21:01:40 <sgallagh> #startmeeting Server Working Group Weekly Meeting (2016-12-13)
21:01:40 <zodbot> Meeting started Tue Dec 13 21:01:40 2016 UTC.  The chair is sgallagh. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:01:40 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
21:01:40 <zodbot> The meeting name has been set to 'server_working_group_weekly_meeting_(2016-12-13)'
21:01:40 <sgallagh> #chair nirik sgallagh mhayden dperpeet smooge jds2001 vvaldez adamw mjwolf
21:01:40 <zodbot> Current chairs: adamw dperpeet jds2001 mhayden mjwolf nirik sgallagh smooge vvaldez
21:01:40 <sgallagh> #topic roll call
21:01:40 <sgallagh> .hello sgallagh
21:01:41 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com>
21:02:20 * nirik is sort of here.
21:05:27 <geppetto> there can be only one?;)
21:05:33 <sgallagh> ...
21:05:46 <sgallagh> vvaldez sent regrets and dperpeet said he'd be a little late.
21:06:44 * linuxmodder super late sorry
21:07:35 <sgallagh> linuxmodder: No worries... it's looking like we may not reach quorum today.
21:07:37 <linuxmodder> I'll be in and out next 30 ish minutes fyi
21:07:46 <linuxmodder> if we do
21:09:01 <sgallagh> I'm going to wait about five more minutes
21:12:30 * mhayden is out with a sick kiddo today
21:12:43 <mhayden> trying not to get infected ;)
21:13:06 <sgallagh> OK, I think it's pretty clear we aren't going to hit quorum.
21:13:12 <smooge> is here
21:13:30 <adamw> .hello adamwill
21:13:31 <zodbot> adamw: adamwill 'Adam Williamson' <awilliam@redhat.com>
21:13:32 <smooge> sorry I thought I typed that a while ago
21:13:38 <adamw> sorry, i'm sort of here, and sort of chatting and sort of having a shower.
21:13:48 <smooge> tmi
21:13:52 <sgallagh> adamw: We appreciate that
21:14:14 <smooge> didn't need to know about chatting
21:14:58 <sgallagh> OK, that's probably enough people that we can get started. Just one moment longer (need to summon my child from outside now that it's getting dark)
21:15:54 <smooge> "get in here.. the winter wights will get you otherwise!"
21:16:07 <sgallagh> Nah, but there are actual coyotes around.
21:16:13 <sgallagh> OK, let's go
21:16:18 <sgallagh> #topic agenda
21:16:24 <sgallagh> #info Agenda Item: Check-in on the NFS Server Role
21:16:24 <sgallagh> #info Agenda Item: Status report and discussion of modularity plans for F26
21:16:24 <sgallagh> #info Agenda Item: Bikeshed on modular server name
21:16:46 <sgallagh> I'm going to start with the modularity topic, since dperpeet hasn't yet arrived.
21:16:53 <sgallagh> #topic Status report and discussion of modularity plans for F26
21:17:37 <sgallagh> We (base runtime and modularity) haven't been as transparent about the work we're doing here as we could be.
21:17:54 <sgallagh> But I think it's important to start by getting us all on the same page regarding goals and scheduling.
21:18:51 <sgallagh> The modularity and base runtime teams have been operating under the assumption that we will deliver a version of Fedora Server assembled using the new modularity build tools in time for Fedora 26 as a technical preview (not expected to be used by end-users)
21:19:24 <sgallagh> Now, what this actually *means*, is a little vague.
21:20:20 <smooge> *little*
21:20:31 <sgallagh> smooge: Yes, and the sun is a tad warm
21:20:58 <smooge> especially inside the orbit of Mercury
21:21:18 <nirik> is water wet too? sheesh
21:21:47 <sgallagh> The internal (to the modularity team) goal that we have been operating against is that we should essentially be able to produce the same DVD ISO as the traditional install, but built from the new modules in the new build tools
21:21:58 * nirik is looking forward to the modularity based thingie
21:23:24 <sgallagh> In Fedora 26's tech preview, we're expressly not focusing on having any update mechanism, so what you get after an install is fixed in place on the system.
21:23:37 <sgallagh> (Thus, we won't be putting it up on getfedora.org either)
21:24:16 <adamw> is this going to be part of what the releng, pungi-based process spits out?
