Add containerd graduation review proposal #165

Merged
merged 1 commit into from Feb 28, 2019

@estesp estesp commented Oct 16, 2018

The submitted markdown document contains our proposal for graduation for the containerd CNCF project.

cc: @crosbymichael

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>


With contributions from Microsoft and AWS, we believe that Azure and AWS are also looking at containerd for potential use within their public cloud offerings as well.

**_Other Projects_** - While the above list provides a cross-section of well known uses of containerd, the simplicity and clear API layer for containerd has inspired many smaller projects around providing simple container management platforms. Two that have come from containerd community participants directly are Michael Crosby's [boss](https://github.com/crosbymichael/boss) project and Evan Hazlett's [stellar](https://github.com/ehazlett/stellar) project, as examples of higher layer functionality that can easily be built on the containerd base.

@ibuildthecloud also has a project.

Contributor Author

Rio is listed above; unless he has another one. I wouldn't put it past him :)

@caniszczyk caniszczyk added this to In progress (due diligence) in TOC Project Backlog Oct 16, 2018

**_IBM Cloud Private (ICP)_** - IBM's on-premises cloud offering has containerd as a "tech preview" CRI runtime for the Kubernetes offered within this product for the past two releases, and plans to fully migrate to containerd in a future release.

**_Google Cloud Kubernetes Engine (GKE)_** - offers containerd in "alpha clusters" on recent versions of Kubernetes.

s/alpha/beta/ ? cc @Random-Liu

cos_containerd OS images are available as a Beta feature in GKE v1.11 and higher.

https://cloud.google.com/kubernetes-engine/docs/concepts/using-containerd

containerd will be beta when GKE v1.11 rolls out, which is coming soon.


**Committers from at least two organizations.**

Containerd has had a variety of maintainers and reviewers since its inception, and currently have 14 committers representing NTT, Huawei, Docker, Google, IBM, Microsoft, Facebook, Tesla, and Cruise Automation. We also recognize **LGTM** rights for a group we call *reviewers*, of which there are currently five representing ZTE, Docker, and independants.
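
Review bot: "independants" at the end of the reviewers sentence should be spelled "independents", and earlier in the same paragraph "currently have 14 committers" should read "currently has" to agree with the singular subject "Containerd".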

Contributor

I am wondering if containerd has stable governing rules for maintainers. I think a governing policy for maintainers' responsibility is quite healthy for the project, since I found that some members of containerd's maintainer list have not been active for a long time.

Contributor Author

If I understand the comment correctly, you are right that we have some non-active maintainers. We were in the process of reaching out to them to understand their intention of continuing activity as a maintainer; the result of that is the PR that was just merged: containerd/project#12

This does not change the make-up of the maintainer organization representation by much, but I will update the graduation PR to make it correct with the current status. Let me know if you had any other concerns here.

Contributor

Thanks for your update. Only this minor concern. Sincerely wish containerd could graduate soon.

@quinton-hoole
Contributor

+1


**_BuildKit_** - The Moby project's [BuildKit](https://github.com/moby/buildkit) can use either runC or containerd as build execution backends for building container images. BuildKit support has also been built into the Docker engine in recent releases, making BuildKit provide the backend to the `docker build` command.

**_Docker engine_** - As noted in the opening paragraph, Docker continues to consume containerd as a key component within the Docker engine stack, and is actively working to remove Docker engine implementations where containerd implementations can be used as a replacement.

Contributor

Not sure if it's worth mentioning, but katacontainers is doing official integration with containerd shimv2 api. We are hoping to merge the PR before KubeCon Seattle.

Contributor Author

Sounds great--just added Kata to the list of adopters!


Our project governance is clearly laid out in our [GOVERNANCE.md](https://github.com/containerd/project/blob/master/GOVERNANCE.md) document, including details on how to become a maintainer and how maintainer and contribution processes are handled. The maintainers for containerd, the CRI project, and all sub-projects are common, and maintained in our core project repo in the [MAINTAINERS](https://github.com/containerd/project/blob/master/MAINTAINERS) file.

**Have a public list of project adopters for at least the primary repository.**

Contributor Author

Added, thanks!

@estesp
Contributor Author

estesp commented Nov 28, 2018

Updated adopter list with Kata containers and AWS Firecracker VMM

@jovizhangwei

@estesp can we also add Alibaba Cloud's ASK/ECI? thanks

The Alibaba Cloud Serverless Kubernetes ASK&ECI project uses containerd as its core lightweight runtime.

@estesp
Contributor Author

estesp commented Jan 8, 2019

This is not a CNCF requirement for graduation, but may be of interest to reviewers to note that the containerd security audit provided via the CNCF is now published: https://github.com/containerd/containerd#security-audit

@caniszczyk
Contributor

final RFC from @cncf/toc and community before we kick a vote off next week


**Committers from at least two organizations.**

Containerd has had a variety of maintainers and reviewers since its inception, and currently have 12 committers representing Docker, NTT, Google, IBM, Microsoft, Facebook, Tesla, and Cruise Automation. We also recognize **LGTM** rights for a group we call *reviewers*, of which there are currently six reviewers representing ZTE, Huawei, Docker, Microsoft and an independent developer.

Contributor

There are 8 reviewers today: containerd/project#13. The two additional reviewers represent Alibaba.

Contributor Author

Thank you for the reminder! I will update the document @xiang90

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
@caniszczyk
Contributor

graduation vote is out https://lists.cncf.io/g/cncf-toc/message/2873

@caniszczyk caniszczyk moved this from In progress (due diligence) to TOC Approved (sponsors/voting) in TOC Project Backlog Feb 18, 2019
@caniszczyk
Contributor

Hey @estesp a question from @jbeda

I notice that the governance ultimately rolls up to the Moby TSC for ultimate arbitration of technical disputes: https://github.com/containerd/project/blob/master/GOVERNANCE.md. I'd love to see the project stand on its own vs. deferring to an outside community

@jbeda
Contributor

jbeda commented Feb 19, 2019

The graduation criteria simply states:

Explicitly define a project governance and committer process. This preferably is laid out in a GOVERNANCE.md file and references an OWNERS.md file showing the current and emeritus committers.

This is obviously not the full criteria. A GOVERNANCE.md that says "Joe decides everything" fulfills the criteria but obviously isn't acceptable. I read this more as create an independent, fair and vendor neutral governance structure. The fact that the Moby TSC is the ultimate arbitrator means that we should be examining that governance structure too. That is defined here.

Basically the Moby TSC is voted on from each of the participating projects. Solomon Hykes also gets a vote. To really map the process here we'd have to dig into the individual projects. There are no requirements or protections against vendor majority on the Moby TSC. By a quick look, 4 out of the 7 members of the Moby TSC are Docker employees. And the Moby TSC process could change in the future.

I'd feel much much better about voting to graduate containerd if it had an independent governance structure.

@estesp
Contributor Author

estesp commented Feb 19, 2019

Just to clarify some of the claims in the last comment:

  • Moby TSC most definitely has protections against vendor-majority; specifically 1/3 of seats is max for any company (clearly stated in the "Committee Size" section). Only 2 of the current members are from Docker, but we have a timing issue in that Stefan just joined Docker recently and immediately notified us that he stepped down from the Moby TSC, but the site has not been updated. We have been internally discussing how to manage replacement of the seat, but that step has not occurred yet. We can fix the list with a PR however. Not sure who else was incorrectly numbered as a Docker employee.
  • Moby TSC is not beholden to Docker, if that is the implication, and the reason it exists was to separate governance of prior-Docker-owned projects to a neutral and fair governance process that is clearly defined on the TSC site. Many Kubernetes governance principles were the guide for the formation of the TSC. Several Kubernetes founders were involved in the creation and review of the TSC documents. Think of it as "step 1" in a long phase of discussions that led to removing the BDFL model from originally Docker-created projects.

I'm happy to respond to the broader discussion of whether Moby TSC is a proper "escape valve" for technical issues in containerd that cannot be resolved within the project itself. We have discussed it as a project recently, and feel fully free to use or not use the Moby TSC as an umbrella for governance, but haven't made any clear steps away from Moby TSC as a project to date. However I thought it would be useful to clarify some facts about the TSC before any rumor mills got wound up. :)

@jbeda
Contributor

jbeda commented Feb 19, 2019

I don't want to start any rumors so thanks for responding!

Sorry I missed the restriction on max representation of a single company. I may be confused though as it looks like there are currently 4 ppl there from Docker (Justin, Stefan, Arnaud, Sebastian) going to 3 (with Stefan stepping down) and I would expect at max 2. (I may have company affiliation wrong though as this stuff isn't always obvious).

All the same, I feel that we are on new ground here by having the technical arbitration for a project be outside of the project (and the CNCF). I also realize that the need to use the Moby TSC will be rare to nonexistent and that this is currently more of a theoretical concern than a practical one.

How hard would it be to cut that cord before we close the vote?

@crosbymichael

From @estesp points, I think this addresses much of the issues you raised and I don't think this should impact the graduation vote at this point. I'm not sure we want to cut the cord this close to the final vote unless others have issue with this. I would like this to be a thought out and reviewed decision among the maintainers of the project and not done in haste unless this is going to impact all the graduation work we have put in so far.

As for going forward, I think this is something to bring up with the maintainers of the project and see if the Moby TSC is needed vs being totally independent. This is something I will take on and start the discussion with the maintainers of the project. I think at this point in the project, the maturity of the project, we are able to move away from the Moby TSC but this is a decision for all the maintainers.

As far as who is at Docker on the TSC, with Stefan stepping down, we only have Justin and Sebastian, Arnaud is not at Docker.

@estesp
Contributor Author

estesp commented Feb 19, 2019

I may be confused though as it looks like there are currently 4 ppl there from Docker (Justin, Stefan, Arnaud, Sebastian) going to 3 (with Stefan stepping down) and I would expect at max 2. (I may have company affiliation wrong though as this stuff isn't always obvious).

  • Arnaud left Docker almost 2 years ago; he is VP of Engineering for Vente-Privee, a European retail conglomerate (https://www.linkedin.com/in/aporterie/)
  • It is our timing mistake to not have already updated MEMBERS.md to remove Stefan a few weeks ago when he emailed the current TSC members and formally stepped down from the TSC on the same day he joined Docker as an employee.
  • That leaves Sebastiaan and Justin as the 2 representatives from Docker, Inc. on the current TSC.

@jbeda
Contributor

jbeda commented Feb 19, 2019

Ah -- I was confused as Arnaud's personal web page still has him working for Docker: https://icecrime.net/about/. Thanks for the clarification.

@estesp
Contributor Author

estesp commented Feb 19, 2019

@icecrime update your website! 😂

@jbeda
Contributor

jbeda commented Feb 19, 2019

After talking to @estesp about how the project works and how the TSC connection really is a theoretical concern I agree that it is unreasonable to ask to change the governance at the 11th hour. But I do encourage the project to look to remove this connection. But that'll have to happen separate from this vote.

@crosbymichael

@jbeda that sounds totally reasonable to me and we will get the discussion started with the containerd maintainers and community.

Thanks!

@bgrant0607
Contributor

@jbeda The question about the Moby TSC was helpful. I'm not sure it's a problem, but I found it odd when I noticed it recently.

However, we have no explicit policy regarding "protections against vendor majority". The most relevant criterion is "Have committers from at least two organizations." I don't think we should impose a new "majority" policy on the fly for this specific graduation proposal. For example, would that imply that no project where 50% of the commits / contributions come from a single organization can graduate? That's not an issue for containerd, but would be an issue for at least 8 other projects. If we did want to impose such a policy, we should think about how we can help projects broaden their contributor bases, which perhaps we should do regardless.

@jbeda
Contributor

jbeda commented Feb 24, 2019

@bgrant0607 -- yes -- I'm not imposing new requirements here but just digging into the details of the whole governance structure of the project (which does import the Moby TSC). We should follow up separately on updating the graduation requirements to something that is more meaningful than "has some governance". Let's take the discussion off this issue.

@caniszczyk
Contributor

+1 binding TOC votes (8/9):
Jeff: https://lists.cncf.io/g/cncf-toc/message/2900
Joe: https://lists.cncf.io/g/cncf-toc/message/2914
Matt: https://lists.cncf.io/g/cncf-toc/message/2915
Xiang: https://lists.cncf.io/g/cncf-toc/message/2916
Brian: https://lists.cncf.io/g/cncf-toc/message/2924
Brendan: https://lists.cncf.io/g/cncf-toc/message/2931
Quinton: https://lists.cncf.io/g/cncf-toc/message/2933
Alexis: https://lists.cncf.io/g/cncf-toc/message/2934

@caniszczyk caniszczyk merged commit 4e8e459 into cncf:master Feb 28, 2019
@estesp estesp deleted the containerd-graduation branch February 28, 2019 13:23
@caniszczyk caniszczyk moved this from TOC Approved (sponsors/voting) to Done in TOC Project Backlog Mar 3, 2019