16:30:48 #startmeeting fedora_coreos_meeting 16:30:48 Meeting started Wed Apr 28 16:30:48 2021 UTC. 16:30:48 This meeting is logged and archived in a public location. 16:30:48 The chair is travier. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:30:48 Useful Commands: #action #agreed #halp #info #idea #link #topic. 16:30:48 The meeting name has been set to 'fedora_coreos_meeting' 16:30:50 .hello2 16:30:50 jaimelm: jaimelm 'Jaime Magiera' 16:30:50 .hello sohank2602 16:30:53 darkmuggle: darkmuggle 'None' 16:30:53 .hello2 16:30:55 skunkerk: sohank2602 'Sohan Kunkerkar' 16:30:56 .hi 16:30:56 .hello2 16:30:58 slowrie: slowrie 'Stephen Lowrie' 16:31:01 cyberpear: cyberpear 'James Cassell' 16:31:02 #topic roll call 16:31:03 .hello2 16:31:04 fifofonix: fifofonix 'Fifo Phonics' 16:31:06 davdunc: davdunc 'David Duncan' 16:31:37 #chair lorbus jlebon jaimelm skunkerk slowrie cyberpear davdunc fifofonix 16:31:37 Current chairs: cyberpear davdunc fifofonix jaimelm jlebon lorbus skunkerk slowrie travier 16:31:43 .hello siosm 16:31:44 travier: siosm 'Timothée Ravier' 16:32:01 .hello2 16:32:02 dustymabe: dustymabe 'Dusty Mabe' 16:32:13 #chair darkmuggle dustymabe 16:32:13 Current chairs: cyberpear darkmuggle davdunc dustymabe fifofonix jaimelm jlebon lorbus skunkerk slowrie travier 16:34:03 #topic Action items from last meeting 16:34:25 I can not find any action from last meeting so I guess we will skip that 16:34:49 my bad 16:34:54 was looking at the wrong logs 16:35:30 jlebon and dustymabe to write up proposal for https://github.com/coreos/fedora-coreos-tracker/issues/785 16:35:30 bgilbert to investigate updating the Ignition type registration 16:35:30 travier to summarize outcome in https://github.com/coreos/fedora-coreos-tracker/issues/768 16:35:30 jaimelm to create a ticket to track text edit updates for .ign/.bu 16:35:30 jaimelm bring nft changes to attention of OKD WG/developers for feedback 16:35:36 .hello jasonbrooks 16:35:37 jbrooks: jasonbrooks 'Jason Brooks' 16:35:47 #chair jbrooks 16:35:47 Current chairs: cyberpear darkmuggle davdunc dustymabe fifofonix jaimelm jbrooks jlebon lorbus skunkerk slowrie travier 16:36:22 #info jlebon and dustymabe posted proposal in https://github.com/coreos/fedora-coreos-tracker/pull/801 16:36:25 I've been completing my action so I won't re-action it 16:36:52 👍 16:37:24 #link https://github.com/coreos/fedora-coreos-tracker/issues/799 16:37:49 nft task is in process 16:38:08 jaimelm++ 16:38:08 dustymabe: Karma for jaimelm changed to 1 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 16:38:30 #action bgilbert to investigate updating the Ignition type registration 16:38:39 .hello2 16:38:40 lucab: lucab 'Luca Bruno' 16:38:41 #action jaimelm bring nft changes to attention of OKD WG/developers for feedback 16:38:47 #chair lucab 16:38:47 Current chairs: cyberpear darkmuggle davdunc dustymabe fifofonix jaimelm jbrooks jlebon lorbus lucab skunkerk slowrie travier 16:39:14 alright, moving on 16:39:29 What topic should go first? 16:39:45 either works 16:39:48 Oh, there's been a cleanup :) 16:40:12 #topic Fedora Test day for our next stream (Fedora 34) 16:40:18 #link https://github.com/coreos/fedora-coreos-tracker/issues/797 16:40:50 jaimelm dustymabe want to take that one? 16:40:52 FYI: the test day/week started on Monday this week 16:41:09 if you havne't had a chance to participate already there are a few items left that haven't been touched 16:41:28 anybody who participates gets a fedora badge (if I can wrangle nb) :) 16:41:48 seems like we haven't found anything to earth shattering so far, but we have found some needed updates to the docs etc.. 16:42:26 .hello2 16:42:27 walters: walters 'Colin Walters' 16:42:56 travier: that's all I had 16:43:07 #chair walters 16:43:07 Current chairs: cyberpear darkmuggle davdunc dustymabe fifofonix jaimelm jbrooks jlebon lorbus lucab skunkerk slowrie travier walters 16:43:15 ok, let's move on 16:43:17 specifically, looks like we're missing exoscale and ibm cloud 16:43:25 jlebon: I'm doing ibm cloud now 16:43:29 sweet 16:43:31 anybody want to volunteer for exoscale? 16:43:48 also we need to add vultr to the list of test cases - maybe sumantrom_ can help us with that 16:44:00 dustymabe: do we have a community account at exoscale? 16:44:07 jlebon: I think so 16:44:13 * dustymabe checks creds 16:44:24 i can give it a whirl 16:44:26 oh also, we should add an openstack test ! 16:44:34 * jaimelm notes dustymabe has street cred 16:44:51 :D 16:44:51 dustymabe, I will do that 16:44:52 :) 16:45:01 sumantrom_: can you add one for vultr and one for openstack? 