Project Harbor Community, 16 Jun 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Harbor Community Meeting - June 16, 2021

Description

CNCF Harbor's Community Meeting

A

To the cloud okay, we're set hello, everyone today is june 16th and that's the official hardware community meeting, uh I'm olive the community manager for harbor and I'm gonna facilitate this meeting today. As this is official cncf meeting, please follow the code of conduct from cncf be respectful to the others. In short, so we I'm gonna share the agenda. We don't have much for today's agenda.

A

Give me a second.

A

um Not this one, that's right.

A

This one and yeah: can you see my screen? Yep yep, all right so since we don't have anything put it in for the agenda today, uh anyone with topics, so we can kick off this one.

A

And as a reminder for the newcomers, if you feel like introducing yourself, that would be great.

B

I know we have an upcoming release happening next week. uh Do we have someone on the call that can talk about the uh uh the new release.

C

Hey hey ali and jonas. Actually, we have an a agenda for today's community meeting, which we previously communicated with uh companion the hub antenna. He submitted a proposal.

C

Invited him to introduce this proposal in today's community meeting.

B

B

D

Hi everybody: uh I will share this proposal with you yeah. Thank you, a member of tcr from the cloud.

E

F

Hello hi everybody.

D

Hello and first I will simply deal with the proposal and this story and again yeah. We are introducing.

D

A design, okay, let's.

D

D

And most of the senior you learn on the time of pulling images. Take too long in the entry life cycle of continuous data up at the moment, there is some immediate uh third evaluation projection, but they belong to the some special wonder or not. Actually, enough, harper is a well known as a very activity community air force wave the whole creator of under natural sub projects in the hubble community and around financial projects. It's aware maintained by the community.

D

Europe could not worry about their owner, destroy it. Also. Let's talk about the story of the operator and the proposal. We named this pro sub project and perfect.

D

To use you can certainly the containers when the register instances of the oci affects a harbor to storage and that strip builder and create a special effects.

D

Imaging is the administrator of the cabbage cluster black patio install a spatial container for away base.

A

Work node kind.

D

Of break so they're sitting the network too late, they know they are, could access the harbour and a normal developer? Frank should install touching our employees to build the accommodator applicator special aspect and procedure attractor to the hybrid instance, and the ops engineer should create a cables workload with the effects.

G

Do you need to sharing uh to share your screen.

D

um I think a way I don't need the share screen. Maybe beyond should uh share this screen. I can. I can stop sharing if needed so.

D

Okay, it's the story of, or upgrade to exercise continuously up. Hi. Are you.

F

Alive, uh I'm I'm here, uh wait, uh wait a minute.

D

Okay, this is your.

D

F

Could see my share screen yep, okay,.

A

F

uh Okay, I will introduce my our aperture image, acceleration architecture you know uh for for for some some uh image acceleration were we called uh image download on demand. uh We need three key points.

F

uh One is uh addressable uh tar archive uh win, oh no, like a star gz.

F

Need us use refs, so we also have our image image format. Image image format, which can uh very addressable, is addressable our use scratch fs.

F

This is a linux first system in kernel and it also can use fuse to in user.

F

Space fs is also used is a leaf cd and it's introduced kernel in two pointer.

F

Sorry about that uh accurate uh kernel, kernel version uh uh two is we need you we needed uh the key point of two is uh we need a fuse or other other kernel file system to provide the root fs for container?

F

So uh so we just uh because we use squash fs. So we we used. uh uh We need uh uh our our aperture use. Fuse means which the component name is aperita have used to provide the container router fs.

F

um The third is: if we, if we use fuse, it, is a user space file system, but but when we overlay many of our have used layer, it is will will decrease the performance on a file on lookup or other other iop iops some operation.

F

So we must pre-overlay some metadata for optimize this problem. So when we build container you which we we use operate builder, we put, we will pre uh pre-overlay. So all blobs metadata.

F

So we will to find every squash, blobs metadata and merge it use. The overlay whiteout format like like overlaid hourly whiteout format is, I think, is, uh is a character device.

F

Which major minor is also zero, uh so we can pre-order to to uh to optimize the file lookup and some some iops operations.

F

So this is the key point of the image acceleration.

F

Our our workflow is the upgrade builder to build, uh build aries crash fs blob from uh docker storage and merge. uh Merge, merge every blob metadata to a new blob.

