<@jbtrystram:matrix.org>
16:29:16
!startmeeting fedora_coreos_meeting
<@meetbot:fedora.im>
16:29:19
Meeting started at 2024-05-15 16:29:16 UTC
<@meetbot:fedora.im>
16:29:20
The Meeting name is 'fedora_coreos_meeting'
<@jbtrystram:matrix.org>
16:30:02
!topic roll call
<@dustymabe:matrix.org>
16:31:15
!hi
<@jbtrystram:matrix.org>
16:31:16
!hi
<@zodbot:fedora.im>
16:31:17
Dusty Mabe (dustymabe) - he / him / his
<@zodbot:fedora.im>
16:31:19
Jean-Baptiste Trystram (jbtrystram) - he / him / his
<@dogphilosopher:fedora.im>
16:31:25
!hi
<@zodbot:fedora.im>
16:31:29
Noel Miller (dogphilosopher)
<@hricky:fedora.im>
16:31:33
!hi
<@zodbot:fedora.im>
16:31:37
Hristo Marinov (hricky) - he / him / his
<@jmarrero:matrix.org>
16:32:00
!hi jmarrero
<@zodbot:fedora.im>
16:32:05
Joseph Marrero (jmarrero)
<@gurssing:matrix.org>
16:32:14
!hi gursewak
<@zodbot:fedora.im>
16:32:17
Gursewak Singh (gursewak)
<@ravanelli:matrix.org>
16:32:39
!hi ravanelli
<@zodbot:fedora.im>
16:32:44
Renata Ravanelli (ravanelli)
<@marmijo:fedora.im>
16:33:03
!hi
<@zodbot:fedora.im>
16:33:07
Michael Armijo (marmijo)
<@jlebon:fedora.im>
16:33:27
!hi
<@zodbot:fedora.im>
16:33:30
None (jlebon)
<@jbtrystram:matrix.org>
16:34:27
Ok, let's start !
<@jbtrystram:matrix.org>
16:35:04
!topic Action items from last meeting
<@mnguyen:fedora.im>
16:35:05
!hi
<@zodbot:fedora.im>
16:35:08
Michael Nguyen (mnguyen)
<@apiaseck:matrix.org>
16:35:22
.hi
<@jbtrystram:matrix.org>
16:35:25
The only action item was : dustymabe to find someone to help wrangle changes considerations for the F41 cycle
<@apiaseck:matrix.org>
16:35:34
!hi
<@zodbot:fedora.im>
16:35:37
Adam Piasecki (c4rt0) - he / him / his
<@jbtrystram:matrix.org>
16:35:50
dustymabe: any progress on that ?
<@siosm:matrix.org>
16:35:52
.hi
<@siosm:matrix.org>
16:36:02
!hi
<@zodbot:fedora.im>
16:36:05
Timothée Ravier (siosm) - he / him / his
<@dustymabe:matrix.org>
16:36:48
jbtrystram: I think a few people volunteered recently (I think marmijo was one) to sit in on a session with me going over the process.. we still haven't done that yet, though.
<@dustymabe:matrix.org>
16:37:16
!info dustymabe and a few people will get together this week to cover an overview of the changes process we follow and try to pick it up for the F41 cycle
<@jbtrystram:matrix.org>
16:37:49
Awesome. Thanks marmijo
<@marmijo:fedora.im>
16:38:22
Of course! Let me know when you want to meet.
<@jbtrystram:matrix.org>
16:38:25
i guess there isn't anything else to add ?
I'll proceed with the topics, we have quite a few today
<@jbtrystram:matrix.org>
16:38:56
The first one is for you dustymabe
<@jbtrystram:matrix.org>
16:38:58
!topic revisit python discussion
<@jbtrystram:matrix.org>
16:39:08
!link https://github.com/coreos/fedora-coreos-tracker/issues/1730
<@dustymabe:matrix.org>
16:39:17
oh yay :)
<@dustymabe:matrix.org>
16:41:15
I put most of my reasoning in the ticket, but to quickly recap.. anecdotally I think our efforts to keep python out of Fedora CoreOS have hurt us more than they have helped us. In a perfect world we would "do all the things"TM that would be necessary to ship what we need to without including python, but practically I think what ends up happening is that we just leave pieces unimplemented or ignore the problems that result.
