16:29:32 #startmeeting fedora_coreos_meeting 16:29:32 Meeting started Wed Jul 21 16:29:32 2021 UTC. 16:29:32 This meeting is logged and archived in a public location. 16:29:32 The chair is dustymabe. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:29:32 Useful Commands: #action #agreed #halp #info #idea #link #topic. 16:29:32 The meeting name has been set to 'fedora_coreos_meeting' 16:29:39 #topic roll call 16:29:43 .hu 16:29:45 .hi 16:29:46 dustymabe: dustymabe 'Dusty Mabe' 16:30:56 .hello siosm 16:30:57 travier: siosm 'Timothée Ravier' 16:31:22 .hello miabbott 16:31:23 miabbott: miabbott 'Micah Abbott' 16:31:26 .hello jasonbrooks 16:31:27 jbrooks: jasonbrooks 'Jason Brooks' 16:31:36 .hello2 16:31:37 jlebon: jlebon 'None' 16:31:45 .hi 16:31:46 bgilbert: bgilbert 'Benjamin Gilbert' 16:31:48 .hello2 16:31:49 darkmuggle: darkmuggle 'None' 16:32:03 .hello2 16:32:04 davdunc: davdunc 'David Duncan' 16:32:23 #chair travier miabbott jbrooks jlebon bgilbert darkmuggle davdunc 16:32:23 Current chairs: bgilbert darkmuggle davdunc dustymabe jbrooks jlebon miabbott travier 16:32:27 .hello sohank2602 16:32:28 skunkerk: sohank2602 'Sohan Kunkerkar' 16:33:25 .hi 16:33:26 lucab: lucab 'Luca Bruno' 16:34:14 #chair skunkerk lucab 16:34:14 Current chairs: bgilbert darkmuggle davdunc dustymabe jbrooks jlebon lucab miabbott skunkerk travier 16:34:17 welcome all 16:34:29 #topic Action items from last meeting 16:35:14 i think the only real action was for me to update #892 with the notes from the discussion 16:35:37 #info dustymabe updated #892 with the notes from the video meeting discussion: https://github.com/coreos/fedora-coreos-tracker/issues/892#issuecomment-880907947 16:35:51 I don't think we had anything else concretely actionable 16:35:58 * dustymabe moves on in a few seconds 16:36:10 #topic Flock to Fedora 2021 (5th to 7th August 2021) - CFP closes 23rd July 16:36:15 #link https://github.com/coreos/fedora-coreos-tracker/issues/894 16:36:20 i'll touch on this briefly 16:36:36 travier and I just submitted a talk, jdoss has submitted one and I think jlebon is going to do a deep dive talk 16:36:46 if anyone else is interested the CFP closes this week 16:36:49 EOM 16:37:25 would be really nice to do a half day hackfest for docs, but I don't have the cycles to drive it this time 16:37:35 if anybody is interested, let me know :) 16:37:43 (EOM?) 16:37:49 EOM :) 16:37:55 oh, "end of message" 16:38:03 :) 16:38:05 meaning I'm done, which I think continued to talk 16:38:16 next topic 16:38:23 #topic tracker: Fedora 35 changes considerations 16:38:29 #link https://github.com/coreos/fedora-coreos-tracker/issues/856 16:38:43 ok we've got some tickets assigned to people. can we get status updates? 16:38:48 https://github.com/coreos/fedora-coreos-tracker/issues?q=is%3Aissue+is%3Aopen+label%3AF35-changes 16:39:30 darkmuggle: jaimelm: lucab: walters: I think have open items 16:40:40 * dustymabe thinks jaimelm and walters aren't here today - jlebon can you check on walters for this and I'll check on jaimelm? 16:40:51 dustymabe: ack will do 16:41:04 darkmuggle lucab are here toady I believe 16:41:38 I have no updates this week due to other pressing issues. I'll have it for next week. 16:41:44 darkmuggle++ 16:41:44 dustymabe: Karma for darkmuggle changed to 2 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 16:42:04 I think lucab made progress - but not sure if the work he posted was all that was needed or just the tip of the iceberg 16:42:10 I did a round of updates for new openssl crates in all our projects using it. The status is tracked in the ticket. Bootupd needs to get the CI fixed first, afterburn and coreos-installer will be fine upon the next release, zincati and rpm-ostree are already fine. 16:42:39 lucab: is that the totality of the changes that are needed? or are those just some of it and there are a lot more? 16:42:49 i.e. when the bootupd change merges can we close it out? 16:43:22 That's all I can think of. When they are all released and