16:30:08 #startmeeting fedora_coreos_meeting 16:30:08 Meeting started Wed Mar 1 16:30:08 2023 UTC. 16:30:08 This meeting is logged and archived in a public location. 16:30:08 The chair is jlebon. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions. 16:30:08 Useful Commands: #action #agreed #halp #info #idea #link #topic. 16:30:08 The meeting name has been set to 'fedora_coreos_meeting' 16:30:12 #topic roll call 16:30:48 .hi 16:30:49 dustymabe: dustymabe 'Dusty Mabe' 16:31:09 .hi 16:31:10 ravanelli: ravanelli 'Renata Ravanelli' 16:31:13 #chair dustymabe ravanelli 16:31:13 Current chairs: dustymabe jlebon ravanelli 16:31:17 .hi apiaseck 16:31:18 c4rt0: c4rt0 'Adam Piasecki' 16:31:39 .hi 16:31:40 gursewak: gursewak 'Gursewak Singh' 16:31:40 #chair c4rt0 16:31:40 Current chairs: c4rt0 dustymabe jlebon ravanelli 16:31:47 #chair gursewak 16:31:47 Current chairs: c4rt0 dustymabe gursewak jlebon ravanelli 16:34:30 small group today :) 16:36:14 ok let's get started and see what we can accomplish 16:36:20 #topic Action items from last meeting 16:36:28 -ENOENT 16:36:58 #topic tracker: Fedora 38 changes considerations 16:37:03 #link https://github.com/coreos/fedora-coreos-tracker/issues/1357 16:37:17 dustymabe: want to go over the new items? 16:37:57 yeah. there are a number of things that dropped out of Fedor 37 16:38:01 Fedora 38 16:38:10 I assume because the change didn't make it in before branching 16:38:32 but there are a few new items 16:38:44 .hello spresti 16:38:45 spresti[m]: spresti 'Steven Presti' 16:38:53 #chair spresti 16:38:53 Current chairs: c4rt0 dustymabe gursewak jlebon ravanelli spresti 16:38:55 I think it's mostly 231 232 233 16:39:07 subtopic 231. cups-filters 2.0b 16:39:20 #info we don't ship cups, shouldn't affect us 16:39:24 +1 16:39:33 subtopic 232. IoT Simplified Installer] 16:39:42 #info this is specific to Fedora IoT 16:39:53 subtopic 233. Update python-packaging to version >= 22 16:39:57 #info we don't ship python 16:40:18 it relates to CoreOS in that it's a consumer of coreos-installer 16:40:38 oh.. for 232? 16:40:44 I didn't realize that relationship 16:41:04 so nothing we need to adapt in FCOS, but it's something to be aware of when discussing coreos-installer enhancements 16:41:14 yup 16:41:25 cool 16:41:28 thanks for bringing that up 16:41:59 jlebon: maybe we should go through the ⚠️ items 16:42:18 dustymabe: sounds good 16:42:39 #topic rawhide: upgrades fail with new openssh-9.0p1-10.fc38.1 16:42:43 #link https://github.com/coreos/fedora-coreos-tracker/issues/1394 16:42:57 this relates to change 118. 16:43:27 dustymabe: want to tackle that one? 16:43:27 indeed 16:43:57 I think we mostly have the update in https://github.com/coreos/fedora-coreos-tracker/issues/1394#issuecomment-1446828630 16:43:59 .hi 16:44:00 bgilbert: bgilbert 'Benjamin Gilbert' 16:44:05 #chair bgilbert 16:44:05 Current chairs: bgilbert c4rt0 dustymabe gursewak jlebon ravanelli spresti 16:44:14 indeed 16:44:16 @travier @jlebon and I discussed this last week. The two options we discussed were: 16:44:24 1. We roll out the changes early in Fedora 37, including an external execStartPre script for sshd that would detect non-conforming permissions and sleep for a period of time. The benefit of doing this is that after the sleep the user can still log in to the system. The negative of doing this is that it's more complex (and more work) and we could also somehow inject error if we don't test 16:44:26 comprehensively enough. 16:44:30 2. We go with the migration shipped by the RPM (we're working on an update to it to make it more palatable) and give users plenty of warning with a coreos-status post. 16:45:39 we were leaning towards 2. 