21:01:16 <sgallagh> #startmeeting Server Working Group Weekly Meeting (2016-12-06)
21:01:16 <zodbot> Meeting started Tue Dec  6 21:01:16 2016 UTC.  The chair is sgallagh. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:01:16 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
21:01:16 <zodbot> The meeting name has been set to 'server_working_group_weekly_meeting_(2016-12-06)'
21:01:16 <sgallagh> #chair nirik sgallagh mhayden dperpeet smooge jds2001 vvaldez adamw mjwolf
21:01:16 <zodbot> Current chairs: adamw dperpeet jds2001 mhayden mjwolf nirik sgallagh smooge vvaldez
21:01:16 <sgallagh> #topic roll call
21:01:16 <sgallagh> .hello sgallagh
21:01:17 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com>
21:01:23 <vvaldez> .hello vvaldez
21:01:26 <dperpeet> .hello dperpeet
21:01:26 <adamw> .hello adamwill
21:01:27 <zodbot> vvaldez: vvaldez 'Vinny Valdez' <vvaldez@redhat.com>
21:01:30 <zodbot> dperpeet: dperpeet 'None' <dperpeet@redhat.com>
21:01:33 <zodbot> adamw: adamwill 'Adam Williamson' <awilliam@redhat.com>
21:01:42 <mhayden> .hello mhayden
21:01:43 <zodbot> mhayden: mhayden 'Major Hayden' <major@mhtx.net>
21:02:59 <jds2001> .hello jstanley
21:03:00 <zodbot> jds2001: jstanley 'Jon Stanley' <jonstanley@gmail.com>
21:03:02 <smooge> .hello smooge
21:03:04 <zodbot> smooge: smooge 'Stephen J Smoogen' <smooge@gmail.com>
21:03:14 <langdon> .hello langdon
21:03:15 <zodbot> langdon: langdon 'Langdon White' <langdon@fishjump.com>
21:03:25 <sgallagh> Wow, full house today.
21:03:38 <sgallagh> #topic Agenda
21:03:55 <sgallagh> I didn't remember to put together a real agenda this week, but I have a couple topics anyway.
21:04:18 <sgallagh> #info Agenda Item: Usenix LISA Booth
21:04:18 <sgallagh> #info Agenda Item: NFS Server Role Discussion
21:04:23 <sgallagh> Anyone have other topics?
21:05:55 <smooge> nothing
21:05:56 <sgallagh> Did I fall off the network again?
21:05:59 <smooge> isn't lisa now
21:05:59 <sgallagh> oh ok
21:06:11 <sgallagh> Excellent segue! ;-)
21:06:11 <smooge> sorry i got called into a wok meeting
21:06:20 <sgallagh> #topic Usenix LISA Booth
21:07:00 <smooge> who is running the lisa booth this week?
21:07:03 <sgallagh> OK, so langdon and I will be operating the Fedora Server booth at LISA tomorrow.
21:07:08 <langdon> Smooge: you making me dinner?
21:07:09 <smooge> hah
21:07:28 <smooge> no i am in north carolina
21:07:29 <sgallagh> "wok" meeting. Ha.
21:07:46 <smooge> i am wokkin on a meeting
21:08:07 <langdon> :(
21:08:10 <vvaldez> I am not, I’m in my basement this week
21:08:22 <sgallagh> Fedora Server is in kind of a transitional place this year, so it's a little less obvious than in the past what we should be talking about.
21:08:37 * jds2001 in his apartment, which is on the third floor if that counts for anything :D
21:09:01 <sgallagh> I'm probably going to yammer on about our new ansible-based role plans as well as preaching the gospel of Cockpit.
21:09:11 <jds2001> sgallagh: i'd talk about the future, about the roles.
21:09:14 <jds2001> sgallagh: +1
21:09:15 <sgallagh> But I'd like to hear from all of you what you think will be the most attractive stuff.
21:09:31 <langdon> Crazy server!
21:09:36 <mhayden> i wish i could be at LISA! :P
21:09:41 <sgallagh> langdon: For the last time, we're not calling it that.
21:09:46 <jds2001> servers? who needs those anymore? :D
21:09:59 * langdon still working on the acronym
21:10:00 <jds2001> everyone has containers!
21:10:02 <mhayden> jds2001: haha, been watching a lot of re:invent coverage :P
21:10:51 <sgallagh> Oh, actually I have a third topic to stick into the agenda later... today there was a mini-summit on Ansible Container that I attended. Some interesting stuff that could be relevant for the roles.
