fesco
LOGS
17:03:52 <dgilmore> #startmeeting FESCO (2014-06-25)
17:03:52 <zodbot> Meeting started Wed Jun 25 17:03:52 2014 UTC.  The chair is dgilmore. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:03:52 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
17:03:55 <nirik> yep
17:03:58 <dgilmore> #meetingname fesco
17:03:58 <zodbot> The meeting name has been set to 'fesco'
17:03:58 <dgilmore> #chair abadger1999 dgilmore jwb kylem mattdm mitr mmaslano nirik pjones  sgallagh t8m
17:03:58 <zodbot> Current chairs: abadger1999 dgilmore jwb kylem mattdm mitr mmaslano nirik pjones sgallagh t8m
17:04:01 <pingou> mattdm: nice timing :)
17:04:01 <dgilmore> #topic init process
17:04:03 <pjones> hello.
17:04:06 <mattdm> magic!
17:04:06 <mitr> Hello
17:04:08 <kylem> bueller.
17:04:08 <nirik> morning
17:04:26 <abadger1999> Hola
17:04:27 <dgilmore> looks like we have enough folks
17:04:31 <mattdm> I have a hard stop at 10 before the hour, btw.
17:04:33 <dgilmore> lets get started
17:04:40 * jreznik is around
17:04:45 <dgilmore> mattdm: its a short agenda
17:05:22 <dgilmore> #topic #1310 Reconsidering rpcbind's exception allowing it to start by default
17:05:26 <dgilmore> .fesco 1310
17:05:27 <dgilmore> https://fedorahosted.org/fesco/ticket/1310
17:05:28 <zodbot> dgilmore: #1310 (Reconsidering rpcbind's exception allowing it to start by default) – FESCo - https://fedorahosted.org/fesco/ticket/1310
17:06:55 <dgilmore> not sure where we are with this
17:07:10 <nirik> we were waiting for some feedback from steved..
17:07:18 <nirik> which doesn't seem to have happened.
17:07:28 <dgilmore> yeah
17:07:48 <nirik> but if it's needed for the client, I'm inclined to leave it autostarting (at least for now)
17:08:00 <dgilmore> i know it is needed for the client
17:08:04 <mattdm> the comment about it being socket-activated seems like a balancing factor.
17:08:13 <abadger1999> s/autostarting/start by default/ ?
17:08:19 <mattdm> that is, it's not _really_ autostarted unless needed?
17:08:27 <dgilmore> The question seems to be can rpcbind be started automatically when you go to mount a nfsv3 share
17:08:28 <abadger1999> I think steved asked whether it would start on-demand.
17:08:37 <mitr> mattdm: From a security/risk limitation perspective socket activation makes no differene.
17:09:09 <mattdm> mitr true. but from a resource consumption one it does.
17:10:11 * abadger1999 notes that socket activation is something that fesco should be addressing in its "autostart" list but currently hasn't set precedent by doing so.
17:10:32 <mattdm> abadger1999: yeah
17:11:15 <dgilmore> I guess someone need to test if rpcbind starts when needed, and if it doesn't can it be made to do so
17:12:03 <mitr> Do I read steved's note right that on the client, we need rpcbind running but not necessarily network reachable?  Having the default localhost-only but enabled would be much more attractive to me.
17:12:24 <mattdm> mitr yes, I think that's correct
17:13:07 <amluto> IIUC the client needs nfs-lock.service (unless -o nolock is set), and nfs-lock.service requires rpcbind.service
17:13:19 <dgilmore> So the question is will this type of network activity (remote and local) cause rpcbind to start before its needed? If the answer is yes, then good I will be more than willing to try.
17:13:39 <amluto> so the only likely regression i can think of is that maybe omitting -o nolock behaves better if rpcbind is running (but not nfs-lock.service) than if rpcbind isn't running
17:14:45 <nirik> so, wait another week for steved? assign one of us to just do the testing?