21:24:21 <adamw> or is it an entirely separate, parallel process?
21:24:45 <sgallagh> adamw: This is part of the whole Factory 2.0 process
21:25:18 <sgallagh> I will admit to not having a clear picture of what the overlap and divergence is.
21:25:34 <sgallagh> I'm going to ask threebean to talk to that in a future meeting (probably after the New Year)
21:25:40 <adamw> roger.
21:26:33 <sgallagh> As of this morning, threebean and the Factory 2.0  team expect to be able to deliver this pipeline in time for Fedora 26
21:26:52 <sgallagh> (Unless this WG spontaneously asserts that we should not do this)
21:28:16 <sgallagh> That's pretty much my status report (and yes, I'm aware that it's still a little vague, but we're making some of it up as we go along)
21:28:43 <smooge> so in our current opium dream we are looking at having some sort of minimal box, and then factory units that deliver parts to be built on top?
21:28:47 <sgallagh> The modularity team has also gotten involved with the NFS role effort
21:29:17 <sgallagh> smooge: It's a little more concrete than an opium dream, but yes that's the size of it.
21:29:37 <linuxmodder> sgallagh,  not too up to speed on how would work 9the nfs + factory )
21:29:59 <linuxmodder> s/factory/modularity
21:30:38 <sgallagh> linuxmodder: You should be, practically all of the interaction thus far was you, me and Langdon at LISA :-/
21:30:51 <geppetto> Well we plan to help create the NFS role
21:31:05 <linuxmodder> ah, brain dead today okay that is coming back now
21:31:07 <sgallagh> Maybe that's a good segue into the next topic
21:31:44 <linuxmodder> been in 1000s of directions today sorry
21:31:45 <sgallagh> I guess dperpeet and jds2001 aren't going to make it, though
21:31:45 <smooge> sgallagh, bikeshed names?
21:31:57 <sgallagh> #topic Check-in on the NFS Server Role
21:32:34 <sgallagh> I had a fairly involved discussion about this with andreasn today in #cockpit.
21:33:08 <sgallagh> I wanted to bring it to the broader group today, but in short it boils back down to what limitations we are willing to accept for setting up the server.
21:33:50 <sgallagh> dperpeet last week expressed that he wanted to push for having something that could work with an entirely green-field environment. (Meaning no domain or otherwise centrally-managed users)
21:35:02 <sgallagh> After having the conversation with Andreas today, I"m fairly convinced that it would be bordering on impossible to create a decent user experience for that case.
21:36:36 <sgallagh> So I think we should probably start from the top and work our way down: what exactly do we want to see from this role?
21:36:48 <dperpeet> hi, I'm here now
21:36:54 <sgallagh> What are our requirements? What trade-offs are we willing to make?
21:37:40 <sgallagh> dperpeet: https://paste.fedoraproject.org/505946/14816650/
21:37:59 <sgallagh> dperpeet: Also, there's a ton of scrollback in #cockpit that would be worth your time to read.
21:38:18 <dperpeet> sgallagh, thanks, and I'm partly through that
21:38:29 <nirik> at least for a first cut I don't think we need to do everything... but it should be useful and cover cases people want.
21:39:10 <dperpeet> I would like to have workflows for all the relevant cases, but triage early on what will be part of a first design
21:39:33 <sgallagh> nirik: Part of the problem we have to deal with is the inherent limitations of the NFS protocol.
21:39:51 <sgallagh> Without kerberos in the mix, we're effectively tied to NFSv3-level functionality.
21:40:22 <sgallagh> Which means:
21:40:22 <sgallagh> 1) User and group IDs must be kept in sync (somehow) between all machines that need to interact over NFS
21:40:37 <sgallagh> 2) There is no encryption of data passing over the wire at all
21:40:51 <sgallagh> 3) A malicious client can pretend to be any UID it wants.
21:42:20 <sgallagh> nirik, smooge: Would you call that an accurate assessment?
21:42:24 <dperpeet> we could also have workflows that we explicitly scope out of a first implementation or out of all implementation
21:42:55 <smooge> sgallagh, that pretty much sums up NFS in most environments
21:43:27 <sgallagh> dperpeet: Well, the first part of that problem is one that must be solved to use NFS, period.
21:43:36 <sgallagh> And it's a case that I think Cockpit is ill-placed to solve.