F

Now we push this this blob to harbor or oca compatible registry.

F

And and when we we in a node, were in google light node, we can use container d snap shorter, which plugin, which we we we call the operator snapshot to create a aperture to provide the uh to provide the image root. Fs and overlay, uh and an overlay read, write layer for local local file system like xfs or x, ext for fs to a read, read, write layer, and this is the completely.

F

A container container fs.

F

Our apparatus keep uh immediate acceleration, have some key feature. uh We can support multiple data source like a registry. uh It is harder or distribution, or uh some api and uh posix compatible file system like nfs or some others, and we will.

F

We will have local valve system cache.

F

So when we on demand uh download some some data block, we will to put it put them to the local file system.

F

We will compatible with oci image spike.

F

We have some four is the hybrid reliability. uh This is our key feature for from other from other, like uh I've used some uh projector like a statistic or needles or other our evidence.

F

Process uh process can can be recovered by our like, like a master process, because the ibus fuse process in user space provides the root effects. If the fuse crashed. If you use process crashes or other other problem, the container will will have some master.

F

I will have some problem in immediately, so we have. uh We have some uh some some, uh how to say.

F

Some kind of feature uh to fix this.

F

The fab is a weak prefetch because of some view like a gillipc or or others a key. So in the image we will find the prefetch. The data block uh when container contains that it is the download from the registry where uh they source uh at it. It didn't uh uh on demand. Download uh six is the prepared.

F

We will pre prepare metadata early. So this is this is the weekend uh we can we we we like, we call it the merge method.

F

uh Seven is we have the date block checksum, because we we download our every datablock from uh from from registry to network. We must have to check some so currently we we use the checkout. uh We use the a compressed algorithm to to do this, like lz4.

F

It is, we can integrate the p2p system, so now we will only support our tencent tke p2p. We will support other like dragonfly or kraken in future.

F

Our workflow is the continuously used operator snapshot to execute port, creating command or image pooling command to its operator. Snapshotter will use apert fuse to construct containers to root fs three is applied, have used through the meta, merge meta layer which super blocks stored in then operator fuse will know, mapping between files and the different layers and blocks.

F

For its apparent support, harbor registry operate or operate object, storage and local posix file system as a backend data storage lawyer, layer, 5, content, decrypt, container or port, in which a read-only root type root is which provide from aperture views and use overlay fs to mount a read-write upper layer for containers.

F

Six, when the container start apple ws, as the fifth system will receive actual read, requests and find out whether there is a current corresponding data block cache locally and return data from the local cache. Firstly, if data block has not been cached, it will read block from this source design our design, our our design. Actually our design is uh you can you can you can consider it's a extended squash fs, the superglue? A super block is the squash fs.

F

uh Add a blob table which is, I know, table director triple fragment table uid gid table extra extra attribute table is from squash fs. We just added the blob table.

F

I know table is also, I know table. We just add, I know table uh in a notable. We we add a node hider. I know header, we just added the blob index from the squash fs.

F

So it can it can.

F

It can direct file from a different blob. So uh I know the type of way also supports uh a directory file, symbol, link, block device, chart device, uh fifo and the socket.

F

uh Other we have the direct directory table. It also is a orange orange squash fs directory table. We also will add the add the blob.

F

Index our blob blob table is from blob id with proper id is like, I know, a blob id is our shot.

F

Fragment table is also from squash fs.

F

uh Artfx format uh operator also sports oci manifest, so we also, we also need uh our media type for april, like.

F

Applicationvnd.Ocn.Com.

F

Uses our snapshotter will recon reconnect the apparatus, oci, artificate and use on demand and create fuse to on demand.

F

F

So uh I will uh be okay, uh this is my introduce some questions.

H

I

Have you deployed apparatus in production or is it just a design or plc.

F

uh Our currently, our only have a poc.

F

As uh our background is, uh is our uh when we only for support squad, rfs and us under on the data sources, see uh nfs, uh we use the production, but uh this source will, but by the way it won't extend this source from registry and asset we use must use fs I have used.

F

This is on poc.

I

Okay- and I'm not very sure about these uh uh snippets- you pasted of the manifest okay yeah, for example, um based on the oci convention. The media type of the config blob may should be changed to some. You know apple rate, specific media type.