17:15:20 <dgilmore> lets wait one week, for further feedback, if none then we get someone to do some testing and provide it
17:15:55 <abadger1999> And be sure to comment on the ticket what we're wanting to know :-)
17:15:59 <nirik> +1
17:16:07 <dgilmore> abadger1999: already writing it up
17:16:10 <mattdm> okay, sure. doesn't seem urgent
17:16:11 <abadger1999> Cool.
17:16:12 <mattdm> +1
17:16:54 * kylem can do the testing.
17:17:18 <kylem> i can also harass steved tomorrow.
17:17:23 <dgilmore> kylem: okay
17:17:30 <mattdm> kylem: do both! :)
17:17:41 <kylem> i'll update the ticket before the next meeting with whatever the result is.
17:17:57 * jwb shows up
17:17:59 <dgilmore> #action kylem to test and harass steved to find out if things can be made to work for nfsv3
17:17:59 <abadger1999> Thanks
17:18:13 <dgilmore> kylem: thanks i wont add anything to the ticket then
17:18:23 <kylem> ok. no problemo.
17:18:30 <dgilmore> lets move on
17:18:31 <dgilmore> #topic #1311 Disable syscall auditing by default
17:18:31 <dgilmore> .fesco 1311
17:18:33 <dgilmore> https://fedorahosted.org/fesco/ticket/1311
17:18:33 <zodbot> dgilmore: #1311 (Disable syscall auditing by default) – FESCo - https://fedorahosted.org/fesco/ticket/1311
17:19:31 <dgilmore> are waiting further info here on the actual performance impact
17:19:42 <dgilmore> I think we are waiting further info here on the actual performance impact
17:19:44 <mattdm> I got some feedback from steve grubb
17:19:56 <mattdm> he, in turn, is waiting for the performance team to do some testing
17:20:35 <dgilmore> okay, so wait a week for more feedback?
17:20:41 <dgilmore> or should we wait longer?
17:20:53 <mattdm> I'll ping and ask the rough timeline
17:21:21 <dgilmore> okay lets update the ticket when we know when we should expect feedback so we can skip until then
17:21:36 <mattdm> however, he did say that it's probably going to be on a slower schedule than fedora might like
17:21:57 <kylem> nobody has made a particularly good case why it should stay on...
17:22:12 <kylem> besides "it helps sometimes"
17:22:32 * nirik nods.
17:22:44 <dgilmore> indeed
17:22:47 <kylem> then again, if a handful of ns per syscall is really a performance concern, you can turn it off yourself anyway.
17:22:51 <pjones> with the counterpoint "it clearly hurts sometimes"
17:22:55 <kylem> pjones, indeed.
17:23:01 <mattdm> kylem correct. I think the case is basically: if it's on in fedora, people are more likely to notice when something goes wrong and we get this feedback, which helps for the few people for whom it is vital
17:23:03 <kylem> amluto makes a good point wrt security too.
17:23:03 <pjones> and "it doesn't seem to be maintained, so it will hurt more in the future"
17:23:22 <kylem> (then again, the same is true for a lot of kernel code.)
17:24:03 <amluto> this particular piece of kernel code is unusual in that seccomp can't protect against it
17:24:29 <pjones> kylem: yeah, but not much of the code you're referencing is on /every/ syscall path
17:24:34 <mattdm> And, from my point of view... I appreciate that role of fedora in general, but I don't think that very many people are actually using it in fedora in a way that really helps
17:24:38 <kylem> indeed. frankly, i turn it off anyway, so i'm +1.
17:24:45 <kylem> ;-)
17:24:46 <mitr> pjones: The 32-on-64 case is AFAIK being actively addressed right now; the code is maintained but nobody is actively looking for bugs every week
17:25:00 <nirik> if we want to turn it off, we should be clear which way we want to turn it off. ;)
17:25:02 <pjones> mitr: well, that's some consolation.
17:25:30 <amluto> mitr: what 32-on-64 case?  is there yet another bug i don't know about?
17:25:35 <mitr> nirik: yeah; I'd be fairly strongly against kicking it out of the kernel; the default rule to disable it for all processes would be quite fine
17:25:50 * nirik nods. Just need to be clear.