<@dustymabe:matrix.org>
16:42:35
copying in a few things from the ticket (so excuse formatting):
- Package splitting.. We did manage to get some packages split out so that python deps were isolated to a sub package, but that was a lot of work and there are still some that aren't right:
  - The [nfs-utils](https://github.com/coreos/fedora-coreos-tracker/issues/121) saga is [still not completely sorted out](https://github.com/coreos/fedora-coreos-tracker/issues/572)
- We have had to keep out things that I think represent basic level functionality
  - like [firewalld](https://github.com/coreos/fedora-coreos-tracker/issues/26#issuecomment-415161012)
  - and [basic level SELinux tools](https://github.com/coreos/fedora-coreos-tracker/issues/126) (like `semanage`) that people expect to be there (https://github.com/coreos/fedora-coreos-tracker/issues/126)
- Also integrating with things like `ansible` hasn't really been able to work well (maybe some people have figured it out??). I know we have Ignition and things are supposed to be 'immutable', but practically people need to make small tweaks periodically.
- fwupd, which we [shipped not too long ago](https://github.com/coreos/fedora-coreos-tracker/issues/449) [appears broken](https://github.com/coreos/fedora-coreos-tracker/issues/1623#issuecomment-1851904401) because it dynamically depends on some python libraries to exist. I'm not saying we do want to include those libraries, just that we can't even consider it right now.
<@jmarrero:matrix.org>
16:43:02
If https://github.com/coreos/fedora-coreos-tracker/issues/1730#issuecomment-2110740191 means we are going to get it either way. I say we add it earlier than later.
<@dustymabe:matrix.org>
16:43:48
:) - I think that might be putting the cart before the horse - we haven't really had bootc discussions here in this meeting.. a lot of indirect, but not a lot of direct
<@dustymabe:matrix.org>
16:44:05
I think this conversation is worth having on its own, independent of bootc
<@jbtrystram:matrix.org>
16:44:52
i just read through the initial reasoning for excluding python and I don't really get it
<@siosm:matrix.org>
16:45:11
yeah, it's not entirely a given that we have to match the content of the bootc image
<@jbtrystram:matrix.org>
16:45:32
"prevent users from running scripts" but we still ship bash ? I know it's a stretch to compare them but still
<@dustymabe:matrix.org>
16:46:15
jbtrystram: without reading the original ticket, my recollection is that it basically boils down to a few things:
1. less attack surface (maintenance) for us (i.e. python CVEs or features/changes we don't even have to consider)
2. encouraging people to use containers for things, whereas otherwise they might be inclined to just copy in a python script
<@jbtrystram:matrix.org>
16:46:24
total noob question : is the python binary that big, or does it have a huge CVE history ?
<@ravanelli:matrix.org>
16:46:48
The users can always install it on their own, in the way they need.
<@jlebon:fedora.im>
16:47:11
i'm mixed about this, because it also worked as a way to keep packages out. the implied statement of this proposal is that we'd add packages we're currently not shipping. and more packages is more overhead and things to keep track of, especially when we're dragging in a whole ecosystem. OTOH, i totally recognize that it hasn't been easy to maintain this stance
<@dustymabe:matrix.org>
16:47:27
Is that an argument for continuing to deny python inclusion?
<@siosm:matrix.org>
16:47:33
The binary itself is not that big but it comes with libraries and modules that quickly add up
<@siosm:matrix.org>
16:48:16
Note that we would also have to deal with https://github.com/ostreedev/ostree/issues/1469
<@ravanelli:matrix.org>
16:49:53
The question is, about the other packages such as fwupd, firewalld ... is there another way to fix it? Unless we include python?
<@siosm:matrix.org>
16:50:15
I'm mixed as well as it's needed for some important things, but I also don't like it as it's a big size increase and sends the wrong message
<@dustymabe:matrix.org>
16:50:22
so regarding "maintenance" and "new package inclusion" arguments, I'll argue that we have done more work by trying to get others to change their packages
<@siosm:matrix.org>
16:50:40
but that kept FCOS smaller
<@jlebon:fedora.im>
16:50:45
in theory, firewalld should be able to work from a container, but I doubt it's commonly used that way and would require some effort to proof out and document
<@dustymabe:matrix.org>
16:51:29
correct, but it also feels like something the system should provide (i.e. a firewall shouldn't be something that needs to be either layered or run as a container)
<@dustymabe:matrix.org>
16:51:50
to put it a different way, would firewalld be in FCOS today if it wasn't python based (i.e. written in rust or something)
<@ravanelli:matrix.org>
16:52:20
Yeah, probably it would be there
<@siosm:matrix.org>
16:53:22
I would argue more for semanage tools or more udev rules
<@dustymabe:matrix.org>
16:53:36
travier: fair :)
<@jmarrero:matrix.org>
16:53:41
I think if we do this and include firewalld and semanage etc, then how do we stop x and y tools from being continuously added to the image? We would need to form a hard stand about something else.
