16:30:10 <dustymabe> #startmeeting fedora_coreos_meeting
16:30:10 <zodbot> Meeting started Wed Apr 22 16:30:10 2020 UTC.
16:30:10 <zodbot> This meeting is logged and archived in a public location.
16:30:10 <zodbot> The chair is dustymabe. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:30:10 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:30:10 <zodbot> The meeting name has been set to 'fedora_coreos_meeting'
16:30:14 <dustymabe> #topic roll call
16:30:21 <cyberpear> .hello2
16:30:22 <zodbot> cyberpear: cyberpear 'James Cassell' <fedoraproject@cyberpear.com>
16:30:38 <jlebon> .hello2
16:30:39 <zodbot> jlebon: jlebon 'None' <jonathan@jlebon.com>
16:30:44 <dustymabe> .hello2
16:30:45 <zodbot> dustymabe: dustymabe 'Dusty Mabe' <dusty@dustymabe.com>
16:30:47 <darkmuggle> .hello2
16:30:48 <zodbot> darkmuggle: darkmuggle 'None' <me@darkmuggle.org>
16:30:53 <skunkerk> .hello sohank2602
16:30:54 <zodbot> skunkerk: sohank2602 'Sohan Kunkerkar' <skunkerk@redhat.com>
16:31:02 <lorbus> .hello2
16:31:03 <zodbot> lorbus: lorbus 'Christian Glombek' <cglombek@redhat.com>
16:31:41 <kaeso[m]> .hello lucab
16:31:42 <zodbot> kaeso[m]: lucab 'Luca Bruno' <lucab@redhat.com>
16:32:35 <dustymabe> #chair cyberpear jlebon skunkerk lorbus kaeso[m]
16:32:35 <zodbot> Current chairs: cyberpear dustymabe jlebon kaeso[m] lorbus skunkerk
16:33:40 <dustymabe> #topic Action items from last meeting
16:33:45 <dustymabe> * dustymabe to open an 'include audit' ticket to discuss things we want
16:33:47 <dustymabe> to fix and links to tracker issues
16:34:26 <dustymabe> #info dustymabe opened the include audit ticket with relevant summary from last meeting: https://github.com/coreos/fedora-coreos-tracker/issues/461
16:34:47 <dustymabe> looks like that was the only action item from last meeting
16:35:03 <dustymabe> #topic meeting agenda
16:35:45 <dustymabe> #info reminder that if there are tickets or issues you would like to discuss in the meetings please add a meeting label to the issue or comment in the ticket to request a meeting label be added
16:36:09 <dustymabe> For today we have two meeting tickets that are non-technical in nature
16:36:33 <dustymabe> #topic 2020-04-22: gather status update for Fedora Council
16:36:37 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/450
16:37:28 <dustymabe> The summary here is that there is a higher place in Fedora where different Editions report back periodically to raise awareness.
16:38:06 <dustymabe> We should start taking part in this process. One way to do that is to try to gather some info ~ once a month in these meetings and take it back to the counci
16:38:09 <dustymabe> council*
16:38:36 <dustymabe> So... What are some things we've done over the past month that are high level wins for the project?
16:38:40 <jlebon> is this just for the council, or does it end up in other more user-facing places?
16:39:43 <dustymabe> I think ben cotten does a blog about them too
16:39:56 <dustymabe> on one of the Fedora blogs
16:40:58 * dustymabe notes this probably can overlap with us getting our release notes story in a better place
16:41:01 <dustymabe> https://github.com/coreos/fedora-coreos-tracker/issues/194
16:41:53 <dustymabe> - got image uploads going into GCP
16:42:11 <dustymabe> - producing digitalocean artifacts that can be used with the custom image upload option
16:42:39 <jlebon> - got next and next-devel streams set up
16:42:50 <dustymabe> I think pierro777 was mentioning something about exoscale having FCOS properly in there now too
16:43:03 <jlebon> - something about static networking/nmtui UX?
16:43:10 <kaeso[m]> - deployed all expected release-engineering streams: stable, testing, next
16:43:51 <dustymabe> jlebon: yeah I'll mention NM in the initrd - I'll hold off on nmtui because the installer work hasn't landed in a release yet
16:44:28 <cyberpear> When do we think we'll rebase to F32?
16:44:30 <dustymabe> jlebon: osmet, probably for the next report ?
