15:13:15 <davdunc> #startmeeting fedora_cloud_meeting
15:13:16 <zodbot> Meeting started Thu Sep  1 15:13:15 2022 UTC.
15:13:16 <zodbot> This meeting is logged and archived in a public location.
15:13:16 <zodbot> The chair is davdunc. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
15:13:16 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:13:16 <zodbot> The meeting name has been set to 'fedora_cloud_meeting'
15:13:28 <davdunc> #topic roll call
15:13:32 <mhayden> .hello mhayden
15:13:33 <zodbot> mhayden: mhayden 'Major Hayden' <mhayden@redhat.com>
15:13:42 <davdunc> #chair mhayden spotz
15:13:42 <zodbot> Current chairs: davdunc mhayden spotz
15:13:44 * Eighth_Doctor waves
15:13:54 <davdunc> #chair mhayden spotz Eighth_Doctor
15:13:54 <zodbot> Current chairs: Eighth_Doctor davdunc mhayden spotz
15:14:00 <mikelo> .hello mikelo2
15:14:00 * mhayden waits for Ninth_Doctor
15:14:02 <zodbot> mikelo: mikelo2 'Mikel Olasagasti Uranga' <mikel@olasagasti.info>
15:14:06 <dduffey> .hello dduffey
15:14:07 <zodbot> dduffey: dduffey 'None' <david.duffey@treeotech.com>
15:14:12 <davdunc> #chair mhayden spotz Eighth_Doctor dduffey mikelo
15:14:12 <zodbot> Current chairs: Eighth_Doctor davdunc dduffey mhayden mikelo spotz
15:14:19 <Eighth_Doctor> .hello ngompa
15:14:20 <zodbot> Eighth_Doctor: ngompa 'Neal Gompa' <ngompa13@gmail.com>
15:14:29 <davdunc> #chair mhayden spotz Eighth_Doctor dduffey mikelo ngompa
15:14:29 <zodbot> Current chairs: Eighth_Doctor davdunc dduffey mhayden mikelo ngompa spotz
15:14:34 <spotz> Also in the OpenStack TC meeting:)
15:14:58 <davdunc> spotz: you are always welcome. will ping if something comes up.
15:15:35 <davdunc> apologies folks. I was writing and lost the top of hour.
15:15:40 <spotz> We're video this week so at least I can keep this channel open vs flip flopping
15:15:51 <dduffey> I was reading and joined "on time"
15:16:57 <davdunc> dduffey: stop bragging. :)
15:18:19 <dduffey> I would have been late without you
15:18:38 <Eighth_Doctor> I'm having power issues right now
15:18:50 <davdunc> #topic Action items from last meeting
15:18:57 <davdunc> Eighth_Doctor: too much power?
15:19:04 <davdunc> :D
15:19:33 <cjp256> .hello cjp256
15:19:34 <zodbot> cjp256: cjp256 'Chris Patterson' <cjp256@gmail.com>
15:19:41 <Eighth_Doctor> alas, not enough :(
15:21:59 <davdunc> okay. meeting notes fail.
15:23:02 * mhayden would like to submit the cloud guidelines stuff as a topic for today 😉
15:23:11 <davdunc> mhayden: that sounds good.
15:23:23 <mhayden> also, the FESCo walinuxagent issue deserves some attention
15:23:28 * davdunc Let's start with business from the last meeting that dduffey would like to get done.
15:23:58 <davdunc> #topic kickstart for the azure marketplace
15:24:39 <davdunc> so we have that FESCo ticket that is standing in the conversation.
15:24:56 <cjp256> https://pagure.io/fesco/issue/2849
15:25:06 <davdunc> #link https://pagure.io/fesco/issue/2849
15:25:21 <davdunc> #chair cjp256
15:25:21 <zodbot> Current chairs: Eighth_Doctor cjp256 davdunc dduffey mhayden mikelo ngompa spotz
15:25:35 <davdunc> thanks cjp256 for the link.
15:25:43 <mhayden> cjp256++
15:25:45 <zodbot> mhayden: Karma for cjp256 changed to 1 (for the current release cycle):  https://badges.fedoraproject.org/tags/cookie/any
15:26:01 * davdunc mhayden: would you like to open up?
15:26:18 <cjp256> no problem.  I opened up a PR upstream WALinuxAgent to add the conditionvirtualiation=microsoft to get their opinion on that
15:27:21 * davdunc this seems like a good change and I would love to see it on the other agents of similar type.
15:27:23 <mhayden> sgallagh has a good suggestion there about putting in a conditional that would keep the service from running if it's not running on a microsoft hypervisor
15:27:41 <mhayden> i'd like to do the same for google's images now that i finished packaging the agents, so i'm watching closely
15:28:04 <davdunc> yea. and similarly the SSM agent
15:28:16 <davdunc> ssm agent for AWS
15:28:17 <mhayden> indeed
15:28:57 <davdunc> i think it's a great basic stopgap, so we know that there is a modification from what is intended (signed).