<@jmarrero:matrix.org>
16:53:57
Or are we changing the stance to just allowing anything that is an expected tool.
<@dustymabe:matrix.org>
16:54:11
jmarrero: we still have our package inclusion request issue template - we can still say no to things
<@siosm:matrix.org>
16:54:23
Each tool should be evaluated on their own like we already do
<@dustymabe:matrix.org>
16:54:29
i.e. for example
<@dustymabe:matrix.org>
16:54:48
depending on the outcome of this ticket.. we still wouldn't just go straight and add python to FCOS
<@dustymabe:matrix.org>
16:55:01
we'd first open a ticket for each tool to evaluate if we want to include it
<@dustymabe:matrix.org>
16:55:19
but we needed to clear this hurdle first, because it's not worth having those conversations otherwise
<@ravanelli:matrix.org>
16:56:42
Firewalld is a widely recognized tool that might offer a simpler solution compared to configuring udev rules maybe.
Does fedora include firewalld as part of its default installation? I guess so
<@ravanelli:matrix.org>
16:57:43
I have mixed feelings about adding python as well, but I see firewalld as a base package
<@siosm:matrix.org>
16:57:47
iptables & nft are also widely used
<@siosm:matrix.org>
16:58:02
I would argue firewalld is very niche
<@siosm:matrix.org>
16:58:09
especially on servers
<@dustymabe:matrix.org>
16:58:15
> Does fedora include firewalld as part of its default installation? I guess so
yes, in server/workstation
but, not in cloud (though think cloud is meant specifically for cloud env where security groups exist)
<@jlebon:fedora.im>
16:59:05
right, firewalld is not the only wrapper around iptables/nftables that exist. we don't ship it in RHCOS either for example
<@dustymabe:matrix.org>
16:59:30
we don't support RHCOS in single node use cases and Openshift handles the firewall there
<@dustymabe:matrix.org>
16:59:51
though, maybe we should take the conversation back to the higher level
<@siosm:matrix.org>
17:00:03
firewalld is also one of the biggest offender on my laptop for boot time, so I don't think we'll want to enable it by default, etc. but that's deviating from the python discussion
<@jlebon:fedora.im>
17:00:06
right, my point is that firewalld is not the only thing that exists in this area
<@dustymabe:matrix.org>
17:00:22
neither is NetworkManager?
<@jlebon:fedora.im>
17:01:19
right? a big part of bringing up python again is for firewalld, right?
<@siosm:matrix.org>
17:01:27
NetworkManager takes longer, but I can not really do without network :)
<@dustymabe:matrix.org>
17:01:33
no, I mean I listed out a few different reasons
<@dustymabe:matrix.org>
17:01:45
i think it's a culmination of things
<@ravanelli:matrix.org>
17:02:00
Which of these packages can we say are absolutely necessary? and depend on python?
<@dustymabe:matrix.org>
17:02:38
new stuff comes up all the time - like https://github.com/coreos/fedora-coreos-tracker/issues/1122#issuecomment-2102779351
"oh great, this will solve a problem for us"
EDIT: It needs python
<@ravanelli:matrix.org>
17:02:58
If we can live without it, I say we don't need python?
<@siosm:matrix.org>
17:03:19
I personally think that no system package should depend on an interpreted language. But I know that's a difficult stance and we have tons of bash scripts.
<@dustymabe:matrix.org>
17:03:49
travier: and up until recently (dnf5) you'd have no RHEL or Fedora
<@jlebon:fedora.im>
17:04:32
which both predate the rise of minimal OSes and containers :)
<@jmarrero:matrix.org>
17:04:42
firewalld is part of the tools used on RHCSA to manage the firewall
<@dustymabe:matrix.org>
17:05:25
I'm happy with the conversation (quite lively and productive), but also don't want to capture the entire meeting on this one topic
<@dustymabe:matrix.org>
17:06:05
happy to keep going or try to find some stopping point if we can agree on what we would like next steps to be (i.e. decision, some investigation, etc)
<@jmarrero:matrix.org>
17:06:21
Same for semanage* so a lot of Fedora, CentOS and RHEL users I bet expect these tools to be there and have no issues with python being a dependency of their package.