21:10:59 <sgallagh> /me puts a pin in that for now
21:11:04 <jds2001> seriously, I think talking a bit about the container stuff could be valuable as well
21:11:08 <jds2001> and where we fit in there.
21:11:14 <sgallagh> /me ndos
21:11:15 <sgallagh> *nods
21:12:18 <sgallagh> I'm probably going to avoid talking too much about the Domain Controller and DNS stuff that's been going on, mostly because the Identity Management folks from Red Hat have their own booth.
21:13:08 <jds2001> go ahead, steal their thunder :D
21:13:10 <sgallagh> I'll probably throw together a couple VMs for people to poke at Cockpit
21:13:24 <sgallagh> jds2001: Problem with stealing thunder is the lightning that comes with it
21:13:26 <langdon> I think they are right next to each other though
21:14:30 <sgallagh> OK, let's not spend too much time on this topic; anyone have a particular piece they *really* want us to talk up?
21:15:39 <sgallagh> *crickets chirp*
21:15:55 <dperpeet> sgallagh, you mentioned what I would say
21:15:55 <geppetto> sgallagh: It would be cool if you could speak to people about: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/DTXEZ3UACKA6VIVMVNCPLTB336BXIFJI/
21:16:00 <geppetto> And get some direct feedback
21:16:16 <sgallagh> geppetto: Ah, great idea! I will do that.
21:16:25 <sgallagh> I imagine mattdm will do the same (he will also be around)
21:16:30 * geppetto nods
21:16:40 <sgallagh> #info Talk about future of Server Roles powered by Ansible
21:16:52 <sgallagh> #info Discuss future container plans
21:17:10 <sgallagh> #info Show off Cockpit
21:17:35 <sgallagh> #info Poll people on Fedora release frequency
21:18:09 <sgallagh> #topic Ansible Container Mini-Summit
21:18:11 <langdon> sgallagh, ok.. not to be too snarky... but
21:18:16 <sgallagh> ...
21:18:18 <langdon> why not cockpit in a container?
21:18:38 * langdon was wandering so couldn't type too fast
21:18:39 <sgallagh> langdon: ?
21:18:48 <langdon> you said VMs to play around with cockpit..
21:19:01 <langdon> we can discuss in person tomorrow.. may not be relevant for everyone
21:19:01 <dperpeet> at this point I'm not aware that we can have all of cockpit in a container
21:19:13 <sgallagh> langdon: Because I don't want them mucking with my actual laptop :)
21:19:40 <sgallagh> also what dperpeet said
21:19:42 <langdon> dperpeet, oh.. didnt know that
21:19:58 <dperpeet> I concur with sgallagh's plan to use VMs
21:20:02 <sgallagh> dperpeet: Atomic's version of Cockpit is a subset of functionality, right?
21:20:33 <dperpeet> we're veering a bit off-topic here, but briefly put the web service part can run in a container
21:20:50 <dperpeet> but the base parts need to be installed
21:20:57 <dperpeet> which is what Atomic ships with in the ostree
21:21:50 <sgallagh> So, Ansible Container: basically this was a meeting of a number of interested parties to discuss future use and requirements.
21:21:52 <dperpeet> I'm happy to explain that in more detail, but probably better not here and right now
21:22:38 <sgallagh> Quick overview: basically Ansible Container is a declarative replacement for dockerfiles with pluggable output to support multiple container formats (including Docker)
21:24:01 <sgallagh> It looks quite appealing as a potential implementation mechanism for the server roles (as microservices).
21:24:32 <sgallagh> One of the major benefits to it is that it builds OpenShift-compatible containers by default, which means an easier migration path between Fedora Server and Fedora Atomic.
21:24:34 <jds2001> sgallagh: i heard a little about it at ansiblefest
21:25:03 <jds2001> threw it on the list of "this looks cool, but I really don't see the usefulness in practical terms"
21:25:29 <vvaldez> that would be nice, ideally it could output json needed for runc system containers I’d imagine
21:25:37 <sgallagh> jds2001: That was my thought then as well. After today, I think there's direct value to what we're working on.
21:26:27 <sgallagh> vvaldez: The output plugins look fairly straightforward, so I expect that wouldn't be terribly difficult to accomplish
21:27:01 <vvaldez> nice
21:27:03 <sgallagh> Anyway, I don't have a *lot* to report on this at the moment. Today's discussion opened the possibility that this could be a good fit for us, so I'm putting it on our radar.
21:27:32 <sgallagh> (Surprises are good for birthdays, not for software development projects :-D )
21:28:10 <langdon> just fyi.. modularity team has a person specifically working on modularity + ansible/ansible-container
21:28:20 <langdon> so we should have help for you there
21:28:21 <jds2001> sgallagh: my birthday is 2/6 :D
21:28:31 <langdon> is that june or feb? ;)
21:28:39 <sgallagh> langdon: Who is that person?
