16:29:52 #startmeeting fedora_coreos_meeting 16:29:52 Meeting started Wed Jun 30 16:29:52 2021 UTC. 16:29:52 This meeting is logged and archived in a public location. 16:29:52 The chair is jlebon. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:29:52 Useful Commands: #action #agreed #halp #info #idea #link #topic. 16:29:52 The meeting name has been set to 'fedora_coreos_meeting' 16:30:05 .hi 16:30:06 lucab: lucab 'Luca Bruno' 16:30:06 .hi 16:30:09 dustymabe: dustymabe 'Dusty Mabe' 16:30:12 #topic roll call 16:30:16 .hello jasonbrooks 16:30:18 jbrooks: jasonbrooks 'Jason Brooks' 16:30:20 .hi 16:30:24 #chair lucab dustymabe jbrooks fifofonix 16:30:24 Current chairs: dustymabe fifofonix jbrooks jlebon lucab 16:30:24 fifofonix: fifofonix 'Fifo Phonics' 16:30:31 .hello2 16:30:31 .hi 16:30:31 jaimelm: jaimelm 'Jaime Magiera' 16:30:34 bgilbert: bgilbert 'Benjamin Gilbert' 16:30:43 .hello miabbott 16:30:44 miabbott: miabbott 'Micah Abbott' 16:30:56 #chair jaimelm bgilbert miabbott 16:30:56 Current chairs: bgilbert dustymabe fifofonix jaimelm jbrooks jlebon lucab miabbott 16:31:01 .hello2 16:31:02 davdunc: davdunc 'David Duncan' 16:31:02 .hello sohank2602 16:31:04 skunkerk: sohank2602 'Sohan Kunkerkar' 16:31:35 #chair davdunc skunkerk 16:31:35 Current chairs: bgilbert davdunc dustymabe fifofonix jaimelm jbrooks jlebon lucab miabbott skunkerk 16:32:26 .hello siosm 16:32:29 travier: siosm 'Timothée Ravier' 16:33:09 #chair travier 16:33:09 Current chairs: bgilbert davdunc dustymabe fifofonix jaimelm jbrooks jlebon lucab miabbott skunkerk travier 16:33:17 ok, 30s more :) 16:34:12 .hello2 16:34:13 darkmuggle: darkmuggle 'None' 16:34:20 #chair darkmuggle 16:34:20 Current chairs: bgilbert darkmuggle davdunc dustymabe fifofonix jaimelm jbrooks jlebon lucab miabbott skunkerk travier 16:34:25 alrighty, welcome all! let's get started 16:34:33 #topic Action items from last meeting 16:34:41 * dustymabe to create ticket about making single node optimizations that don't enhance kubernetes and possible ways to integrate better with k8s distributions 16:34:53 #info dustymabe filed https://github.com/coreos/fedora-coreos-tracker/issues/880 16:35:00 👆 16:35:05 and that's all! 16:35:10 👍 16:35:32 ok, we've got quite a few tickets today, so it's not likely we'll get through all of them 16:35:35 let's start with... 16:35:49 #topic Potential security vulnerability related to metadata.google.internal usage on GCP 16:35:53 #link https://github.com/coreos/fedora-coreos-tracker/issues/885 16:36:04 travier: want to introduce this one? 16:36:42 Sure 16:37:41 This is a report about a potential issue with the GCP internal metadata domain name 16:38:18 The original report does not mention nor concern FCOS but this might impact us wrt Afterburn or Ignition 16:38:39 Discussion is ongoing regarding wether or nor we are impacted and if we should make changes 16:39:34 This would only be of concerns if an attacker has local network access in your cluster (compromised host or container with local network access) and only on node first boot. 16:40:08 EOI (end of introduction) 16:40:42 (or if the attacker has remote network access and you're not using the GCE firewall to block DHCP packets) 16:41:02 * jaimelm will use that in conversion "Hi Bob, this is Jane. EOI." 16:41:19 should we switch afterburn and ignition to use IPs anyway? 16:42:04 If they are guaranteed to be stable then I guess this would remove any potential DNS issue from first boot which could be a good thing? 16:42:12 (also, do we not run Afterburn SSH key fetching on every boot on GCP?) 16:42:38 FWIW, I'd like to see GCP exposing an HTTPS endpoint and us using whatever valid SAN is in there 16:43:08 the canonical endpoint is the DNS name: https://cloud.google.com/compute/docs/storing-retrieving-metadata 16:44:03 Missing in this conversation is that the vulnerability is specific to ISC DHCP Client 16:44:11 yes we run Afterburn SSH key fetching on each boot on GCP 16:44:11 I agree with darkmuggle's comment 16:44:12 We're using NetworkManager, which used a different XID calculation. 