#fedora-meeting-1 log

16:30:09 <lorbus[m]> #startmeeting fedora_coreos_meeting
16:30:09 <zodbot> Meeting started Wed Feb  6 16:30:09 2019 UTC.
16:30:09 <zodbot> This meeting is logged and archived in a public location.
16:30:09 <zodbot> The chair is lorbus[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:30:09 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:30:09 <zodbot> The meeting name has been set to 'fedora_coreos_meeting'
16:30:30 <lorbus[m]> #topic roll call
16:30:33 <ajeddeloh> .hello2
16:30:34 <zodbot> ajeddeloh: ajeddeloh 'Andrew Jeddeloh' <andrew.jeddeloh@redhat.com>
16:30:38 <mnguyen_> .hello mnguyen
16:30:40 <zodbot> mnguyen_: mnguyen 'Michael Nguyen' <mnguyen@redhat.com>
16:30:41 <ksinny> .hello sinnykumari
16:30:43 <zodbot> ksinny: sinnykumari 'Sinny Kumari' <ksinny@gmail.com>
16:30:46 <rfairley> .hello2
16:30:47 <zodbot> rfairley: rfairley 'None' <rfairley@redhat.com>
16:30:51 <dustymabe> .hello2
16:30:53 <zodbot> dustymabe: dustymabe 'Dusty Mabe' <dusty@dustymabe.com>
16:31:10 <slowrie> .hello2
16:31:11 <zodbot> slowrie: slowrie 'Stephen Lowrie' <slowrie@redhat.com>
16:31:31 <kaeso> .hello lucab
16:31:32 <zodbot> kaeso: lucab 'Luca Bruno' <lucab@redhat.com>
16:31:37 <jeyoung> .hello jeyoung
16:31:38 <zodbot> jeyoung: Sorry, but you don't exist
16:31:41 <jeyoung> :(
16:31:59 <walters> .hello2
16:32:00 <zodbot> walters: walters 'Colin Walters' <walters@redhat.com>
16:32:06 * jcajka is lurking
16:32:06 <lorbus[m]> #chair ajeddeloh mnguyen_ ksinny rfairley dustymabe slowrie kaeso
16:32:06 <zodbot> Current chairs: ajeddeloh dustymabe kaeso ksinny lorbus[m] mnguyen_ rfairley slowrie
16:32:16 <miabbott> .hello miabbott
16:32:17 <zodbot> miabbott: miabbott 'Micah Abbott' <miabbott@redhat.com>
16:32:20 <ksinny> jeyoung:Hey! try with your fas id
16:32:30 <lorbus[m]> #chair walters miabbott
16:32:30 <zodbot> Current chairs: ajeddeloh dustymabe kaeso ksinny lorbus[m] miabbott mnguyen_ rfairley slowrie walters
16:32:50 <lorbus[m]> o/ hi jeyoung!
16:33:50 <yzhang> .hello2
16:33:53 <zodbot> yzhang: yzhang 'Yu Qi Zhang' <jzehrarnyg@gmail.com>
16:33:55 <jlebon> .hello2
16:33:56 <zodbot> jlebon: jlebon 'None' <jonathan@jlebon.com>
16:33:59 <lorbus[m]> ok let's move on to the agenda!