<@siosm:matrix.org>
17:07:15
for semanage: https://discussion.fedoraproject.org/t/managing-selinux-in-fedora-coreos/116733
<@siosm:matrix.org>
17:07:50
(not going either way, neither a +1 or -1)
<@dustymabe:matrix.org>
17:07:52
travier: :)
<@jmarrero:matrix.org>
17:08:38
I am leaning +1
<@siosm:matrix.org>
17:09:28
Let's sleep on it and talk about it again next week?
<@siosm:matrix.org>
17:09:39
otherwise it's going to take the entire meeting
<@dustymabe:matrix.org>
17:10:06
travier: sounds good.. maybe we can all agree to at least think about it a little?
<@jlebon:fedora.im>
17:10:45
SGTM
<@dustymabe:matrix.org>
17:11:18
i.e. do we think the pain and work we have caused ourselves by not having it (think there are many packages where we never included them or it took a really long time because of the no-python stance) has been worth it.
to me it feels a bit like we are fighting against the ecosystem that RHEL and Fedora have fostered
<@dustymabe:matrix.org>
17:12:08
!info take some time to consider the python discussion from this week's meeting (see transcript) and we will discuss next week
<@jbtrystram:matrix.org>
17:12:50
!action : All to think about the python discussion
<@jbtrystram:matrix.org>
17:13:32
Ok let's move on to the next topic :)
<@jbtrystram:matrix.org>
17:13:35
!topic NetworkManager-team & teamd not included in C10S
<@jbtrystram:matrix.org>
17:13:46
!link https://github.com/coreos/fedora-coreos-tracker/issues/1727
<@jbtrystram:matrix.org>
17:14:06
This one is from travier
<@siosm:matrix.org>
17:16:05
I've not confirmed things yet but apparently those packages are not going to be included in CentOS Stream 10
<@siosm:matrix.org>
17:16:33
so we don't have to do anything in FCOS, but we can consider removing them. We would need a deprecation phase, etc.
<@dustymabe:matrix.org>
17:17:02
so this is kind of a "if it's not in stream 10, it won't be in RHEL 10, so it won't be in RHCOS" logic?
<@jbtrystram:matrix.org>
17:17:19
How are people supposed to do teaming ? kargs only ?
<@dustymabe:matrix.org>
17:17:44
I always felt teaming was a bit of an idea, but not many people used it over bonding
<@dustymabe:matrix.org>
17:18:16
IIUC teaming is just another form of bonding, but it uses a userspace utility and not the built in kernel functionality
<@siosm:matrix.org>
17:18:21
I've never used it so I don't know. We would probably need someone to reach out to the networking team to chat about it?
<@jlebon:fedora.im>
17:18:25
wait, is teaming older or newer than the bonding support?
<@dustymabe:matrix.org>
17:18:38
teaming is newer IIUC
<@jlebon:fedora.im>
17:18:58
ok, that's what i thought. rhbz https://bugzilla.redhat.com/show_bug.cgi?id=1935544 says:
> The already available replacement is the bonding driver
which makes it sound like the opposite
<@jbtrystram:matrix.org>
17:19:34
teaming seems to be more featureful according to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-comparison_of_network_teaming_to_bonding
<@dustymabe:matrix.org>
17:19:35
that bug is private
<@jlebon:fedora.im>
17:19:48
dustymabe: gahhh, sorry
<@jlebon:fedora.im>
17:20:02
i was trying to find the original reason behind the removal
<@jlebon:fedora.im>
17:20:13
it seems like it was already marked as deprecated in RHEL9
<@jlebon:fedora.im>
17:20:53
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/deprecated-functionality#deprecated-functionality-networking
<@jlebon:fedora.im>
17:21:29
given that it's the same maintainers in Fedora, we should probably also consider removing support for it from FCOS too
<@dustymabe:matrix.org>
17:21:55
right. I asked two questions in the ticket:
will it be removed from upstream or from Fedora?
even if it isn't removed from upstream or from Fedora should we consider removing it from FCOS?
<@dustymabe:matrix.org>
17:22:10
in the case of 1. we have no decision to make here - just action for when it happens
<@dustymabe:matrix.org>
17:22:19
in the case of 2. we'd need to decide that
<@dustymabe:matrix.org>
17:22:40
maybe let's find out the answer to 1. first and then we can discuss 2. ?
<@jlebon:fedora.im>
17:22:56
SGTM
<@dustymabe:matrix.org>
17:23:21
would be great if we could get a volunteer to reach out to the NM team to ask about this
<@dustymabe:matrix.org>
17:23:29
I imagine they would be the ones who might know
<@dustymabe:matrix.org>
17:23:38
any takers?