17:25:58 <mitr> amluto: I'd expect everything to be discussed on linux-audit (but I'm not subscribed there)
17:26:03 <abadger1999> mitr: +1
17:26:44 <mitr> I'm still not _thrilled_ with disabling it, and dwalsh does say that it is somewhat useful, but nobody has been too strongly fighting for leaving it on either, so...
17:27:26 * nirik is ok with the disable for all processes config option.
17:27:34 * pjones is too
17:28:53 <mattdm> Is there a way we can turn it off in the cloud image which allows auditd to not be installed/running?
17:29:21 <jwb> isn't that what nirik just mentioned?
17:29:27 <mitr> mattdm: You need to run an auditctl command (i.e. have the package installed) but that doesn't require auditd running
17:29:41 <dgilmore> im okay with turning off for all processes, especially if we document a way to turn it on for the use cases where it is useful
17:29:48 <mitr> mattdm: That might be deviating from the default setup somewhat but AFAIK is fairly feasible
17:31:07 <amluto> mattdm: if nothing has ever enabled audit (that is, auditctl -e 1 or the equivalent never happens after boot), then syscall auditing will be off
17:31:17 <amluto> I think that, if auditd is not installed, then that's what happens
17:31:59 <mattdm> Okay -- I thought someone told me otherwise. But I may just be confused. This is definitely not an area of expertise for me -- we never had to audit things at this level at my sysadmin jobs :)
17:32:21 <dgilmore> should we vote on something or wait?
17:32:36 <pjones> mitr: that might be an argument for splitting the package into a -daemon and -tools or somesuch
17:32:47 <kylem> well, i assume we're not going to change f20, so i don't see harm in deferring the vote another week for rawhide.
17:33:02 <dgilmore> we wont change f20
17:33:15 <mitr> dgilmore: If we could expect to hear back from the perf team soon enough, I don't see harm in waiting (but then I don't see much harm in just flipping it now and perhaps flipping it back later)
17:33:18 <dgilmore> lets see if some magic data comes back soon
17:33:28 <mitr> pjones: It might; I'm not so intent on saving every 100 kb
17:33:40 <mattdm> mitr, pjones yes, it is small.
17:34:07 <abadger1999> mitr: I feel the same as you.
17:35:04 <mattdm> I'm +1 to mitr's parenthetical proposal
17:35:24 <mattdm> flip it now, and leave open the possibility of flipping it back if more data comes in
17:35:32 <abadger1999> +1 to mitr's proposal as well.
17:35:42 * nirik is +1 too
17:35:53 <mitr> Count me as +1 to either :)
17:36:36 <dgilmore> #proposal turn off syscall auditing for all processes by default. we will reevaluate when we get infor from the perf team
17:36:38 <pjones> Might be worth flipping it now and seeing if we get any anecdata in return.
17:36:46 <pjones> dgilmore: +1
17:36:47 <dgilmore> #proposal turn off syscall auditing for all processes by default. we will reevaluate when we get info from the perf team
17:36:56 <mattdm> dgilmore: +1
17:37:00 * dgilmore fixes typo
17:37:02 <nirik> dgilmore: +1
17:37:04 <abadger1999> dgilmore: +1
17:37:37 <dgilmore> since mitr did not actually put up a proposal
17:37:52 <dgilmore> we need one more +1 i think
17:37:57 <mitr> dgilmore: +1
17:38:03 <dgilmore> though i am +1 to my proposal
17:38:39 <dgilmore> #agreed turn off syscall auditing for all processes by default. we will reevaluate when we get info from the perf team (6-0-0)
17:38:52 <dgilmore> #topic #1312 F22 System Wide Change: Replace Yum With DNF - http://fedoraproject.org/wiki/Changes/ReplaceYumWithDNF
17:38:57 <dgilmore> .fesco 1312
17:38:57 <dgilmore> https://fedorahosted.org/fesco/ticket/1312
17:38:57 <zodbot> dgilmore: #1312 (F22 System Wide Change: Replace Yum With DNF - http://fedoraproject.org/wiki/Changes/ReplaceYumWithDNF) – FESCo - https://fedorahosted.org/fesco/ticket/1312
17:39:18 <dgilmore> didnt we approve this last week?