16:46:12 interested in bgilbert's thoughts 16:46:28 * dustymabe is reminded that we need to make further updates and test https://src.fedoraproject.org/rpms/openssh/pull-request/39 so the maintainer can then merge it 16:46:54 btw, another con of 1. is that it breaks host key signing 16:47:48 jlebon: couldn't we technically rollout the permissions (setgid) change to that binary too? 16:47:48 well, i guess we would not do it on systems where we detect it 16:48:33 dustymabe: i think so 16:49:35 hmm, yeah that could be a nice path. so then the main downside is it's more work 16:50:09 well, it's more work and we could get it wrong too 16:50:15 :) 16:50:34 i'm OK with either path, but am a bit gassed when it comes to "extra effort" things right now 16:50:51 yeah, I think I'd lean option 2 to reduce effort 16:51:06 +1 16:51:20 also, doesn't option 2 benefit other rpm-ostree-based editions more? 16:51:40 bgilbert: we have to do option 2 anyway 16:51:47 okay 16:51:52 i.e. we need to get that PR tested and merged 16:52:27 i guess the difference between the two options here is: "do we do something extra to try to prevent users from getting locked out in a worst case scenario" 16:53:23 right, even if we get something wrong in 1, it wouldn't break sshd 16:53:44 well. it depends on how wrong we got it :) 16:54:49 sure, i think we'd have to mess up harder to break it entirely :) 16:55:06 anyway, cool with 2. though still feeling uneasy about it 16:55:36 #proposed? 16:56:52 #proposed we will go with option 2, where we will rely on an updated migration service shipped by sshd that works on OSTree-based systems and give a heads up on coreos-status 16:57:06 +1 16:58:11 anyone else? bgilbert? 16:58:13 +1 16:58:26 #agreed we will go with option 2, where we will rely on an updated migration service shipped by sshd that works on OSTree-based systems and give a heads up on coreos-status 16:58:28 now - to split up the remaining work :) 16:59:04 dustymabe: maybe we can discuss that OOB? 16:59:04 we need to get the RPM update finished/merged (preferrably before beta goes out so it can get wide testing for all of FEdora) 16:59:12 and we need someone to do the status post 16:59:38 jlebon: WFM 16:59:48 +1 17:00:02 #topic F38 Change: Shorter Shutdown Timer 17:00:05 #link https://github.com/coreos/fedora-coreos-tracker/issues/1404 17:00:43 looks like maybe we are on our own here? 17:00:55 travier opened an MR in https://src.fedoraproject.org/rpms/fedora-release/pull-request/249 for keeping the previous default in FCOS 17:00:58 pinged mhayden and davdunc in the ticket to see what they thought 17:01:40 Just as an info: We (server) are still discussing 17:02:04 pboy: +1 17:02:09 pboy: good to know 17:02:21 pboy: any short summary? 17:02:28 i guess we can get that MR merged for now and other editions can apply the same change in follow-ups? 17:02:35 My tendency is to keep the default 17:02:52 Some are for shorter timeout. 17:03:25 pboy: yeah, the default is nice 17:03:41 Collin Walters argments espresses my concerns. 17:03:45 i just with the default was only changed for "desktop like editions" where the value is greatest (IMO) 17:03:57 s/with/wish 17:04:46 pboy: indeed 17:05:30 I guess we can agree to try to get the PR merged and the RPM built so we can include it? 17:05:32 jlebon: ^^ 17:05:32 it'd be cool if we had a way to structure operating systems with like a core and derived things from it 17:06:21 dustymabe: WFM. want to try a #proposed? 17:06:25 (and not, for example also try to make boots prettier for desktop systems by wedging a systemd unit into grub in the core grub package) 17:06:44 jlebon: go for it if you don't mind 17:07:32 #proposed we will get the fedora-release MR merged which currently only affects FCOS for now so that we can include it and verify it 17:08:03 +1 17:08:41 #agreed we will get the fedora-release MR merged which currently only affects FCOS for now so that we can include it and verify it 17:08:56 dustymabe: did you want to talk about https://github.com/coreos/fedora-coreos-tracker/issues/1350 ? 17:09:59 it's been on our list for a while to discuss. I think we maybe want to wait until we have more people here to discuss.. but maybe we have enought today? 