packaged, we can close it. 16:43:41 nice - wasn't sure if there were "non rust" things we needed to consider 16:44:14 #info lucab is tracking all changes for openssl and we should be able to close out #876 soon 16:44:29 ok I think that's all for this topic for this week but... 16:44:40 golang things are not concerned, and the only C things are ostree and rpm-ostree which I think are already fine 16:44:58 #action dustymabe to re-index and look for newly submitted change proposals for f35 that we need to consider 16:45:12 i'm sure there are some new ones that weren't on our original list so I'll do ^^ for next week 16:45:35 * dustymabe moves on to next topic soon 16:45:55 #topic policy: setting single node defaults that don't enhance kubernetes 16:45:58 #link https://github.com/coreos/fedora-coreos-tracker/issues/880 16:46:15 ok I feel like we're beating a dead horse here, but I want to try to close this topic off 16:46:27 from my temperature taking I think we are at something like: 16:46:32 #propsed We implement the single node optimized defaults now for "new installs". We add documentation for k8s distributors. Before we automigrate existing nodes in the future we'll revisit the feature flags proposal. 16:46:35 sigh 16:46:45 #proposed We implement the single node optimized defaults now for "new installs". We add documentation for k8s distributors. Before we automigrate existing nodes in the future we'll revisit the feature flags proposal. 16:47:29 does that accurately reflect the summation of our discussions on the topic? 16:47:29 it's a breaking change, so we can't do it now. we need a deprecation period. 16:47:36 ack, assuming the heads up to k8s distributors has sufficient time 16:48:16 right, but the amount of time required should be much smaller because it's only for new nodes, right? 16:48:31 still will require the distributors to implement changes 16:48:32 This still needs 3 months at least 16:48:59 I think we should follow the same process we did for cgroups v2 16:49:17 ok fair 16:49:28 dustymabe: no, there's nothing special about new nodes 16:49:39 we want clusters to autoscale using the current release images 16:49:57 personally, i think we can just talk to OKD and Typhoon to make sure they're aware and land on a reasonable time 16:50:13 First write docs to keep existing behavior, then warn about the change, then wait X (3 minimum) months 16:50:39 3 months feels like overkill to me if both of those communities are ready to go, but not against either 16:50:51 bgilbert: right, I'm just thinking figuring out how to implement the change for new nodes will be easier than the distributors trying to figure out how to update configuration on their existing nodes 16:50:55 jlebon: I think we should assume we have users who don't talk to us :-) 16:51:10 #proposed We implement the single node optimized defaults now for "new installs" with an appropriate amount of time allowed for kubernetes distributors to update their provisioning. We add documentation for k8s distributors. Before we automigrate existing nodes in the future we'll revisit the feature flags proposal. 16:51:39 better ^^ ? 16:51:53 wording quibble: s/distributors/distributors and users/ 16:52:11 (i.e., include DIYers in our thinking) 16:52:26 yeah let me also update to not include the word "now" 16:53:12 #proposed After an appropriate period of notice we implement the single node optimized defaults for "new installs". We add documentation for k8s distributors. Before we automigrate existing nodes in the future we'll revisit the feature flags proposal. 16:53:23 better? 16:53:33 ack 16:54:04 * dustymabe ack 16:54:29 ack, though the last sentence is a bit odd 16:55:01 are we planning to automigrate? it's just service enablement in this case 16:55:26 yeah, my thinking there is that before we automigrate existing nodes (if we ever do) we probably would want to re-visit the feature flags proposal and consider it as a way to help delivery 16:55:47 I can strike that sentence if desired 16:55:54 "If we automigrate existing nodes in the future, we'll revisit the feature flags proposal first"? 