Docker support tasks
This is a collection of tasks that should be completed before the user beta release:

Image creation:
- prepare-docker: clientside extension to prepare
- create_docker_image on the clientside
- initial create_image Docker server-side support
- create_image server-side refactor to the non-ndz format

Support a Docker image registry per cluster:
- Token auth server with Emulab backend (https://gitlab.flux.utah.edu/emulab/pydockerauth)
- Deploy said server on mothership boss
- Adapt/hack simple Python registry client library (https://gitlab.flux.utah.edu/emulab/docker-registry-py)
- Write CLI commands to operate on the registry (show/delete tags/repos), add temporary passwords for the registry, etc.
- [ ] Add a standard deployment script or package, so that registries can run on an Emulab ops node. These days, with ZFS, ops is easy. I have a script-like thing, but won't actually integrate it until we have some demand.

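The registry CLI work above (show/delete tags and repos against a token-authenticated registry) follows the Docker Registry v2 token flow: the registry answers with a 401 whose WWW-Authenticate header names the auth server (realm), service and scope; the client trades its Basic credentials for a bearer token at that realm and retries. The sketch below is an added example, not the Emulab docker-registry-py or pydockerauth code. Its hostnames, repository name, credentials and digest are constructed; the fake transport stands in for a registry plus token server so it runs offline, and the urllib transport is what you would use against a real one.

```python
"""Registry v2 client sketch: token auth challenge, tag listing, delete-by-digest.
Added example; hostnames and credentials below are constructed, not Emulab's."""
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
_PARAM = re.compile(r'(\w+)="([^"]*)"')

def parse_bearer_challenge(header):
    """'Bearer realm="...",service="...",scope="..."' -> dict of those parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    return dict(_PARAM.findall(params))

def token_request_url(challenge):
    """URL the client GETs (with Basic credentials) to obtain the token the registry asked for."""
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    return challenge["realm"] + "?" + urllib.parse.urlencode(query)

def urllib_transport(method, url, headers):
    """Real HTTP: (status, lowercase header dict, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read()
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read()

class RegistryClient:
    def __init__(self, base_url, username, password, transport=urllib_transport):
        self.base_url, self.transport, self.token = base_url.rstrip("/"), transport, None
        self.basic = "Basic " + base64.b64encode(("%s:%s" % (username, password)).encode()).decode()

    def _request(self, method, path, accept=None, retry=True):
        headers = {"Accept": accept} if accept else {}
        if self.token:
            headers["Authorization"] = "Bearer " + self.token
        status, hdrs, body = self.transport(method, self.base_url + path, headers)
        if status == 401 and retry and "www-authenticate" in hdrs:
            # The 401 names the auth server (realm), service and scope; trade Basic creds for a token.
            url = token_request_url(parse_bearer_challenge(hdrs["www-authenticate"]))
            tstatus, _, tbody = self.transport("GET", url, {"Authorization": self.basic})
            if tstatus != 200:
                raise PermissionError("auth server refused credentials: HTTP %d" % tstatus)
            doc = json.loads(tbody)
            self.token = doc.get("token") or doc["access_token"]
            return self._request(method, path, accept, retry=False)
        return status, hdrs, body

    def list_tags(self, repo):
        status, _, body = self._request("GET", "/v2/%s/tags/list" % repo)
        if status != 200:
            raise RuntimeError("tags/list %s: HTTP %d" % (repo, status))
        return json.loads(body).get("tags") or []

    def manifest_digest(self, repo, reference):
        # DELETE works by digest only; the schema-2 digest comes back in Docker-Content-Digest.
        status, hdrs, _ = self._request("HEAD", "/v2/%s/manifests/%s" % (repo, reference), MANIFEST_V2)
        if status != 200:
            raise RuntimeError("manifest %s:%s: HTTP %d" % (repo, reference, status))
        return hdrs["docker-content-digest"]

    def delete_tag(self, repo, tag):
        """Delete the manifest behind `tag`; every other tag on that digest disappears too."""
        digest = self.manifest_digest(repo, tag)
        status, _, _ = self._request("DELETE", "/v2/%s/manifests/%s" % (repo, digest))
        if status != 202:
            raise RuntimeError("delete %s@%s: HTTP %d (storage.delete.enabled off?)" % (repo, digest, status))
        return digest

# Constructed stand-in for a registry plus token server, so the example runs offline.
FAKE_DIGEST = "sha256:" + "ab" * 32
CHALLENGE = ('Bearer realm="https://boss.example/token",service="registry.example",'
             'scope="repository:ops/node:pull,push"')
deleted = []

def fake_transport(method, url, headers):
    if url.startswith("https://boss.example/token?"):
        ok = headers.get("Authorization") == "Basic " + base64.b64encode(b"admin:s3cret").decode()
        return (200, {}, json.dumps({"token": "tok"}).encode()) if ok else (401, {}, b"{}")
    if headers.get("Authorization") != "Bearer tok":
        return 401, {"www-authenticate": CHALLENGE}, b"{}"
    if (method, url) == ("GET", "https://registry.example/v2/ops/node/tags/list"):
        return 200, {}, json.dumps({"name": "ops/node", "tags": ["latest", "v1"]}).encode()
    if (method, url) == ("HEAD", "https://registry.example/v2/ops/node/manifests/v1"):
        return 200, {"docker-content-digest": FAKE_DIGEST}, b""
    if (method, url) == ("DELETE", "https://registry.example/v2/ops/node/manifests/" + FAKE_DIGEST):
        deleted.append(url)
        return 202, {}, b""
    return 404, {}, b""

def demo():
    c = RegistryClient("https://registry.example", "admin", "s3cret", transport=fake_transport)
    tags = c.list_tags("ops/node")
    return {"tags": tags, "deleted": c.delete_tag("ops/node", "v1"), "token": c.token}
```

Two caveats for the real CLI: a registry only honours DELETE when storage deletion is enabled in its config (REGISTRY_STORAGE_DELETE_ENABLED=true), and deleting by digest removes every tag that points at that manifest, so a "delete tag" command should show the user the other tags on the same digest before it proceeds. The blobs are only reclaimed by a later `registry garbage-collect` run.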
Support federated cluster Docker registries:
- Handle authentication, perhaps via federation CA-derived certs (pydockerauth supports this to some extent)
- Add CLI commands to push/pull image layers between federated registries
- Add Docker support to the image_import path
- Adjust priv/pubkeys at Emulab and CloudLab Utah, away from letsencrypt. This is done where it really mattered (e.g. we use real certs for both the registry and auth server endpoints), but we still create letsencrypt certs to support root-less admin registry login from one cluster to another. We can't support root-less login and still use the real boss key.
- Deploy registries at CloudLab Wisc and Clemson, maybe IG DDC


Docker clientside:
- CAP_NET_ADMIN et al.
- privileged vs. deprivileged
- [ ] choice of init. The code mostly exists to support this, but I doubt anyone will ever care.
- [ ] tarballs as Docker volumes, instead of dumping into the layer
- Support non-Emulabized images that define a specific USER in the image, and mount Emulab authkeys into that user's HOME
- Most Docker images support entrypoint/command, which we overload so we can fire off init; so we need to fully emulate entrypoint/command semantics (minus stdin)
- Support EXPOSE (exposing ports; requires the firewall modification below)

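The entrypoint/command item above is the one most likely to bite: an init that fires first and then hands off must reproduce exactly the argv dockerd would have built, including the cases where a shell-form ENTRYPOINT swallows CMD and where `--entrypoint` drops the image CMD. The code below is an added example of those merge rules, not the Emulab clientside code; the init path in wrap_with_init() is a made-up name standing in for whatever the clientside actually execs.

```python
"""Emulate how Docker builds a container's argv from ENTRYPOINT/CMD and `docker run` overrides.
Added example, not Emulab's clientside code; the init path in wrap_with_init() is a made-up name."""

SHELL_PREFIX = ["/bin/sh", "-c"]


def to_exec_form(value):
    """Dockerfile shell form (a plain string) is stored in the image config as /bin/sh -c <string>."""
    if value is None or isinstance(value, list):
        return value
    return SHELL_PREFIX + [value]


def effective_argv(image_entrypoint=None, image_cmd=None, run_args=(), run_entrypoint=None):
    """Return the argv PID 1 gets, the way dockerd merges image config with `docker run` flags:
    - `docker run IMAGE a b`            replaces CMD, keeps the image ENTRYPOINT
    - `docker run --entrypoint X IMAGE` replaces ENTRYPOINT and drops the image CMD entirely
    - `--entrypoint ""`                 clears the ENTRYPOINT so the args run bare
    A shell-form ENTRYPOINT ends up as /bin/sh -c "<string>" with CMD appended after it; sh
    takes those extra words as $0, $1, ... rather than as part of the command, which is why
    the Docker reference says CMD is ignored in that case."""
    entrypoint, cmd = to_exec_form(image_entrypoint), to_exec_form(image_cmd)
    if run_entrypoint is not None:
        entrypoint = [run_entrypoint] if run_entrypoint else None
        cmd = None  # image CMD is discarded whenever the user supplies --entrypoint
    if run_args:
        cmd = list(run_args)
    argv = (entrypoint or []) + (cmd or [])
    if not argv:
        raise ValueError("No command specified")  # the same failure dockerd reports
    return argv


def wrap_with_init(argv, init_path="/usr/local/etc/emulab/docker-init"):
    """Prepend a hypothetical Emulab init that does node setup and then exec's the image's own
    argv. Everything after "--" is passed through untouched, so a CMD beginning with "-x" survives."""
    return [init_path, "--"] + list(argv)
```

Run the emulated argv through the same code path for every image rather than special-casing popular ones: the shell-form cases in particular are where a hand-rolled "entrypoint + cmd" concatenation silently runs the wrong thing.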
This is a collection of tasks that can be completed after the user beta release:

Docker libnetwork enhancements:
- True layer 2 mode (i.e., no layer 3 gateways; private layer 3 per layer 2 network)
- [ ] Make firewall code respect local modifications. Supported upstream.
- Write our own IP assignment modules
- Fix bug where virtual netdev MAC addrs are not set as commanded inside the container

Block store access:
- Mode one: mount in phys host, bind-mount into container
- [ ] Mode two: privileged containers on dedicated phys host. We'll wait for demand.

Documentation:
- CloudLab manual

Edited by David Johnson