21:43:36 <smooge> even with kerberos some of that is still possible though harder .. but it is with all shared network protocols
21:45:09 <sgallagh> dperpeet: Well, the problem is that I can't think of any workflow that wouldn't require us to solve at least the ID-sync problem
21:45:23 <sgallagh> That's very much a pre-requisite.
21:45:44 <geppetto> Can't we just leave it to the host?
21:45:55 <geppetto> So passwd/group gets bind mounted in?
21:46:17 <sgallagh> geppetto: Congratulations, you just reinvented NIS :(
21:46:40 <geppetto> haha … Well, yes, the other stuff so ldap/etc. nsswitches work too
21:47:02 <sgallagh> geppetto: In our previous conversations on this topic, we expressed that we didn't think it was a good user experience to have users required to do things in different places in the UI before they can get started with sharing.
21:47:17 <dperpeet> we can limit our first iteration by saying freeipa is present
21:48:08 <sgallagh> dperpeet: See, the funny part here is that the FreeIPA case is simultaneously the most feature-complete approach we can take while potentially being the *easiest* too.
21:48:46 <linuxmodder> freeipa ftw
21:48:48 <sgallagh> Because FreeIPA presents us with APIs to deal with setting up groups (that could be used for sharing) as well as a searchable and filterable set of users and groups.
21:49:20 <dperpeet> true, but we could also make setting up a freeipa container part of that role
21:49:21 <adamw> yeah, i'm really having a hard time seeing how we shouldn't just say this is a freeipa-ified nfs server role.
21:49:25 <sgallagh> In addition to handling both UID mapping or providing Kerberos support for NFSv4
21:49:45 <smooge> well time for NIS++++
21:50:14 <sgallagh> adamw: Well, version 2 could support AD as well, since it has many of the same features, just different interfaces to them.
21:50:27 <adamw> fwiw, a freeipa-enabled nfs server role is a thing i could absolutely use. one which ignored freeipa and tried to reinvent it badly is one i couldn't use at all. (i've been thinking of switching my NAS to run Fedora and doing freeipa-integrated NFS mounts on it.)
21:50:29 <sgallagh> dperpeet: Well, that's scope-creeping as well
21:51:09 <sgallagh> dperpeet: In the first pass, I'd be perfectly happy just polling realmd to see if you're in a FreeIPA domain and if not, asking you to join one first.
21:51:19 <dperpeet> sgallagh, that would work also
21:51:32 <dperpeet> as a scope for the first iteration
21:51:39 <dperpeet> but the role workflow would include setting one up
21:51:41 <dperpeet> easily
21:52:00 <sgallagh> Yes, I think that would be a good medium-to-long-term approach as well.
21:52:01 <dperpeet> you are joined, you can join or you can set one up and join
21:52:11 <linuxmodder> dperpeet,  think atm we are still thinking iteration 0 tho
21:52:23 <dperpeet> right, but for the workflows we want to have a bit larger picture
21:52:33 <linuxmodder> true true
21:52:38 <sgallagh> linuxmodder: Well, it makes sense to keep the long-term goals in mind so we don't accidentally block ourselves out
21:53:07 <dperpeet> but scoping the freeipa setup out of a first iteration is pretty crucial, and I agree on the scope-creep there
21:53:21 <dperpeet> the reason I think it's good to include it is that it makes the role more realistic
21:53:23 <dperpeet> and well rounded
21:53:26 <dperpeet> since it's cross-tool
21:53:37 <dperpeet> exactly what we want to make sure we can make work
21:53:57 <dperpeet> in my opinion that's the benefit right there
21:53:57 <adamw> what we have here, folks, is a role dependency
21:54:00 <sgallagh> dperpeet: FWIW, "setting up a FreeIPA domain" is something I think needs to be in the first two or three workflows we build.
21:54:03 <adamw> our nfs server role depends on our freeipa server role
21:54:04 <adamw> ;)
21:54:07 <linuxmodder> dperpeet,  sgallagh  never meant to imply  we would not stay  lookign out to future
21:54:10 <sgallagh> Because it will enable so many other things
21:54:17 <adamw> dnf-roll install nfs-server
21:54:24 * adamw goes and cries
21:54:28 <sgallagh> /me wants sushi now
21:54:56 * nirik agrees that a freeipa/kerberozied/nfsv4 would be useful.