21:28:44 <langdon> ttomeck
21:28:52 <langdon> oops.. i think i dropped an e
21:28:53 <sgallagh> Ah, ok. Yes, he was on the call.
21:28:58 <langdon> ttomecek
21:29:28 <sgallagh> OK, shall we move on to the NFS discussion?
21:29:34 <geppetto> Also if anyone wants to have a look easier, there is a copr: http://copr-fe.cloud.fedoraproject.org/coprs/james/ansible-container/
21:31:25 <sgallagh> geppetto++
21:31:26 <zodbot> sgallagh: Karma for james changed to 1 (for the f25 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
21:31:52 <sgallagh> #topic NFS Server Role Discussion
21:32:02 <dperpeet> We have the google doc here: https://docs.google.com/document/d/1jLyKsECdHdlKltmHGgf_-iOKj-hj4Qjbh5Zgm7a-eMc/edit and andreasn updated the Cockpit feature page https://github.com/cockpit-project/cockpit/wiki/Feature:-NFS-Server
21:32:06 <sgallagh> dperpeet, jds2001: Mind giving a quick...
21:32:10 <sgallagh> ok, you beat me to it
21:32:12 <dperpeet> :)
21:32:40 <dperpeet> at this point we need to make sure that the user stories are good
21:32:45 <sgallagh> dperpeet: I read the user story that Andreas put together.
21:33:10 <sgallagh> I think we need to call out a few others (that may have some or much overlap) but are very important.
21:33:34 <dperpeet> yeah, I iterated a bit also
21:34:07 <dperpeet> I emphasized different permission settings
21:34:11 <sgallagh> One extremely common example is NFS-mounted home directories.
21:34:16 <dperpeet> right
21:34:52 <jds2001> sgallagh: do we want to include autofs configuration?
21:34:53 <sgallagh> I think we also need to focus on getting Kerberos-protected shares done right.
21:35:10 <sgallagh> jds2001: That's a client-side configuration; we can't easily do that on the server-side except via FreeIPA.
21:35:26 <sgallagh> However, I *do* think we want to start looking at how to do that optimally with FreeIPA
21:35:37 <dperpeet> I suggest adding feedback to the wiki page
21:35:40 <sgallagh> Sorry, probably need some background info there.
21:35:43 <dperpeet> so andreas can reference it there
21:35:57 <dperpeet> or comment on trello https://trello.com/c/00TuMHlI/414-design-nfs-server-configuration
21:36:09 <vvaldez> jds2001: I would +1 an autofs config, as it is there’s a default /net by just installing/enabling the package we could go from there
21:36:11 <sgallagh> dperpeet: Sure, will do.
21:36:30 <jds2001> sgallagh: does kerberos have any impact on the UI?
21:36:32 <sgallagh> vvaldez: /net is a special-case
21:36:56 <dperpeet> we can add important stories that interact with other technologies if they are important
21:36:58 <sgallagh> jds2001: Possibly.
21:37:00 <jds2001> vvaldez: im used to working in enterprise environments where we obliterate that :)
21:37:09 <jds2001> vvaldez: so i honestly completely forgot about it.
21:37:20 <dperpeet> it doesn't mean that it has to be implemented right away, but certainly we should point that story out in the design phase
21:37:28 <vvaldez> sure, same here, we use our own custom ones but still, very nice to have on new servers that get brought up
21:37:42 <vvaldez> autofs itself, not just /net. ack sgallagh
21:39:12 <sgallagh> Autofs setup would be nice, but I don't think it can be implemented without a way to "push" config to the clients.
21:39:51 <sgallagh> I suppose we could offer ansible snippets that admins could download and add into their playbooks to configure the NFS clients, though.
21:40:02 <sgallagh> But now I'm getting into implementation, so I'll stop
21:40:12 <sgallagh> (though that might impact UI...)
21:40:16 <jds2001> sgallagh: really, it's a separate role
21:40:41 <jds2001> "file server client
21:40:47 <jds2001> " or something like that
21:40:49 <sgallagh> jds2001: Well, not necessarily if we do the integration work necessary to update a FreeIPA config as well
21:41:04 <jds2001> that just updates maps
21:41:05 <sgallagh> Because any SSSD client of FreeIPA can just pick up the autofs config
21:41:23 <jds2001> it wont make sure that autofs is configured correctly on the clients to look at it :)
21:41:29 <sgallagh> hmm
21:41:36 <dperpeet> I suggest adding this as a potential interaction point with other technology, but not design it fully at this point
21:41:54 <sgallagh> dperpeet: Fair point.
