16:30:10 #startmeeting fedora_coreos_meeting
16:30:10 Meeting started Wed Apr 22 16:30:10 2020 UTC.
16:30:10 This meeting is logged and archived in a public location.
16:30:10 The chair is dustymabe. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:30:10 Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:30:10 The meeting name has been set to 'fedora_coreos_meeting'
16:30:14 #topic roll call
16:30:21 .hello2
16:30:22 cyberpear: cyberpear 'James Cassell'
16:30:38 .hello2
16:30:39 jlebon: jlebon 'None'
16:30:44 .hello2
16:30:45 dustymabe: dustymabe 'Dusty Mabe'
16:30:47 .hello2
16:30:48 darkmuggle: darkmuggle 'None'
16:30:53 .hello sohank2602
16:30:54 skunkerk: sohank2602 'Sohan Kunkerkar'
16:31:02 .hello2
16:31:03 lorbus: lorbus 'Christian Glombek'
16:31:41 .hello lucab
16:31:42 kaeso[m]: lucab 'Luca Bruno'
16:32:35 #chair cyberpear jlebon skunkerk lorbus kaeso[m]
16:32:35 Current chairs: cyberpear dustymabe jlebon kaeso[m] lorbus skunkerk
16:33:40 #topic Action items from last meeting
16:33:45 * dustymabe to open an 'include audit' ticket to discuss things we want
16:33:47 to fix and links to tracker issues
16:34:26 #info dustymabe opened the include audit ticket with relevant summary from last meeting: https://github.com/coreos/fedora-coreos-tracker/issues/461
16:34:47 looks like that was the only action item from last meeting
16:35:03 #topic meeting agenda
16:35:45 #info reminder that if there are tickets or issues you would like to discuss in the meetings please add a meeting label to the issue or comment in the ticket to request a meeting label be added
16:36:09 For today we have two meeting tickets that are non-technical in nature
16:36:33 #topic 2020-04-22: gather status update for Fedora Council
16:36:37 #link https://github.com/coreos/fedora-coreos-tracker/issues/450
16:37:28 The summary here is that there is a higher place in Fedora where different Editions report back periodically to raise awareness.
16:38:06 We should start taking part in this process. One way to do that is to try to gather some info ~ once a month in these meetings and take it back to the counci
16:38:09 council*
16:38:36 So... What are some things we've done over the past month that are high level wins for the project?
16:38:40 is this just for the council, or does it end up in other more user-facing places?
16:39:43 I think Ben Cotton does a blog about them too
16:39:56 on one of the Fedora blogs
16:40:58 * dustymabe notes this probably can overlap with us getting our release notes story in a better place
16:41:01 https://github.com/coreos/fedora-coreos-tracker/issues/194
16:41:53 - got image uploads going into GCP
16:42:11 - producing digitalocean artifacts that can be used with the custom image upload option
16:42:39 - got next and next-devel streams set up
16:42:50 I think pierro777 was mentioning something about exoscale having FCOS properly in there now too
16:43:03 - something about static networking/nmtui UX?
16:43:10 - deployed all expected release-engineering streams: stable, testing, next
16:43:51 jlebon: yeah I'll mention NM in the initrd - I'll hold off on nmtui because the installer work hasn't landed in a release yet
16:44:28 When do we think we'll rebase to F32?
16:44:30 jlebon: osmet, probably for the next report ?
16:44:50 dustymabe: yeah, probably
16:45:50 cyberpear: likely within a month of GA i'd say
16:45:58 cyberpear: no official plans yet. i think the general thoughts when we were first coming up with this design is that we'd transition a month or so after N gets released. It may be a little longer for f32 just because we are still setting up all the machinery and might want to give it a little more soak time
16:46:21 jlebon: which reminds me.. we need to add a docs page for our next stream
16:46:35 and probably send a coreos-status email about it to raise some awareness
16:47:20 anything else for the council status update ?
16:47:32 hmm, doesn't seem like https://docs.fedoraproject.org/en-US/fedora-coreos/ talks about streams much actually
16:47:48 so yeah, should probably be part of updating that :)
16:48:23 :) - would love a PR - that being said please let me know if you start to work on it so we both don't
16:48:28 the metal 4k work?
16:48:47 i've got to come up with some text to send mattdm about `next` for the f32 release too
16:48:56 kaeso[m]: good point
16:49:20 hmm, not sure if that's within the last month, but since it's our first update, sure :P
16:50:24 I think we've got quite the list.. Thanks all for helping compile that
16:51:14 if you think of any more that we didn't mention, please do add them to the ticket https://github.com/coreos/fedora-coreos-tracker/issues/194
16:52:00 #topic 4 (or 5) bullet points for marketing infographic
16:52:08 #link https://github.com/coreos/fedora-coreos-tracker/issues/462
16:52:57 TL;DR let's come up with a pitch for FCOS so we can get a sweet looking infographic we can use
16:53:15 The one for Fedora Server is at https://pagure.io/design/issue/647#comment-579419
16:54:02 kaeso[m]: had a nice proposal:
16:54:07 Automation-friendly provisioning
16:54:09 Focused on clusters and containerized workflows
16:54:11 Multiple rolling streams
16:54:13 Atomic version-control for OS content
16:54:15 Auto-updates by default
16:54:23 ah, I missed the existing format, my items are probably too verbose then
16:55:14 kaeso[m]: we might be able to pare down the number of words in the title of each bullet
16:55:24 and add detail in the paragraph
16:56:13 we can probably trim all of them down, like "Automated provisioning" "OS versioning" and such
16:56:27 nice, kaeso[m] captured it well I think
16:56:31 Should we make a toplevel bullet for security?
