
E
Yeah
I
mean
that's.
Definitely,
you
know
if
we
didn't
want
to
do
anything
in
the
pr
now
that
that's
one
way
it
would
work
but
I
think
the
security
conscious
admin
would
probably
not
like
that.
Yeah.
D
A
D
E
E
Well,
it's
got
to
be
part
of
the
PVC
definition,
so.
E
E
Yeah,
maybe
it
maybe
only
the
if
it's
Alpha
in
126,
maybe
you
have
to
have
126.
You
know,
client
libraries
for
for
it
to
be
visible.
A
A
Okay,
all
right,
so
why
don't
we
jump
down
to
the
next
topic
and
that
belongs
to
elitche.
F
So
this
is
something:
if
you
don't
have
other
topics.
Maybe
it
could
be
interesting
so
asking
for
limiting
IO
with
the
keyword
and
unfortunately
we
don't
have
a
good
solution
for
this.
F
So
liver
does
various
option
to
limit
IO,
but
those
options
are
not
supported
by
keyword,
API,
actually
for
good
reasons,
because
those
are
pretty
hard
numbers
to
find
out
and
expose
them
to
the
hand
user
it's
complicated.
So
that's
the
main
reason
why
we
have
an
extent
keyword
API
for
this,
but
still
the
workaround
has
been
always.
We
suggested
to
use
sidecar.
F
However,
it
doesn't
work
for
outblock,
for
example,
that
was
the
latest
user.
Who
was
asking
about
this?
F
F
F
However,
these
cap
is
actually
only
extending
crying,
so
PV
and
PVC
are
not
listed
in
the
containers
pack
foreign.
So
there
is
an
issue.
I
found
an
issue
about
this,
but
it's
not
really
active.
I
would
say:
I,
don't
have
a
clear
solution,
but
yeah
I
just
want
to
make
you
I,
don't
know.
If
you
are
already
aware
about
this.
F
Those
mostly
will
be
devices,
but
it
could
be
that
you
could
limit
also
some
attached
network,
but
it
will
be
a
device.
I
mean
a
path
device
at
the
end
for
a
4C
group.
C
F
Specify
another
aspect:
this
is
actually
another
aspect
of
the
problem.
So,
even
if
we
we
love
us,
you
sold
this
at
CSI
level.
It
won't
be
solved
for,
for
example,
NFS
or
anyway,
either.
Actually,
for
example,
if
we
have
or
spell
provisioner
with
the
directory,
we
cannot
limit
you
for
a
single
qql
image,
for
example
a
raw
image,
because
we
need
the
underlying
device.
We
need
to
to
limit
the
io
with
the.
G
F
Yeah,
this
is
actually
the
workaround
with
side
color,
so
those
options
are
not
supportive
by
keyword.
Api
I
know
that
qma
can
do
it
is
that
if
we
expose
those
options
in
keyword,
API
is
the
user
that
needs
to
to
set
those
values,
and
we
don't
want
this.
It
should
be
the
cloud
that
mean
that
so
those
values
and
they
should
be
set
it,
and
actually
it's
what
this
cap
for
kubernetes
does.
A
Alicia,
do
you
have
a
link
to
the
work
around
with
sidecars
just
for
the
benefit
of
folks
who
do
want
to
pursue
it,
and
you
can
add
it
later,
I
wouldn't
want.
F
It
yeah
I
will
so
there
has
been
issues,
I
can
copy
a
couple
and
then
you
can
reference
those,
but
basically
the
sidecars
modifies
on
the
flight.
The
XML
delivered
XML.
A
Okay,
thanks
so
I've
become
curious
about
yeah
the
mechanism
where
the
enforcement
happens,
because
you
raised
a
good
point
about
how
you
don't
like
if
it's
in
the
cubert
VM
API.
That
could
be
useful
when
the
user
wants
to
limit
themselves.
But
the
bigger
use
case
is
probably
that
the
admin
is
allowing
a
certain
amount
of
you
know
of
I
O
for
VMS
that
you
know
have
a
certain
class.
A
So
it
would
be
interesting
to
see
how
that
enforcement
piece
could
be
done
because
we
could,
perhaps
you
know,
have
that
as
something
where
Cube
vert
then
modifies
the
VM
definition
under
the
covers.
According
to
the
policy,
that's
expressed.
F
Yeah
so
so
far
I
have
been
talking
with
Fabian
about
this.
We
always
have
refer
give
this
kubernetes
cap,
as
reference
is
not
yet
accepted,
but
these
won't.
This
one
won't
solved
a
problem.