16:44:21 in the ticket 16:45:07 there are multiple factors mitigating the vulnerability for FCOS. it may still be worth switching to using the IP for defense in depth. 16:46:30 Do we have any guarantee that the IP will not change? 16:48:12 currently unknown, I think. we should probably not expect to come to any conclusions in this meeting. 16:48:46 If its more unlikely for a take over with NM than ISC DHCP, then the prudent course would be to see what GCP does. 16:48:56 ok, so it sounds like right now we should just stand by for now 16:49:11 we should also see what the Security Team says 16:49:21 +1 16:49:39 let's track the "switch to IP" as a ticket on either Afterburn or Ignition? 16:50:13 or maybe another tracker ticket since we'd probably want to do the same to both? 16:50:19 ^^ 16:50:30 bgilbert: could you file that? 16:50:59 I could, but I was assuming we'd use the existing ticket for that 16:51:26 either we should switch to IP to mitigate this type of vulnerability, or we should not switch because it isn't worth doing to mitigate this type of vulnerability 16:52:17 actually, I've just talked myself out of that, nvm 16:52:17 ahh ok, wasn't sure if lucab was implying it'd be something worth doing on its own 16:52:31 fair, although I would have assume this ticket to be closed in a few days once we confirm that NM is unaffected 16:52:39 #action bgilbert to file ticket to consider switching Ignition/Afterburn to reference GCE metadata server by IP 16:52:48 ok cool :) 16:52:54 let's move on 16:53:09 #topic tracker: Fedora 35 changes considerations 16:53:12 #link https://github.com/coreos/fedora-coreos-tracker/issues/856 16:53:38 dustymabe: want to discuss that one? 16:54:37 hmm, he might be AFK. i'll take it 16:54:44 he appears to be missing in action. let's move on? 16:54:56 dustymabe filed a separate tracker issue for each f35 change we should look into 16:55:22 here 16:55:23 so now we need to actually look at each of them and assess the situation 16:55:39 yep. I filed sub tickets for each item we wanted to discuss further 16:55:56 we were thinking of just assigning them all to different people to share the load 16:56:00 can we get volunteers to own running the investigations/discussion to ground? 16:56:27 #link https://github.com/coreos/fedora-coreos-tracker/issues?q=is%3Aissue+is%3Aopen+label%3AF35-changes 16:57:16 dustymabe: there's so many, maybe it's easier to build a pool of people, and then we randomly assign them? 16:57:38 I'll take https://github.com/coreos/fedora-coreos-tracker/issues/873 16:57:40 yeah, though I do think some of us here are experts in some topics more than others 16:57:56 i.e. rpm related things - clearly someone who works on rpm-ostree would be more qualified 16:58:18 jlebon: whatever you think works best 16:58:45 ok i took the RPM 4.17 and the "Fedora Linux" one 16:58:51 * jaimelm will take 872 16:59:00 * dustymabe will take #879 16:59:00 I'll take the SSSD one 875 too 16:59:09 bgilbert, lucab, darkmuggle, walters, travier: could each of you at least take one? 16:59:30 darkmuggle, jaimelm: +1 17:00:05 spoken for #873, 877, 874, 872, 879, 875 17:00:39 left: 876, 878 17:00:51 jaimelm: what's your GitHub handle again? 17:01:27 #action jaimelm to investigate F35: CHANGE: CompilerPolicy Change #872 17:01:37 I'm taking #876 17:01:37 JaimeMagiera 17:01:44 #action darkmuggle to investigate F35: CHANGE: DNS Over TLS #873 17:02:03 #action jlebon to investigate F35: CHANGE: "Fedora Linux" in /etc/os-release #874 17:02:23 #action darkmuggle to investigate F35: CHANGE: More flexible use of SSSD fast cache for local users #875 17:02:46 #action lucab to investigate F35: CHANGE: OpenSSL3.0 #876 17:03:05 #action jlebon to investigate F35: CHANGE: RPM 4.17 #877 17:03:21 #action dustymabe to investigate F35: CHANGE: Remove nscd #879 17:03:31 i think the only one not spoken for is #878 17:03:34 walters: i assigned you #878. feel free to unassign yourself if you're not interested :) 17:03:39 F35: CHANGE: DNF/RPM Copy on Write enablement