16:30:17 <jlebon> #startmeeting fedora_coreos_meeting 16:30:17 <zodbot> Meeting started Wed Jul 7 16:30:17 2021 UTC. 16:30:17 <zodbot> This meeting is logged and archived in a public location. 16:30:17 <zodbot> The chair is jlebon. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:30:17 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 16:30:17 <zodbot> The meeting name has been set to 'fedora_coreos_meeting' 16:30:24 <jlebon> #topic roll call 16:30:25 <darkmuggle> .hello2 16:30:26 <zodbot> darkmuggle: darkmuggle 'None' <me@muggle.dev> 16:30:34 <jlebon> #chair darkmuggle 16:30:34 <zodbot> Current chairs: darkmuggle jlebon 16:30:41 <bgilbert> .hi 16:30:41 <zodbot> bgilbert: bgilbert 'Benjamin Gilbert' <bgilbert@backtick.net> 16:30:44 <jlebon> #chair bgilbert 16:30:44 <zodbot> Current chairs: bgilbert darkmuggle jlebon 16:31:08 <jbrooks> .hello jasonbrooks 16:31:11 <zodbot> jbrooks: jasonbrooks 'Jason Brooks' <jbrooks@redhat.com> 16:31:14 <jlebon> #chair jbrooks 16:31:14 <zodbot> Current chairs: bgilbert darkmuggle jbrooks jlebon 16:31:45 <lucab> .hi 16:31:46 <zodbot> lucab: lucab 'Luca Bruno' <lucab@redhat.com> 16:32:13 <jlebon> #chair lucab 16:32:13 <zodbot> Current chairs: bgilbert darkmuggle jbrooks jlebon lucab 16:32:34 <jlebon> #chair jaimelm 16:32:34 <zodbot> Current chairs: bgilbert darkmuggle jaimelm jbrooks jlebon lucab 16:32:56 <jaimelm> .hello2 16:32:57 <zodbot> jaimelm: jaimelm 'Jaime Magiera' <jaimelm@umich.edu> 16:33:29 <jlebon> i expect a smaller crowd today. i'll leave off the juicier tickets for the video meeting next week, and we can tackle a few smaller ones today. 16:33:50 <jlebon> so it should be a shorter meeting 16:33:57 <lorbus> .hi 16:33:58 <zodbot> lorbus: lorbus 'Christian Glombek' <cglombek@redhat.com> 16:34:02 <jlebon> #chair lorbus 16:34:02 <zodbot> Current chairs: bgilbert darkmuggle jaimelm jbrooks jlebon lorbus lucab 16:34:26 * jlebon waits 30s more 16:35:05 <jlebon> #topic Action items from last meeting 16:35:26 <travier> .hello siosm 16:35:27 <zodbot> travier: siosm 'Timothée Ravier' <travier@redhat.com> 16:35:31 <jlebon> * bgilbert to file ticket to consider switching Ignition/Afterburn to reference GCE metadata server by IP 16:35:34 <jlebon> * jaimelm to investigate F35: CHANGE: CompilerPolicy Change #872 * darkmuggle to investigate F35: CHANGE: DNS Over TLS #873 16:35:37 <jlebon> * jlebon to investigate F35: CHANGE: "Fedora Linux" in /etc/os-release #874 16:35:40 <jlebon> * darkmuggle to investigate F35: CHANGE: More flexible use of SSSD fast cache for local users #875 16:35:43 <jlebon> * lucab to investigate F35: CHANGE: OpenSSL3.0 #876 16:35:45 <jlebon> * jlebon to investigate F35: CHANGE: RPM 4.17 #877 16:35:48 <jlebon> * dustymabe to investigate F35: CHANGE: Remove nscd #879 16:35:50 <jlebon> * walters to investigate F35: CHANGE: DNF/RPM Copy on Write enablement for all variants #878 16:35:53 <jlebon> #chair travier 16:35:53 <zodbot> Current chairs: bgilbert darkmuggle jaimelm jbrooks jlebon lorbus lucab travier 16:35:54 <jlebon> ok, my suggestion is to not tackle the CHANGE ones today and leave that for next week 16:35:59 <bgilbert> #info bgilbert filed https://github.com/coreos/fedora-coreos-tracker/issues/891 16:36:01 <jaimelm> Goo idea 16:36:05 <jaimelm> also, good idea 16:36:32 <jlebon> ehhh, instead of re-actioning them all, let's do: 16:36:59 <jlebon> #action look at the action items from the previous meeting for F35 CHANGE-related items 16:37:57 <jlebon> ok to move on? 16:38:03 <bgilbert> +1 16:38:16 <jlebon> #topic Consider referencing GCP metadata service by IP in Ignition/Afterburn 16:38:19 <jlebon> #link https://github.com/coreos/fedora-coreos-tracker/issues/891 16:38:39 <jlebon> bgilbert filed this, but I tagged it for this meeting 16:39:02 <jlebon> from lucab's comment, it sounds like it should be safe to assume the IP will not change 16:39:21 <bgilbert> cool 16:39:39 <lucab> I did ask some GCP contacts, and they pointed out the fact that even Google is hardcoding it in a few places 16:39:48 <bgilbert> +1, thanks lucab 16:39:50 <bgilbert> the idea here is: there have already been two exploits that poison the metadata.google.internal hostname 16:39:57 <jlebon> lucab: +1 