16:30:17 #startmeeting fedora_coreos_meeting 16:30:17 Meeting started Wed Jul 7 16:30:17 2021 UTC. 16:30:17 This meeting is logged and archived in a public location. 16:30:17 The chair is jlebon. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:30:17 Useful Commands: #action #agreed #halp #info #idea #link #topic. 16:30:17 The meeting name has been set to 'fedora_coreos_meeting' 16:30:24 #topic roll call 16:30:25 .hello2 16:30:26 darkmuggle: darkmuggle 'None' 16:30:34 #chair darkmuggle 16:30:34 Current chairs: darkmuggle jlebon 16:30:41 .hi 16:30:41 bgilbert: bgilbert 'Benjamin Gilbert' 16:30:44 #chair bgilbert 16:30:44 Current chairs: bgilbert darkmuggle jlebon 16:31:08 .hello jasonbrooks 16:31:11 jbrooks: jasonbrooks 'Jason Brooks' 16:31:14 #chair jbrooks 16:31:14 Current chairs: bgilbert darkmuggle jbrooks jlebon 16:31:45 .hi 16:31:46 lucab: lucab 'Luca Bruno' 16:32:13 #chair lucab 16:32:13 Current chairs: bgilbert darkmuggle jbrooks jlebon lucab 16:32:34 #chair jaimelm 16:32:34 Current chairs: bgilbert darkmuggle jaimelm jbrooks jlebon lucab 16:32:56 .hello2 16:32:57 jaimelm: jaimelm 'Jaime Magiera' 16:33:29 i expect a smaller crowd today. i'll leave off the juicier tickets for the video meeting next week, and we can tackle a few smaller ones today. 16:33:50 so it should be a shorter meeting 16:33:57 .hi 16:33:58 lorbus: lorbus 'Christian Glombek' 16:34:02 #chair lorbus 16:34:02 Current chairs: bgilbert darkmuggle jaimelm jbrooks jlebon lorbus lucab 16:34:26 * jlebon waits 30s more 16:35:05 #topic Action items from last meeting 16:35:26 .hello siosm 16:35:27 travier: siosm 'Timothée Ravier' 16:35:31 * bgilbert to file ticket to consider switching Ignition/Afterburn to reference GCE metadata server by IP 16:35:34 * jaimelm to investigate F35: CHANGE: CompilerPolicy Change #872 * darkmuggle to investigate F35: CHANGE: DNS Over TLS #873 16:35:37 * jlebon to investigate F35: CHANGE: "Fedora Linux" in /etc/os-release #874 16:35:40 * darkmuggle to investigate F35: CHANGE: More flexible use of SSSD fast cache for local users #875 16:35:43 * lucab to investigate F35: CHANGE: OpenSSL3.0 #876 16:35:45 * jlebon to investigate F35: CHANGE: RPM 4.17 #877 16:35:48 * dustymabe to investigate F35: CHANGE: Remove nscd #879 16:35:50 * walters to investigate F35: CHANGE: DNF/RPM Copy on Write enablement for all variants #878 16:35:53 #chair travier 16:35:53 Current chairs: bgilbert darkmuggle jaimelm jbrooks jlebon lorbus lucab travier 16:35:54 ok, my suggestion is to not tackle the CHANGE ones today and leave that for next week 16:35:59 #info bgilbert filed https://github.com/coreos/fedora-coreos-tracker/issues/891 16:36:01 Goo idea 16:36:05 also, good idea 16:36:32 ehhh, instead of re-actioning them all, let's do: 16:36:59 #action look at the action items from the previous meeting for F35 CHANGE-related items 16:37:57 ok to move on? 16:38:03 +1 16:38:16 #topic Consider referencing GCP metadata service by IP in Ignition/Afterburn 16:38:19 #link https://github.com/coreos/fedora-coreos-tracker/issues/891 16:38:39 bgilbert filed this, but I tagged it for this meeting 16:39:02 from lucab's comment, it sounds like it should be safe to assume the IP will not change 16:39:21 cool 16:39:39 I did ask some GCP contacts, and they pointed out the fact that even Google is hardcoding it in a few places 16:39:48 +1, thanks lucab 16:39:50 the idea here is: there have already been two exploits that poison the metadata.google.internal hostname 16:39:57 lucab: +1 16:40:13 that's helpful info lucab 16:40:24 and an attack that overrides the metadata service is catastrophic for security 16:40:25 they are still asking internally, but I doubt I'll get a more explicit answer anytime soon 16:40:47 so if we can just assume 169.254.169.254, maybe we should 16:41:03 agree with that, yeah 16:41:18 so I guess we can go ahead now, or wait a bunch more days to see if there are further followups 16:41:45 but all the signs so far point to "should be fine" 16:41:48 i think this might've been answeredin the previous meeting but: are there any other clouds for which the question should also be asked? 16:42:04 my biggest objection is that its not documented 16:42:14 right now GCP says to use the DNS 16:42:36 and while it should be safe, I'd much rather we get the word from on high that its fine 16:43:24 plumbing the depths of my memory during days at $other_employer they use the DNS endpoints for doing image testing 16:43:31 jlebon: just looked through the Ignition codebase. the only other provider that uses a hostname is Packet, and that one uses HTTPS 16:43:39 it is documented as the links from Luca points out 16:43:41 darkmuggle: was lucab's comment in that ticket not convincing? 