17:10:06 it's certainly not urgent 17:10:45 we could also just discuss it and give a preliminary summary 17:10:50 good either way 17:10:55 sure 17:11:02 #topic evaluate inclusion of GPU firmware 17:11:05 #link https://github.com/coreos/fedora-coreos-tracker/issues/1350 17:12:19 dustymabe: go for it :) 17:12:58 jlebon: I think the TL;DR is that the gpu firmware got broken out into their own subpackages 17:13:08 and we lost them from FCOS for a period of time 17:13:23 we agreed to add them back, but also agreed to discuss in the future if we should remove them 17:13:31 i.e. space savings 17:14:06 i think my current stance is that it's more work to remove them than it is to leave them in so let's just leave them in 17:14:21 well. I guess maybe it's not a lot of work to remove them 17:14:51 but we would have to make sure things are communicated properly and provide people with "here's how to do it now" type of docs 17:15:06 i think the work to remove them lies mostly in evaluating the impact to users 17:15:12 i think the case we hit when they got removed was some GPU processing workloads stopped working 17:16:49 anybody with any other thoughts on this? 17:17:04 maybe we should keep them until we have container layering working well and documented? 17:17:28 jlebon: that could be part of the proposed "re-evaluate in future when..." 17:17:34 if we historically shipped them, and we have users using them, I'm not sure it's worth the effort to go through a deprecation and removal 17:17:46 bgilbert: that WFM too 17:18:07 we historically shipped their content because it was just all included in the linux-firmware package 17:18:16 right 17:18:17 also WFM 17:18:21 I think some of the problem now be that the GPU firmwares are getting larger 17:18:26 might make sense as part of a larger space-savings initiative in the future 17:18:32 +1 17:19:32 #proposed we will keep the firmwares for now as users currently rely on them. we may in the future remove them as part of a larger space-savings initiative. 17:20:07 jlebon: +1 - thought the question may be: do we close the issue or leave it open? 17:20:11 though* 17:20:46 dustymabe: i'd say close. we'd track a larger initiative in its own ticket. 17:21:17 +1 17:21:48 will assume bgilbert is +1 based on the above, so: 17:21:49 #agreed we will keep the firmwares for now as users currently rely on them. we may in the future remove them as part of a larger space-savings initiative. 17:21:56 +1 to proposed 17:22:02 :) 17:22:06 #topic Open Floor 17:22:12 I was going to suggest mentioning it in https://github.com/coreos/fedora-coreos-tracker/issues/186 but that's also closed 17:22:43 ok I have something 17:22:45 i think with layering, there's a bunch of things we could reconsider 17:22:59 well a few things I guess 17:23:09 we should get a talk or two submitted to devconf.cz 17:23:30 I think they were asking for more os distro talks 17:24:00 oh interesting. hadn't noticed it was in the summer this time 17:24:03 yep 17:24:11 the other thing I wanted to bring up 17:24:32 I just noticed after running my scripts today that one of the changes dropped off the list that definitely didn't get pushed to f39 17:24:36 so I did some investigation 17:24:43 and found a few missing changes 17:25:15 that maybe we should discuss real quick 17:25:52 sure 17:26:00 https://hackmd.io/T3F32w5aSiywOd_ekB8HKw?view 17:26:19 so item 104 z13 as the Baseline for IBM Z Hardware 17:26:30 item 105 Pcre Deprecation 17:26:44 item 117 Server Prohibits Byte-swapped Clients 17:26:55 item 118 Unified Kernel Support Phase 1 17:27:07 those are the ones that were missing 17:27:37 the Unified kernel one is something I hadn't looked at before 17:28:25 117 is a definite skip 17:28:34 jlebon: yep 17:28:43 the remaining ones, maybe we should discuss in the next meeting? i don't think it'll be real quick :) 17:29:33 yeah. UKI phase 1 is mostly optional stuff 17:29:47 not sure about the z13 baseline for IBM Z 17:29:51 ok we can do that next meeting 17:30:10 not sure either. i wonder what the baseline z for RHEL is 17:31:19 i would assume it's transparent to us and just means that *there may be* things we could do better in e.g. cosa but we'd need an s390x SME 17:31:59 ok, will close the meeting in 45s unless there's anything else 17:32:44 #endmeeting