16:34:05 <lorbus[m]> #topic Action items from last meeting
16:34:06 <emv> .hello2
16:34:07 <zodbot> emv: Sorry, but you don't exist
16:34:19 <lorbus[m]> #chair jlebon
16:34:19 <zodbot> Current chairs: ajeddeloh dustymabe jlebon kaeso ksinny lorbus[m] miabbott mnguyen_ rfairley slowrie walters
16:34:39 * lorbus[m] sent a long message:  < https://matrix.org/_matrix/media/v1/download/matrix.org/kVzAYiNfLiwuOwAHXXVgDqEk >
16:35:17 <lorbus[m]> #topic bgilbert to update the ticket with discussion summary, PR the design doc, and file tickets for needed work
16:35:24 <dustymabe> * bgilbert
16:35:26 <dustymabe> * bgilbert to update the ticket with discussion summary, PR the design
16:35:28 <dustymabe> doc, and file tickets for needed work
16:35:30 <dustymabe> * kaeso
16:35:32 <dustymabe> * kaeso to open a FCOS tracker issue to discuss if we should have an
16:35:34 <dustymabe> oem-id for bare metal
16:35:36 <dustymabe> * **UNASSIGNED**
16:35:38 <dustymabe> * sinny to open a ticket where we discuss adding ostree configs to an
16:35:40 <dustymabe> rpm rather than having them be an unmanaged file on the system
16:35:42 <dustymabe> lorbus[m]: matrix replaced your message with a link
16:35:44 <dustymabe> :)
16:36:04 <ksinny> #info opened ticket https://github.com/coreos/fedora-coreos-tracker/issues/143
16:36:18 <lorbus[m]> dustymabe: oh, I see
16:36:31 <sayan> .hello sayanchowdhury
16:36:34 <zodbot> sayan: sayanchowdhury 'Sayan Chowdhury' <sayan.chowdhury2012@gmail.com>
16:36:35 <lorbus[m]> was wondering why it looked so nice on my client :P
16:36:43 <emv> .hello vielmetti
16:36:43 <zodbot> emv: Sorry, but you don't exist
16:36:44 <ksinny> lol
16:36:46 <emv> lol
16:36:53 <sayan> rofl
16:37:00 <lorbus[m]> #chair sayan
16:37:00 <zodbot> Current chairs: ajeddeloh dustymabe jlebon kaeso ksinny lorbus[m] miabbott mnguyen_ rfairley sayan slowrie walters
16:37:11 <dustymabe> #info kaeso opened #142 for oem-id for bare metal
16:37:15 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/142
16:37:48 <dustymabe> I think bgilbert did what he said he was going to do - I forget which ticket that action item was for
16:37:54 <dustymabe> bgilbert is AFK this week
16:38:09 <lorbus[m]> so re-action?
16:38:16 <dustymabe> one sec
16:38:24 <dustymabe> i'll see if I can figure it tout
16:39:29 <kaeso> dustymabe: did we forgot to note in the action item what was the discussion about? :)
16:39:36 <kaeso> *forget
16:39:39 <dustymabe> #info bgilbert updated #138 with discussion from last weeks meeting about ssh password login by default
16:39:53 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/138#issuecomment-459219374
16:41:12 <walters> re metal I just updated https://github.com/coreos/coreos-assembler/pull/305
16:42:18 <lorbus[m]> I think that covers all of last weeks action items! (unfortunately the set topic isnt correct, but anyway. move on?
16:42:47 <dustymabe> +1
16:43:03 <lorbus[m]> #topic Decide how to handle user SSH keys
16:43:11 <lorbus[m]> #link https://github.com/coreos/fedora-coreos-tracker/issues/139
16:43:53 <dustymabe> ok I added the meeting label to this
16:44:09 <dustymabe> there was a lot of discussion in the ticket and bgilbert laid out our options very nicely
16:44:11 <lorbus[m]> walters: is this related to one of last weeks topics? or should I add a topic for it after these?
16:44:24 <walters> re oemid on bare metal
16:44:28 <walters> and also for general interest
16:44:33 <lorbus[m]> walters: nvmd
16:44:47 <lorbus[m]> #undo
16:44:47 <zodbot> Removing item from minutes: <MeetBot.items.Link object at 0x7fe4fe5320d0>
16:44:48 <lorbus[m]> #undo
16:44:48 <zodbot> Removing item from minutes: <MeetBot.items.Topic object at 0x7fe4fe5321d0>
16:45:02 <lorbus[m]> #link https://github.com/coreos/coreos-assembler/pull/305
16:45:10 <lorbus[m]> #topic Decide how to handle user SSH keys
16:45:22 <lorbus[m]> #link https://github.com/coreos/fedora-coreos-tracker/issues/139
16:45:25 * dustymabe rewind
16:45:33 <dustymabe> there was a lot of discussion in the ticket and bgilbert laid out our options very nicely
16:46:09 <dustymabe> it looks like we are currently thinking that we will implement an authorized_keys.d/ approach using a `AuthorizedKeysCommand`
16:46:13 <ajeddeloh> Can you have multiple AuthorizedKeysCommand's?
