- Alice reported working on Docker and Kubernetes deployment. While these do rely on containers, it was agreed that the goal was different from the mandate of this WG, as they rely on special deployment at sites, giving root access to the VO.
- CERN and FNAL opened feature requests for unprivileged namespace support in Red Hat Enterprise Linux 7.3, which is supposed to be released later this year.
- Vincent proposed a pilot: using a more recent kernel/distribution to try to build a tool that will use unprivileged namespaces to build a working SL6/7 environment for jobs, in order to test it on RHEL 7.2 or any preview of 7.3 and identify missing pieces. This proposal did not arouse the interest of members of the Working Group.
- Dave proposed another pilot: build glExec plugins relying on privileged namespaces (still a SUID) to create the same kind of isolation (which could also, for example, make it possible to obtain an SL6 environment on SL7). CMS would be interested in such a tool, which could ease the deployment of glExec (no special user or mapping needed) for new sites. In theory, as soon as unprivileged namespaces are supported, adapting such a plugin to run as a normal user should be rather straightforward.
- Maarten commented that it may be worth it as long as it does not consume too much effort and investment.
- No agreement was reached on this topic, leading to no action before the next meeting.