I

We need to go back to the oci artifact and I think they have a process for you to register a new media type.

F

F

G

I

Because we use this media type tool for uh identifying different kind of artifacts.

I

That make sense so so, if you name it as a docker container image hover will think it's a double container image.

F

Okay: okay, it's configurations, media type,.

I

I think it is this, but yeah yeah. I think we need to uh you, know double check offline with other maintainers.

E

I

Is a kind of convention in the osi community that we want to follow.

F

Okay, but for container ds, cri and other other uh other snapshots. It's only support.

I

Container image.

F

Data container image that we want, plus json others as ci, will refuse.

I

Yeah, that would be a problem if you push it to hardware, because, however, you think it's.

F

Okay, so we can so so. This is our uh reason, for we need a subproject and is uh coupled with harper.

I

I I I don't quite understand why it has to be. To be honest, maybe I missed some. You know a previous discussion, but I'm it doesn't seem um personally, um I'm not very sure why it should be put under gold harbor, because harvard is uh you know, registry, and I.

B

I

Justify a new org: if you want to open source it, you can have. You know, apparate, slash apple builder and operate.

G

I

G

Want to share some background, we have some overlap discussion. I don't think we needed to discuss this topic here.

I

Okay, because because and this will create some conflict, I just want to point out, for example, this image cannot be scanned cannot be signed. uh You know, many of the workflow hardware supports. You know is broken for this new type of image, but but yeah we can. We can continue the discussion. Sure.

F

uh So for for uh for my uh opening, I I I know our harbour will uh we will build a uh image acceleration work group? Is this uh steven.

G

Yeah, okay, actually I want to um share some information. After the discussion of this proposal. Yeah, as you mentioned, uh we have set up uh we'll go over to working on the image acceleration, uh the top. I think the task automation of that. What group is we provide?

G

We want to provide an integration solution to let's harbor leverage.

G

You know different uh image, acceleration tools or image accelerator to you know to convert to the normal or regular image to accelerate format, and then the user can you know, pull the image in a different. You know accelerating way, um I think the uh the mission of that worker right now to you know it's focused on the integration.

G

uh It's not so you know uh working on some new uh uh accelerator. That's different uh measure. uh I want to clarify this is uh the proposal we discussed we are discussing here is totally different with the mission we will do in the group.

G

D

G

The goal of the workplace provider of the integration, of course, if this uh uh upgrade right after this a new accelerator is ready, it can also be integrated. You know into harbor with the general you know, uh integrating framework.

I

But if you look at the story by frank, it doesn't seem it's necessary because it can be local. He doesn't need to pull image.

I

A

I

I mean frank: can: just I assume frame, can install docker and build up image via docker file, then use the parrot builder to build its uh apparate image. So it doesn't need any registry to do the conversion.

G

So the upper, let me operate right operator.

F

G

F

G

We will build the operator for major right and that, for me, immediately will also be pulled to the registry for management and the story.

I

Right yeah, but I think the the story with neither is that neither will pull image from harbor and do the conversion. But you know, if you read this section, it doesn't need to pull any image. You just do the building locally, because it's read the content of the image from the docker's local.

G

I

Yeah my plan is their workflow is not exactly the same. As you know, other accelerator, like nida's,.

F

So you you say this workflow is same as nylas.

I

I mean it's not the same.

F

I

Yeah because neither need to pull the image first, but in your case you don't seem need to put in it right.

F

uh I think it is this workflow uh operator. Workflow also need that the docker local storage uh yeah.

I

Yes, but neither doesn't need it so.

E

This is so different.

I

Because nidos can pull the layer without loading it to darker local storage and do the version. That's my understanding.

D

I

But for your case, you don't need to pull any image because you can build it via docker file locally and do convert okay.

F

I think this is just a little bit different from docker.

I

Local yeah, yeah and.

F

And the registries from atar layer, just like a white house, felt some different.

I

um Yes, but I mean the workflow proposed, I think in another pr- it's not necessary for app.

F

Yeah apple also can can cancel from.

I

We need to think which is a better workflow like do we yeah suggest user to build it locally or do we you know tell us you need to do the conversion. I personally prefer the apparent way, because um if you, if you need to do the conversion like you, need to push the docker image to cover first and do the conversion, we need to think how we associate these two images, because they have the same content that we we need to tell user this fact.