17:39:27 <nirik> yep
17:39:35 <mattdm> yeah there was something about asking the dnf maintainers here to talk more
17:39:44 <mattdm> but I don't actually have anything more to add :)
17:39:52 <mattdm> I said what I think
17:40:08 <mattdm> and after the devel mailing list I think it could use a nice calm rest
17:40:31 <dgilmore> okay, so lets get the ticket updated, actually invite dnf guys if we have questions for them
17:40:58 <dgilmore> #action dgilmore will look back at last weeks minutes and update the ticket appropriately
17:41:14 <dgilmore> #topic Next week's chair
17:41:24 <dgilmore> who wants to run the meeting next week?
17:41:33 <nirik> I've not done it in a while, I can
17:42:21 <dgilmore> #action nirik to run next weeks meeting
17:42:27 <dgilmore> #topic Open Floor
17:42:32 <mattdm> So.... https://fedorahosted.org/fesco/ticket/1317
17:42:36 <dgilmore> anyone have anything?
17:42:39 <mattdm> the election...
17:42:51 <nirik> yeah, we should move that forward
17:42:56 <mattdm> Last week, sgallagh tasked me with sending out an announcement as FPL
17:43:15 * kylem will be without internet in the wild and miss the meetings in 2 weeks and 3 weeks. apologies in advance.
17:43:15 <mattdm> but I'd like the details of what exactly is to be announced worked out :)
17:44:10 <mattdm> I'm happy to help and to send messages and lend voice and etc., but would someone else be able to drive this?
17:44:14 <nirik> proposal: nominations from announcement time to 2014-07-07, election from 2014-07-07 to 2014-07-14
17:44:28 <kylem> what is everyones thoughts about me stepping down to let notting's seat be re-elected?
17:44:40 <nirik> kylem: you can do so if you like. ;)
17:44:49 <mattdm> kylem If you want to, do it sooner rather than later :)
17:44:50 <abadger1999> yeah, entirely your choice to me.
17:44:55 <dgilmore> kylem: your choice
17:45:10 <pjones> what they all said.
17:45:11 <kylem> ok. i'll do that then. ;-)
17:45:21 <nirik> ok, so 3 seats?
17:45:23 <pjones> Alright, then we're electing 3 seats.
17:45:39 <kylem> sounds right to me.
17:45:48 <pjones> nirik: +1 to that timeline
17:45:58 <dgilmore> nirik: +1
17:46:04 <kylem> +1
17:46:29 <nirik> the last election we didn't do a questionare... we could do a townhall tho if desired. Not sure how usefull they have been.
17:46:38 <abadger1999> nirik: +1
17:46:58 <mattdm> nirik We should have some standard questions for the questionnaire
17:47:46 <mitr> nirik: The townhalls were always useful to me; knowing about a long-term contributor doesn't always mean knowing their thoughts on the questions of the day.
17:48:13 <nirik> mattdm: we could, but in the past we asked for people to ask, and got very little response...
17:48:16 <mattdm> I can be +1 to the timeline, but it might be nice to have another week for publicity and letting potential candidates think about it.
17:48:19 <nirik> we could do a townhall next week?
17:48:23 <dgilmore> i know last election cycle the townhalls didnt work out
17:48:26 <mattdm> nirik: yeah that's a whole problem with the whole thing.
17:48:34 <dgilmore> due to devconf and people travelling
17:48:37 <mattdm> ftr I tried to give some but I put them in the wrong place :)
17:49:04 <mattdm> in any case, I need to go.
17:49:47 <dgilmore> thanks mattdm
17:49:49 <kylem> thanks matt.
17:49:54 <nirik> ok.
17:50:12 <dgilmore> should we reuse the questions from last cycle?
17:50:33 <jreznik> any volunteer for elections wrangler? while talking about elections, maybe I missed it
17:50:55 <dgilmore> jreznik: not that I know of
17:51:05 <nirik> I've not seen one, but would be great to have one to nag everyone to keep things moving
17:52:17 <dgilmore> anyone want to volunteer to run the elections?