16:56:02 sure 16:56:16 don't forget the `distributors and users` change 16:56:21 (making this for new installs only will require a barrier release) 16:56:52 miabbott: I removed the first "distributors" word in the proposed, which I think is what BG was talking about 16:57:06 #proposed After an appropriate period of notice we implement the single node optimized defaults for "new installs". We add documentation for k8s distributors. If we automigrate existing nodes in the future, we'll revisit the feature flags proposal first. 16:57:21 dustymabe: yeah, but doesn't hurt to add it anyway 16:57:26 bgilbert: +1 16:57:39 #proposed After an appropriate period of notice we implement the single node optimized defaults for "new installs". We add documentation for k8s distributors and users. If we automigrate existing nodes in the future, we'll revisit the feature flags proposal first. 16:57:42 travier: why? 16:58:04 How do you not enable a service for existing installs? 16:58:04 ahh, well - "may" require a barrier release 16:58:19 depends on the change I guess 16:58:32 travier: presets? 16:58:55 they are applied to existing system with rpm-ostree if I'm not mistaken 16:59:18 travier: yes, if we need barrier releases to pull this off, then we'll put them in place 16:59:28 call for ack/nack on current proposed? 16:59:38 this is not a counter point, just a notice 16:59:42 ack 17:00:01 ack 17:00:35 ack 17:00:51 * dustymabe ack 17:00:54 any others? 17:00:59 ack 17:01:08 ack 17:01:25 #agreed After an appropriate period of notice we implement the single node optimized defaults for "new installs". We add documentation for k8s distributors and users. If we automigrate existing nodes in the future, we'll revisit the feature flags proposal first. 17:01:26 semi-ack, didn't follow all the details but the overall seems sane 17:01:35 thanks all, thanks walters 17:01:45 #topic New Package Request: oci-seccomp-bpf-hook 17:01:50 #link https://github.com/coreos/fedora-coreos-tracker/issues/887 17:03:04 i think package layering seems fine for this 17:03:43 yeah, also is this OKD specific? 17:04:01 they do some fancy stuff in their build system to configure FCOS so maybe could be done there 17:04:05 it's useful for anyone who wants to use seccomp for their containers 17:04:30 but yeah, i don't think it makes sense in the host by default IMO 17:04:30 I do share jlebon's feedbacks there: 1) no need to build the profile on each node, it can be done offline 2) they probably want OKD/OCP extensions to automate an operator there 17:04:33 I see, so the use specifically for them was the operator, but this is generally usefull too 17:05:04 llvm-libs > This makes it hard to include :/ 17:06:11 hmm I guess it depends on whether one would *always* trace the container and only periodically regenerate policy or whether there's a separate "training phase" e.g. on a dedicated node 17:06:28 #proposed Given the required dependencies and the specifics of the use case we thing this is a good candidate for package layering/extensions and not for inclusion in the base OSTree. The seccomp profiles can also be generated offline and included to remove the need to have it installed at all? 17:06:39 is that last sentence in the #proposed true? 17:06:42 lucab: ^^ 17:06:52 Yeah I'm pretty sure 17:07:08 +1 17:07:09 that's my understanding 17:07:12 maybe I should say "and included via Ignition" 17:07:15 yup my uinderstanding as well 17:07:26 +1 17:07:31 #proposed Given the required dependencies and the specifics of the use case we thing this is a good candidate for package layering/extensions and not for inclusion in the base OSTree. The seccomp profiles can also be generated offline and included via Ignition, which will remove the need to have it installed at all. 17:07:51 *think 17:08:02 #undo 17:08:02 Removing item from minutes: 17:08:11 walters: i would think you'd train it on known