> Juul (who saw the writing on the wall and stopped selling flavors last year)

What? Juul still sells flavors, even if you select that you live in NY or MI (also banning flavors) on the popup when you enter the site: https://www.juul.com/shop/pods

And in the docs[0], the manual instructions ask you to run their agent container with --privileged=true, which gives the container access to all devices on the host and more.[1]

Looks super neat but I'll pass.

[0] http://lastbackend.com/guide/ [1] https://docs.docker.com/reference/run/

Hm.. try to start it without --privileged. WI think it's not necessary now. I don't remember the main reason why we use that flag. Please try without and can you send me feedback about. If it will work good - we'll update installer. Thx you!

> I don't remember the main reason why we use that flag.

Troubling.

Having access to the docker socket which runs as root seems equivalent.

Exactly! I asked our developer team and they said me this reason.

This becomes a physics problem; it's a race between how quickly VMs can be migrated and when the embargo is lifted.

> This deeper failure is In the incentives for Rackspace to withhold key commits on Ironic from the community because they feel it is secret sauce. (I am taking the OP's version of the tale at face value). They're one of the flagship supporters of OpenStack, and their behavior is perceptably a big reason for its failures to date.

I'm an Ironic core reviewer and work on OnMetal at Rackspace.

At Rackspace, we run ahead of Ironic trunk. It's true that we haven't been super vigilant about upstreaming our patches into Ironic; this is not because it's "secret sauce", not because we don't care. Priorities are hard, both upstream and downstream.

OpenStack moves slowly compared to a team developing proprietary software. This is a well-known fact. We do our best to upstream our patches as quickly as the project allows, but they often need to be improved to work with other hardware/drivers/etc.

For example, when we launched in July, we already had support for "cleaning" a server - erasing disks, flashing firmware, etc. The "spec" for the new feature was first posted upstream June 25, 2014.[0] This spec finally landed last January 16, 2015.

Our work on improving network support in Ironic has been similar; the project hasn't been ready for it (again, priorities). It's been done in the open[1], but the code is not in Ironic trunk yet.

We've been extremely open about what we're doing since we joined the Ironic project almost a year ago; I'm curious which patches the article has in mind.

As an Ironic developer, this article bums me out a bit, but it's a good pointer as to what we're doing poorly. /me starts writing better docs

[0] https://review.openstack.org/#/c/102685/ [1] https://etherpad.openstack.org/p/ironic-neutron-bonding

I just wanted to chime in here to say that although there were several situations where our questions couldn't be answered, we probably wouldn't have made it as far with our testing if it wasn't for the answers that were received from the openstack ironic developers. I should also point out that I've always found the openstack ironic devs to be kind and professional. So be it as it may, it is unfortunate that there are some conflicting priorities but I certainly do not blame the devs.

This is excellent information, thanks for sharing it, and correcting my assumptions above.

Great questions!

1) We boot a CoreOS image over PXE. IPA is built using Docker, exported as a filesystem, and runs in a linux container via systemd-nspawn. It can take config options via command line or kernel command line. The build system is here. [1]

2) It could, yes. Images are downloaded directly from Swift, and both the client and the server has 10gig links. We're also investigating multicast and bittorrent as alternatives for image distribution.

3) Not sure if you mean agent images or OS images... regardless, at Rackspace, each region runs as its own standalone cloud - so there shouldn't be any communication between data centers when provisioning. Does that answer your question?

4) We're working on implementing client certificate checking for communication between IPA and Ironic. The agents also live on an isolated VLAN that is only accessible by Ironic and Swift.

[1] https://github.com/openstack/ironic-python-agent/tree/master...

This has nothing to do with OpenStack. I believe they're just saying that someone with an OnMetal server can run any workload they choose.

Disclaimer: I work on the OnMetal team at Rackspace.

Yes, I've been convicted of this. :/

If I remember correctly, the legal limit is 0.02 for underage people, to account for mouthwash etc.

He is; he's part of the Developer Relations Group. I know he's been on vacation recently, that's probably part of the reason he hasn't posted as often.

If you don't support weird dietary restrictions like dpiers listed, you will miss out on a lot of offices.

Source: I currently work for ZeroCater. dpiers used to work at ZeroCater, and these are questions you're going to get hit with.

I would pay good money for this - I'm always trying to figure that sort of thing out and it always ends up as a bunch of random googling or trying to remember to check the news in a few hours.