16:30:58 <dustymabe> #startmeeting fedora_coreos_meeting
16:30:58 <zodbot> Meeting started Wed Aug 22 16:30:58 2018 UTC.
16:30:58 <zodbot> This meeting is logged and archived in a public location.
16:30:58 <zodbot> The chair is dustymabe. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:30:58 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:30:58 <zodbot> The meeting name has been set to 'fedora_coreos_meeting'
16:31:01 <dustymabe> #topic roll call
16:31:05 <slowrie> .hello2
16:31:06 <zodbot> slowrie: slowrie 'Stephen Lowrie' <slowrie@redhat.com>
16:31:09 <dustymabe> .hello2
16:31:10 <zodbot> dustymabe: dustymabe 'Dusty Mabe' <dusty@dustymabe.com>
16:31:13 <bhavin192> .hello2
16:31:14 <zodbot> bhavin192: bhavin192 'Bhavin Gandhi' <bhavin7392@gmail.com>
16:31:19 <ajeddeloh> ,hello2
16:31:30 <ashcrow> .hello smilner
16:31:31 <zodbot> ashcrow: smilner 'None' <smilner@redhat.com>
16:31:32 <ksinny> .hello sinnykumari
16:31:33 <mskarbek> .helo2
16:31:37 <zodbot> ksinny: sinnykumari 'Sinny Kumari' <ksinny@gmail.com>
16:31:39 <ajeddeloh> .hello2
16:31:40 <zodbot> ajeddeloh: ajeddeloh 'Andrew Jeddeloh' <andrew.jeddeloh@redhat.com>
16:31:50 <mskarbek> .hello2
16:31:51 <zodbot> mskarbek: mskarbek 'None' <redhat@skarbek.name>
16:32:06 <bgilbert__> .hello2
16:32:07 <zodbot> bgilbert__: Sorry, but you don't exist
16:32:12 <bgilbert> .hello2
16:32:13 <zodbot> bgilbert: bgilbert 'Benjamin Gilbert' <bgilbert@backtick.net>
16:32:14 <rubao> .hello2
16:32:16 <zodbot> rubao: rubao 'rubao' <rubao.net@hotmail.com>
16:33:09 <akshayg96> .hello akshay196
16:33:10 <zodbot> akshayg96: akshay196 'Akshay Gaikwad' <akgaikwad001@gmail.com>
16:33:21 <rfairley|afk> .hello rfairleyredhat
16:33:22 <zodbot> rfairley|afk: rfairleyredhat 'Robert Fairley' <rfairley@redhat.com>
16:33:37 <rfairley> .hello rfairleyredhat
16:33:38 <zodbot> rfairley: rfairleyredhat 'Robert Fairley' <rfairley@redhat.com>
16:33:39 <kaeso> .hello lucab
16:33:40 <zodbot> kaeso: lucab 'Luca Bruno' <lucab@redhat.com>
16:33:44 <dustymabe> #chair slowrie bhavin192 ajeddeloh ashcrow ksinny mskarbek bgilbert rubao akshayg96 rfairley kaeso
16:33:44 <zodbot> Current chairs: ajeddeloh akshayg96 ashcrow bgilbert bhavin192 dustymabe kaeso ksinny mskarbek rfairley rubao slowrie
16:33:58 <dustymabe> whoa.. nice turnout today :)
16:34:01 <dustymabe> welcome all!