16:44:07 jlebon: well, I missed it 16:44:15 :) 16:44:15 nevermind 16:44:23 +1 16:44:27 +1 16:44:34 bgilbert: ack ok 16:44:50 bgilbert: want to do a #proposed? 16:45:14 It's kind documented transitively. The metadata server is the internal name server resolver. The internal name server resolver is at 169.254.169.254. 16:45:18 *kinda 16:45:20 #proposed we will switch Ignition and Afterburn to contact the GCP metadata service by IP instead of hostname 16:45:55 +1 16:46:13 can we add a "(unless further comments by $date)"? 16:46:14 +1 16:46:37 +1 16:46:47 lucab: I mean, actions are always subject to revision 16:46:57 it'll take a while for the PRs to percolate to the OS 16:47:04 do you have a specific concern? 16:47:27 we have until this hits stable to revert it 16:47:39 and even after if this turns out a bad idea 16:47:58 yes, this week is a bit of a short/slow one and I asked my contacts just this morning, I still have some hope for some additional feedback 16:48:15 The sysadmin in my has a built-in revulsion to using hardcoded IPs in code. 16:48:21 s/my/me/ 16:48:49 +1 on waiting 16:49:18 sounds fine to me too 16:49:21 lucab: sure, I can slow-roll the PRs 16:49:48 bgilbert: that'd be fine 16:50:33 #action we will switch Ignition and Afterburn to contact the GCP metadata service by IP instead of hostname, unless we receive significant information to the contrary by next week 16:50:37 ^ good? 16:50:42 +1 16:50:46 +1 16:50:51 you mean #agreed? 16:50:55 #undo 16:50:55 Removing item from minutes: ACTION by bgilbert at 16:50:33 : we will switch Ignition and Afterburn to contact the GCP metadata service by IP instead of hostname, unless we receive significant information to the contrary by next week 16:51:03 #agreed we will switch Ignition and Afterburn to contact the GCP metadata service by IP instead of hostname, unless we receive significant information to the contrary by next week 16:51:08 +2 16:51:14 * jlebon nods 16:51:21 cool cool 16:51:41 #topic /boot/ignition/config.ign permissions 0644 to 0600 16:51:46 #link https://github.com/coreos/fedora-coreos-tracker/issues/889 16:51:55 good call 16:52:10 bgilbert: want to introduce it? :) 16:52:14 sure 16:52:29 coreos-installer -i or -I writes an Ignition config to /boot/ignition/config.ign 16:52:33 *coreos-installer install 16:52:53 Ignition reads it, and then does not clean it up afterward 16:52:55 and it's world-readable. 16:53:18 the Ignition config may contain secrets, so we should not leave it lying around like that 16:53:31 no beuno 16:53:42 but the question is, how serious is this, and how should we address it 16:53:53 there's a PR up to make it mode 0600 16:53:54 right 16:54:08 there's also been some discussion about removing the file outright after Ignition completes 16:54:30 (note that this only affects coreos-installer scenarios, not cloud images) 16:54:42 but there's also the question of existing installs. 16:55:11 for comparison on clouds: my understanding is that on some platforms, it sticks around and anyone can request it from the metadata server, right? 16:55:31 jlebon: yes, and we have open docs bugs to document that fact 16:55:35 are you thinking an selinux profile? 16:56:04 jlebon: but that's a common problem across OSes. this one is specific to us. 16:56:18 darkmuggle: doesn't seem worth it. there's no real reason for us to retain that file at all 16:56:35 in terms of severity: the file is not normally accessible to containers, and the default core user already has passwordless sudo 16:56:42 bgilbert: right ok. so i guess the hypothetical question is: if a cloud provided a mechanism to have it removed, then there's no reason we wouldn't leverage it, right? 16:56:51 I think we should remove it. If it has a local root account password, having it there is an easy local root 16:56:53 if the user creates additional unprivileged users, they will have access where they shouldn't 16:57:08 jlebon: correct. we currently do not, though. 16:57:32 +1 on removing. In general, a defining a clean up process would be useful moving forward. 