21:42:06 <sgallagh> jds2001: Would you mind adding these use-cases to the doc?
21:42:17 <jds2001> sure
21:42:49 <sgallagh> Much obliged.
21:43:28 <sgallagh> As for whether the kerberized NFS will affect the UI... it *might* if we want to offer a choice of secure vs. insecure sharing.
21:44:01 <sgallagh> (We can't *only* offer secure sharing unless we want to require that the machines be part of a domain to use this feature... which is a choice we could make, of course)
21:44:32 <dperpeet> interesting, but feels a bit too forceful
21:44:50 <sgallagh> dperpeet: Which part?
21:45:02 <dperpeet> only offering secure sharing
21:45:06 <langdon> please don't .. unless the domain part is part of the setup..
21:45:33 <sgallagh> langdon: Well, that's where I was going: we could offer sharing if you're a domain member or prompt you to join one first before setting up sharing.
21:45:35 <langdon> too hard for us non-sysadmins
21:45:51 <langdon> yeah.. my problem is i don't know how to set up a domain ;)
21:45:53 <sgallagh> Joining a domain is quite easy these days.
21:45:59 <langdon> except on windows
21:46:04 <jds2001> what's a domain? why do i need one just to share files?
21:46:04 <sgallagh> langdon: *joining*, not *creating*
21:46:10 * jds2001 puts on inexperienced admin hat
21:46:43 * langdon is/was a developer but played a sysadmin on tv for like 6m .. (by tv, on a contract for some friends)
21:47:11 <sgallagh> jds2001: That sounds like a job for... the designer! ;-)
21:47:17 <langdon> sorry.. i was trying to say.. i don't know how to setup a domain.. so i don't have one to join... or be a member of
21:47:26 <dperpeet> let's not limit ourselves like this from the start (regarding domain requirement)
21:47:48 <sgallagh> dperpeet: Well, we have a domain requirement for secure sharing no matter what.
21:48:07 <sgallagh> So even if we're not *limiting* ourselves to it, we either still have to offer it or else only enable insecure sharing.
21:48:09 <dperpeet> right, but we'll want to support quick&dirty sharing as well
21:48:11 <sgallagh> I don't like the latter at all
21:48:31 <smooge> dns domain versus ldap domain versus kerberos domain versus nfs versus samba... goes back to being quiet
21:48:33 <sgallagh> So we still have to solve the "why do I need a domain?" question either way.
21:48:43 <langdon> ok.. don't hit me.. but i can do ssh setup.. so nfs over ssh tunnels? or is that "not recommended" for some reason?
21:48:54 <smooge> OH GOD NO
21:49:02 <smooge> PLEASE NO NO NO
21:49:04 <langdon> ha.. figured that was probably the response
21:49:11 <sgallagh> smooge: I tried very hard to convince FreeIPA folks to choose the term "hegemony" instead of "domain", but I was shot down.
21:49:29 <smooge> well its our cockpit ui.. it is a hegemony to me
21:49:35 <langdon> "set of friendly computers" is probably too wordy
21:49:59 <smooge> langdon, several reasons.. NFS can use udp.. ssh doesn't do that
21:50:07 <sgallagh> langdon: Well, there are two effects to the secure NFS. One is that it's actually encrypted, the other is that the Kerberos layer eliminates the ancient problem about ensuring that UIDs are the same on the clients as the server.
21:50:38 <dperpeet> long term we'll want to default to secure unless the user doesn't want that
21:50:56 <sgallagh> dperpeet: I don't know that we can call that "long-term".
21:51:18 <langdon> ahh.. yes... i see.. but there is a plan to make domain setup easy too, right? so is it just a chicken and egg thing? like do "both" for now with a warning about insecure and then when the "easy domain part" happens maybe a prompt to go set one up first and a stronger warning on insecure
21:51:18 <sgallagh> I wonder if "NFSv3-compatible" would be a cop-out option...
21:51:26 <dperpeet> sgallagh, shortly after we can reliably set up a freeipa server in a container
21:51:39 <dperpeet> langdon, exactly
21:51:44 <sgallagh> dperpeet: So nine months ago?
21:51:53 <dperpeet> as part of our roles
21:51:58 <dperpeet> properly configured
21:52:03 <dperpeet> does that all work?
21:52:11 <dperpeet> haven't checked recently
21:52:23 * langdon notes that he thinks it still asks a lot of hard questions
21:52:26 <sgallagh> We don't have a role for it yet
21:52:43 <sgallagh> But I've been told that the container version of FreeIPA is fairly stable.