16:34:06 <jlebon> .hello2
16:34:07 <zodbot> jlebon: jlebon 'None' <jonathan@jlebon.com>
16:34:08 <dustymabe> #chair jlebon
16:34:08 <zodbot> Current chairs: ajeddeloh akshayg96 ashcrow bgilbert bhavin192 dustymabe jlebon kaeso ksinny mskarbek rfairley rubao slowrie
16:34:24 <kaeso> ("None" seems to be a very common name)
16:34:37 <lorbus> .hello2
16:34:38 <zodbot> lorbus: lorbus 'Christian Glombek' <c@petersen-glombek.de>
16:35:03 <dustymabe> #chair lorbus
16:35:03 <zodbot> Current chairs: ajeddeloh akshayg96 ashcrow bgilbert bhavin192 dustymabe jlebon kaeso ksinny lorbus mskarbek rfairley rubao slowrie
16:35:18 <dustymabe> ok i'll go over news real quick
16:35:26 <dustymabe> #topic news
16:35:52 <dustymabe> We had a few members talk at flock and devconf.us and devconf.in even over the last few weeks
16:36:03 <dustymabe> the talks for flock aren't public yet, but I think the ones for devconf are
16:36:27 <dustymabe> will try to post a link to videos when we have those all public
16:36:46 <dustymabe> also ksinny hosted the first APAC fedora coreos meeting
16:37:00 <dustymabe> we had a nice turnout, 10+ people. thanks ksinny!
16:37:08 <lorbus> ksinny++
16:37:23 <rfairley> ksinny++
16:37:26 <dustymabe> anyone with any other news they'd like to share ?
16:37:30 <ajeddeloh> ksinny++
16:37:30 <zodbot> ajeddeloh: Karma for sinnykumari changed to 19 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any
16:37:31 <mskarbek> for devconf.us are public, i didn't see any recordings from devconf.in
16:37:48 <dustymabe> ksinny: do you know if devconf.in talks were recorded ?
16:37:52 <ksinny> It was nice to have good turnout in first APAC meeting :)
16:38:04 <rubao> ksinny++
16:38:04 <zodbot> rubao: Karma for sinnykumari changed to 20 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any
16:38:06 <ksinny> dustymabe: I think it was recorded
16:38:21 <ksinny> I will share the link when I have them
16:38:29 <dustymabe> +1 - will try to share them all with links
16:38:46 <dustymabe> ok moving on to previous meeting action items
16:38:53 <dustymabe> #topic previous meeting action items
16:39:02 <dustymabe> * ajeddeloh to PR rolling design doc for comment
16:39:04 <dustymabe> * sanja to create docs repo this week
16:39:06 <dustymabe> * strigazi to file ticket for system containers discussion
16:39:08 <dustymabe> * ajeddeloh to file ticket regarding ignition and spec versions
16:40:15 <dustymabe> #info sanja created docs stencil repo this week.. more info coming on that soon
16:40:27 * ajeddeloh forgot about the spec versions one. Looks like I never added it to my todo, doing that now
16:40:42 <dustymabe> do we have strigazi around ? want to update us on your AI ?
16:40:50 <dustymabe> ajeddeloh: ok.. re-actioning
16:40:56 <dustymabe> #action ajeddeloh to file ticket regarding ignition and spec versions
16:41:42 <dustymabe> i'll re-action the item from strigazi.. i don't see a ticket he made for that
16:41:50 <dustymabe> #action strigazi to file ticket for system containers discussion
16:42:30 <dustymabe> ajeddeloh: want to update us on that 1st action item you had?
16:42:40 <dustymabe> hint https://github.com/coreos/fedora-coreos-tracker/pull/27 :)
16:43:01 <ajeddeloh> There's a PR up
16:43:26 <dustymabe> #info ajeddeloh opened PR for rolling design doc https://github.com/coreos/fedora-coreos-tracker/pull/27
16:43:31 <ajeddeloh> I accidentally deleted the first one fat-fingering `git push -f` as `git push -d`
16:43:47 <dustymabe> boo :(
16:44:07 <dustymabe> ok moving on to meeting tickets
16:44:21 <dustymabe> #topic Firewall Management
16:44:24 <ajeddeloh> But yeah, if anyone has comments, wants to LGTM, etc, that'd be useful
16:44:27 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/26
16:45:08 <kaeso> mskarbek: I think you started that ^
16:46:10 * dustymabe assumes he is typing :)
16:46:20 <mskarbek> yes, but I don't have any particular opinion for now. I was just asking what is considered as a solution for FCOS
16:46:39 <dustymabe> +1
16:46:42 <kaeso> ack
16:46:44 <dustymabe> so discussion ensues
16:46:54 <kaeso> I think we very briefly touched on that
16:47:04 <kaeso> regarding firewalld and python
16:47:32 <dustymabe> yep.. anyone want to do a recap?