16:45:07 sumantrom_++ 16:45:14 yes I can :) 16:45:15 I think I've given out all my cookies 16:45:28 jlebon: I'll try to figure out how to get you exoscale creds 16:45:37 ack, +1 16:46:17 dustymabe: does exoscale support saml? 16:46:59 .hello2 16:46:59 bgilbert: bgilbert 'Benjamin Gilbert' 16:47:11 #chair bgilbert 16:47:11 Current chairs: bgilbert cyberpear darkmuggle davdunc dustymabe fifofonix jaimelm jbrooks jlebon lorbus lucab skunkerk slowrie travier walters 16:47:28 davdunc: not sure on that one 16:47:43 dustymabe: I don't think so. 16:47:53 dustymabe: heh looks like i've already got exoscale creds 16:48:02 with some balance remaining 16:49:00 jlebon: nice! 16:49:29 Feel like we can move on? 16:49:33 +1 16:49:36 +1 16:49:46 #topic Document the FCOS release cadence guidelines 16:49:52 #link https://github.com/coreos/fedora-coreos-tracker/issues/785 16:50:11 jlebon dustymabe ? 16:50:32 yep. we have a proposal 16:50:46 https://github.com/coreos/fedora-coreos-tracker/issues/785#issuecomment-827142247 16:50:53 figured it would be better to have something concrete 16:51:12 does the wording in that pull request look like what we were looking for with the request? 16:51:17 #link https://github.com/coreos/fedora-coreos-tracker/issues/785#issuecomment-827142247 16:51:21 jdoss: around? 16:51:41 the important new part is here: https://github.com/dustymabe/fedora-coreos-tracker/blob/dusty-major-rebases/Design.md#major-fedora-version-rebases 16:52:56 I like that 16:53:04 this is essentially what we're doing for the f34 rebase right now 16:53:24 so we'll be testing it at the same time :) 16:53:33 This does however mean that we get more stable releases for a short time 16:53:59 correct there are tradeoffs, but we decided to go for "simple" even if it is a bit more churn 16:53:59 indeed 16:54:00 (which is not a bad thing either) 16:54:03 I'd advocate for releasing to `testing` shortly after Final Freeze, as that's when changes basically stop except for Freeze Exceptions and Blockers 16:54:04 +1 16:54:32 makes sense 16:54:53 cyberpear: yeah we might accelerate the schedule for F35 16:54:58 and many fewer changes during Final Freeze than in the weeks after release when many packages get routine updates 16:55:14 in which case we'll revisit this text 16:55:49 I think it's a first good step toward having us release at the same time as the rest of Fedora for a later release 16:56:44 yeah, once we get more confidence in the process we can get closer and closer to GA 16:56:47 cyberpear: if we move testing that early but not stable, it means there's less coverage for the N-1 that'll still be going into stable leading up to GA 16:57:28 right, once we switch over testing we're on a clock for that going into stable 16:57:28 i can definitely imagine moving testing on GA though 16:57:44 I think the end goal should be to rebase to `stable` shortly after a release is declared GO, possibly same day as release day 16:57:44 otherwise we've got no pipeline 16:57:59 cyberpear: in an ideal world, I think I agree with you 16:58:18 Sounds great 16:59:35 ok, so the real question is.. does that text look good for now for f34? 16:59:43 +1 16:59:56 +1 16:59:58 as we get a little more "ahead of the ball" we'll update it to get closer and closer to GA 17:00:46 It's good for now, and will likely be a learning experience for moving next release. 17:01:02 ok - last remaining question that jlebon and I had 17:01:13 +1 on jaimem's words 17:01:26 is this something that needs to go in the upstream documentation? we were fine leaving it where similar text already existed (in the Design.md doc) 17:01:44 keep in mind, if you say "yes" you get to volunteer to add it to the upstream documentation 17:01:46 +1 looks good 17:01:52 hehe 17:02:37 The test day shows good community participation 17:02:44 i guess it'd probably go somewhere on this page if we did that: https://docs.fedoraproject.org/en-US/fedora-coreos/update-streams/ 17:02:48 +1 for tracker docs, feels too process related for user facing docs 17:03:21 ok cool. that's all I had for this topic 17:03:30 travier: that's my inclination as well 17:03:41 I think we want to encourage not looking at the underlying version of Fedora 17:04:05 excepted for test days :D 17:04:38 :) 17:04:50 Moving to open floor in 30 sec 17:05:55 #topic Open Floor 17:06:21 nothing for me here. thanks all for helping test 17:07:00 dustymabe: did you want to discuss https://github.com/coreos/fedora-coreos-tracker/issues/796 ? 17:07:56 * dustymabe looks 17:08:08 sure, we can 17:08:30 hum, I have mixed feelings. Leaving that always on could be a potential security issue? 17:08:32 basically we have some things that can wait infinitely in the initramfs (ignition fetching configs is one example) 17:08:49 it will need to be off for the aws images. 