2024-05-08 16:30:09
!topic roll call
Dusty Mabe (dustymabe) - he / him / his
Aashish Radhakrishnan (aaradhak)
Hristo Marinov (hricky) - he / him / his
None (jlebon)
Michael Armijo (marmijo)
Gursewak Singh (gursewak)
!topic Action items from last meeting
I don't think we have any action items from the last meeting. Is there anyone who wants to talk about it, or can I proceed?
2024-05-08 16:36:56 <@dustymabe:matrix.org> sounds good to proceed
2024-05-08 16:37:37 <@ydesouza:matrix.org> !topic URL for most recent artifact for platform+stream? !link https://github.com/coreos/fedora-coreos-tracker/issues/625
2024-05-08 16:38:31 <@dustymabe:matrix.org> I tagged this in. We had someone recently come in channel talking about netboot.xyz
2024-05-08 16:38:52 <@dustymabe:matrix.org> which is basically a thin helper that has a bunch of different ipxe configs for different Operating systems
2024-05-08 16:38:58 <@dustymabe:matrix.org> it has FCOS!
2024-05-08 16:39:32 <@jlebon:fedora.im> woah, the demo at https://netboot.xyz/docs/ is pretty cool
2024-05-08 16:39:46 <@dustymabe:matrix.org> the problem is that the definitions for FCOS are always out of date
2024-05-08 16:40:11 <@dustymabe:matrix.org> they have some automation that updates it, but then netboot has to do a new release, etc..
2024-05-08 16:40:53 <@dustymabe:matrix.org> AFAICT there is no way in ipxe that we could configure it to grab our stream metadata and then get the necessary PXE artifacts from that
2024-05-08 16:41:13 <@dustymabe:matrix.org> i.e. we'd definitely need a "latest" link if we wanted to make this easier
2024-05-08 16:41:34 <@dustymabe:matrix.org> flatcar has that - so when you install flatcar with netboot.xyz you always get the newest version
2024-05-08 16:42:14 <@dustymabe:matrix.org> So there are a few questions to answer.
2024-05-08 16:42:39 <@dustymabe:matrix.org> 1. do we think having stable links for the latest in our streams would be bad?
2024-05-08 16:43:00 <@dustymabe:matrix.org> if we don't think it would be bad then the real question is.. how much effort is it worth?
2024-05-08 16:44:27 <@jlebon:fedora.im> https://github.com/coreos/fedora-coreos-tracker/issues/625#issuecomment-697943279 brings up an important aspect
2024-05-08 16:45:17 <@jlebon:fedora.im> we'd need stable links for our sigs too at least
2024-05-08 16:45:51 <@dustymabe:matrix.org> Jonathan Lebon: fair.. we could limit the artifacts we have stable links for to ones that we find fitting the requirements
2024-05-08 16:46:27 <@jlebon:fedora.im> hmm, i wonder if iPXE has any support for signatures
2024-05-08 16:47:21 <@jlebon:fedora.im> ok yes, it does have some infrastructure around that
2024-05-08 16:47:31 <@jlebon:fedora.im> https://ipxe.net/cmd/imgverify https://ipxe.net/cmd/imgtrust
2024-05-08 16:48:17 <@jlebon:fedora.im> but unclear where the keyring comes from
2024-05-08 16:49:11 <@jlebon:fedora.im> dustymabe: i.e. only have stable links for the PXE artifacts?
2024-05-08 16:49:51 <@jlebon:fedora.im> i wouldn't mind having stable links for all of them, but yeah we'd want to link the sigs too and when documenting them, always show sig verification
2024-05-08 16:50:01 <@dustymabe:matrix.org> possibly.. I mean I personally would just create stable links for all of them and then let users make their own choices
2024-05-08 16:50:44 <@dustymabe:matrix.org> but if we decide we don't like that part of it enough, then we could limit it to just enabling certain workflows
2024-05-08 16:51:01 <@jlebon:fedora.im> if we had an example that documents using ipxe verification, that'd be pretty sweet
2024-05-08 16:51:29 <@jlebon:fedora.im> but i also think that people pxe booting directly from the canonical artifacts would be rare (vs mirroring them closer first)
2024-05-08 16:52:09 <@sam:samcday.com> IIRC that's "sort of" up to the system administrator. You specify `TRUST=ca.crts` when you build iPXE.