16:46:28 <ajeddeloh> because GCE wants to hijack that for oslogin
16:46:46 <dustymabe> ajeddeloh: probably not
16:47:11 <kaeso> ajeddeloh: my read of the manpage is a "no"
16:47:57 <dustymabe> regardless of whether we use authorizedkeyscommand or hack up authorizedkeysfile we believe our path forward does not include update_ssh_keys code
16:48:08 <dustymabe> does anyone object to that direction/strategy?
16:49:11 <lorbus[m]> how long do we wait for an upstream reaction before going to option 4?
16:49:44 <ajeddeloh> For #6 there are CL implications
16:49:44 <dustymabe> lorbus[m]: i don't think we should 'wait' on upstream at this point
16:50:05 <ajeddeloh> since we currently use that directory. I think it would be fine but effectively keys would be added twice
16:50:05 <lorbus[m]> dustymabe: ack
16:50:11 <dustymabe> lorbus[m]: basically once we get ready to implement something then we do it.
16:50:40 <dustymabe> ajeddeloh: #6 is something like: https://github.com/coreos/fedora-coreos-tracker/issues/139#issuecomment-458341663 ?
16:51:13 <ajeddeloh> err my bad
16:51:14 <ajeddeloh> #5
16:51:22 <ajeddeloh> modifying openssh
16:51:44 <lorbus[m]> ah I see, thanks for linking dustymabe
16:51:58 <dustymabe> ajeddeloh: if we modify upstream it would no doubt take some time to get into a released sshd
16:52:07 <dustymabe> so the implications for CL are probably minimal?
16:52:45 <ajeddeloh> yeah but we'd pick it up eventaully
16:53:02 <ajeddeloh> since there _will_ be another openssh vuln probably before CL EOL
16:53:12 <dustymabe> do you guys already use a directory in AuthorizedKeysFile ?
16:53:43 <dustymabe> for CL
16:53:55 <ajeddeloh> no I'm saying since update-ssh-keys is already doing its job
16:54:03 <ajeddeloh> openssh would see every key twice
16:54:05 <dustymabe> ah, I see
16:54:13 <dustymabe> +1
16:54:35 <dustymabe> I think i'd be happy to tackle that problem because that means upstream would have implemented that functionality
16:54:37 <dustymabe> :)
16:55:00 <dustymabe> anyway that's all I had for this topic, just wanted to FYI where we currently are and ask for input/concerns
16:55:08 <dustymabe> ajeddeloh: maybe add that comment about CL to the ticket
16:55:16 <ajeddeloh> But if things break then we lock users out or let other users in
16:55:20 <ajeddeloh> +1
16:55:21 <kaeso> ajeddeloh: I don't think CL will have problems, we are not pointing directly to the .d
16:56:01 <ajeddeloh> kaeso: isn't that where update-ssh-keys reads from
16:56:44 <kaeso> ajeddeloh: yes, but not sshd itself
16:57:01 <ajeddeloh> yeah, that's my point
16:57:11 <kaeso> ack
16:57:12 <ajeddeloh> OH
16:57:23 <kaeso> let's take followup offline, it's not super-relevant here now
16:57:28 <ajeddeloh> +1
16:58:05 <lorbus[m]> #topic Keep/Remove Python dependent package: nfs-utils
16:58:15 <lorbus[m]> #link https://github.com/coreos/fedora-coreos-tracker/issues/121
16:59:17 <dustymabe> ksinny: would you like to summarize our conversation with the nfs team?