16:40:13 <jaimelm> that's helpful info lucab 16:40:24 <bgilbert> and an attack that overrides the metadata service is catastrophic for security 16:40:25 <lucab> they are still asking internally, but I doubt I'll get a more explicit answer anytime soon 16:40:47 <bgilbert> so if we can just assume 169.254.169.254, maybe we should 16:41:03 <jlebon> agree with that, yeah 16:41:18 <lucab> so I guess we can go ahead now, or wait a bunch more days to see if there are further followups 16:41:45 <lucab> but all the signs so far point to "should be fine" 16:41:48 <jlebon> i think this might've been answeredin the previous meeting but: are there any other clouds for which the question should also be asked? 16:42:04 <darkmuggle> my biggest objection is that its not documented 16:42:14 <darkmuggle> right now GCP says to use the DNS 16:42:36 <darkmuggle> and while it should be safe, I'd much rather we get the word from on high that its fine 16:43:24 <darkmuggle> plumbing the depths of my memory during days at $other_employer they use the DNS endpoints for doing image testing 16:43:31 <bgilbert> jlebon: just looked through the Ignition codebase. the only other provider that uses a hostname is Packet, and that one uses HTTPS 16:43:39 <travier> it is documented as the links from Luca points out 16:43:41 <jlebon> darkmuggle: was lucab's comment in that ticket not convincing? 16:44:07 <darkmuggle> jlebon: well, I missed it 16:44:15 <jlebon> :) 16:44:15 <darkmuggle> nevermind 16:44:23 <darkmuggle> +1 16:44:27 <travier> +1 16:44:34 <jlebon> bgilbert: ack ok 16:44:50 <jlebon> bgilbert: want to do a #proposed? 16:45:14 <lucab> It's kind documented transitively. The metadata server is the internal name server resolver. The internal name server resolver is at 169.254.169.254. 16:45:18 <lucab> *kinda 16:45:20 <bgilbert> #proposed we will switch Ignition and Afterburn to contact the GCP metadata service by IP instead of hostname 16:45:55 <jlebon> +1 16:46:13 <lucab> can we add a "(unless further comments by $date)"? 16:46:14 <darkmuggle> +1 16:46:37 <travier> +1 16:46:47 <bgilbert> lucab: I mean, actions are always subject to revision 16:46:57 <bgilbert> it'll take a while for the PRs to percolate to the OS 16:47:04 <bgilbert> do you have a specific concern? 16:47:27 <travier> we have until this hits stable to revert it 16:47:39 <travier> and even after if this turns out a bad idea 16:47:58 <lucab> yes, this week is a bit of a short/slow one and I asked my contacts just this morning, I still have some hope for some additional feedback 16:48:15 <jaimelm> The sysadmin in my has a built-in revulsion to using hardcoded IPs in code. 16:48:21 <jaimelm> s/my/me/ 16:48:49 <jaimelm> +1 on waiting 16:49:18 <jlebon> sounds fine to me too 16:49:21 <bgilbert> lucab: sure, I can slow-roll the PRs 16:49:48 <lucab> bgilbert: that'd be fine 16:50:33 <bgilbert> #action we will switch Ignition and Afterburn to contact the GCP metadata service by IP instead of hostname, unless we receive significant information to the contrary by next week 16:50:37 <bgilbert> ^ good? 16:50:42 <lucab> +1 16:50:46 <darkmuggle> +1 16:50:51 <jlebon> you mean #agreed? 16:50:55 <bgilbert> #undo 16:50:55 <zodbot> Removing item from minutes: ACTION by bgilbert at 16:50:33 : we will switch Ignition and Afterburn to contact the GCP metadata service by IP instead of hostname, unless we receive significant information to the contrary by next week 16:51:03 <bgilbert> #agreed we will switch Ignition and Afterburn to contact the GCP metadata service by IP instead of hostname, unless we receive significant information to the contrary by next week 16:51:08 <darkmuggle> +2 16:51:14 * jlebon nods 16:51:21 <jlebon> cool cool 16:51:41 <jlebon> #topic /boot/ignition/config.ign permissions 0644 to 0600 16:51:46 <jlebon> #link https://github.com/coreos/fedora-coreos-tracker/issues/889 16:51:55 <bgilbert> good call 16:52:10 <jlebon> bgilbert: want to introduce it? :) 16:52:14 <bgilbert> sure 16:52:29 <bgilbert> coreos-installer -i or -I writes an Ignition config to /boot/ignition/config.ign 16:52:33 <bgilbert> *coreos-installer install 16:52:53 <bgilbert> Ignition reads it, and then does not clean it up afterward 16:52:55 <bgilbert> and it's world-readable. 