workloads. presumably the idea is that in prod you already know what it needs and everything else should be blocked 17:08:20 #proposed Given the required dependencies and the specifics of the use case we think this is a good candidate for package layering/extensions and not for inclusion in the base OSTree. The seccomp profiles can also be generated offline and included via Ignition, which will remove the need to have it installed at all. 17:08:21 #link https://github.com/coreos/fedora-coreos-tracker/issues/887 17:08:40 +1 17:09:03 ack 17:09:08 * dustymabe ack 17:09:18 +1 17:09:30 ack 17:09:31 +1 17:09:46 #agreed Given the required dependencies and the specifics of the use case we think this is a good candidate for package layering/extensions and not for inclusion in the base OSTree. The seccomp profiles can also be generated offline and included via Ignition, which will remove the need to have it installed at all. 17:10:00 #topic coordinating default hostname with other Fedora editions 17:10:03 #link https://github.com/coreos/fedora-coreos-tracker/issues/902 17:10:17 #link https://github.com/coreos/fedora-coreos-tracker/issues/902 17:10:52 maybe link it one more time just in case :) 17:10:56 ok I added this one. basically do we want to keep our "`localhost` is default hostname" forever and if yes should we try to advocate for making a change at a higher leve 17:11:16 jlebon: :) - my client is playing tricks on me today 17:11:45 i think we should advocate for a change, but match whatever we decide in the end 17:12:04 "we decide" -> Fedora as a whole 17:12:09 jlebon: I guess we can break this out into two topics 17:12:35 1. should we advocate for the change at a higher level 17:12:37 and 17:12:54 2. if the change at a higher level is rejected, do we continue to carry the change or do we fall in line? 17:13:33 where "we" == FCOS 17:13:34 dustymabe: yeah makes sense 17:13:56 On which other editions do you want that to happen? 17:14:22 Because I don't understand why other edition would want to use another default 17:14:26 editions* 17:14:30 travier: I'm thinking the arguments around this topic originally were " workstation needs it this way" 17:14:30 what's the ideal state? 'fedora' as a default hostname has seemed strange to me ever since they made the change 17:14:49 because of avahi or mDNS or something 17:15:08 i think it'd be Server, IoT, and CoreOS 17:15:10 so the thoughts there are - if that's true, let's try to make that change only apply to workstation 17:15:20 was there a change proposal for this one when it hit the other fedora editions? 17:15:22 and also DNS driven by DHCP client ID 17:15:22 s/workstation/workstation like/ 17:15:54 cyberpear: I don't think so. I think it just landed in f33 17:17:00 I can not find a change proposal 17:17:09 which is not great 17:17:09 travier: there wasn't one 17:17:18 https://bugzilla.redhat.com/show_bug.cgi?id=1892235#c13 17:17:56 so.. we could take this topic to a subtopic and ask "what are the arguments for keeping it at `localhost`" 17:18:10 the reasoning I can think of can be poked holes in 17:18:23 1. peoples scripts assume localhost == unconfigured 17:18:37 2. it's expected when there is no outher source for hostname 17:18:53 s/expected/generally expected/ 17:19:05 but those aren't super compelling 17:19:22 i'd be interested in other more compelling reasons 17:20:24 marco... 17:21:13 moving on.. 17:21:34 i think the argument is things implicitly depended on it and let's not break them? 17:21:43 i don't think it's just scripts which assume localhost == unconfigured. lucab pointed out it's a reserved identifier 17:22:45 so is that an argument for more compelling arguments? 17:22:47 https://en.wikipedia.org/wiki/Localhost#IETF_standards 17:23:07 ok I was going with: #proposed we start a discussion with FESCO about potentially updating the default hostname to be localhost for server like editions. If that is rejected we fall in line and migrate to `fedora` for the default hostname like the rest of the Fedora editions. 