12:29:44 #startmeeting Using Fedora Atomic as workstation
12:29:44 Meeting started Wed Aug 3 12:29:44 2016 UTC. The chair is jdieter. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:29:44 Useful Commands: #action #agreed #halp #info #idea #link #topic.
12:29:44 The meeting name has been set to 'using_fedora_atomic_as_workstation'
12:29:56 #meetingname flock2016
12:29:56 The meeting name has been set to 'flock2016'
12:31:16 Hi, Good afternoon, everyone
12:31:29 This is my best attended session ever
12:31:33 *applause*
12:31:51 Let's first prove that I'm not going to be bs'ing here
12:32:19 This laptop is now running rpm-ostree at this moment
12:32:26 And has been since January of this year
12:32:32 Presentation over!
12:32:34 ;)
12:32:58 I told people about this, and they said I should tell people about this because it's not trivial
12:33:49 To make marketing happy, I can't call it Atomic, but instead call it rpm-ostree
12:33:57 First some background
12:34:06 #topic Background
12:34:15 Why use it?
12:34:23 The entire root filesystem is read-only and signed
12:34:35 If anything gets changed, you'll see it.
12:34:53 I'm currently running Rawhide and I updated this morning
12:35:02 I dared to do this because if it failed (and it did), I could reverse
12:35:21 Wireless was broken so I reverted it.
12:35:29 Also, it's fun!!!
12:35:38 #topic Limitations
12:35:46 There are no workstation trees available
12:35:49 Dave is working on that
12:35:57 You'll need to build your own trees
12:36:07 You'll want custom packages, and you can't do that right now
12:36:32 rpm-ostree has a lot of bugs, and the fixes come slowly (if at all)
12:37:00 comps is not supported
12:37:08 You have to specify each package by hand
12:37:51 Since you can't add applications (r/o root), you can use docker/vms/Flatpak
12:38:03 Except I haven't managed to get Flatpak working yet
12:38:08 I've gone mostly the docker route
12:38:29 In the end it will be good, but it will cause a lot of pain to set up
12:38:32 #Setting up
12:38:44 Creating a tree
12:39:00 You have a lot of decisions to make. Some will want to use Gnome
12:39:09 Some people will want to use Emacs, but I want to use vim
12:39:19 And, no, I'm not getting into a war here
12:39:56 I have a separate machine that tries to compose a new tree every five minutes, and if it succeeds, sends it to S3
12:40:15 You need to then create the tree file
12:40:29 There's some documentation
12:40:37 My stuff is all public
12:40:51 You'll want to use scripts, otherwise it's a lot of work
12:41:17 I've got a script that creates a full tree file from a tree file with comps groups.
12:41:27 You then compose the tree file into a tree
12:41:33 Hopefully it works
12:41:53 You will run into problems
12:42:03 dracut-rescue can't be installed, or it will break the compose
12:42:22 You'll have to test, and then go back to the compose step
12:42:32 I've had to repeat up to 100 times
12:43:26 To get it to the point where it's usable for daily use
12:43:32 To just get it to boot is much less hard
12:44:00 Q: Could you just run rpm -qa to get a list of rpms and add them to the tree?
12:44:26 A: Yes, you'll end up with a bunch of extra packages, but it should work
12:44:46 *comment from audience* You should be a provenpackager
12:44:48 I am
12:45:00 *comment from audience* You should fix the packages
12:45:02 I do
12:45:10 Except docker
12:45:17 #topic Deploying the tree
12:45:33 The method I like is a netinstall with a kickstart
12:46:06 About once a month I reimage because rpm-ostree has garbage collection issues
12:46:17 ostreesetup --osname=... --url=...
12:46:24 That is the command to kick off the deployment
12:46:50 Q: What partition setup are you using?
12:47:13 A: I use an LVM volume group
12:47:35 The / needs to be large enough to handle at least 2 full trees
12:47:59 Because of garbage collection issues
12:48:39 Q: What actually *is* signed?
12:48:53 A: The tree and the objects in it
12:49:36 I think it signs the metadata and then the objects
12:49:48 But don't pin me down on that detail, because it's an implementation detail
12:50:01 Q: If you change a file, would that break the signature?
12:50:19 A: Yes, you couldn't because it's read-only, but if you could, it would break the signature
12:50:57 I run secure provisioning that securely sets up LUKS, GRUB, and passwords
12:51:14 So I don't need to be present to do the provisioning
12:51:23 #topic Experiences
12:51:28 I like it
12:51:43 It will take quite a while to get used to when you first set it up
12:51:57 It will take quite a while to get set up if we don't get a tree from... David?
12:51:59 ;)
12:52:15 I like being able to roll back when things go wrong
12:52:38 If you're in a big company, you just roll back if the update fails
12:53:30 Q: When can I use this?
12:53:53 I have 200 desktops, all identical
12:54:13 I'm trying to work out how this works with my system?
12:54:53 A: You can have multiple trees that share packages. So you'd compose a tree for each of your "images"
12:55:10 Q: Are you running anything in containers or just on the host system?
12:55:29 A: I run most of my development in docker, and the only thing on my host system is ssh and git.
12:56:21 The plan is that Flatpaks will provide user-specific applications
12:57:00 Q: Have you played with mlock and overlays to modify /home without modifying /home?
12:57:06 A: No, I have not
12:57:36 It's kind of cool
12:57:46 Q: Are you going to talk more about specific hiccups you ran into?
12:57:58 A: No, because most of them were specific to certain packages
12:58:20 Q: What about the current Fedora rpm-ostree isn't sufficient?
12:58:46 A: The current Atomic Host only has command-line
12:58:53 I have a GUI in my base system
12:59:07 Q: Do you do daily updates?
12:59:18 A: I tend to, unless I'm aware of a blocking bug
12:59:47 Q: How does it deal with a second update after you've updated once?
12:59:56 A: It always touches the inactive tree
13:00:09 Q: What issues have you had with Flatpak?
13:00:13 A: Let me show you
13:00:23 *Segmentation fault (core dumped)*
13:00:44 This is a tree from 2016-07-18
13:00:56 *from audience* You're probably missing glib-networking
13:01:36 Q: Why are you running a tree from 2016-07-18?
13:02:09 A: rpm-ostree doesn't work with insufficient logging for me to work out what's wrong
13:02:41 Q: How does this work with static networking?
13:02:49 A: /etc is not part of the read-only system
13:03:24 It's part of the tree, but changes to etc are done using a three-way merge
13:03:37 Q: How many problems did you have with %post scripts?
13:03:56 A: Loads of warnings, but only two packages actually crashed
13:04:20 *audience discussion about the scripts*
13:04:48 One of the main things you see are problems with things that try to talk with SELinux because it's not available during compose
13:05:07 #topic Resources
13:05:12 Here are my resources
13:05:33 https://patrick.uiterwijk.org
13:05:48 puiterwijk @ FreeNode
13:06:19 Q: Is it possible to install rpm-ostree on top of a regular system?
13:06:40 A: Yes, run a command and it will show up in GRUB
13:06:52 Q: Can this be used as part of QA?
13:06:57 A: Very likely, yes
13:07:13 Q: Should it be used as part of OpenQA?
13:07:19 A: Yes
13:08:25 *comment from audience* The QA advantage of ostree will be that you're testing exactly what people are using
13:09:35 *docker question*
13:11:31 Q: What's the minimum OS version you need to use ostree?
13:11:45 A: Fedora 22, RHEL 7.2
13:15:43 *applause*
13:15:46 #endmeeting