Docker support tasks
This is a collection of tasks that should be completed prior to user beta release:
- prepare-docker clientside extension to create_image
- Docker server-side support
- create_image server-side refactor to non-ndz format
Support a Docker image registry per-cluster
- Token auth server with Emulab backend (https://gitlab.flux.utah.edu/emulab/pydockerauth)
- Deploy said server on mothership boss
- Adapt/hack simple Python registry client library (https://gitlab.flux.utah.edu/emulab/docker-registry-py)
- Write CLI commands to operate on the registry (show/delete tags/repos), add temporary passwords for the registry, etc.
[ ] Add a standard deployment script or package, so that registries can run on an Emulab ops. These days, with ZFS,
- I have a script-like thing, but won't actually integrate it until we have some demand.
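The token auth server and registry client above have to speak the Docker Registry v2 Bearer token flow. As an added example (not code from this page, pydockerauth or docker-registry-py), the following shows both sides of that exchange: the client parses the registry's WWW-Authenticate challenge and builds the token request, and the auth server narrows the requested scope to what its (constructed, hypothetical) ACL actually allows before issuing a token.

```python
import re
from urllib.parse import urlencode

# Constructed sample: the challenge a registry returns on an unauthenticated pull.
SAMPLE_CHALLENGE = ('Bearer realm="https://auth.example.org/token",'
                    'service="registry.example.org",'
                    'scope="repository:alice/img:pull,push"')

# Constructed, hypothetical ACL standing in for the Emulab backend lookup:
# user -> repository -> allowed actions.
ACL = {
    "alice": {"alice/img": {"pull", "push"}},
    "bob": {"alice/img": {"pull"}},
}

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Client side: split a WWW-Authenticate Bearer challenge into its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return dict(_PARAM_RE.findall(params))


def token_request_url(challenge):
    """Client side: URL to fetch a token from, carrying service and requested scope."""
    query = {"service": challenge["service"]}
    if "scope" in challenge:
        query["scope"] = challenge["scope"]
    return challenge["realm"] + "?" + urlencode(query)


def parse_scope(scope):
    """Split 'repository:name:pull,push' into (type, name, set of actions)."""
    rtype, name, actions = scope.split(":", 2)
    return rtype, name, set(actions.split(","))


def grant_access(user, scope, acl):
    """Server side: return only the requested actions the ACL permits for user.

    The token the auth server mints must carry this narrowed set, never the
    requested set verbatim; an unknown user or repository gets nothing."""
    rtype, name, requested = parse_scope(scope)
    if rtype != "repository":
        return set()
    allowed = acl.get(user, {}).get(name, set())
    return requested & allowed
```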
Support federated cluster Docker registries
Handle authentication, perhaps via federation CA-derived certs (pydockerauth supports this to some extent)
- Add CLI commands to push/pull image layers between federated registries
Add Docker support to
Adjust priv/pubkeys at Emulab and Cloudlab Utah, away from letsencrypt
- This is done where it really mattered (e.g. we use real certs for both the registry and auth server endpoints); but we still create letsencrypt certs to support root-less admin registry login from one cluster to another. We can't support root-less login and still use the real boss key.
- Deploy registries at Cloudlab Wisc and Clemson, maybe IG DDC
- CAP_NET_ADMIN et al
- privileged vs deprivileged
[ ] choice of init
- The code mostly exists to support this, but I doubt anyone will ever care.
[ ] tarballs as Docker volumes, instead of dumping into the layer
- support non-emulabized images that define a specific USER in image, and mount Emulab authkeys into HOME
- Most Docker images support entrypoint/command, which we overload so we can fire off init; so we need to fully emulate entrypoint/command semantics (minus stdin)
- Support EXPOSE (exposing ports; requires below firewall mod)
This is a collection of tasks that can be completed after user beta release:
- True layer 2 mode (i.e., no layer 3 gateways; private layer 3 per layer 2 network)
[ ] Make firewall code respect local modifications
- Supported upstream.
- Write our own IP assignment modules
- Fix bug where virtual netdev mac addrs are not set as commanded inside container
Block store access
- Mode one: mount in phys host, bind-mount into container
[ ] Mode two: privileged containers on dedicated phys host
- We'll wait for demand.
- CloudLab manual