In reality everyone just uses the pre-builts, which follow the mozilla CA crts: https://ipxe.net/crypto#trusted_root_certificates
2024-05-08 16:52:22 <@jlebon:fedora.im> in which case, stable links would be more about making mirroring easier. but it's not that hard to parse the JSON too
2024-05-08 16:52:24 <@dustymabe:matrix.org> I think I disagree. It probably depends on how heavy of a user you are
2024-05-08 16:53:11 <@dustymabe:matrix.org> for example I imagine this workflow is quite common to get OS on platforms that don't formally support it: https://netboot.xyz/docs/kb/providers/equinixmetal
2024-05-08 16:54:09 <@dustymabe:matrix.org> In that list is OCI, Linode, Equinix -> all of which we don't have official images for
2024-05-08 16:55:28 <@dustymabe:matrix.org> so.. implementation wise, I see two options:
1. just copy the artifacts and rename them to a different folder in s3
2. implement a small redirector service
2024-05-08 16:55:45 <@jlebon:fedora.im> ok, i think i understand what this is doing... that seems very far from mainstream though
2024-05-08 16:56:18 <@dustymabe:matrix.org> define mainstream :)
2024-05-08 16:57:38 <@jlebon:fedora.im> i do like though the "a way to boot FCOS on new platforms" bit
2024-05-08 16:58:07 <@dustymabe:matrix.org> removing steps for ipxe workflows I think will help users trying out FCOS for the first time (or occasional users who re-install ~9-12mo)
2024-05-08 16:58:46 <@jlebon:fedora.im> right, i can more imagine for people kicking the tires than more production-y instances
2024-05-08 16:58:49 <@dustymabe:matrix.org> though, if you're going to install hundreds of systems in your lab or datacenter - I agree, you don't want to repull the PXE artifacts for each boot
2024-05-08 16:59:37 <@jlebon:fedora.im> anyway, it's purely my opinion. i don't have a way to quantify things either way. i would probably still mirror it even if it's just for my server in the basement.
2024-05-08 17:00:07 <@dustymabe:matrix.org> thoughts on ^^
2024-05-08 17:00:28 <@dustymabe:matrix.org> anyone else have opinions?
2024-05-08 17:02:07 <@jlebon:fedora.im> the main difference i see is in 1, there's room for inconsistency (bad) but it's less work (good). in 2, it's always up to date (good), but it's more work (bad)
2024-05-08 17:02:36 <@jmarrero:matrix.org> I don't know enough to understand why we can't just have a link to be added as part of the CI process that publishes the images right now.
2024-05-08 17:03:39 <@dustymabe:matrix.org> jmarrero: if it's a redirect then it's just a link that redirects to the actual location; if it's just a copy then it's not a redirect, it's an actual link, just to a location/filename that's not unique to the version
2024-05-08 17:04:07 <@dustymabe:matrix.org> > in 1, there's room for inconsistency (bad)
Jonathan Lebon can you elaborate?
2024-05-08 17:04:23 <@jlebon:fedora.im> i think this is talking about TLS certificates though, not GPG key verification
2024-05-08 17:05:50 <@jmarrero:matrix.org> I like the idea of the redirect and it just gets auto updated.