F
At
least
we
need
some
integration
with
CSI,
so
basically
kubernetes
needs
to
pass
those
values
to
this
to
the
CSI
and
the
CSI
is
the
one,
for
example,
for
Block
device,
create
provision
the
device
and
then
set
the
C
group
for
this
device,
because
this
cap,
basically
only
extend
cry
and
the
storage
provision
by
CSI
doesn't
appear
into
the
Container
spec.
F
So
for
a
block
devices
it
will
work
because
you
have
the
pulse
but,
for
example,
for
directory
or
NFS,
it
won't
work
mm-hmm.
F
C
Block
layer
in
the
kernel
sorry
to
enter
piology
so
like.
C
Yeah,
so
anything
which
is
backed
by
a
block
device,
so
you
can
do
this
enforcement
at
the
blog
device
and
the
C
group
pairing
basis.
So
you
need
a
backing
block
device
and
then
it
can
work
so
so
I
think
it
was
iSCSI
and
fiber
channel
and
local
disk
and
like
we
all,
have
the
block
device
so
I
think
it
should
work
there
and
and
in
recent
years
like
previously,
we
didn't
support
the
right
back
controls
any
kind
of
buffered
rights.
C
They
were
not
controlled
by
the
bloxy
groups,
but
now
and
recent
year
these
and
has
done
made
all
the
changes.
And
now
we,
when
file
systems,
have
been
extended,
ext4
xfs,
that
we
support
the
buffered
rights
as
well.
So
that
way
and
the
C
group
V2
it
should
be
much
better,
so
yeah
I
guess
the
answer
will
be
then
I
don't
know
like.
C
Please
pardon
me,
I,
don't
know
much
about
CSI
and
all
the
lingo
here,
but
I
guess
it
could
be
left
to
the
the
the
software
which
is
implementing
providing
the
CSI
plugin
and
the
the
one
providing
NFS
will
simply
deny
that.
I
cannot
support
these
iops
or
DPS
limits
at
this
point
of
time
until.
F
C
Yeah,
like
the
thing
we
are
working
on,
though
it's
not
very
popular
yet
but
yeah
on
top
of
NFS,
we
are
trying
to
make
a
qsd
cable
storage
demon,
CSI
plugin
and
on
top
of
NFS.
Maybe
that
could
be
a
solution
where
qst
can
provide
the
iops
and
BPS
limits.
A
Yeah
so
I
guess
I'm
trying
to
understand
if
some
of
that
work
that
you
were
describing,
that
does
that
allow
for,
like
a
traditional
pod,
based
workload
to
be
controlled
on
the
mounted
file
system
via
CRI,
or
does
it
still
require
some
sort
of
layer
like
qmu
provides
in
order
to
do
that.
C
I
I
don't
know
like
I
I,
Frankly,
Speaking
I,
don't
understand
the
question
when
you
say
traditional
pod
world.
So
what
we
were
trying
to
do
is
maybe
you
can
figure
it
out
like
just
that
use
qst
and
provide
a
CSI
plugin
for
that,
so
that
it
can
provide
you
data
volumes
which
are
backed
by
qcar2
and
as
an
option
so
so
like
what
was
the
question
exactly
I'm?
Just
sorry,
yeah.
F
F
A
I'm,
just
trying
to
think
of
the
of
the
scenario
where
you
had
like
this-
isn't
maybe
the
most
sensible
configuration.
But
let's
say
you
have
a
a
database
like
a
standard
database,
MySQL
or
whatever
running
inside
of
a
pod,
and
it
has
its
database
stored
on
a
file
system
PV.
Now
this
isn't
probably
the
best
configuration.
A
But
in
such
a
scenario,
let's
we're
talking
about
being
able
to
limit
these
file
systems
and
I
was
trying
to
understand
if
some
of
those
enhancements
to
c
groups
V2
were
allowing
at
the
because
you
were
talking
about
the
buffered
rights
if
I
remember
right
so
does
that
allow
the
the
control
of
the
I
o
rates
is
to
a
mounted
file
system
for
a
pod,
like
that,
in
that
case,.
C
D
F
Point
because
the
cap
basically
externally
cry
so
it
means
the
container
engine
is
able
to
limit
the
io
only
for
the
devices
listed
in
the
containers
pack.
Okay,
so
we
need
so
kubernetes
amount
needs
to
take
those
values.
F
So
there
is
this
separate
issue:
I
linked
there.
They
reference
the
the
quality
of
service
resource
cap,
but
there
isn't
really
I.
Don't
know
there
is
no,
not
a
real
answer.
I
mean.
A
F
Not
only
they
try
to
cover
so
other
other
things,
I
I,
don't
think
block
I
block
I
use
the
most
interesting
I
think
they
have
something
like
CPU
Affinity
or
this
kind
of
things.
F
So
it's
not
only
and
yeah.