16:44:50 <jlebon> dustymabe: yeah, probably
16:45:50 <jlebon> cyberpear: likely within a month of GA i'd say
16:45:58 <dustymabe> cyberpear: no official plans yet. i think the general thoughts when we were first coming up with this design is that we'd transition a month or so after N gets released. It may be a little longer for f32 just because we are still setting up all the machinery and might want to give it a little more soak time
16:46:21 <dustymabe> jlebon: which reminds me.. we need to add a docs page for our next stream
16:46:35 <dustymabe> and probably send a coreos-status email about it to raise some awareness
16:47:20 <dustymabe> anything else for the council status update ?
16:47:32 <jlebon> hmm, doesn't seem like https://docs.fedoraproject.org/en-US/fedora-coreos/ talks about streams much actually
16:47:48 <jlebon> so yeah, should probably be part of updating that :)
16:48:23 <dustymabe> :) - would love a PR - that being said please let me know if you start to work on it so we both don't
16:48:28 <kaeso[m]> the metal 4k work?
16:48:47 <dustymabe> i've got to come up with some text to send mattdm about `next` for the f32 release too
16:48:56 <dustymabe> kaeso[m]: good point
16:49:20 <jlebon> hmm, not sure if that's within the last month, but since it's our first update, sure :P
16:50:24 <dustymabe> I think we've got quite the list.. Thanks all for helping compile that
16:51:14 <dustymabe> if you think of any more that we didn't mention, please do add them to the ticket https://github.com/coreos/fedora-coreos-tracker/issues/194
16:52:00 <dustymabe> #topic 4 (or 5) bullet points for marketing infographic
16:52:08 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/462
16:52:57 <dustymabe> TL;DR let's come up with a pitch for FCOS so we can get a sweet looking infographic we can use
16:53:15 <dustymabe> The one for Fedora Server is at https://pagure.io/design/issue/647#comment-579419
16:54:02 <dustymabe> kaeso[m]: had a nice proposal:
16:54:07 <dustymabe> Automation-friendly provisioning
16:54:09 <dustymabe> Focused on clusters and containerized workflows
16:54:11 <dustymabe> Multiple rolling streams
16:54:13 <dustymabe> Atomic version-control for OS content
16:54:15 <dustymabe> Auto-updates by default
16:54:23 <kaeso[m]> ah, I missed the existing format, my items are probably too verbose then
16:55:14 <dustymabe> kaeso[m]: we might be able to pare down the number of words in the title of each bullet
16:55:24 <dustymabe> and add detail in the paragraph
16:56:13 <kaeso[m]> we can probably trim all of them down, like "Automated provisioning" "OS versioning" and such
16:56:27 <jlebon> nice, kaeso[m] captured it well I think
16:56:31 <dustymabe> Should we make a toplevel bullet for security?
16:56:52 <dustymabe> we could lump SELinux in the benefits, if so
16:57:47 <kaeso[m]> I'm personally against advertising "security" anywhere
16:58:28 <dustymabe> yeah.. just was trying to add SELinux in there, which I think can be considered a big win compared to other container OS offerings
16:58:54 <dustymabe> - Automated provisioning
16:59:00 <dustymabe> - OS versioning
16:59:13 <dustymabe> - Automatic Updates
16:59:45 <dustymabe> - Cloud Native Friendly (<-- not sure about that one, the blurb would mention clusters and containers)
17:00:49 <dustymabe> possibly Security (SELinux, readonly filesystems, etc)
17:00:57 <kaeso[m]> "Cloud Native" would do it I think
17:00:58 <jlebon> - Container optimized
17:01:56 <miabbott> maybe just "SELinux enabled"
17:01:57 <dustymabe> jlebon: would that be in addition to "Cloud Native"
17:02:25 <jlebon> maybe just "Simple provisioning" instead of "Automated provisioning" ? that way we don't repeat automat* and it's not as long
17:03:01 <dustymabe> I don't think Simple conveys what we want to say, though
17:03:20 <jlebon> dustymabe: hmm, i guess it could be folded into the paragraph, though cloud native doesn't necessarily imply "container optimized"
17:04:03 <dustymabe> right but at least cloud native is ambiguous.. I think the word Simple actually leads people in the wrong direction
17:04:26 <dustymabe> I don't personally think Ignition is more simple than other provisioning tooling.. I do think it's more powerful though
17:05:47 <dustymabe> we could just say "Ignition for Provisioning" or something along those terms
17:06:02 <dustymabe> to highlight the tech and add the details about why it's better in the paragraph
17:06:44 <jlebon> sure, that WFM
17:07:04 <kaeso[m]> Ignitable!