16:57:32 right, sure. just trying to establish where we want to go, and we should try to be consistent across cloud and metal 16:57:33 travier: our docs encourage the use of a strong password hash, fwiw 16:57:45 invariably, there will be more things to clean up down the road I bet. 16:57:50 jlebon: +1 16:58:00 #link https://github.com/coreos/fedora-coreos-docs/issues/306 16:58:04 for the docs changes 16:58:41 IOW, looking at this at the higher level, our stance should be something like: on platforms where possible, we should scrub the Ignition config after provisioning is complete 16:58:49 +1 16:58:52 +1 16:58:56 that one is for removing the config from the metadata server 16:59:04 this one is for firewalling the metadata server: 16:59:05 #link https://github.com/coreos/fedora-coreos-docs/issues/272 16:59:14 jlebon: +1 16:59:44 actually that implies that docs#306 should be a code bug instead 17:00:13 yeah, i think you're right 17:00:14 +1 17:00:27 for Ignition? Instances will usually not have enough access to remove user-data 17:00:45 that's the "where possible" bit :) 17:00:56 travier: ah, it's a control-plane operation? ouch 17:00:59 but that could be for the MCO for example 17:01:05 ^ 17:01:18 oh you're talking about the firewall 17:02:00 jlebon: I wasn't. I misunderstood 17:02:04 It's 'gcloud compute instances remove-metadata' so I think you need the corresponding account access 17:02:07 right 17:02:23 okay, so, wrt cleaning up our messes 17:03:00 my initial view is that this isn't a major fire in default configurations, since we're not leaking to anyone unprivileged 17:03:02 Creating a good 'on boot' fixup to remove all those ignition config files lying there is going to be tricky to not mess the /boot RW remount 17:03:25 but that we should clean up existing systems nonetheless 17:03:51 travier: I haven't followed the /boot RO saga. we can't just remount RW in a mount namespace and do the thing? 17:03:57 Or we could simply make an announcement and mount an empty RO directory on top of the /boot/ignition instead to avoid doing the remount 17:04:19 travier: we'd have to keep doing that forever though 17:05:06 bgilbert: it should work. I vaguely recall issues if something else tries to remount RW at the same tim 17:05:16 remounting rw in a mount namespace sounds like it should work, yeah. ignition-firstboot-complete currently dues that 17:05:38 systemd-tmpfile? 17:05:44 of note, there's possible version skew between coreos-installer and the OS. but we could fix this by changing firstboot-complete to remove the file + a barrier release that removes it on existing nodes 17:05:49 bgilbert: forever only if we find the folder in /boot 17:06:04 and then fixing the perms in coreos-installer is just belt + suspenders redundancy 17:06:05 my strawman is to just ship a systemd service which does this gated on ConditionPathExists, but we don't make it a barrier and instead just drop it until we have a barrier for whatever other reason 17:06:17 darkmuggle: needs rw remount, so can't be just tmpfiles 17:06:21 systemd-tpmfiles can not remount RW and remove 17:06:27 ah 17:06:47 jlebon: I like that, yeah 17:06:55 travier: conditionally forever is still forever :-P 17:07:10 +1 for shipping like jlebon said until we have another barrier 17:07:12 :) 17:07:21 +1 17:07:29 travier: it can we add an ExecStart :) 17:07:33 proposed incoming 17:07:38 *if we add 17:08:07 lucab: to systemd-tmpfiles.service? yuck :) 17:08:18 :) 17:08:20 :D 17:08:45 * jlebon waits for bgilbert's proposal 17:08:54 We will have to make sure this unit is well ordered to not break systems 17:09:06 #proposed we will change firstboot-complete to delete /boot/ignition/config.ign. we will also add a systemd service that removes /boot/ignition/config.ign on existing nodes, and ship that service until after the next barrier release. in parallel, we will change coreos-installer to write /boot/ignition/config.ign with mode 0600. 17:09:29 well done sir 17:09:32 ack 17:09:36 +1 17:09:56 +1 17:10:01 travier: we have a lot of flexibility in the ordering, thankfully 17:10:32 this will be made easier by what i'm working on with moving firstboot-complete to f-c-c 17:10:38 jlebon: yup 17:10:46 (i have pending code which makes it a proper script too) 17:10:53 nice 17:11:12 have everyone voted? Time to move on? 17:11:25 #action we will change firstboot-complete to delete /boot/ignition/config.ign. we will also add a systemd service that removes /boot/ignition/config.ign on existing nodes, and ship that service until after the next barrier release. in parallel, we will change coreos-installer to write /boot/ignition/config.ign with mode 0600. 17:11:38 s/#action/#agreed/ 17:11:50 .... 