16:59:27 <ksinny> sure
17:02:13 <ksinny> In order to separate python dependencies in nfs-utils package, we need to separate them into separate python sub-package. unfortunately nfs-utils in F30 include a Python script nfsconvert.py which is to convert deprecated sysconfig/nfs configuration into /etc/nfs.conf
17:02:28 <ksinny> Related change proposal - https://fedoraproject.org/wiki/Changes/nfs.conf
17:03:14 <lorbus[m]> ksinny: it's this one, isn't it?: https://src.fedoraproject.org/rpms/nfs-utils/blob/master/f/nfsconvert.py
17:03:38 <ksinny> we had a disussion on bug https://bugzilla.redhat.com/show_bug.cgi?id=1667889 with nfs-utils maintainer and so far it seem sthat they want to keep Python script into nfs-utils package
17:03:55 <ksinny> One proposed solution is in https://bugzilla.redhat.com/show_bug.cgi?id=1667889#c13
17:04:21 <ksinny> which is about we create a nfs-utils-coreos package that has minimal needed to do a NFS mount
17:05:11 <ksinny> I believe this new package can contain utilities which we need from current nfs-utils
17:05:31 <dustymabe> we floated the idea of a rewrite of the `nfsconvert.py` but it was rejected for a good reason, being that they already had a ton of testing on the existing implementation
17:05:58 <ksinny> yeah and it makes sense
17:06:07 <ajeddeloh> would we maintain the -coreos package or would they
17:06:28 <lorbus[m]> having a minimal package that doesn't ship this legacy convert script sounds like a good way to me
17:06:39 <dustymabe> ajeddeloh: I think they are offering to carry it
17:06:51 <dustymabe> it's basically an extra paragraph in the spec file to generate another rpm
17:06:55 <lorbus[m]> but is -coreos the right suffix for it? shouldn't it be something like -minimal?
17:06:56 <ajeddeloh> +2 to the -coreos package
17:07:03 <ajeddeloh> lorbus[m]: ++
17:07:11 <dustymabe> so obviously having a nfs-utils-coreos package would give us everything we would need but I worry about this approach
17:07:15 <kaeso> I think the minimal -coreos idea works as long as all reverse dependencies of nfs-utils are switched to that
17:07:41 <dustymabe> kaeso: I think "reverse dependencies" can be satisfied with a virtual provides and a conflictes
17:07:58 <ksinny> Maybe we can have something sub-pacakge with nfs-utils-minimal which we FCOS can use and existing nfs-utils package can add requires on it
17:08:07 <ksinny> that way there will no duplication
17:08:46 <walters> a bit surprised https://src.fedoraproject.org/rpms/nfs-utils/pull-request/7 didn't come up in that thread
17:08:47 <dustymabe> regarding -coreos or -minimal. If we go with this approach (which I don't know if it is good or not) I'd prefer the -coreos suffix
17:09:18 <ajeddeloh> what worries you and why -coreos instead of -minimal
17:09:31 <walters> personally I feel like as long as yum uses python trying to stop people from using it is going to be a somewhat lost cause
17:09:40 <kaeso> dustymabe: but then with virtual provides -coreos and -utils can't be co-installed, I guess
17:09:49 <dustymabe> kaeso: right
17:09:56 <dustymabe> ajeddeloh: let me do those one at a time
17:10:15 <dustymabe> if we use minimal then I think people will misinterpret it and also try to mold it for different uses
17:10:21 <dustymabe> if we use coreos it's explicit
17:10:33 <dustymabe> and other people won't try to shoehorn it for other things they want to do
17:10:42 <dustymabe> and now for the 2nd part
17:11:29 <dustymabe> this approach worries me because I don't think it's scalable (i don't think every package that has python parts will want to carry a coreos sub package nor do I really want them to)
17:11:51 <dustymabe> so while it's great they are offering this, I think it will be hard to convince others of this
17:12:01 <kaeso> that echoes walters' statement above
17:12:12 <dustymabe> kaeso: yep
17:13:04 <dustymabe> so what do we think we want to do here
17:13:12 <ksinny> If we want to name it -coreos then what dustymabe suggested sounds good to me
17:13:13 <ajeddeloh> Any python removal (especailly in this case where we're removing non-upstream legacy stuff) is good in my book
17:13:20 <walters> https://github.com/coreos/fedora-coreos-tracker/issues/32#issuecomment-455579535
17:13:28 <ajeddeloh> so I think we ought to take it where we can get it if they're offering
17:13:55 <miabbott> +1 to take them up on their offer
17:14:00 <dustymabe> ajeddeloh:
17:14:00 <ajeddeloh> I'd be in favor of removing everything in /etc/sysconfig if that were feasible
17:14:23 <walters> BTW see also the "Python as a security vulnerability" subsection of https://lwn.net/Articles/723823/
17:14:46 <dustymabe> ajeddeloh:  'non-upstream legacy stuff' ? i think the nfsconvert script was recently introduced
17:15:21 <walters> (It's not just python of course, beyond other scripting langauges on Unix, on Windows Powershell is also a focus of similar attempts to restrict it where possible)
17:16:22 <ajeddeloh> dustymabe: the header at the top of the file says its for reading a deprecated file
17:16:33 <lorbus[m]> so we are in favor of taking up their offer?