17:23:37 but now maybe 17:23:38 point 1 is a compelling reason. That's 2+ decades of expectation to to change. And there are people who work across multiple distros. 17:23:40 #proposed we start a discussion with FESCO about potentially updating the default hostname to be localhost for server like editions. If that is rejected then we re-visit if we want to carry the delta just in FCOS or not. 17:24:01 +1 to discuss and revisit 17:24:06 +1 17:24:11 sgtm 17:24:12 +1 17:24:15 * dustymabe ack 17:24:28 +1 17:24:34 #agreed we start a discussion with FESCO about potentially updating the default hostname to be localhost for server like editions. If that is rejected then we re-visit if we want to carry the delta just in FCOS or not. 17:24:38 I think we should keep an empty localhost default 17:24:55 #topic open floor 17:24:56 +1 17:24:56 (that's for later) 17:24:57 i wonder whether this would've gone through if it were a change proposal 17:25:15 jlebon: yeah, unfortunately the "inertia" is against us now 17:25:24 yeah definitely :( 17:25:40 hmm inertia would be a cool name for a project 17:25:58 dustymabe: once you get some project to use it, they'd never change it 17:26:02 #info we're working on updates for CVE-2021-33909 and CVE-2021-33910 (kernel and systemd) 17:26:03 anyone with anything for open floor - there was anothe topic on the docket but jaimelm wasn't here so we'll wait 17:26:08 #link https://github.com/coreos/fedora-coreos-tracker/issues/904 17:26:09 bgilbert: ha 17:26:30 bgilbert: thanks for that FYI. indeed 17:26:32 hehe 17:26:44 current plan is a 24-hour rollout for next and testing starting in 35 minutes, and a 24 or 36 hour rollout for stable starting tomorrow. 17:26:53 bgilbert++ 17:26:53 jlebon: Karma for bgilbert changed to 3 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 17:26:58 bgilbert: should we send a status post on that topic or just let it roll out? 17:27:10 bgilbert++ 17:27:13 bgilbert++ 17:27:33 #info we're deploying a one-off 5.12 kernel build that hasn't gone through Bodhi and includes unrelated changes, so please test the upcoming next and testing releases 17:28:09 * dustymabe will convert all my existing nodes 17:28:16 ^ that's because Fedora is in the middle of switching to 5.13. bad timing :-( 17:28:18 Hum, that sound like something we need to announce :/ 17:28:44 travier: yeah, maybe. what do folks think? 17:29:01 i'm cool with a status post on the $topic 17:29:08 it's the "unrelated" changes part that makes me think that 17:29:17 right 17:29:29 not the security update per se 17:29:37 yeah, the security fix is two lines 17:30:04 other opinions? jlebon, lucab? 17:30:13 was the 5.12 revision on top of which the patch was applied released through bodhi? 17:30:32 right, i guess not. that's the unrelated changes bit 17:31:05 yeah we bumped minor version number too, but not major 17:31:31 status post wfm 17:31:57 the last Bodhi 5.12 was 5.12.17; this is 19 17:32:32 the `stable` release kernel is kernel-5.12.12-300.fc34.x86_64 17:32:35 current stable 17:32:59 "testing == YOLO" 17:32:59 and testing was 5.12.14 17:33:26 so we're going up 5 point releases in testing, but 7 in stable 17:33:52 yeah, that's a bit of jump for a stable release without much field testing 17:34:03 yeah, I'll put together an email 17:34:18 we *could* just advance our promotion schedule and bump stable to match our currently rolling out `testing` 17:34:57 not sure if it's worth it, though 17:35:09 at least that exact content set would have run through some users 17:35:09 security fix + unrelated changes is not a great pattern 17:35:51 I'd lean toward taking the extra reboot 17:35:55 * dustymabe notes the time 17:35:57 i guess ideally we would've had two separate builds for testing/next and stable, but that's a lot of work for maintainers 17:36:27 my vote is to just roll with the current plan and email status 17:36:34 WFM 17:36:47 +1 17:36:52 +1 17:36:56 will end the meeting soon 17:37:15 #endmeeting