21:52:50 <dperpeet> I'm fine with taking this into the NFS role, but it shouldn't be a requirement
21:52:54 <sgallagh> So it's probably time to start looking into deploying it.
21:53:12 <sgallagh> langdon: define "it"?
21:53:24 <langdon> "freeipa setup"
21:53:36 <dperpeet> sgallagh, is there anyone willing to try and make that happen for our upstream tests? I'm happy to spend some time on this as well - it will get tested many times a day
21:53:43 <dperpeet> our = Cockpit
21:53:44 <sgallagh> langdon: The ipa-install-server script asks hard questions.
21:53:48 <langdon> like don't you have to have a custom domain (ie. dns domain)
21:53:50 <sgallagh> Most of them don't need answering.
21:54:05 <sgallagh> (That's why rolekit can install it with nothing more than "domain name")
21:55:17 <sgallagh> I think it's probably worth having another look at getting it deployed via Cockpit.
21:55:52 <sgallagh> The real problem with the install script is that they require explicit answers to a ton of stuff that could have reasonable defaults instead.
21:56:13 <dperpeet> let's fix that upstream before we try to hack something
21:56:42 <dperpeet> and for the NFS role we can have a rough concept of defaulting to a secure setup, if available
21:56:45 <sgallagh> dperpeet: Not likely to happen.
21:56:51 <smooge> actually langdon you will be at USENIX with a lot of people who do this a lot.. is there a way you could ask them to try it and ask the questions to them?
21:57:08 <sgallagh> Upstream prefers detailed choices.
21:57:12 <langdon> smooge, sure.. we can do that..
21:57:49 <dperpeet> since we want to prioritize the NFS role in Cockpit as a proof of concept, I don't want to flesh it out too much in the initial design
21:58:07 <dperpeet> otherwise we get delays on all the other roles
21:58:41 <geppetto> sgallagh: You don't think they'll accept pulling defaults to show the user, where pressing return DTRT?
21:58:41 <dperpeet> e.g. we can keep actual domain setup out of this for now, out of scope
21:59:07 <jds2001> dperpeet: +1
21:59:13 <sgallagh> dperpeet: That's fair
21:59:32 <dperpeet> using one seems good
21:59:36 <dperpeet> as that affects the UI
22:01:09 <sgallagh> geppetto: Maybe, but I doubt it's on their priority list and I don't have the time to hack it up.
22:02:47 <langdon> ok.. so .. I would like modularity to be involved in this.. so i would like us to build a nfs-server-module and/or container in support of this.. but i am not sure how to make sure they are coordinated with this work
22:03:43 <sgallagh> langdon: I think what we'd like to do is finish fleshing out our requirements doc and get the first pass of a UX mock-up from andreas.
22:03:58 <sgallagh> Then we can present it to your team to discuss actual implementation under the hood.
22:04:24 <sgallagh> dperpeet: Remind me when your current sprint ends (and when you'll have those mock-ups)?
22:04:27 <sgallagh> Was it next Friday?
22:04:41 * jds2001 thought it *started* next Friday?
22:04:46 <dperpeet> sgallagh, the sprint will end a week from now
22:04:56 <jds2001> ahhh
22:05:03 <langdon> sgallagh, ok.. i may have people start on the "defining the module" and "container" .. and then we can lay the role stuff on top.. re-work is ok.. i would just prefer to make progress in parallel (i have other requests for nfs-server anyway)
22:05:52 <dperpeet> langdon, you can track what we base the design on in the google doc and the cockpit wiki page / trello
22:05:53 <sgallagh> langdon: Sounds good to me.
22:06:00 <langdon> dperpeet, ack
22:06:22 <dperpeet> langdon, or ping me :)
22:06:22 <sgallagh> dperpeet: OK, so next Tuesday we expect to have mock-ups, or it's happening the following sprint?
22:07:02 <dperpeet> sgallagh, I'm cautiously optimistic about getting at least a first iteration of mock-ups before our next meeting
22:07:08 <dperpeet> or in time for that meeting
22:07:43 <sgallagh> That would be fantastic. Thank you.
22:07:55 <dperpeet> thank andreasn :)
22:08:11 <langdon> dperpeet, i applaud you on your excellent consultant answer
22:08:51 <dperpeet> langdon, thanks :)
22:10:04 <sgallagh> OK, I don't think I have anything else to add here, and we're over time.
22:10:06 <sgallagh> Anyone else?
22:11:51 <sgallagh> Thanks for coming, folks
22:11:53 <sgallagh> #endmeeting