<@dustymabe:matrix.org>
17:24:32
(and as always, this is a learning experience for someone)
<@siosm:matrix.org>
17:24:39
Well, I can do it, but would be good if someone else did
<@siosm:matrix.org>
17:24:46
to create connections regarding networking
<@ravanelli:matrix.org>
17:25:10
I can
<@dustymabe:matrix.org>
17:25:23
🎉
<@dustymabe:matrix.org>
17:25:35
jbtrystram: want to action that?
<@ravanelli:matrix.org>
17:26:17
travier: if you can share some contact with me ;)
<@jbtrystram:matrix.org>
17:26:35
!action ravanelli to contact the libteam maintainers to figure out if they intend to drop the package from fedora
<@siosm:matrix.org>
17:26:38
Renata Ravanelli: sure, let's sync about that :)
<@siosm:matrix.org>
17:27:09
let's move to open discussion?
<@jbtrystram:matrix.org>
17:27:28
https://lists.fedorahosted.org/archives/list/libteam@lists.fedorahosted.org/thread/YETC5RAS3QZAFFJT5KNDLJURNWSIOA4Q/
<@jbtrystram:matrix.org>
17:28:24
we couldn't go through all the topics so I'll re-add the labels for next week :)
<@jbtrystram:matrix.org>
17:28:25
!topic Open Floor
<@siosm:matrix.org>
17:29:25
Well, you'll have to not remove them :)
<@dustymabe:matrix.org>
17:30:00
Hopefully next time we'll have F41 changes to go through!
<@jbtrystram:matrix.org>
17:30:30
I have a quick question
<@jlebon:fedora.im>
17:30:36
do we want to do a video meeting soon to go over https://github.com/coreos/fedora-coreos-tracker/issues/1726 ?
<@jbtrystram:matrix.org>
17:32:28
I've been looking at the releng side of things today, and I am unsure about the purpose of the `bodhi-updates` stream. If all changes there are automatically added to `testing-devel` through the `bump-lockfile` job, why not simply have `testing-devel` pull rpm from the updates repo and remove the bodhi-update stream ?
<@dustymabe:matrix.org>
17:33:06
I think at one time we believed we needed it, but we haven't used it in a long time. I think we can drop it
<@dogphilosopher:fedora.im>
17:33:14
How do video meetings typically get scheduled?
<@jbtrystram:matrix.org>
17:34:20
oh so I am not missing a detail :) I'll file something so it can be discussed further. Thanks
<@apiaseck:matrix.org>
17:34:45
Need to drop, thanks for running jbtrystram. Thanks all.
<@siosm:matrix.org>
17:34:59
https://github.com/coreos/fedora-coreos-tracker/issues/779
<@siosm:matrix.org>
17:35:23
dogphilosopher: we make an issue about it and announce it
<@dustymabe:matrix.org>
17:35:57
yeah. we'd like to do it more, but it's more work to set up than the IRC meeting
<@dustymabe:matrix.org>
17:36:11
so someone would have to own organizing it more
<@dogphilosopher:fedora.im>
17:36:24
I am very +1 on this idea.
<@siosm:matrix.org>
17:36:32
and it needs a dedicated secretary
<@dustymabe:matrix.org>
17:36:33
(and also capturing the discussion in text form for others outside of the meeting to consume)
<@dogphilosopher:fedora.im>
17:37:29
Is there any kind of transcription software we can use?
<@dustymabe:matrix.org>
17:38:12
maybe :)
<@dustymabe:matrix.org>
17:38:15
I need to run for now
<@dustymabe:matrix.org>
17:38:21
thanks jbtrystram for running the meeting!
<@siosm:matrix.org>
17:38:41
There is a transcript functionality in Google Meet but it's never fully accurate and does not follow the formalism of decisions, etc
<@jbtrystram:matrix.org>
17:40:05
also the video calls are really high bandwidth which is more productive but make following the discussion way harder for the new members
<@jlebon:fedora.im>
17:40:08
agree re. taking notes
i think we can chat about this in #coreos:fedoraproject.org. we'll announce it if it happens next week.
<@jbtrystram:matrix.org>
17:40:45
if there is nothing else i'll end the meeting :)
<@siosm:matrix.org>
17:41:48
sounds good. we are overtime
<@jbtrystram:matrix.org>
17:41:53
!endmeeting