I

But if we do this in the apparate way, we don't need to do that.

D

G

I did not fully understand why why you just build the image locally, you don't you do not need to play it.

I

Because because.

G

I

G

Time you deploy your image to multiple. You know sounds of a runtime, you build it every time, I'm a little. I.

H

Think I think it's a builder into the operator format and it will push to harbor.

D

H

Yeah yeah, but it is another darker image right. Is it different from the oci docker image definition, even though using the same media type, I don't think they're on the same.

I

Yeah yeah yeah, so I just want to find out the difference in the workflow.

G

Scrub I'll show the full diagram.

I

Yeah, if you see the diagram under the architecture section, oh.

G

uh You can directly read the from a registry.

I

It can, but it doesn't have to yeah. I mean you can put images first load it into the docker logo, store and do the conversion. But it's not necessary.

F

We can use the local fast system.

G

G

But for repeat repeatedly distributed, you know why we need to build repeatedly.

F

Yeah, like a way way pro, we constructed a scratch fs file. We can from the local version system and the merge the oauth crusher fs metadata.

F

But it's like a little a little different, I think a little different from needles or other uh that uh strategy yeah. So that is a used ctr remote. I think.

F

But it also others build a acceleration image built to master from the image, but upgrade can from local fashion system.

I

Yeah yeah, I see it's totally possible. You can create an apparate file if you want to get rid of docker, that's totally doable right. You just yeah.

G

And I need for a larger distribution. You need a central node to distribute the the similar content right. Even it's.

F

G

F

C

E

G

Like some like content replication, you push one copy of the content to the central node like its registry or http server server, and then you know uh synchronize or replicate choose a local cache. Then the container runtime can read a different look. What I mean is you do not need to you know to repeat the building process.

G

I think for most part, it's similar to nadas, just you know actually in the in nandas they have uh agents in the container runtime red. Here they use the local first system.

F

Yeah, uh we also have the local fire system, like uh other immediate acceleration, project, star, jj or need us. A local is a master master local system. A local country is necessary.

G

Okay, as we have mentioned.

D

The strategies so, what's uh so.

G

From your side of your opinion, what's the.

G

What are the better parts.

B

G

Choose this solution, so I know.

F

I think the key feature is I've used recover because.

F

This is a big, the most different from other project.

F

What's the most difference, uh this strategy will need us just to use the library views were just a little effuse and connection with kernel, but when I've used process is down or crashed, the podium or container is done.

G

I think you are see.

F

G

F

F

D

G

You need to mute.

F

Okay, I will continue uh even though need, as a reminder have used root, advance support, also crashed. They cannot continue to read, read some files or others, but uh but apparatus have used a week. We uh we invite us uh a mikai sister.

F

This word, this word mccain needs uh also a mechanics. We also have use process crashed. If we will, the container is, is iohan and when we remount immediately reminds of use the container uh con, the container root have, as we also can, can be, read right because fuse and the kernel uh communicate with fd. If the fuse process down the fd will be released, we we, we have a like a babysitter process to hold the fd, and we have some snapshots and.

F

Request tracking.

F

To hold some some open, fd interviews and and lowest uh lowest request, yeah I've used.

F

uh We uh we uh we, we do this also from a paper like a refuse, but this is just a paper, not a project.

F

But when we we talk about a container root, have its master read-only file system. This can decrease our.

F

So it's the uh uh uh read-only file system will be either review. uh Re re recovery reviews in read-only file system will be easy from with, uh for uh will be easier, more easier than than read. Write versus.

F

I think this is the most um uh most most different from strategizing and needles. We will. We want a project with which is a product production, ready.

G

Okay, thank you. I think we have. We have discussed a lot, so maybe we can continue the discussion of this proposal in the pr right.

G

G

G

A

All right, I'm sorry, um anyone I think the dim has a pr that needs attention. Do they want to discuss it right now or.

J

Yeah, hello, everybody so hello.

J

um Yes, I have this pr open still um since um some time and yeah for us, it's a it's a bit of a of a burden, and there is a lot of users uh requesting it on the issue and I've mentioned it already last time- and you know I honestly don't want to be too pushy, but it's uh it's kind of a small issue and I would like to help you kind of make a decision how this can be approved or help you to get to the proof.