17:07:07 <kaeso[m]> ;)
17:07:07 <dustymabe> :)y
17:07:20 <dustymabe> ok I think the only one we're kind of up in the air on is Security
17:08:22 <dustymabe> basically I think it would be nice to say something about readonly filesystems (rpm-ostree but not saying the word immutable), SELinux, etc..
17:08:50 <jlebon> maybe something softer like "Security Minded" ?
17:08:52 <dustymabe> we could incorporate those bits into some of the other bullet points
17:09:21 <dustymabe> "locked down", "tighter control"
17:09:23 <cyberpear> "no firewall by default"?
17:09:25 <dustymabe> none of these are great
17:09:31 <dustymabe> cyberpear: ouch :)
17:09:56 <dustymabe> we should probably reconsider that stance on non-clouds but maybe we should take it to another meeting or ticket
17:10:01 <jlebon> cyberpear: haha
17:10:41 <cyberpear> I understand that cloud images have considered it okay industry-wide, but for any non-cloud, I'm not aware of folks considering it okay
17:11:15 <cyberpear> (all my cloud images have firewalld), but I understand off #topic
17:11:17 <dustymabe> any other suggestions before we close off this topic ?
17:12:47 <dustymabe> #topic open floor
17:13:56 <cyberpear> so, since I mentioned it... what was the "tl;dr" for not shipping a firewall?
17:14:02 <dustymabe> #info we now have a `next` stream released - please go use it and report any issues as it will eventually become the basis for Fedora CoreOS
17:14:14 <cyberpear> I think part of it was not wanting python for firewalld?
17:14:34 <kaeso[m]> cyberpear: https://github.com/coreos/fedora-coreos-tracker/issues/467#issuecomment-617283081
17:14:37 <lorbus> I wish firewalld was non-python. anybody up for a rewrite in C or rust? trollface
17:14:42 <dustymabe> #link https://getfedora.org/en/coreos/download?tab=cloud_launchable&stream=next
17:15:11 <lorbus> cyberpear: yeh, we've decided not to ship the Python interpreter in the OS base...
17:15:38 <dustymabe> hmm I don't really think it was related to iptables vs firewalld though
17:15:53 <kaeso[m]> I'm feeling mounting pressure on https://github.com/coreos/fedora-coreos-tracker/issues/404, it would be good to have the RPM reshaped quickly
17:16:01 <lorbus> gotta admit that firewalld's UX is great
17:16:05 <dustymabe> even if we did include firewalld. making it enabled by default would be a separate decision
17:16:06 <cyberpear> then we'd need fcct to also support firewall
17:16:17 <cyberpear> firewalld dropins wouldn't be nice, though, since XML
17:16:24 <cyberpear> the CLI is really awesome
17:16:41 <cyberpear> the only thing it doesn't do well for me is outbound filtering
17:17:37 <dustymabe> kaeso[m]: and there is an open request to get the rpm reshaped ?
17:17:44 <cyberpear> I haven't looked... does RHCOS have a firewall?
17:18:18 <kaeso[m]> dustymabe: https://github.com/coreos/fedora-coreos-tracker/issues/404#issuecomment-600003946
17:19:01 <dustymabe> kaeso[m]: no traction upstream, huh?
17:19:47 <dustymabe> next best option is to open a PR.. intermediate plan could be to just delete the pieces we don't want at rpm-ostree compose time while we wait on upstream.
17:19:55 <kaeso[m]> cyberpear: containerized services in openshift/kubernetes run in the overlay network, which has its own filtering policy
17:20:03 <dustymabe> the only problem with doing that is it makes it hard to "layer" the other pieces if the user really does need it
17:20:10 <kaeso[m]> (which is exactly Colin's point in link above)
17:20:43 <kaeso[m]> dustymabe: not in a hurry, just wondering if anybody is in touch with the RPM maintainer
17:21:06 <dustymabe> Paul P Komkoff Jr is the assignee - don't know him
17:22:51 <dustymabe> cyberpear: maybe open a ticket and we can have a proper discussion.. i'd encourage you to leave firewalld out of it though as it's a question of enabled firewall by default and not a tech choice, correct?
17:24:28 <dustymabe> any other items for open floor before we close out?
17:25:48 <dustymabe> #endmeeting