17:17:01 <lorbus[m]> +1 If it moves us forward
17:17:03 <walters> ajeddeloh: yeah that'd be nice.../etc/sysconfig is IMO a weird relic of a Red Hat Linux era attempt to improve configuration but it ended up being "we put an /etc in your /etc"
17:17:27 <dustymabe> lorbus[m]: I think we are, but their offer might not be useful to us if we have to declare python bankruptcy with the other packages
17:17:38 <mnguyen_> +1 on taking them up on their offer
17:17:38 <kaeso> this nfsconvert doesn't need any external pylib, so it could be a good candidate for system-python too without further fallout from additional dependencies
17:18:07 <dustymabe> kaeso: agree - i think maybe we should start to consider walters' proposal
17:18:22 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/32#issuecomment-455579535
17:18:36 <kaeso> the two are not mutually exclusive
17:18:38 <lorbus[m]> dustymabe: I think it's probably cumbersome for all py packages on our list...but at least this moves us there slowly
17:18:41 <dustymabe> ajeddeloh: I'd be interested in your thoughts there ^^
17:18:56 <ajeddeloh> I don't see a downside in taking their offer
17:19:25 <ajeddeloh> Like yes, we _can_ not take their offer but we don't gain anything by doing it
17:19:42 <dustymabe> lorbus[m]: I don't disagree with you. but do realize that the "extra package" could be a source of maintenace/breakage possibly
17:19:45 <lorbus[m]> ajeddelloh++
17:19:53 <miabbott> ajeddeloh: 💯
17:19:54 <dustymabe> so it's not without cost (even though that cost isn't on us)
17:19:55 <ajeddeloh> in fact it would let people use /etc/sysconfig, which is an antifeature
17:20:08 <kaeso> would -utils depends on -coreos or would they just duplicate some of their content?
17:20:34 <dustymabe> kaeso: my understanding is they would have the exact same file set except remove python files
17:21:29 <slowrie> I'd personally prefer to take their offer and accept the maintenance risk
17:21:49 <kaeso> dustymabe: ack, now I understand better your virtual provide hint above
17:21:49 <ksinny> +1
17:22:01 <slowrie> But I'm definitely of the opinion that I'd like to not ship python :)
17:22:05 <lorbus[m]> I was thinking of the plain utils pkg depending on -coreos/-minimal, hence preferring -minimal pkg naming
17:22:25 * ajeddeloh doesn't really care if its -coreos or -minimal
17:22:35 <ksinny> lorbus[m]: same here, but dustymabe had something different in mind :)
17:22:37 <slowrie> no opinions here on the package naming either
17:22:45 <ajeddeloh> fcos is image based not package based so it really doesn't matter
17:23:03 <ajeddeloh> matter to us*
17:23:04 <dustymabe> ack
17:23:14 <lorbus[m]> it's true. let's move on for now. only little time left
17:23:33 <lorbus[m]> #topic https://github.com/coreos/fedora-coreos-tracker/issues/91
17:23:39 <lorbus[m]> #undo
17:23:39 <zodbot> Removing item from minutes: <MeetBot.items.Topic object at 0x7fe4edbbc0d0>
17:23:39 <dustymabe> #proposed we'll agree to accept nfs-utils-coreos subpackage and continue to fight the python battle against other rpms to see where we land
17:23:48 <dustymabe> acks/nacks?