16:56:52 we could lump SELinux in the benefits, if so
16:57:47 I'm personally against advertising "security" anywhere
16:58:28 yeah.. just was trying to add SELinux in there, which I think can be considered a big win compared to other container OS offerings
16:58:54 - Automated provisioning
16:59:00 - OS versioning
16:59:13 - Automatic Updates
16:59:45 - Cloud Native Friendly (<-- not sure about that one, the blurb would mention clusters and containers)
17:00:49 possibly Security (SELinux, readonly filesystems, etc)
17:00:57 "Cloud Native" would do it I think
17:00:58 - Container optimized
17:01:56 maybe just "SELinux enabled"
17:01:57 jlebon: would that be in addition to "Cloud Native"
17:02:25 maybe just "Simple provisioning" instead of "Automated provisioning" ? that way we don't repeat automat* and it's not as long
17:03:01 I don't think Simple conveys what we want to say, though
17:03:20 dustymabe: hmm, i guess it could be folded into the paragraph, though cloud native doesn't necessarily imply "container optimized"
17:04:03 right but at least cloud native is ambiguous.. I think the word Simple actually leads people in the wrong direction
17:04:26 I don't personally think Ignition is more simple than other provisioning tooling.. I do think it's more powerful though
17:05:47 we could just say "Ignition for Provisioning" or something along those terms
17:06:02 to highlight the tech and add the details about why it's better in the paragraph
17:06:44 sure, that WFM
17:07:04 Ignitable!
17:07:07 ;)
17:07:07 :)y
17:07:20 ok I think the only one we're kind of up in the air on is Security
17:08:22 basically I think it would be nice to say something about readonly filesystems (rpm-ostree but not saying the word immutable), SELinux, etc..
17:08:50 maybe something softer like "Security Minded" ?
17:08:52 we could incorporate those bits into some of the other bullet points
17:09:21 "locked down", "tighter control"
17:09:23 "no firewall by default"?
17:09:25 none of these are great
17:09:31 cyberpear: ouch :)
17:09:56 we should probably reconsider that stance on non-clouds but maybe we should take it to another meeting or ticket
17:10:01 cyberpear: haha
17:10:41 I understand that cloud images have considered it okay industry-wide, but for any non-cloud, I'm not aware of folks considering it okay
17:11:15 (all my cloud images have firewalld), but I understand off #topic
17:11:17 any other suggestions before we close off this topic ?
17:12:47 #topic open floor
17:13:56 so, since I mentioned it... what was the "tl;dr" for not shipping a firewall?
17:14:02 #info we now have a `next` stream released - please go use it and report any issues as it will eventually become the basis for Fedora CoreOS
17:14:14 I think part of it was not wanting python for firewalld?
17:14:34 cyberpear: https://github.com/coreos/fedora-coreos-tracker/issues/467#issuecomment-617283081
17:14:37 I wish firewalld was non-python. anybody up for a rewrite in C or rust? trollface
17:14:42 #link https://getfedora.org/en/coreos/download?tab=cloud_launchable&stream=next
17:15:11 cyberpear: yeh, we've decided not to ship the Python interpreter in the OS base...
17:15:38 hmm I don't really think it was related to iptables vs firewalld though
17:15:53 I'm feeling mounting pressure on https://github.com/coreos/fedora-coreos-tracker/issues/404, it would be good to have the RPM reshaped quickly
17:16:01 gotta admit that firewalld's UX is great
17:16:05 even if we did include firewalld. making it enabled by default would be a separate decision
17:16:06 then we'd need fcct to also support firewall
17:16:17 firewalld dropins wouldn't be nice, though, since XML
17:16:24 the CLI is really awesome
17:16:41 the only thing it doesn't do well for me is outbound filtering
17:17:37 kaeso[m]: and there is an open request to get the rpm reshaped ?
17:17:44 I haven't looked... does RHCOS have a firewall?
17:18:18 dustymabe: https://github.com/coreos/fedora-coreos-tracker/issues/404#issuecomment-600003946
17:19:01 kaeso[m]: no traction upstream, huh?
17:19:47 next best option is to open a PR.. intermediate plan could be to just delete the pieces we don't want at rpm-ostree compose time while we wait on upstream.
17:19:55 cyberpear: containerized services in openshift/kubernetes run in the overlay network, which has its own filtering policy
17:20:03 the only problem with doing that is it makes it hard to "layer" the other pieces if the user really does need it
17:20:10 (which is exactly Colin's point in link above)
17:20:43 dustymabe: not in a hurry, just wondering if anybody is in touch with the RPM maintainer
17:21:06 Paul P Komkoff Jr is the assignee - don't know him
17:22:51 cyberpear: maybe open a ticket and we can have a proper discussion.. i'd encourage you to leave firewalld out of it though as it's a question of enabled firewall by default and not a tech choice, correct?
17:24:28 any other items for open floor before we close out?
17:25:48 #endmeeting