17:09:00 sometimes it'd be nice to force them to break after a certain amount of time 17:09:12 dustymabe: I just got out of another meeting. I can respond to the PR with my thoughts w/r/t https://github.com/dustymabe/fedora-coreos-tracker/blob/dusty-major-rebases/Design.md#major-fedora-version-rebases 17:09:17 as I read the bug, it wouldn't be always on 17:09:27 right, it would be opt-in via a karg 17:09:28 correct, it wouldn't be always on by default 17:09:33 IIRC, aws now has Serial Console Access? 17:09:37 but your org could choose to have it always on 17:10:02 maybe we should also conditionalize that to first boot too? 17:10:06 the `rd.break` counterargument isn't a good one, because you never reach the rd.break shell if e.g. ignition loops forever 17:10:14 that's true cyberpear, but best practice is still to disable emergency shell. 17:10:22 makes sense 17:10:30 it's a good idea overall 17:10:42 agreed jaimelm 17:11:05 travier: what's the potential security issue? 17:11:48 so karg -> unit -> conditions -> on ? 17:12:19 if it's enabled post first boot and I figure out a way to trigger it on a locked down node otherwise then I get a root shell 17:12:49 We could just as easily make it only trigger on first boot 17:12:49 travier: yeah, if we want to limit it to firstboot then I'm cool with that 17:12:50 but it's initrd only so would require something timing out in the initrd post first boot 17:12:51 maybe enable it only for first boot? 17:12:53 do we have that? 17:13:05 We already know first boot based off the ignition first boot semantics 17:13:16 yeah, WFM 17:13:21 if it's first boot only then I'm +1 17:13:52 davdunc: I don't think this would apply to AWS really because the user would need to get in to add a kernel argument to tell it to happen 17:13:57 Technically a user could re-enable those but if a users inside your box to re-enable kargs, trigger reboots, and has serial console access you have such a massive security flaw already that I'm not sure we are preventing anything 17:14:01 the "do we have that?" was for potentially timing out services in initrd post first boot 17:14:14 dustymabe: sounds right. 17:14:32 but that does beg the question.. would we ever want to apply something like this to our cloud providers? 17:14:34 slowrie: +1 17:14:41 I'm not sure though, aren't the timeouts in the relevant services a better approach? 17:14:55 lucab: we've explicitly made them never time out 17:15:11 I don't think we can ever enable that by default 17:15:24 what value would we pick? 17:15:28 lucab: I read it more as a single way to specify a larger timeout for the whole thing rather than requiring going and editing the timeout of all the different services 17:15:29 basically this came up recently because we made the rootfs fetching (PXE) retry infinitely 17:15:55 but *sometimes* it is nice to get a shell and debug when fetching a remote resource doesn't work 17:16:15 i.e. was the problem DNS? did the system not get an IP? etc.. 17:16:22 I'm on board with all of that, but Ignition does allow setting an upper limit 17:16:23 so this idea popped into my head 17:16:45 lucab: oh it does? via a karg? 17:16:49 so if other services don't, perhaps we should start from there 17:17:13 lucab: what if you can not fetch the config? 17:18:00 well, good point 17:18:45 dustymabe: in the config itself, but I see the larger point 17:18:52 cool, so we think that in general it would probably be a good idea, just need to make sure it's not enabled by default and that it only applies to first boot 17:19:02 +1 17:19:10 can you make that a proposal? 17:19:27 +1 17:19:30 +1 17:19:48 +1 all SGTM 17:19:56 #proposed we think having a generic configurable timeout via a kernel argument to break if things wait infinitely would be useful. We just want to make sure that it's no on by default and that it only applies to the first boot of a machine. 17:20:13 +1 17:20:16 +1 17:20:22 +1 17:20:26 +1 17:21:14 +1 17:21:16 #agreed we think having a generic configurable timeout via a kernel argument to break if things wait infinitely would be useful. We just want to make sure that it's not on by default and that it only applies to the first boot of a machine. 17:21:24 bgilbert: lucab: you good with that ^^ ? 17:21:27 anything else? 17:21:41 +1 17:21:47 dustymabe: I think so 17:21:48 I'm okay with non-first-boot also 17:22:11 ok cool. travier nothing from me 17:22:30 I guess we can start conservative (first boot only) and expand if needed 17:22:54 Closing in 1min if nothing else comes up 17:23:31 access to change the kargs is equivalent to root on basically every distro afaik 17:24:09 that's not the context I would be concerned about 17:24:23 if that's what you're referring to 17:24:37 it is, but we can take this to #fedora-coreos if you want to close out 17:25:09 but I agree that this is a fairly hard to pull out thread 17:25:11 threat* 17:26:02 alright, closing 17:26:16 #endmeeting