21:55:25 <dperpeet> the user benefit is exactly at getting different tools setup in a way that they work well together
21:56:02 <sgallagh> dperpeet: I think the FreeIPA setup is going to require a lot of careful planning though, because there are a number of situations that are hard to do today that I think are going to be very important.
21:56:09 <dperpeet> it's a bit more complex, but at the same time you can ignore a bunch of things because we only need a subset of the stuff each can provide individually
21:56:16 <sgallagh> (Like helping people set up a FreeIPA domain that is subordinate to an existing AD domain)
21:56:29 <dperpeet> right, we don't have to make it freeipa
21:56:44 <dperpeet> we can also be a bit more vague and consider that some stuff is solved
21:56:55 <dperpeet> like users across networks
21:57:13 <sgallagh> dperpeet: No, I think we *do*, but I also think we can for the immediate time just say: "Prerequisite: you have a FreeIPA domain set up manually somewhere"
21:57:38 <dperpeet> ok, that would work
21:58:21 <sgallagh> (I mean, in a pinch, the rolekit installation of a FreeIPA domain still works and is easy for setting up a green-field deployment)
21:59:01 <sgallagh> It's just exactly the wrong tool for trying to set up some of the more interesting deployments (like replicas and AD trusts)
21:59:55 <sgallagh> Proposal: The NFS Server Role, version 1 will be built around the expectation that a FreeIPA server exists in the environment and that the NFS server host must be enrolled in it.
22:01:07 <sgallagh> Anyone opposed?
22:01:18 <sgallagh> /me is trying to tie this up without going too far over time
22:01:26 <dperpeet> I think it's good
22:02:17 <nirik> +1
22:04:21 <sgallagh> smooge, adamw?
22:04:39 <smooge> I think that is as good as it gets
22:04:49 <sgallagh> thanks
22:04:58 <sgallagh> #agreed The NFS Server Role, version 1 will be built around the expectation that a FreeIPA server exists in the environment and that the NFS server host must be enrolled in it.
22:04:58 <smooge> I am thinking that it looks like we are aiming on the wrong one first but can understand it
22:05:25 <sgallagh> smooge: Yeah, I think we need to fully digest this one before we bite off FreeIPA
22:06:31 <sgallagh> (Also, there's nothing saying we can't work on what we need to do both in parallel; I plan to talk to the FreeIPA guys about figuring out how we can simplify a lot of this stuff)
22:06:42 <sgallagh> That way when we get to where we start building the role, it's ready for us.
22:06:48 <dperpeet> yeah, the scoping is just to make sure the work is unblocked
22:07:37 <sgallagh> #topic Open Floor
22:07:45 <sgallagh> Any last-minute topics before I close out the meeting?
22:08:24 <nirik> I still owe an email about the media stuff I agreed to wrangle... will try and do that...
22:08:47 <smooge> sgallagh, bikeshed?
22:08:57 <smooge> sgallagh, mine is "Opium Dreams"
22:09:06 <adamw> i was +1, btw
22:09:09 <sgallagh> smooge: Let's take it to the list. It's very late in the day for some folks here.
22:09:19 <adamw> sorry, i just got sandbagged by some outrageous wheeze the developer of my new apartment building is trying to run on us
22:09:19 <smooge> okie dokie
22:09:52 <sgallagh> adamw: No worries. Server SIG has a "lazy consensus" policy, so as long as you didn't come back and disagree, all is well :)
22:10:01 <sgallagh> Thanks for coming, everyone.
22:10:20 <sgallagh> Oh, one quick thing
22:10:58 <sgallagh> Welcome to Martin Pitt (formerly of Canonical) to the Cockpit Project! :)
22:11:15 <smooge> hello
22:11:18 <smooge> welcome
22:11:20 <smooge> good luck
22:11:25 <sgallagh> Well, he's not actually in the channel
22:11:42 <smooge> .undo
22:11:44 <smooge> .undo
22:11:44 <zodbot> smooge: (undo <nick>) -- Removes the latest note you sent to <nick>.
22:11:45 <sgallagh> But I hope very much that he'll be joining us in these meetings come the new year :)
22:11:57 <smooge> ok
22:12:12 <sgallagh> Alright, that's all I've got.
22:12:21 <sgallagh> Thanks for coming
22:12:23 <sgallagh> #endmeeting