16:47:33 <kaeso> and as there won't be python, then firewalld is difficult
16:47:58 <dustymabe> indeed. do we have any thoughts on the "switch to nftables" ?
16:48:05 <kaeso> and we were looking into kubernetes/openshift and we didn't see any hard-req on firewalld
16:48:20 <kaeso> that's for the firewalld side
16:48:27 <kaeso> for the iptables/nftables side
16:48:46 <kaeso> I know that iptables (userland) has a nftables backend
16:48:54 * ajeddeloh isn't too knowledgeable about these things, but nftables succeeds iptables, yes?
16:49:07 <dustymabe> ajeddeloh: yeah, i think. that's about as much as I know about it though
16:49:27 <kaeso> so if iptables-save/restore doesn't break on that, we can keep using those
16:49:30 <ajeddeloh> should probably support nftables then, probably iptables since so many people use it
16:50:09 <kaeso> dustymabe, ajeddeloh: yes, but there are both userspace and kernelspace things to consider
16:50:17 <dustymabe> so what kaeso is saying is that the iptables userland supports nftables backend so we might be able to just continue using iptables
16:50:42 <jlebon> but can one use iptables with nftables + direct nftables configuration?
16:51:00 * misc test
16:51:06 <dustymabe> i personally like firewalld, though it can be overcomplicated (with zones and such)
16:51:12 <jlebon> basically, do we have to choose between the two, or can we support both?
16:51:40 <kaeso> jlebon: on the kernel side or on the userspace?
16:51:49 <jlebon> userspace
16:51:50 <misc> so, iptables-save on a nftables firewall return nothing
16:51:50 <ajeddeloh> both I guess
16:52:06 <dustymabe> another crazy idea.. if the firewalld team were itching for a rewrite in a compiled language, would we prefer that as a solution ?
16:52:36 <ajeddeloh> that's a big if
16:52:50 <kaeso> dustymabe: some kind of containerized/portable/system service would also be ok, I think
16:52:53 <dustymabe> of course, but it's good to explore
16:53:11 <ajeddeloh> does firewalld sit on top of ip/nftables
16:53:21 <kaeso> *system-container
16:53:25 <ajeddeloh> kaeso: seems heavyweight
16:53:27 <misc> firewalld sit on top of netfilter
16:53:52 <ajeddeloh> I do think we should support ip/nftables regardless of firewalld
16:54:06 <dustymabe> mskarbek: in short.. thank you for bringing this up. this is obviously a topic that needs discussion :)
16:54:38 <mskarbek> nftables provides xtables - iptables compatibility, based on presentation from the last netdevconf they are working on missing docs in that area
16:54:48 <misc> ajeddeloh: as much as I like nftables, I suspect people might not be familiar enough with it. I do have nftables in prod and I still wonder how to dump the rules :)
16:55:21 <ajeddeloh> nf/iptables basically just expose the kernel interface, yes?
16:55:28 <ajeddeloh> (could be very wrong about that
16:55:28 <dustymabe> i think firewalld essentially is an abstraction layer on top so you probably don't care what the underlying tech is
16:55:29 <misc> and firewalld provides a API, which is likely much easier and stable for developers
16:55:49 <misc> ajeddeloh: not really
16:56:00 * ajeddeloh is very wrong about it
16:56:12 <dustymabe> ajeddeloh: don't worry.. /me learning too
16:56:47 <misc> I think the question is more "who will change the firewall"
16:56:52 <dustymabe> so I think a summary is that this clearly needs investigation
16:57:01 <mskarbek> ajeddeloh: https://upload.wikimedia.org/wikipedia/commons/d/dd/Netfilter-components.svg
16:57:23 <dustymabe> misc: ideally you configure the firewall on system first boot and don't touch it after that
16:57:24 <ajeddeloh> as a general guiding rule though I like shipping the "simplest" (read: from an implementation standpoint, not user) tools (again independent of if we _also_ ship firewalld in some form)
16:57:25 <misc> like, end users, integrators, and if so, how, through kubernetes/docker ?