15:29:10 <sgallagh> To be fair, it was Neal's comment that I was endorsing.
15:29:28 <davdunc> #chair sgallagh
15:29:28 <zodbot> Current chairs: Eighth_Doctor cjp256 davdunc dduffey mhayden mikelo ngompa sgallagh spotz
15:29:48 <sgallagh> I'd also check on Google's agents, because I think they do the option 1) internally (but I could be misremembering)
15:30:51 <davdunc> well, I think it's a good policy to prevent accidental action.
15:31:13 <Eighth_Doctor> I don't know if you can actually check for google? they're a kvm based thingy
15:31:14 <Eighth_Doctor> so option 1 was required there, afaik
15:31:34 <davdunc> There is always the expectation that this kind of thing is better upstream, but is this something we can make a part of our build logic?
15:31:44 <dduffey> That's probably a good suggestion to bring back to walinuxagent team cjp256, any harm in checking twice?
15:32:13 <Eighth_Doctor> https://www.freedesktop.org/software/systemd/man/systemd-detect-virt.html
15:32:23 <cjp256> mhayden: I assume your request for a devel thread is still relevant, is there anything in particular outcome you are looking for? or is just a notification of the fesco ticket?
15:32:43 <Eighth_Doctor> maybe it'd be worth asking the GCP folks if they could add something to systemd-detect-virt for GCP
15:32:43 <sgallagh> Yeah, Google isn't specifically identified by `systemd-detect-virt`
15:32:43 <Eighth_Doctor> just to add a second guard
15:32:47 <dduffey> "That's" == walinuxagent startup checking internally
15:32:48 <sgallagh> That would be a good idea in general
15:33:05 <mhayden> yeah, if we go this route, we need some way to know when we are running on google
15:33:22 <mhayden> *OR* this could be done in the image build so that walinuxagent is only installed on an image meant for azure
15:33:26 <Eighth_Doctor> aws xen is also not detectable, so davdunc, could you find out if that's a thing that could be added?
15:33:43 <sgallagh> Actually, in general I'd prefer the `systemd-detect-virt` enhancements because that could be useful for other applications as well.
15:33:54 <dduffey> mhayden, I think was the plan, but there was concern that someone may accidently try to run the azure image somewhere else
15:33:58 <mhayden> within RHEL, we only put the walinuxagent in the image that is shipped to azure. it doesn't show up in any other cloud images
15:34:24 <sgallagh> mhayden: That's not possible to guarantee though
15:34:37 <davdunc> Eighth_Doctor: there is a serial no identifier for all machines there.  It was built for software license host identification and is in all instances.
15:34:59 <mhayden> sgallagh: well, true, someone could take an azure image to aws but they would have a bad time
15:34:59 <sgallagh> Anyone can do a `dnf install walinuxagent` or pull it in via a (possibly malicious) dependency.
15:35:03 <davdunc> +1 to sgallagh idea here.
15:35:35 <Eighth_Doctor> walinuxagent is also required for local hyperv
15:36:02 <Eighth_Doctor> despite the name, it's the guest agent for all Hyper-V based hypervisor platforms
15:36:35 <davdunc> well, I like the idea of the detection in the systemd and it could definitely be extended to more local environments, could it not?
15:36:59 <davdunc> plus it solves the problem for additional distributions/flavors
15:37:17 <sgallagh> mhayden: I'm (maybe too) concerned about sophisticated attacks where someone tricks a system into loading that service and then hijacks it using a known vulnerability.
15:37:25 <sgallagh> So limiting that vector to actual Microsoft hypervisors is... better.
15:37:41 <mhayden> well, we have those issues with other packages, too
15:37:48 <davdunc> indeed.
15:38:06 <mhayden> walinuxagent is sort of a trusted rootkit 🤷🏻‍♂️
15:38:11 <dduffey> I share sgallagh's concern, would not want that to happen
15:38:21 <sgallagh> Which is why we have the "doesn't alter other packages" rule :)
15:38:25 <cjp256> we could back to the starting point and just enable it in the Azure kickstart :D
15:38:32 <sgallagh> (For enabling by default)
15:38:54 <dduffey> for clarity, what other packages does it alter?
15:40:28 <mhayden> i know walinuxagent can install additional packages if requested
15:40:36 <mhayden> or adjust certain services
15:40:46 <mhayden> (among other things)
15:40:51 <sgallagh> dduffey: My understanding is that it can tweak a wide variety of system configs
15:40:54 <davdunc> cjp256: that solves the problem of "enabled by default"
15:41:05 <sgallagh> 🚩🚩🚩
15:41:52 <mhayden> at a high level we're trading off "walinuxagent provides value to fedora users in azure via automation they get with other images" versus "walinuxagent does a lot of things that raise concerns with users"
15:41:56 <davdunc> sgallagh: that's the role of both it and cloud-init
15:42:26 <sgallagh> Oh, I'm aware.