17:23:54 <lorbus[m]> #topic Bare Metal Installer: Attempt to build media based on current strategy
17:24:02 <slowrie> ack
17:24:04 <ksinny> so, we agreed on having -coreos sub-package with functionality equivalent to nfs-utils - python ?
17:24:13 <lorbus[m]> #link https://github.com/coreos/fedora-coreos-tracker/issues/91
17:24:40 <lorbus[m]> ksinny: yes I think so, sorry didn't info.
17:24:45 <lorbus[m]> #undo
17:24:45 <zodbot> Removing item from minutes: <MeetBot.items.Link object at 0x7fe4f5406610>
17:24:51 <lorbus[m]> #undo
17:24:51 <zodbot> Removing item from minutes: <MeetBot.items.Topic object at 0x7fe564fd2f10>
17:25:17 <lorbus[m]> #info Agreement on having -coreos sub-package with functionality equivalent to nfs-utils - python
17:25:22 <ksinny> acks to proposal
17:25:24 <lorbus[m]> #topic Bare Metal Installer: Attempt to build media based on current strategy
17:25:34 <lorbus[m]> #link https://github.com/coreos/fedora-coreos-tracker/issues/91
17:25:44 <dustymabe> I added this item to the meeting list
17:26:01 <dustymabe> https://github.com/coreos/fedora-coreos-tracker/issues/91#issuecomment-461100135
17:26:20 <dustymabe> I've got a few open PRs for adding an installer ISO to be output from CoreOS Assembler
17:26:44 <dustymabe> There's still some work to be done (and some PRs for me to consider - thanks walters for your patience there)
17:26:47 <dustymabe> but it's a start
17:27:05 <dustymabe> and I've been working with some other people who have been interested in this work to get them hacking on it and successful
17:27:30 <dustymabe> that's mostly all I had
17:27:45 <ajeddeloh> dustymabe++
17:27:45 <zodbot> ajeddeloh: Karma for dustymabe changed to 9 (for the current release cycle):  https://badges.fedoraproject.org/tags/cookie/any
17:28:27 <mnguyen_> 👍
17:28:35 <lorbus[m]> nice
17:29:15 <lorbus[m]> any more comments on this? otherwise i'll open the floor for one last minute
17:29:48 <lorbus[m]> #topic Open Floor
17:30:38 <lorbus[m]> anybody got anything? otherwise let's end meeting in 30 sec :)
17:30:42 <ksinny> Everone is doing amazing work, keep it up!
17:30:49 <dustymabe> ksinny++
17:30:52 <dustymabe> thanks everyone!
17:30:54 <lorbus[m]> ksinny++
17:31:00 <emv> thanks everybody!
17:31:02 <dustymabe> lots of hacking on coreos-assembler lately :)
17:31:11 <lorbus[m]> thanks for joining in everyone!
17:31:19 <dustymabe> jeyoung: anything for open floor today?
17:31:40 <dustymabe> or jcajka
17:31:40 <jeyoung> dustymabe: just trying to follow along :)
17:31:44 <jeyoung> and I exist!
17:31:47 <emv> ksinny: if any packet related questions come up pls route them to me
17:31:48 <dustymabe> jeyoung: woot!
17:32:04 <emv> emv aka vielmetti
17:32:26 <jcajka> dustymabe: not really, digging now in to the build process
17:32:44 <lorbus[m]> jeyoung, emv: thanks for joining as well!
17:32:56 <lorbus[m]> jcajka, too!
17:33:00 <dustymabe> jcajka: +1
17:33:00 <lorbus[m]> #endmeeting