16:30:10 <dustymabe> #startmeeting fedora_coreos_meeting
16:30:10 <zodbot> Meeting started Wed Apr 22 16:30:10 2020 UTC.
16:30:10 <zodbot> This meeting is logged and archived in a public location.
16:30:10 <zodbot> The chair is dustymabe. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:30:10 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:30:10 <zodbot> The meeting name has been set to 'fedora_coreos_meeting'
16:30:14 <dustymabe> #topic roll call
16:30:21 <cyberpear> .hello2
16:30:22 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
16:30:38 <jlebon> .hello2
16:30:39 <zodbot> jlebon: jlebon 'None' <jonathan@jlebon.com>
16:30:44 <dustymabe> .hello2
16:30:45 <zodbot> dustymabe: dustymabe 'Dusty Mabe' <dusty@dustymabe.com>
16:30:47 <darkmuggle> .hello2
16:30:48 <zodbot> darkmuggle: darkmuggle 'None' <me@darkmuggle.org>
16:30:53 <skunkerk> .hello sohank2602
16:30:54 <zodbot> skunkerk: sohank2602 'Sohan Kunkerkar' <skunkerk@redhat.com>
16:31:02 <lorbus> .hello2
16:31:03 <zodbot> lorbus: lorbus 'Christian Glombek' <cglombek@redhat.com>
16:31:41 <kaeso[m]> .hello lucab
16:31:42 <zodbot> kaeso[m]: lucab 'Luca Bruno' <lucab@redhat.com>
16:32:35 <dustymabe> #chair cyberpear jlebon skunkerk lorbus kaeso[m]
16:32:35 <zodbot> Current chairs: cyberpear dustymabe jlebon kaeso[m] lorbus skunkerk
16:33:40 <dustymabe> #topic Action items from last meeting
16:33:45 <dustymabe> * dustymabe to open an 'include audit' ticket to discuss things we want
16:33:47 <dustymabe> to fix and links to tracker issues
16:34:26 <dustymabe> #info dustymabe opened the include audit ticket with relevant summary from last meeting: https://github.com/coreos/fedora-coreos-tracker/issues/461
16:34:47 <dustymabe> looks that was the only action item from last meeting
16:35:03 <dustymabe> #topic meeting agenda
16:35:45 <dustymabe> #info reminder that if there are tickets or issues you would like to discuss in the meetings please add a meeting label to the issue or comment in the ticket to request a meeting label be added
16:36:09 <dustymabe> For today we have two meeting tickets that are non-technical in nature
16:36:33 <dustymabe> #topic 2020-04-22: gather status update for Fedora Council
16:36:37 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/450
16:37:28 <dustymabe> The summary here is that there is a higher place in Fedora where different Editions report back periodically to raise awareness.
16:38:06 <dustymabe> We should start taking part in this process. One way to do that is to try to gather some info ~ once a month in these meetings and take it back to the counci
16:38:09 <dustymabe> council*
16:38:36 <dustymabe> So... What are some things we've done over the past month that are high level wins for the project?
16:38:40 <jlebon> is this just for the council, or does it end up in other more user-facing places?
16:39:43 <dustymabe> I think ben cotten does a blog about them too
16:39:56 <dustymabe> on one of the Fedora blogs
16:40:58 * dustymabe notes this probably can overlap with us getting our release notes story in a better place
16:41:01 <dustymabe> https://github.com/coreos/fedora-coreos-tracker/issues/194
16:41:53 <dustymabe> - got image uploads going into GCP
16:42:11 <dustymabe> - producing digitalocean artifacts that can be used with the custom image upload option
16:42:39 <jlebon> - got next and next-devel streams set up
16:42:50 <dustymabe> I think pierro777 was mentioning something about exoscale having FCOS properly in there now too
16:43:03 <jlebon> - something about static networking/nmtui UX?
16:43:10 <kaeso[m]> - deployed all expected release-engineering streams: stable, testing, next
16:43:51 <dustymabe> jlebon: yeah I'll mention NM in the initrd - I'll hold off on nmtui because the installer work hasn't landed in a release yet
16:44:28 <cyberpear> When do we think we'll rebase to F32?
16:44:30 <dustymabe> jlebon: osmet, probably for the next report ?