J

You know we can jump on a review session together with someone from the harbor team, and I can you know, demonstrate how it is working, what the problem, what problems it does solve. I also mentioned it in the in the pr request, but uh yeah I would like to see if we can kind of resolve it together.

A

Do you want me to share it, so we can? Yes, I think we went over it once.

J

Yeah, we went over it once and it's basically a simple feature, but it allows to use uh you know: robot accounts for replication, and this is for us helpful or for for our customers helpful.

J

You know to have a global harbor cluster, where images are replicated across different locations and zones, and it also help us to create a new pool request that we are currently building, which makes like proxy caching of ghsr on gcr possible, because this is not possible at the moment and yeah, because the robot accounts are essentially because you don't want to use your system administrator um credentials to for the replication.

A

Can you see it, I'm sorry, I'm just having too many windows open, but.

J

Okay yeah, so this actually allows not to have a multiple, so this allows to use robot counts for api access and replication instead of using the system administrator account to do so.

J

You can share my screen if you want.

A

I think I have shared it or I don't.

J

It's still, I think it's still black.

A

Yeah, okay, I know how that happened. It asked me if I want to stop sharing this. I said yes, do you wanna try or should I try again.

J

Now it's there yeah, so I try to provide as much post information as possible and abigail asked me to write documentation.

J

You know about it's, not it's not a feature by persay, it's more of a bug fix because it's really a tiny function change, um but it allows multiple use cases. You know to make possible basically use robot accounts for api access, or you know for replication, and so I can. I can write about make a block block entry or some entry and documentation how to use robot accounts for api access, and this is basically what happens here so we're using.

J

We made this little change and this allows us to use robotics for application from one hand.

E

You know this, it's not really a matter of um like how do we do it right, it's a matter of, should we do it. This was always the issue. Okay, yeah of that of like. Where would your grand open api access to robot accounts.

J

But it's already there, you know. So it's it's not uh something that is it's a new functionality. It's already there and it's just you know basically fixing the bug, because the function is called get projects and also get project, but it does get projects which is, in my opinion, not correct it. Should you know? So if you, if you, if you look at the code, changes really just the three lines of code change, um but I mean in general, yeah you're right.

J

If you say you don't want to use robot accounts for api access, but then the question is: why do we use robot accounts for replication or or for yeah, or why? Why cannot? Why cannot? Can we not use robot.com so.

E

I think the concern um at least previously it was because the replication has an end point right, you're replicating from one from the source. Excuse me from the from the current harvard instance to another harper instance. If you're configuring yeah push based and then similarly you need credentials for the targeting, since, if you're doing a poll based and so any kind of credentials.

E

For you know, the target registry instance doesn't even have to be harbor right. It's like one of the many instances that we support, like the cloud registries um or koi, or something like that that that you know responsibility really rests with the system admin, so um it used to seem like it wasn't appropriate for robot accounts to be able to configure application. We also just sort of you know lock down the surface area of what a robot account can do.

E

um So you know I appreciate the pr, but it's we need to think about slow more in terms of should we be doing this and if, if we should um yeah absolutely we'll go ahead and merge this.

E

C

E

My recollection of you.

J

E

Because we've gone over this before.

J

Yeah, because I understand that.

E

We can consider it for 2.4. I actually added two we're going through the 2.4 um list of to do's right now. Actually- and I actually I flagged this issue, so we will discuss it internally. First, okay,.

J

Okay, no, I understand all right.

J

Yeah, thank you. Thank you. My name is sure.

E

G

All right any still have time yeah I I I want to leverage one or two minutes to update the operator.

G

Release me one minute.

G

Okay, now uh uh quicker news yeah, we have released the hub operator 1.0.1, it's a patch release. uh Yesterday, yeah we released and in this patch release we introduced some. You know uh enhancements to the operator. I think uh there's some items can be highlighted. The first one is we support the counter as the ingress controller, and we also you know uh to let the operators support in one operator version to support multiple hardware version, only the multiple harbor patch version, so one operator can deploy.

G

You know multiple uh harbor patch version, not metal version, and we also fix some. You know bugs that when the uh harbor class cr is deleted, some you know results are not deleted, so we have fixed that.

G

And the welcome feedback. Thank you.