A
F
A
H
So,
a
while
ago
somebody
asked
about
Lynn
store,
so
I
added
some
research
into
that
to
see
if
we
can
add
it
to
a
lane,
but
it
looks
like
the
back
end,
for
that
is
actually
proprietary
and
you
have
to
pay
for
it.
So
I
don't
think
we
can
put
that
in
a
line.
I
just
wanted
to
mention
that.
A
Okay,
let's
see
if
we
can
add
a
note
about
that.
H
The
CSI
driver
and
all
the
front-end
stuff
is
all
open
source,
but
the
actual
back
end
is
closed
sources
and
fire
Alcatel.
A
Okay
feel
free
to
to
update
that
log
there,
in
my
notes
here,
if
you'd
like
Alexander,
thanks
for
following
up
on
that
any.
H
A
H
Let
me
find
it
real
quick.
Now,
we've
we've
had
some
people
look
at
it
already
so
being
handled
the.
H
Okay,
basically
the
the
problem
is,
they
were
trying
to
use
data
sources
and
they
created
a
data
volume
out
of
it
before
the
data
import,
prom
had
finished
populating
the
source
and
that
caused
a
male
pointer
in
the
validation.
H
So
I
think
that's
definitely
something
we
need
to
fix.
We
had
some
thoughts
on
it
and
I.
Think
Michael
had
some
thoughts
on
it
as
well
I'm
like
well.
Maybe
we
shouldn't
even
try
to
validate
it
and
do
the
checking
in
the
controller.
A
H
I
think
we
need
to
discuss
what
are
the
you
know.
What
we
do
is,
just
you
know,
check
to
make
sure
the
null
pointer
doesn't
happen
and
call
it
a
day
or
if
we
want
to
think
about
it
a
little
more
and
see
if
we
we
have
a
way
of
implementing
lives
of
this
thing,
which
is
essentially
trying
to
be
more
Cloud
native
and
allowing
you
to
create
the
resource,
even
if
the
source
isn't
completed
yet,
but
that
of
course
is
completed,
then
we
actually
start
the
whole
process
of
populating.
A
Yeah,
it
seems
to
me,
like
the
the
least
surprising
way
that
this
could
behave
is
that
the
import
would
just
be
paused
until
everything
was
ready
to
go
just
like
we
do,
for,
for
example,
trying
to
clone
from
another
data
volume
that
hasn't
been
populated.
Yet
it's
a.
It
seems
like
a
similar
use
case
where
you
kind
of
have
to
wait
for
everything
to
be
in
place
before
you
can
continue.
A
But
it's
not
yeah,
it
sounds
like
you
know,
I
understand,
I,
guess
with
the
with
the
permissions.
If
you
don't
know
what
what
it
is,
that
is
going
to
be
what
operation
is
happening
later
because
you
don't
know,
what's
in
the
data
source
right,
okay,
all
right!
So
is
there
any
any
other
comments
from
anyone
here
or
or
with
the
discussion
continue
in
the
in
the
issue.
H
And
the
discussion
of
continuing
the
issue
I
just
wanted
to
point
out.
Maybe
people
have
any
thoughts
on
it.
They
could
have
some
some
context
there.
So,
okay.
A
All
right
any
other
any
comments
from
anyone,
otherwise
we
would
kindly
direct
you
to
the
issue
to
put
them
there
as
well.
We
can
see
what
the
best
approach
is.
E
E
A
pretty
straightforward
we
shouldn't
be,
we
should
check
a
pointer
before
be
referencing
it.
It
would
be
a
good
first
issue
for
someone
if
they
want
to
fix
it.
A
Does
that
does
that
I'm
trying
to
understand
the
security
aspect
that
you
were
pointing
out,
but
does
that
okay.
A
Yeah
that
that's
I
guess
that's
a
good
like
First
Step,
At
least,
to
fix
the
to
fix
the
actual
like
null
pointer,
dereference,
okay,.
A
Sounds
good
cool
all
right,
so,
let's
move
on
from
their
last
call
for
additional
topics
and
then
I
will
I'll
end
the
meeting
after
that.
A
All
right
sounds
like
we
are
covered
thanks
everybody
for
joining
and
for
the
participation
with
some
interesting
discussions
once
again,
so
I
will
I
think
I'll
actually
go
ahead
and
create
the
next
agenda
block
right
at
the
end
of
this
call,
so
that
it
will
be
there
if
you
guys
during
the
course
of
the
next
two
weeks,
have
a
topic
that
you'd
like
to
discuss.
Then
please
do
visit
this
agenda
and
add
it
and
yeah
I.
Think
that's
all!
So,
thanks
again,
everybody
have
a
great
week.