16:57:47 <misc> dustymabe: yeah, but docker do firewall magic, and so does kubernetes (or did)
16:57:52 <kaeso> dustymabe: I think we can keep adding datapoints to that ticket and revisit in some time
16:57:59 <mskarbek> nftables is combining and replacing iptables, ip6tables, ebtables and arptables
16:58:12 <dustymabe> long live nftables
16:58:16 <dustymabe> haha
16:58:25 <kaeso> misc: I personally like to keep us in the scope of first-boot/immutable rules setup
16:58:50 <dustymabe> ok summary we definitely need to investigate this more and come up with a recommendation for the group
16:58:54 <kaeso> misc: and leave runtime changes to higher levels, as per users choices
16:58:55 <dustymabe> anybody opposed to that ^^
16:58:56 <ajeddeloh> kaeso++
16:58:57 <zodbot> ajeddeloh: Karma for lucab changed to 5 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any
16:58:57 <mskarbek> dustymabe: not necessarily, ebpf is already waiting to replace iptables and nftables :D
16:59:11 <dustymabe> mskarbek: :)
16:59:25 <misc> kaeso: well, sure, but if runtime change requires iptables, we will not do boot time on nftables :/
17:00:06 <kaeso> misc: yes, that requires investigation at the compat/interop layer
17:00:46 <dustymabe> +1 ok I'll try to summarize and add info to the ticket
17:00:49 <dustymabe> thanks mskarbek
17:01:28 <dustymabe> anybody opposed to moving on to the next ticket?
17:02:07 <dustymabe> #topic arm64 / aarch64 support for Fedora CoreOS
17:02:11 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/13
17:02:39 <dustymabe> do we have geoff or ed-packet ?
17:02:50 <dustymabe> i keep wondering if this card needs to be brought up every meeting or not ?
17:03:04 <dustymabe> i feel like we've mostly quelled concerns, but could be wrong
17:04:23 * dustymabe thinks we can move on
17:04:25 <kaeso> dustymabe: I think so, just let's keep the ticket one so we remember the infra offer when we start setting up the pipeline
17:04:33 <kaeso> s/one/open/
17:04:38 <dustymabe> kaeso: yeah. so remove meeting tag?
17:04:48 <kaeso> yup
17:05:01 <dustymabe> +1 will do
17:05:23 <ksinny> dustymabe: Just saw comment in ticket https://github.com/coreos/fedora-coreos-tracker/issues/13#issuecomment-411151165 . Should we request the hardware?
17:05:23 <dustymabe> #topic open floor
17:05:34 <dustymabe> ksinny: which comment?
17:06:06 <dustymabe> ahh the comment about requesting hardware ?
17:06:09 <ksinny> dustymabe: comment from vielmetti
17:06:11 <ksinny> yeah
17:06:19 <dustymabe> got ya.. cool want to follow up on that?
17:06:45 <ksinny> yeah, I can
17:06:55 <dustymabe> ok now that we are in open floor
17:07:05 <dustymabe> i know we had quite a discussion in our network design ticket
17:07:24 <dustymabe> ajeddeloh: could we get a TL;DR from that ticket ?
17:07:42 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/24
17:08:10 <ajeddeloh> Uh, can I say "no"
17:08:18 <dustymabe> haha sure
17:08:23 <ajeddeloh> Like, there's a lot there
17:08:31 <ajeddeloh> and we haven't reached a conclusion
17:08:32 <dustymabe> I can try
17:08:41 <ajeddeloh> go for it
17:09:21 <dustymabe> basically "we've got a lot of comments from network manager team and we're trying to work with them to see if NM+nmstate can fit the needs of FCOS, in the same networkd fit the needs for CL"
17:09:40 <dustymabe> does that seem reasonable?