for all variants 17:04:03 #action walters to investigate F35: CHANGE: DNF/RPM Copy on Write enablement for all variants #878 17:04:04 i think that's all of them 17:04:10 \o/ 17:04:17 there's probably new ones we need to add to the list 17:04:20 but that's a good start 17:04:27 thanks all for volunteering 17:04:30 thank you all! 17:04:32 ok, let's move on 17:04:44 #topic Differing behavior for aarch64 vs x86_64 disk images 17:04:49 #link https://github.com/coreos/fedora-coreos-tracker/issues/855 17:05:05 dustymabe: want to (re-)introduce this one? 17:05:25 mostly just read https://github.com/coreos/fedora-coreos-tracker/issues/855#issuecomment-867131221 17:05:41 and then please vote here in chat with A or B 17:06:13 A => match partition numbers, enhance documentation 17:06:19 B => don't make any changes, enhance documentation 17:06:36 B 17:06:41 B 17:06:52 B 17:06:54 A 17:06:59 B 17:07:30 A 17:07:59 * dustymabe sets timer to 30 seconds 17:08:20 B 17:08:36 i'd be open to revisit if multiple users get sufficiently confused by this 17:08:55 (I'm skipping as I don't have a good idea) 17:09:24 #agreed we will keep our paritioning set up for different architectures as it currently is and enhance our documentation for #855 17:09:24 B: 5 A:2 Abstain:1 17:09:41 👍 17:09:41 all good with the agreed? otherwise I'll undo 17:09:56 +1 17:10:01 * dustymabe yields floor back to jlebon 17:10:13 thanks dustymabe! 17:10:56 #topic policy: setting single node defaults that don't enhance kubernetes 17:10:59 #link https://github.com/coreos/fedora-coreos-tracker/issues/880 17:11:38 dustymabe: do you want to introduce this one too, or should I? i think most of us are familiar since we discussed it last week already 17:11:48 * jaimelm is familiar 17:12:49 jlebon: if you don't mind, you 17:13:07 ack ok 17:14:43 so I think at this point, it boils down to: "do we want to try to adapt services which conflict with k8s dynamically, or do we leave it to the k8s stack to configure FCOS accordingly" 17:15:56 to take the example of systemd-oomd, should we set it up so that e.g. if we detect k8s is in use, then we default to disabled? and also, how does that detection work? 17:16:54 i think from our previous discussion we were leaning towards allowing ourselves to make changes that might not be useful for k8s 17:17:16 the open question in my mind was how exactly (as jlebon mentioned) 17:17:27 I'd prefer if we don't do things for use cases we don't control as it will be really hard for k8s users to follow that (as we don't know which version of k8s is run) 17:17:31 do we basically enable them by default and provide docs for kube integraters 17:17:32 I'd vote that we do containers really well, but provide the sugar for the Kube world. 17:17:35 bgilbert raised a good point last time which was that if we default to possibly breaking k8s changes, then we need a policy for rolling out those changes 17:18:09 or do we try to auto detect and behave differently according to "kube or not" 17:18:13 We will never be able to engineering well against the unknowable versions and packages. 17:18:14 yes, I think that potentially k8s breaking changes should be new install 17:18:29 new install only* 17:19:13 right agreed re. version skew. we're just not tightly coupled enough to make sure we don't mess up 17:19:14 Documenting the unwanted features for k8s users with the versions they were introduced for operators should be reasonably doable 17:19:29 "unwanted" 17:20:37 I don't want to speak for the engineering folks for OKD, but we do already diverge and plan to diverse where necessary from the standard FCOS. That's essentially what the machine-os repo does. 17:20:46 diverge& 17:20:52 (I'm not 100% convinced yet we should focus no single node however) 17:21:08 darkmuggle: +1 to that 17:21:09 on* 17:21:28 yea I think the value is at scale. 17:21:35 I'd thought of another bad idea -- Butane plugin's akin to Terraforms -- to allow for the Kube world to make it easy for their users. 