16:44:50 <jlebon> dustymabe: yeah, probably
16:45:50 <jlebon> cyberpear: likely within a month of GA i'd say
16:45:58 <dustymabe> cyberpear: no official plans yet. i think the general thoughts when we were first coming up with this design is that we'd transition a month or so after N gets released. It may be a little longer for f32 just because we are still setting up all the machinery and might want to give it a little more soak time
16:46:21 <dustymabe> jlebon: which reminds me.. we need to add a docs page for our next stream
16:46:35 <dustymabe> and probably send a coreos-status email about it to raise some awareness
16:47:20 <dustymabe> anything else for the council status update ?
16:47:32 <jlebon> hmm, doesn't seem like https://docs.fedoraproject.org/en-US/fedora-coreos/ talks about streams much actually
16:47:48 <jlebon> so yeah, should probably be part of updating that :)
16:48:23 <dustymabe> :) - would love a PR - that being said please let me know if you start to work on it so we both don't
16:48:28 <kaeso[m]> the metal 4k work?
16:48:47 <dustymabe> i've got to come up with some text to send mattdm about `next` for the f32 release too
16:48:56 <dustymabe> kaeso[m]: good point
16:49:20 <jlebon> hmm, not sure if that's within the last month, but since it's our first update, sure :P
16:50:24 <dustymabe> I think we've got quite the list.. Thanks all for helping compile that
16:51:14 <dustymabe> if you think of any more that we didn't mention, please do add them to the ticket https://github.com/coreos/fedora-coreos-tracker/issues/194
16:52:00 <dustymabe> #topic 4 (or 5) bullet points for marketing infographic
16:52:08 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/462
16:52:57 <dustymabe> TL;DR let's come up with a pitch for FCOS so we can get a sweet looking infographic we can use
16:53:15 <dustymabe> The one for Fedora Server is at https://pagure.io/design/issue/647#comment-579419
16:54:02 <dustymabe> kaeso[m]: had a nice proposal:
16:54:07 <dustymabe> Automation-friendly provisioning
16:54:09 <dustymabe> Focused on clusters and containerized workflows
16:54:11 <dustymabe> Multiple rolling streams
16:54:13 <dustymabe> Atomic version-control for OS content
16:54:15 <dustymabe> Auto-updates by default
16:54:23 <kaeso[m]> ah, I missed the existing format, my items are probably too verbose then
16:55:14 <dustymabe> kaeso[m]: we might be able to pare down the number of words in the title of each bullet
16:55:24 <dustymabe> and add detail in the paragraph
16:56:13 <kaeso[m]> we can probably trim all of them down, like "Automated provisioning" "OS versioning" and such
16:56:27 <jlebon> nice, kaeso[m] captured it well I think
16:56:31 <dustymabe> Should we make a toplevel bullet for security?
16:56:52 <dustymabe> we could lump SELinux in the benefits, if so
16:57:47 <kaeso[m]> I'm personally against advertising "security" anywhere
16:58:28 <dustymabe> yeah.. just was trying to add SELinux in there, which I think can be considered a big win compared to other container OS offerings
16:58:54 <dustymabe> - Automated provisioning
16:59:00 <dustymabe> - OS versioning
16:59:13 <dustymabe> - Automatic Updates
16:59:45 <dustymabe> - Cloud Native Friendly (<-- not sure about that one, the blurb would mention clusters and containers)
17:00:49 <dustymabe> possibly Security (SELinux, readonly filesystems, etc)
17:00:57 <kaeso[m]> "Cloud Native" would do it I think
17:00:58 <jlebon> - Container optimized
17:01:56 <miabbott> maybe just "SELinux enabled"
17:01:57 <dustymabe> jlebon: would that be in addition to "Cloud Native"
17:02:25 <jlebon> maybe just "Simple provisioning" instead of "Automated provisioning" ? that way we don't repeat automat* and it's not as long
17:03:01 <dustymabe> I don't think Simple conveys what we want to say, though
17:03:20 <jlebon> dustymabe: hmm, i guess it could be folded into the paragraph, though cloud native doesn't necessarily imply "container optimized"
17:04:03 <dustymabe> right but at least cloud native is ambiguous.. I think the word Simple actually leads people in the wrong direction
17:04:26 <dustymabe> I don't personally think Ignition is more simple than other provisioning tooling.. I do think it's more powerful though
17:05:47 <dustymabe> we could just say "Ignition for Provisioning" or something along those terms
17:06:02 <dustymabe> to highlight the tech and add the details about why it's better in the paragraph
17:06:44 <jlebon> sure, that WFM
17:07:04 <kaeso[m]> Ignitable!