2024-05-08 17:06:15 <@jlebon:fedora.im> dustymabe: the stream metadata is canonical. adding secondary sources of truth means introducing risks for things being out of date
2024-05-08 17:06:59 <@jlebon:fedora.im> whereas a redirector doesn't introduce another source of truth
2024-05-08 17:07:34 <@dustymabe:matrix.org> Jonathan Lebon: fair, but worst case you boot the 2 week old FCOS I guess? I would see us just running something as part of the release process (similar to how we update the image family in GCP) to update this
2024-05-08 17:09:00 <@dustymabe:matrix.org> I guess in the interest of time we can talk about implementation later? or is it worth going deeper into that now?
2024-05-08 17:09:18 <@jmarrero:matrix.org> https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-to-page-redirect.html
2024-05-08 17:09:23 <@jlebon:fedora.im> yeah, that sounds good. maybe keep it async in the ticket?
2024-05-08 17:09:54 <@dustymabe:matrix.org> jmarrero: yeah I think that's only if you are hosting a static site (like a website) in s3
2024-05-08 17:10:08 <@dustymabe:matrix.org> Jonathan Lebon: +1
2024-05-08 17:10:18 <@dustymabe:matrix.org> maybe we can agree on direction here, though?
2024-05-08 17:10:22 <@jmarrero:matrix.org> iPXE would not be able to follow the link from a static html that gets updated with every release?
2024-05-08 17:10:50 <@dustymabe:matrix.org> jmarrero: iPXE won't follow redirects?
2024-05-08 17:11:03 <@dustymabe:matrix.org> if that's true then it limits our options probably to `1.` :)
2024-05-08 17:11:07 <@jmarrero:matrix.org> I am asking*
2024-05-08 17:11:33 <@jmarrero:matrix.org> anyway lets move on :D
2024-05-08 17:11:34 <@jlebon:fedora.im> i'd be very surprised if it didn't
2024-05-08 17:11:59 <@ydesouza:matrix.org> I will set this as an action, so you can discuss more about it async. That's ok?
2024-05-08 17:12:34 <@dustymabe:matrix.org> should we do a proposed/agreed? or I could just `!info`
2024-05-08 17:12:59 <@dustymabe:matrix.org> Yasmin de Souza: probably not super important, so maybe we don't need an action item
2024-05-08 17:14:40 <@ydesouza:matrix.org> Okay! How about just an info? :)
2024-05-08 17:15:01 <@ydesouza:matrix.org> Just to keep track of this task.
2024-05-08 17:15:12 <@dustymabe:matrix.org> sounds good!
I'll type something up
2024-05-08 17:15:16 <@dustymabe:matrix.org> Jonathan Lebon: FYI: https://ipxe.org/crypto#trusted_root_certificates
2024-05-08 17:16:08 <@sam:samcday.com> Hum - I don't think iPXE does gpg verification, only x509 code signing certs
2024-05-08 17:16:11 <@dustymabe:matrix.org> !info to enable use cases like netboot.xyz (and iPXE in general) we think it would be beneficial to have stable links people can use. We're not sure 100% on which implementation would be most appropriate yet, though.
2024-05-08 17:16:24 <@ydesouza:matrix.org> Thanks Dusty!
2024-05-08 17:16:32 <@dustymabe:matrix.org> that info look OK?
2024-05-08 17:16:56 <@ydesouza:matrix.org> Looks nice! Thank you again! So, let's go to our open floor!
2024-05-08 17:17:06 <@ydesouza:matrix.org> !topic Open Floor
2024-05-08 17:17:41 <@jlebon:fedora.im> yes sorry, i was reading more on that now
2024-05-08 17:18:09 <@jlebon:fedora.im> the example code in https://ipxe.net/cmd/imgverify made it look very GPG like, but the note at the bottom of the page clears it up
2024-05-08 17:18:20 <@dustymabe:matrix.org> !info Fedora 40 based coreos is getting shipped out to `stable` stream nodes over the next few days!
