2020-08-13 00:34:55 UTC - Ning yougang: Currently, if passing another annotations when update action, original previous annotation will be removed and the passed new annotations will be added.
It may give users some confused that why my previous annotation gone. So it is better to not delete user's previous annotation when update action with new annotation, but at the same time, need to provide a feature that support to delete annotation by user via ClI, e.g. ```wsk action update hello --del-annotation key1 --del-annotation key2``` Welcome review below prs: <https://github.com/apache/openwhisk-cli/pull/488> <https://github.com/apache/openwhisk-client-go/pull/137> <https://github.com/apache/openwhisk/pull/4940> https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597278895216300?thread_ts=1597278895.216300&cid=C3TPCAQG1 ---- 2020-08-13 04:59:16 UTC - Trevor Sibanda: Hello, I'm new to openwhisk and would appreciate some help. What would be the best way to block egress network traffic with containers executing an action. I'm creating a platform similar to coderank or <http://play.golang.org|play.golang.org> which allows anyone to upload code, execute it and retrieve the results. This is done by creating a new action for every code submission, running it and deleting afterwards. My current challenge is on limiting network access. all tcp | udp traffic should be dropped without affecting openwhisk. My current solution is to define iptables rules on the host to drop all egress traffic(lo excluded) and not allow communication between containers. Is there a better way to do this? iptables inside containers only works if running in privileged mode - which in this case is suicide. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597294756224600?thread_ts=1597294756.224600&cid=C3TPCAQG1 ---- 2020-08-13 06:22:10 UTC - Trevor Sibanda: Update: I've managed to get this working on the standalone build by creating a new docker network and updating the config as below ```docker network create --internal --subnet 172.18.0.1/24 noInternet``` ```include classpath("standalone.conf") whisk { container-factory { container-args { network: noInternet } } }``` Suggestions still welcome +1 : Dominic Kim https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597299730226600?thread_ts=1597299730.226600&cid=C3TPCAQG1 ---- 2020-08-13 11:09:13 UTC - Rodric Rabbah: Hi Beth. Sorry I missed your reply. If you are able to build or pull the container images ahead of time it’s possible to do a disconnected installation. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597316953227900?thread_ts=1597173006.195700&cid=C3TPCAQG1 ---- 2020-08-13 11:10:31 UTC - Rodric Rabbah: The route management package does an npm install. This can be avoided by getting the dependencies ahead of time and modifying the script to eschew the install. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597317031229500?thread_ts=1597173006.195700&cid=C3TPCAQG1 ---- 2020-08-13 11:11:40 UTC - Rodric Rabbah: Delete annotation! Nice. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597317100229900?thread_ts=1597278895.216300&cid=C3TPCAQG1 ---- 2020-08-13 11:16:20 UTC - Rodric Rabbah: That works. I think different vendors apply different strategies. IBM used iptables and eptables at one point. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597317380233000?thread_ts=1597299730.226600&cid=C3TPCAQG1 ---- 2020-08-13 11:16:54 UTC - Rodric Rabbah: Cool about the playground. Are you thinking to improve the playground that’s part of the standalone controller or you want to host the playground externally? https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597317414234100?thread_ts=1597294756.224600&cid=C3TPCAQG1 ---- 2020-08-13 11:22:16 UTC - Rodric Rabbah: Welcome @Trevor Sibanda :wave: https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597317736234600 ---- 2020-08-13 11:24:12 UTC - Rodric Rabbah: From the outside though not inside the containers. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597317852235000?thread_ts=1597299730.226600&cid=C3TPCAQG1 ---- 2020-08-13 13:36:42 UTC - Trevor Sibanda: It'll be hosted externally. I'll be sure to drop a link when its live. https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597325802235400?thread_ts=1597294756.224600&cid=C3TPCAQG1 ---- 2020-08-13 20:32:12 UTC - Brendan Doyle: I just created a PR to cover an old issue of force deleting non empty packages. It just deletes all actions in the package before deleting the package if the force flag is set in the api. I'd appreciate anyone pointing out any potential issues with doing this plus any potential optimization with the way I'm doing the action deletes. But think this is a convenient feature that should be available for people PR: <https://github.com/apache/openwhisk/pull/4941> Related Issue: <https://github.com/apache/openwhisk/issues/1824> +1 : Rodric Rabbah, seonghyun, Ning yougang https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1597350732238200 ----