16:53:18 <bgilbert> the Ignition config may contain secrets, so we should not leave it lying around like that 16:53:31 <jaimelm> no beuno 16:53:42 <bgilbert> but the question is, how serious is this, and how should we address it 16:53:53 <bgilbert> there's a PR up to make it mode 0600 16:53:54 <jlebon> right 16:54:08 <bgilbert> there's also been some discussion about removing the file outright after Ignition completes 16:54:30 <bgilbert> (note that this only affects coreos-installer scenarios, not cloud images) 16:54:42 <bgilbert> but there's also the question of existing installs. 16:55:11 <jlebon> for comparison on clouds: my understanding is that on some platforms, it sticks around and anyone can request it from the metadata server, right? 16:55:31 <bgilbert> jlebon: yes, and we have open docs bugs to document that fact 16:55:35 <darkmuggle> are you thinking an selinux profile? 16:56:04 <bgilbert> jlebon: but that's a common problem across OSes. this one is specific to us. 16:56:18 <bgilbert> darkmuggle: doesn't seem worth it. there's no real reason for us to retain that file at all 16:56:35 <bgilbert> in terms of severity: the file is not normally accessible to containers, and the default core user already has passwordless sudo 16:56:42 <jlebon> bgilbert: right ok. so i guess the hypothetical question is: if a cloud provided a mechanism to have it removed, then there's no reason we wouldn't leverage it, right? 16:56:51 <travier> I think we should remove it. If it has a local root account password, having it there is an easy local root 16:56:53 <bgilbert> if the user creates additional unprivileged users, they will have access where they shouldn't 16:57:08 <bgilbert> jlebon: correct. we currently do not, though. 16:57:32 <jaimelm> +1 on removing. In general, a defining a clean up process would be useful moving forward. 16:57:32 <jlebon> right, sure. just trying to establish where we want to go, and we should try to be consistent across cloud and metal 16:57:33 <bgilbert> travier: our docs encourage the use of a strong password hash, fwiw 16:57:45 <jaimelm> invariably, there will be more things to clean up down the road I bet. 16:57:50 <bgilbert> jlebon: +1 16:58:00 <travier> #link https://github.com/coreos/fedora-coreos-docs/issues/306 16:58:04 <travier> for the docs changes 16:58:41 <jlebon> IOW, looking at this at the higher level, our stance should be something like: on platforms where possible, we should scrub the Ignition config after provisioning is complete 16:58:49 <travier> +1 16:58:52 <jaimelm> +1 16:58:56 <bgilbert> that one is for removing the config from the metadata server 16:59:04 <bgilbert> this one is for firewalling the metadata server: 16:59:05 <bgilbert> #link https://github.com/coreos/fedora-coreos-docs/issues/272 16:59:14 <bgilbert> jlebon: +1 16:59:44 <bgilbert> actually that implies that docs#306 should be a code bug instead 17:00:13 <jlebon> yeah, i think you're right 17:00:14 <darkmuggle> +1 17:00:27 <travier> for Ignition? Instances will usually not have enough access to remove user-data 17:00:45 <jlebon> that's the "where possible" bit :) 17:00:56 <bgilbert> travier: ah, it's a control-plane operation? ouch 17:00:59 <travier> but that could be for the MCO for example 17:01:05 <jaimelm> ^ 17:01:18 <jlebon> oh you're talking about the firewall 17:02:00 <bgilbert> jlebon: I wasn't. I misunderstood 17:02:04 <travier> It's 'gcloud compute instances remove-metadata' so I think you need the corresponding account access 17:02:07 <bgilbert> right 17:02:23 <bgilbert> okay, so, wrt cleaning up our messes 17:03:00 <bgilbert> my initial view is that this isn't a major fire in default configurations, since we're not leaking to anyone unprivileged 17:03:02 <travier> Creating a good 'on boot' fixup to remove all those ignition config files lying there is going to be tricky to not mess the /boot RW remount 17:03:25 <bgilbert> but that we should clean up existing systems nonetheless 17:03:51 <bgilbert> travier: I haven't followed the /boot RO saga. we can't just remount RW in a mount namespace and do the thing? 