E

That's all awesome, that's awesome thanks steven, so what version of harvard does it represents support.

G

Exactly uh I think it is uh 2.2 uh zero.

G

2.2.1.2.2.2.2.2, so all the quality versions of the 2.2 okay.

E

And you said it supports uh it supports contour in the operator.

G

Yeah, you can configure contouring ingress controller in the operator to you know to support the ingress of harbor.

E

Thank you, that's great cool, and when are we expecting to release uh 1.1? Is it.

G

uh I think the current uh for release the 1.1.

G

The draft plan is made of next month, yes middle of july, so in 1.1 one, I think the uh the most feature is. We supported the new harbor version right, 2.3 yeah, just one month later after the 2.3 is released.

G

E

That sounds good.

J

In that context, one is planned to release two to three.

E

213 should come out this week, oh great, the end of this week. If I'm not mistaken,.

B

I think we planned for the beginning of next week, because we're all out on friday all right, yes, yeah, thanks jonas.

C

D

A

Okay alex anything else, or we can close.

E

uh Yeah we're so you know we're close to releasing the 2.3 and we're going through the the feature. The list of features requests for 2.4.

E

So uh if you, if you guys, have any featured requests anything you'd like to see you know accomplished in 2.4, this would be the time to to uh go into the harbor issues on github and creating an issue or adding comments to an existing issue and uh yeah I'll, be adding some feedback to a list of issues that we're gonna be working on, but you know feel free to to ping me or to ping. Anyone in the channel um yeah, so you're gonna have one more release. One more minor release this year.

E

Right so uh we'll probably start we're looking at 2.4 right now and we'll probably do a release right before the next kubicon in october. You know probably ga after kubicon right. That's what, as we usually do. We have uh a demobile fc build or an rc1 rc2 right before kubicon, and then we have the actual ga.

E

You know a few weeks after that right. So this is gonna, be last one for the year. um We don't know exactly how long, but that's roughly the timeline. So if you have anything you want to get get done. If it's important, definitely, you know put it on the github issues.

J

Is this a concept with a satellite uh for harbor? Is it still planned for 2.4? Is it? Is it documented somewhere in the discussion, because I tried to find it, but maybe I didn't look right, but I couldn't find any.

D

J

On this, in those regards, is it still planned or what is it are.

E

You referring to.

A

E

Are you referring to.

J

E

It is being discussed and it is um part you know our intention to release some version of that in 2.4. I don't know for actually release it, but we're going to be working on it at the very least.

J

And then it'll.

E

J

E

Come out in a dot release of 2.4 or maybe later but yeah.

J

We would do this, is the discussion somewhere documented? Is it? Is it public discussion on the discussion board or on the community.

E

J

Don't think it's been discussed.

E

So much on on harbor, because the thinking is, if we were to do it, it would be released under a repository of its own under the go harbor project.

E

C

E

Pull you in to those discussions so yeah we've been thinking about it a little bit from in the context of what we need in our downstream products um yeah but yeah. It would be good to to move this to the upstream as early as we can. So thanks for bringing this up- um and you know I'll- let's, let's move this to a more.

E

You know more public um forum for for discussion and design, but essentially we're going to need a very lightweight instance of harbor, because uh the current harbor is too large and the satellite harbor does not need the. You know the full suite of features that we that we have today in harper right. So uh a lot of the the gating mechanisms, for you know pushing the images to that satellite instance.

E

All I mean that risk that all rests with the central harbor, the data that the harbor is deployed in your data center right and those satellite harbors are basically just receiving images.

E

We're not really, you know envision any kind of pushing images back from the satellite to the central. um It's really just for running pure application workloads and so also the things like you know, scanning images that should all be done on the on the central harbor. It's going to scan its you know, signatures are verified and then it gets pushed out to satellite and so trying to make the satellite as small as possible.

E

Because, let me know the footprint for these edge nodes are very small at times in most edge solutions, you know, there's a 1u or 2u single server. You know with limited limited ram in storage, so that's kind of the plan here but yeah. Let me let me um let me uh get you more involved in those discussions with dean.

E

D

J

All right, thank you for this update.

A

Okay- and I think we're on time, so we can close right.

E

Yep thanks everyone for tuning thanks to orland.

A

For hosting bye-bye thanks.

B