15:42:44 <sgallagh> Those red flags are why it's being discussed rather than waved on through
15:42:49 <mhayden> azure + cloud-init minus walinuxagent is still a fully-functional cloud experience
15:43:10 <davdunc> understood. I think this was your intent to broaden the scope and have a way forward for the future.
15:43:18 <davdunc> sgallagh: ^
15:43:50 <sgallagh> Exactly
15:44:25 <dduffey> Agree we should not wave on through.  If we can get concrete on improvements to walinuxagent to address common concerns we can take that back
15:45:23 <davdunc> I am way more +1 on the systemd-detect-virt as the enabler.
15:46:15 * davdunc is that on the table here too?
15:46:51 <sgallagh> davdunc: That's already available and is exactly the MR that cjp256 just sent upstream
15:47:01 <davdunc> gotcha.
15:47:02 <sgallagh> We can carry it in Fedora until upstream decides on it, to not block.
15:47:27 <davdunc> I see.
15:48:45 <cjp256> I can open a MR for that in Fedora
15:49:31 <mhayden> sounds like we're moving forward on this one 😉 baby steps!
15:50:01 <davdunc> yea. I am excited. I think we have a clear concept now for how this _should_ by handled in this and other agents of the sort.
15:50:24 <mhayden> 👏🏻
15:50:26 <davdunc> especially since the "not-invented-here" bug is so severe in every case.
15:50:38 <cjp256> 👍
15:50:52 <mhayden> 🎊
15:51:11 <mhayden> sgallagh++
15:51:11 <zodbot> mhayden: Karma for sgallagh changed to 1 (for the current release cycle):  https://badges.fedoraproject.org/tags/cookie/any
15:51:17 <davdunc> but with the right handles in the virt identify, then we are golden!
15:51:23 <davdunc> sgallagh++
15:51:23 <zodbot> davdunc: Karma for sgallagh changed to 2 (for the current release cycle):  https://badges.fedoraproject.org/tags/cookie/any
15:51:27 * davdunc for sure!
15:52:19 <davdunc> okay.
15:53:00 * davdunc do we have a summary for what we think is the actual result of this discussion?
15:54:02 <davdunc> dduffey: could you give it a shot?
15:54:24 <dduffey> passing to cjp256
15:55:38 <cjp256> Open MR to Fedora's WALinuxAgent package to set ConditionVirtualization=microsoft.  Continue to follow up with upstream to make sure they have no objection.
15:55:53 <dduffey> cjp256++
15:55:53 <zodbot> dduffey: Karma for cjp256 changed to 2 (for the current release cycle):  https://badges.fedoraproject.org/tags/cookie/any
15:56:14 <davdunc> cjp256: thanks. That's great.
15:56:53 <cjp256> Only question is if a devel thread is still appropriate, and what its contents should include.
15:59:20 <sgallagh> I think updating the FESCo ticket with the plan summary is probably sufficient.
15:59:21 <davdunc> so here is my summary. We want to ensure that any of the bespoke agents are enabled only in the environments for which they are intended. In order to ensure this, the cloud team intends to instruct them to use the systemd-describe-virt results. If the results of that output do not provide suitable detail to match the environment, then we will work with the agent provider to determine the best path forward.
15:59:47 <sgallagh> mhayden and I can take it from there, I suspect.
15:59:59 <sgallagh> davdunc: Sounds perfect to me
16:00:48 <dduffey> davdunc++
16:00:48 <zodbot> dduffey: Karma for davdunc changed to 1 (for the current release cycle):  https://badges.fedoraproject.org/tags/cookie/any
16:00:50 <davdunc> sgallagh: thanks. I want this to be appropriate for mhayden's document that we will get to ... uh next time. :)
16:01:09 <davdunc> should we vote here?
16:01:19 <davdunc> or just agree?
16:01:36 <geppetto> Do you want us to run the FPC meeting in a different room?
16:02:10 <gotmax> 2 seems open
16:02:22 <cjp256> next week I'll start asking the harder questions, like how we get the Azure images generated :)
16:02:24 <davdunc> sorry, getting delays
16:02:35 <gotmax> .nextmeeting #fedora-meeting2
16:02:36 <zodbot> gotmax: b'There are no meetings scheduled for #fedora-meeting2.'
16:02:50 <davdunc> geppetto gotmax that's very kind.
16:02:58 <davdunc> we can get out of the way though.
16:03:24 <dduffey> and the following week how do we make sure in guest updates don't break :)