17:52:19 <jreznik> for special elections, it's maybe not as much needed as for standard ones
17:52:23 <dgilmore> abadger1999: ^
17:52:38 <jreznik> but it's always to have someone you know he's responsible for to avoid mess
17:53:08 * abadger1999 doesn't want to but is willing to handle the technical aspects (setting up the electrion in the election app and getting the results to the person making the announcement)
17:53:20 <abadger1999> Since I'm not running I can do that :-)
17:54:11 <dgilmore> abadger1999: so you will be the wrangler?
17:54:49 * dgilmore needs to run in a minute
17:54:50 <abadger1999> dgilmore: no.  I'll handle the technical side of it.
17:54:57 <dgilmore> abadger1999: okay just clarifying
17:55:10 <abadger1999> not the schedule/townhall/etc side.
17:55:36 <jreznik> I can help with schedule, as I always do it
17:55:40 <dgilmore> so we need a wrangler, we need to set a schedule and we need to work out questionaire, townhall details
17:56:13 <jreznik> but I never did that questionaire/townhall stuff
17:56:28 <dgilmore> jreznik: want to learn?>
17:57:07 <jreznik> dgilmore: why not? it's probably going to be easier if I do it whole with abadger1999 to setup bits
17:57:25 <dgilmore> #info jreznik to be election wrangler
17:57:42 <dgilmore> anything else we need to sort out here today?
17:57:46 <jreznik> what's the timeframe for it? asap?
17:57:55 <dgilmore> jreznik: yep
17:58:37 * nirik notes we sort of agreed on a schedule above... although mattdm wanted perhaps another week of lead time
17:59:06 <dgilmore> nirik: can you take over the last bit of the meeting please, i really need to run
17:59:23 <jreznik> nirik: ah, ok I see it
17:59:40 <nirik> dgilmore: sure. I think we are almost done...
17:59:45 <nirik> any other open floor business?
17:59:52 <jreznik> I'll take a look tomorrow, will update the ticket with proposal
18:00:01 <jreznik> nirik: one topic - schedule
18:00:04 <abadger1999> another week would be fine for me too.
18:00:05 <dgilmore> jreznik: nirik: thanks
18:00:15 * nirik would be ok moving the elections out another week too.
18:00:21 <kylem> indeed, i'm fine with pushing all dates in mattdm's original proposal out a week
18:00:42 <jreznik> we are still in "no earlier than" in the schedule and folks started pinging me if change freeze/branch is happening for real or they have more time
18:01:01 <nirik> jreznik: Yeah, I thought we finalized that a while ago, but perhaps I am wrong.
18:01:07 <mitr> jreznik: prooposal: s/no earlier than //g
18:01:12 <nirik> mitr: +1
18:01:28 <jreznik> it makes sense
18:01:32 <abadger1999> at least for change freeze and branch that makes sense.
18:02:08 <jreznik> abadger1999: well, we can remove "no earlier than" and continue with standard slipage from this point
18:02:19 <abadger1999> really.. we could slip no matter what the schedule says so  "no earlier than" is just telling people that hte schedule is more fluid than normal this time around.
18:02:28 <abadger1999> jreznik: yeah.  agreed.
18:02:46 <abadger1999> mitr: +1 to your proposal
18:02:47 <jreznik> maybe I just missed we agreed it's really that final, I consider it as final, just want final confirmation
18:03:38 <nirik> more votes please? thats +3 assuming mitr is for his proposal. ;)
18:03:45 * mitr is +1 for the record
18:03:54 <kylem> +1
18:04:00 <pjones> eh, +1 I guess.
18:04:49 <nirik> #agreed Will finalize current schedule and remove 'no earlier than' from milestones. (+5,0,0)
18:04:55 <nirik> anything else for open floor?
18:05:04 <jreznik> thanks!
18:06:30 <nirik> ok, if nothing else will close meeting in a random indeterminate time around a minute from now.
18:07:08 <abadger1999> :-)
18:07:11 <kylem> heh
18:07:23 <nirik> ok, thanks for coming everyone!
18:07:26 <nirik> #endmeeting