17:11:51 #undo 17:11:51 Removing item from minutes: ACTION by bgilbert at 17:11:25 : we will change firstboot-complete to delete /boot/ignition/config.ign. we will also add a systemd service that removes /boot/ignition/config.ign on existing nodes, and ship that service until after the next barrier release. in parallel, we will change coreos-installer to write /boot/ignition/config.ign with mode 0600. 17:11:56 heh 17:12:00 also: is there general agreement that we don't need to raise a major alarm about this one? 17:12:06 #agreed we will change firstboot-complete to delete /boot/ignition/config.ign. we will also add a systemd service that removes /boot/ignition/config.ign on existing nodes, and ship that service until after the next barrier release. in parallel, we will change coreos-installer to write /boot/ignition/config.ign with mode 0600. 17:12:38 should we have a coreos-status post? 17:12:45 I'm torned on the raising alarm side 17:12:58 This is just like the mode fixup change 17:13:08 also torn 17:13:08 ah, right 17:13:17 I'm conflicted on raising the alarm myself 17:13:43 I can see some some admin being used to seeing the ignition config in /boot 17:13:45 I think we are really missing a place to bring news to operator in a non alarming way while bringing visibility 17:13:52 we have the coreos-status 17:13:54 ml 17:13:55 It's probably best to wait until the fix is in to avoid undu panic and attempts to take advantage. 17:14:01 undo* 17:14:19 but the config /boot is platform specific 17:14:49 we could release-note it if we had release notes :-/ 17:14:53 did we end up making a post/email for the /etc mode bits? 17:14:59 travier: agreed. 17:15:14 no, but I think we should do one 17:15:32 but we have nowhere to put it 17:15:40 coreos-status is exactly that place, isn't it? 17:15:43 probably worth combining it then 17:15:46 jlebon: +1 17:15:50 beside the ml, which is not really a great format 17:16:06 This came up last Fall for something I thought we should post 17:16:13 but it works until we have something better 17:16:18 i think coreos-status is OK, we just need to make sure it's worded well 17:16:25 there's nothing for static informative stuff. 17:16:45 Let's do a combined coreos-status mail for those two issues 17:17:37 #proposed we will post to coreos-status about /etc mode bits and config.ign mode bits, timing to be determined 17:17:48 ack 17:17:49 +1 17:18:46 travier: ^ lgty? 17:18:54 +1 17:19:11 also darkmuggle 17:19:54 #action bgilbert to learn the difference between #agreed and #action 17:19:59 #agreed we will post to coreos-status about /etc mode bits and config.ign mode bits, timing to be determined 17:20:20 :) 17:20:24 heh 17:20:30 ok cool 17:20:53 thanks for bringing this up 17:20:57 let's leave it there for today for the tickets since the other ones are larger 17:21:08 #topic Open Floor 17:21:18 anyone has anything to bring up? 17:21:42 I was scrolling through some container-related posts and noticed a familiar logo in this one: https://www.koyeb.com/blog/the-koyeb-serverless-engine-from-kubernetes-to-nomad-firecracker-and-kuma 17:21:48 next week *should* be a video meeting 17:22:11 Ignition 3.3.0 stable spec is in `testing` and will be in the next `stable` 17:22:21 lucab: oh cool! 17:22:27 corresponding Butane release coming soon 17:22:49 Open Floor: It might be worth a discussion documentation style in the future. Several times when I've written docs, one person will sign off on it after a few suggested changes. Then someone else comes along with many suggested changes that change the tenor substantially. Perhaps a documentation style guide. 17:22:54 lucab: everytime that happens, it's like seeing your house on TV or something :) 17:23:08 bgilbert: +1 17:23:11 this spec has kernel-argument support and filesystem format `none` 17:23:41 jaimelm: are they usually style comments or technical comments? 17:23:42 jaimelm: that's a good point. we don't have a good maintainership story for docs right now 17:24:02 bgilbert: mostly style 17:24:02 it's kind of "everyone and no one" 17:24:10 doesn't Fedora have one? 17:24:25 used to. is it still around? 17:25:16 https://github.com/travier/fedora-coreos-nomad > Nomad on top of FCOS demo here 17:25:50 From my latest FCOS talk: https://twitter.com/siosm/status/1412396467659083779 17:26:16 jaimelm: can you make a tracker issue for this? we can tag it with the meeting label to bring it up in a future meeting 17:26:58 will do 17:27:00 travier: thanks for giving that talk! 17:27:16 I only found https://fedoraproject.org/wiki/Archive:Docs_Project_Style_Guide 17:28:11 * jlebon will close in 60s 17:29:11 #endmeeting