17:21:48 heh 17:21:53 If we take the reverse argument, it's also easy to document which options would improve single node use cases in a doc page 17:22:19 darkmuggle: you have good bad ideas (at first blush) 17:22:24 With Butane plugins the Cloud vendors and Kube vendors could write their own "sugar" for seeting defaults. 17:22:37 travier: I think my counter to that is: 17:22:39 travier: but then, we're essentially neither defaulting to single or k8s 17:22:47 s/seeting/setting/ 17:22:48 so it's the worst of both worlds 17:22:55 true 17:22:56 for kube usually people are running some advanced ignition config, so it's not as hard to bring in a few extra bits 17:23:20 for single node, they're usually starting much more "from scratch" 17:23:26 much more 17:23:40 the problem with the Butane approach is version skew. there's no relationship between Butane versions and FCOS versions. so the output of particular Butane sugar really can't change over time. 17:24:19 I'd still lean toward an "API version" kind of interface 17:24:33 bgilbert: right, I don't think we should do sugar. but having helper butane configs we keep up to date for the latest FCOS should be fine, right? 17:24:52 jlebon: sort of? 17:25:05 I don't think we should do sugar either. This would make Butane configs unknowable without the corresponding Butane binary 17:25:12 the plugin would support an "API" 17:25:40 jlebon: if some k8s distro is using an old Ignition config, how do we know not to start enabling some conflicting behavior? 17:25:46 darkmuggle: how does an API help? 17:26:05 Having Butane snippets in the doc alongside the notes about features introduced in version X would cover that better from my point of view 17:26:07 maybe we should limit discussion to.. allow single node specific defaults to be applied? yes or no 17:26:22 then we can probably talk about the best way to help the kube case 17:26:27 bgilbert: anytime you rebase your bootimages, you have to be aware of deprecation windows you're burning through 17:26:39 travier: that can get messy 17:26:52 bgilbert: let's table the butane plugin idea as out of scope for this meeting, and I'll propose something in the tracker or discuss in higher bandwidth 17:27:03 dustymabe: that would reign things in a bit. Probably a good idea. 17:27:17 we're almost at time. 17:27:19 dustymabe: good idea 17:27:32 jlebon: you should always be rebasing your bootimages. this isn't RHCOS :-) 17:27:39 ouch 17:27:42 +1 for single node focus if we carefully document things to disable for fk8s 17:27:53 i think the version skew complexity for k8s has already forced us to be more supportive of the single node case, so let's stop pretending we can support both single node/k8s reliably and focus on single node 17:28:36 given that we're almost at time, I'd propose tabling. seems like we have more discussion to do in the ticket 17:28:37 bgilbert: heh sure :) but then that implies that your old Ignition config is not guaranteed to work forever on new machines 17:29:00 yeah ok, let's keep chatting in the tracker! 17:29:01 any takeaways from this meeting? 17:29:04 bgilbert +1 17:29:40 we need to maybe prioritize meeting items differently. Something more than just the label. Seems like we keep pushing the edge. 17:29:54 dustymabe: hard to tell at this point :| 17:30:01 ok, let's to a quick open floor 17:30:14 #topic Open Floor 17:30:29 anything anyone wants to bring up? 17:30:32 jaimelm: is there a topic you want to see that hasn't been discussed (starved by other topics)? 17:31:46 jlebon: maybe discuss the video meeting. i.e. not having one next week because of people on vacations and such 17:31:47 I'll add the item (documentation style) for next meeting. 17:31:57 dustymabe: ahhh yes yes 17:32:02 we can still have an IRC meeting 17:32:07 but probably not video 17:32:10 move the video meeting or skip? 17:32:20 move one week 17:32:23 (for this coming month) 17:32:30 support 17:33:07 that's all I had for open floor 17:33:14 dustymabe: that sounds reasonable to me, thanks for bringing it up! 17:33:20 ok, closing in 30s 17:33:49 #endmeeting