17:09:42 <ajeddeloh> yeah
17:09:55 <ksinny> short and sweet :)
17:10:15 <ajeddeloh> couple things to add (high level)
17:10:17 <dustymabe> cool, as you said there's a lot there and if everyone wasn't reading everything they might be interested but without dropping 30 minutes of reading time :)
17:10:35 <lorbus> The first Container SIG IRC meeting is happening tomorrow at 15:00 UTC in #fedora-containers
17:10:51 <dustymabe> lorbus: ++
17:11:00 <dustymabe> #info The first Container SIG IRC meeting is happening tomorrow at 15:00 UTC in #fedora-containers
17:11:27 <dustymabe> brb.. jlebon can you take over
17:11:47 <jlebon> dustymabe: sure
17:11:48 <ajeddeloh> we like networkd's config format a lot; it's flexible and clean. NM wants to improve in that area as well, become more networkd-like. nmstate does a great job of syncing state between the config and the actual device state.
17:12:13 <ajeddeloh> networkd isn't as well maintained as either and nmstate would need to be rewritten in not-python
17:13:15 <jlebon> also: NM is currently the default in both Fedora and RHEL
17:14:14 <jlebon> man, that thread is massive now
17:14:58 <jlebon> anyone has any clarification questions about the NM vs networkd discussions?
17:15:38 <jlebon> alrighty, anything else anyone wants to bring up for open floor?
17:16:31 <ajeddeloh> Thoughts on creating "experiment" issues. Like a todo of investigation
17:16:54 <jlebon> hmm, can you expand on that?
17:16:58 <jlebon> like a spike?
17:17:01 <kaeso> ajeddeloh: context (or your immediate usecase)?
17:17:05 <ajeddeloh> an example would be "see if we can setup ostree between the Ignition disks and files stage"
17:17:50 <ajeddeloh> jlebon: yeah, but let's not let the scrumminess get exposed externally :P
17:18:04 <jlebon> heh gotcha
17:18:23 <jlebon> experimental issues sound cool to me
17:18:52 <jlebon> I'd say go ahead and open one up and we can see how it goes
17:18:59 <ajeddeloh> sgtm
17:19:03 <kaeso> ajeddeloh: only if we agree to have a failed/succeeded doc-summary at the end
17:19:23 <ajeddeloh> kaeso: great idea
17:19:39 <lorbus> kaseo++
17:19:49 <lorbus> kaeso++
17:19:49 <zodbot> lorbus: Karma for lucab changed to 6 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any
17:20:04 <jlebon> (and making sure to not conflate results with "we're definitely doing this")
17:20:34 <dustymabe> sorry I had to run
17:20:40 <kaeso> indeed, it's more of a "lessons learned"
17:20:41 <dustymabe> someone was knocking at the door
17:21:25 <jlebon> anything else?
17:21:31 <dustymabe> jlebon: only one other thing
17:21:56 <jlebon> shoot
17:22:20 <dustymabe> #info dustymabe posted a draft PRD to the mailing list: https://lists.fedoraproject.org/archives/list/coreos@lists.fedoraproject.org/thread/3O3ZLEU733VEHBXTMIVXSA6RUNIVEUZ3/
17:22:27 <dustymabe> we've already got some feedback
17:22:37 <dustymabe> please check it out and see if you have anything to add!!
17:22:45 <dustymabe> that's it from me
17:23:11 <jlebon> dustymabe: where's the feedback?
17:23:18 <jlebon> doesn't seem like there were any replies
17:23:29 <dustymabe> jlebon: https://github.com/coreos/fedora-coreos-tracker/pull/28
17:23:40 <jlebon> gotcha
17:23:51 <jlebon> alrighty, closing this out in 3...
17:24:02 <jlebon> 2...
17:24:07 <jlebon> 1...
17:24:14 <jlebon> #endmeeting