17:07:07 <kaeso[m]> ;)
17:07:07 <dustymabe> :)y
17:07:20 <dustymabe> ok I think the only one we're kind of up in the air on is Security
17:08:22 <dustymabe> basically I think it would be nice to say something about readonly filesystems (rpm-ostree but not saying the word immutable), SELinux, etc..
17:08:50 <jlebon> maybe something softer like "Security Minded" ?
17:08:52 <dustymabe> we could incorporate those bits into some of the other bullet points
17:09:21 <dustymabe> "locked down", "tighter control"
17:09:23 <cyberpear> "no firewall by default"?
17:09:25 <dustymabe> none of these are great
17:09:31 <dustymabe> cyberpear: ouch :)
17:09:56 <dustymabe> we should probably reconsider that stance on non-clouds but maybe we should take it to another meeting or ticket
17:10:01 <jlebon> cyberpear: haha
17:10:41 <cyberpear> I understand that cloud images have considered it okay industry-wide, but for any non-cloud, I'm not aware of folks considering it okay
17:11:15 <cyberpear> (all my cloud images have firewalld), but I understand off #topic
17:11:17 <dustymabe> any other suggestions before we close off this topic ?
17:12:47 <dustymabe> #topic open floor
17:13:56 <cyberpear> so, since I mentioned it... what was the "tl;dr" for not shipping a firewall?
17:14:02 <dustymabe> #info we now have a `next` stream released - please go use it and report any issues as it will eventually become the basis for Fedora CoreOS
17:14:14 <cyberpear> I think part of it was not wanting python for firewalld?
17:14:34 <kaeso[m]> cyberpear: https://github.com/coreos/fedora-coreos-tracker/issues/467#issuecomment-617283081
17:14:37 <lorbus> I wish firewalld was non-python. anybody up for a rewrite in C or rust? trollface
17:14:42 <dustymabe> #link https://getfedora.org/en/coreos/download?tab=cloud_launchable&stream=next
17:15:11 <lorbus> cyberpear: yeh, we've decided not to ship the Python interpreter in the OS base...
17:15:38 <dustymabe> hmm I don't really think it was related to iptables vs firewalld though
17:15:53 <kaeso[m]> I'm feeling mounting pressure on https://github.com/coreos/fedora-coreos-tracker/issues/404, it would be good to have the RPM reshaped quickly
17:16:01 <lorbus> gotta admit that firewalld's UX is great
17:16:05 <dustymabe> even if we did include firewalld. making it enabled by default would be a separate decision
17:16:06 <cyberpear> then we'd need fcct to also support firewall
17:16:17 <cyberpear> firewalld dropins wouldn't be nice, though, since XML
17:16:24 <cyberpear> the CLI is really awesome
17:16:41 <cyberpear> the only thing it doesn't do well for me is outbound filtering
17:17:37 <dustymabe> kaeso[m]: and there is an open request to get the rpm reshaped ?
17:17:44 <cyberpear> I haven't looked... does RHCOS have a firewall?
17:18:18 <kaeso[m]> dustymabe: https://github.com/coreos/fedora-coreos-tracker/issues/404#issuecomment-600003946
17:19:01 <dustymabe> kaeso[m]: no traction upstream, huh?
17:19:47 <dustymabe> next best option is to open a PR.. intermediate plan could be to just delete the pieces we don't want at rpm-ostree compose time while we wait on upstream.
17:19:55 <kaeso[m]> cyberpear: containerized services in openshift/kubernetes run in the overlay network, which has its own filtering policy
17:20:03 <dustymabe> the only problem with doing that is it makes it hard to "layer" the other pieces if the user really does need it
17:20:10 <kaeso[m]> (which is exactly Colin's point in link above)
17:20:43 <kaeso[m]> dustymabe: not in a hurry, just wondering if anybody is in touch with the RPM maintainer
17:21:06 <dustymabe> Paul P Komkoff Jr is the assignee - don't know him
17:22:51 <dustymabe> cyberpear: maybe open a ticket and we can have a proper discussion.. i'd encourage you to leave firewalld out of it though as it's a question of enabled firewall by default and not a tech choice, correct?
17:24:28 <dustymabe> any other items for open floor before we close out?
17:25:48 <dustymabe> #endmeeting