2024-05-08 17:18:37 <@dustymabe:matrix.org> We should probably start tracking change proposals for the F41 release
2024-05-08 17:18:57 <@jlebon:fedora.im> https://ipxe.net/crypto#code_signing
2024-05-08 17:19:14 <@ydesouza:matrix.org> Do we already have a document for it where we can track proposals?
2024-05-08 17:19:57 <@dustymabe:matrix.org> https://github.com/coreos/fedora-coreos-tracker/issues/1714
2024-05-08 17:20:35 <@dustymabe:matrix.org> I guess I'll need to find a volunteer to take over the driving of that discussion and the process around it for the F41 cycle (since I won't be around for most of it)
2024-05-08 17:21:35 <@dustymabe:matrix.org> !action dustymabe to find someone to help wrangle changes considerations for the F41 cycle
2024-05-08 17:21:59 <@jlebon:fedora.im> thankfully, we've been pretty good at keeping the checklist up to date
2024-05-08 17:22:00 <@jmarrero:matrix.org> Talking about proposals, reviews and additional owners welcomed on: https://fedoraproject.org/wiki/Changes/DNFAndBootcInImageModeFedora
2024-05-08 17:22:15 <@jlebon:fedora.im> oh i see, change proposals, yes.
2024-05-08 17:22:34 <@dustymabe:matrix.org> yeah, the change proposals are less well defined at this point
2024-05-08 17:22:42 <@dustymabe:matrix.org> another thing I've been thinking about too.. we really are lacking by not having a proper firewall management tool in FCOS
2024-05-08 17:22:50 <@jlebon:fedora.im> might be good to document that script and how it's run somewhere in the tracker itself
2024-05-08 17:22:58 <@jlebon:fedora.im> i tried once i think and didn't get it to work
2024-05-08 17:23:07 <@dustymabe:matrix.org> https://mastodon.social/@deflockcom/112378364735796507
2024-05-08 17:23:50 <@dustymabe:matrix.org> basically if you run FCOS in a cloud, then yes cloud firewall/security groups, etc.
if you run it on bare metal or in a bespoke environment, you really want a firewall
2024-05-08 17:25:19 <@dustymabe:matrix.org> I think the argument would be easier if firewalld was written in !python - but I don't see that changing
2024-05-08 17:25:50 <@jlebon:fedora.im> https://github.com/coreos/layering-examples/blob/main/ansible-firewalld/Containerfile is relevant here
2024-05-08 17:26:20 <@dustymabe:matrix.org> ehh, is it though
2024-05-08 17:26:44 <@dustymabe:matrix.org> I understand what you are saying, but feels kind of like firewall should be table stakes
2024-05-08 17:26:47 <@jlebon:fedora.im> obviously a different kind of message. i.e. firewalling wouldn't feel built in
2024-05-08 17:26:55 <@dustymabe:matrix.org> right
2024-05-08 17:27:45 <@sam:samcday.com> Related: https://github.com/coreos/fedora-coreos-tracker/issues/1623#issuecomment-1851904401
2024-05-08 17:28:00 <@dustymabe:matrix.org> maybe we should have a more focused discussion on this at some point
2024-05-08 17:28:08 <@dustymabe:matrix.org> Yasmin de Souza: i'm done blabbing :)
2024-05-08 17:28:16 <@sam:samcday.com> UDisks2 needs python. CoreOS ships fwupdmgr by default but it chokes without udisks2
2024-05-08 17:28:29 <@ydesouza:matrix.org> Thanks for the discussion today, folks!
2024-05-08 17:28:54 <@jlebon:fedora.im> i feel like you should also be able to do firewalling from a container. one problem of course is bootstrapping
2024-05-08 17:29:25 <@jlebon:fedora.im> thanks Yasmin de Souza for running!
2024-05-08 17:29:45 <@dustymabe:matrix.org> yep.
2024-05-08 17:30:00 <@ydesouza:matrix.org> Have a nice week, everyone!
2024-05-08 17:30:11 <@ydesouza:matrix.org> !endmeeting