17:03:57 <travier> Or we could simply make an announcement and mount an empty RO directory on top of the /boot/ignition instead to avoid doing the remount 17:04:19 <bgilbert> travier: we'd have to keep doing that forever though 17:05:06 <travier> bgilbert: it should work. I vaguely recall issues if something else tries to remount RW at the same tim 17:05:16 <jlebon> remounting rw in a mount namespace sounds like it should work, yeah. ignition-firstboot-complete currently dues that 17:05:38 <darkmuggle> systemd-tmpfile? 17:05:44 <bgilbert> of note, there's possible version skew between coreos-installer and the OS. but we could fix this by changing firstboot-complete to remove the file + a barrier release that removes it on existing nodes 17:05:49 <travier> bgilbert: forever only if we find the folder in /boot 17:06:04 <bgilbert> and then fixing the perms in coreos-installer is just belt + suspenders redundancy 17:06:05 <jlebon> my strawman is to just ship a systemd service which does this gated on ConditionPathExists, but we don't make it a barrier and instead just drop it until we have a barrier for whatever other reason 17:06:17 <jlebon> darkmuggle: needs rw remount, so can't be just tmpfiles 17:06:21 <travier> systemd-tpmfiles can not remount RW and remove 17:06:27 <darkmuggle> ah 17:06:47 <bgilbert> jlebon: I like that, yeah 17:06:55 <bgilbert> travier: conditionally forever is still forever :-P 17:07:10 <travier> +1 for shipping like jlebon said until we have another barrier 17:07:12 <travier> :) 17:07:21 <jaimelm> +1 17:07:29 <lucab> travier: it can we add an ExecStart :) 17:07:33 <bgilbert> proposed incoming 17:07:38 <lucab> *if we add 17:08:07 <jlebon> lucab: to systemd-tmpfiles.service? yuck :) 17:08:18 <travier> :) 17:08:20 <lucab> :D 17:08:45 * jlebon waits for bgilbert's proposal 17:08:54 <travier> We will have to make sure this unit is well ordered to not break systems 17:09:06 <bgilbert> #proposed we will change firstboot-complete to delete /boot/ignition/config.ign. we will also add a systemd service that removes /boot/ignition/config.ign on existing nodes, and ship that service until after the next barrier release. in parallel, we will change coreos-installer to write /boot/ignition/config.ign with mode 0600. 17:09:29 <jaimelm> well done sir 17:09:32 <jaimelm> ack 17:09:36 <jlebon> +1 17:09:56 <travier> +1 17:10:01 <bgilbert> travier: we have a lot of flexibility in the ordering, thankfully 17:10:32 <jlebon> this will be made easier by what i'm working on with moving firstboot-complete to f-c-c 17:10:38 <bgilbert> jlebon: yup 17:10:46 <jlebon> (i have pending code which makes it a proper script too) 17:10:53 <jaimelm> nice 17:11:12 <jaimelm> have everyone voted? Time to move on? 17:11:25 <bgilbert> #action we will change firstboot-complete to delete /boot/ignition/config.ign. we will also add a systemd service that removes /boot/ignition/config.ign on existing nodes, and ship that service until after the next barrier release. in parallel, we will change coreos-installer to write /boot/ignition/config.ign with mode 0600. 17:11:38 <jlebon> s/#action/#agreed/ 17:11:50 <bgilbert> .... 17:11:51 <bgilbert> #undo 17:11:51 <zodbot> Removing item from minutes: ACTION by bgilbert at 17:11:25 : we will change firstboot-complete to delete /boot/ignition/config.ign. we will also add a systemd service that removes /boot/ignition/config.ign on existing nodes, and ship that service until after the next barrier release. in parallel, we will change coreos-installer to write /boot/ignition/config.ign with mode 0600. 17:11:56 <jaimelm> heh 17:12:00 <bgilbert> also: is there general agreement that we don't need to raise a major alarm about this one? 17:12:06 <bgilbert> #agreed we will change firstboot-complete to delete /boot/ignition/config.ign. we will also add a systemd service that removes /boot/ignition/config.ign on existing nodes, and ship that service until after the next barrier release. in parallel, we will change coreos-installer to write /boot/ignition/config.ign with mode 0600. 17:12:38 <bgilbert> should we have a coreos-status post? 17:12:45 <travier> I'm torned on the raising alarm side 17:12:58 <travier> This is just like the mode fixup change 17:13:08 <jlebon> also torn 17:13:08 <bgilbert> ah, right 17:13:17 <darkmuggle> I'm conflicted on raising the alarm myself 17:13:43 <darkmuggle> I can see some some admin being used to seeing the ignition config in /boot 17:13:45 <travier> I think we are really missing a place to bring news to operator in a non alarming way while bringing visibility 17:13:52 <travier> we have the coreos-status 17:13:54 <travier> ml 17:13:55 <jaimelm> It's probably best to wait until the fix is in to avoid undu panic and attempts to take advantage. 17:14:01 <jaimelm> undo* 17:14:19 <darkmuggle> but the config /boot is platform specific 17:14:49 <bgilbert> we could release-note it if we had release notes :-/ 17:14:53 <jlebon> did we end up making a post/email for the /etc mode bits? 17:14:59 <jaimelm> travier: agreed. 17:15:14 <travier> no, but I think we should do one 17:15:32 <travier> but we have nowhere to put it 17:15:40 <bgilbert> coreos-status is exactly that place, isn't it? 17:15:43 <jlebon> probably worth combining it then 17:15:46 <bgilbert> jlebon: +1 17:15:50 <travier> beside the ml, which is not really a great format 17:16:06 <jaimelm> This came up last Fall for something I thought we should post 17:16:13 <travier> but it works until we have something better 17:16:18 <jlebon> i think coreos-status is OK, we just need to make sure it's worded well 17:16:25 <jaimelm> there's nothing for static informative stuff. 17:16:45 <travier> Let's do a combined coreos-status mail for those two issues 17:17:37 <bgilbert> #proposed we will post to coreos-status about /etc mode bits and config.ign mode bits, timing to be determined 17:17:48 <jaimelm> ack 17:17:49 <jlebon> +1 17:18:46 <bgilbert> travier: ^ lgty? 17:18:54 <travier> +1 17:19:11 <bgilbert> also darkmuggle 17:19:54 <bgilbert> #action bgilbert to learn the difference between #agreed and #action 17:19:59 <bgilbert> #agreed we will post to coreos-status about /etc mode bits and config.ign mode bits, timing to be determined 17:20:20 <travier> :) 17:20:24 <jlebon> heh 17:20:30 <jlebon> ok cool 17:20:53 <bgilbert> thanks for bringing this up 17:20:57 <jlebon> let's leave it there for today for the tickets since the other ones are larger 17:21:08 <jlebon> #topic Open Floor 17:21:18 <jlebon> anyone has anything to bring up? 17:21:42 <lucab> I was scrolling through some container-related posts and noticed a familiar logo in this one: https://www.koyeb.com/blog/the-koyeb-serverless-engine-from-kubernetes-to-nomad-firecracker-and-kuma 17:21:48 <jlebon> next week *should* be a video meeting 17:22:11 <bgilbert> Ignition 3.3.0 stable spec is in `testing` and will be in the next `stable` 17:22:21 <jlebon> lucab: oh cool! 17:22:27 <bgilbert> corresponding Butane release coming soon 17:22:49 <jaimelm> Open Floor: It might be worth a discussion documentation style in the future. Several times when I've written docs, one person will sign off on it after a few suggested changes. Then someone else comes along with many suggested changes that change the tenor substantially. Perhaps a documentation style guide. 17:22:54 <jlebon> lucab: everytime that happens, it's like seeing your house on TV or something :) 17:23:08 <jlebon> bgilbert: +1 17:23:11 <bgilbert> this spec has kernel-argument support and filesystem format `none` 17:23:41 <bgilbert> jaimelm: are they usually style comments or technical comments? 17:23:42 <jlebon> jaimelm: that's a good point. we don't have a good maintainership story for docs right now 17:24:02 <jaimelm> bgilbert: mostly style 17:24:02 <jlebon> it's kind of "everyone and no one" 17:24:10 <lucab> doesn't Fedora have one? 17:24:25 <jaimelm> used to. is it still around? 17:25:16 <travier> https://github.com/travier/fedora-coreos-nomad > Nomad on top of FCOS demo here 17:25:50 <travier> From my latest FCOS talk: https://twitter.com/siosm/status/1412396467659083779 17:26:16 <jlebon> jaimelm: can you make a tracker issue for this? we can tag it with the meeting label to bring it up in a future meeting 17:26:58 <jaimelm> will do 17:27:00 <jlebon> travier: thanks for giving that talk! 17:27:16 <lucab> I only found https://fedoraproject.org/wiki/Archive:Docs_Project_Style_Guide 17:28:11 * jlebon will close in 60s 17:29:11 <jlebon> #endmeeting