09:00:16 <jdieter> #startmeeting Towards an Atomic Workstation
09:00:16 <zodbot> Meeting started Tue Aug 2 09:00:16 2016 UTC. The chair is jdieter. Information about MeetBot at http://wiki.debian.org/MeetBot.
09:00:16 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
09:00:16 <zodbot> The meeting name has been set to 'towards_an_atomic_workstation'
09:00:30 <jdieter> #meetingname flock2016
09:00:30 <zodbot> The meeting name has been set to 'flock2016'
09:00:56 <jdieter> So, what's the Fedora workstation?
09:01:00 <jdieter> Christian gave a talk an hour ago about it
09:01:09 <jdieter> Basically, it's a developer workstation
09:01:30 <jdieter> It's a traditional desktop, but slanted towards developers
09:01:40 <jdieter> We use lots of stuff from freedesktop.org
09:01:56 <jdieter> It's not just the graphical environment
09:02:03 <jdieter> Lots of other additional applications
09:02:06 <jdieter> Libreoffice is the big one
09:02:13 <jdieter> Mostly a pretty stock GNOME installation
09:02:18 <jdieter> With some other things
09:02:25 <jdieter> So what do we want to do next?
09:02:45 <jdieter> A lot of what we're doing right now is potentially changing how we distribute applications
09:03:08 <sgallagh> You can think of it as a way to sandbox applications
09:03:15 <jdieter> Flatpak is a way of sandboxing and distributing applications
09:03:23 <jdieter> Sandboxing isn't quite there yet
09:03:32 <sgallagh> A lot of the sandboxing features aren't finished. They depend on Wayland and cgroups features that are still being worked on
09:03:44 <jdieter> It has a concept of runtimes
09:04:02 <jdieter> A collection of libraries and dependencies which an application needs to run
09:04:15 <sgallagh> A collection of libraries and features like Cairo, gstreamers etc. that an application might expect to have available is a runtime
09:04:30 <sgallagh> There might be different layers: base, freedesktop, gnome, etc.
09:04:33 <jdieter> We don't anticipate that there will be too many runtimes available
09:04:47 <sgallagh> You also have applications that may include some pieces that are traditionally part of the runtime
09:05:02 <jdieter> You can include a library with an application
09:05:17 <jdieter> Graphical support is ready right now
09:05:19 <sgallagh> Such as bundling different versions of software from the runtime or packages that would have reasons not to be in the runtime (such as legal)
09:05:50 <jdieter> Most of the stuff has been backported to F24, so it's pretty usable
09:06:11 <jdieter> Right now, any application has access to anything the user has access to
09:06:49 <jdieter> What FlatPak does is use user-namespaces, cgroups, etc and bind-mounts an empty system to give the application very limited access
09:06:53 <sgallagh> Flatpak uses kernel namespaces to give applications access to very limited capabilities
09:07:26 <jdieter> We have special interfaces to dbus
09:07:40 <jdieter> Sandboxing isn't quite fully fledged yet
09:07:41 <sgallagh> Sandbox isn't fully fleshed yet, but it's coming along.
09:07:51 <sgallagh> Using gsettings is complicated and still being worked on
09:08:01 <sgallagh> The code doesn't exist in usable form ye
09:08:02 <sgallagh> *yet
09:08:21 <sgallagh> We will talk later about Portals which will give access to things that would normally be prevented.
09:08:23 <jdieter> I'll talk about portals, which is how users get access to the system
09:09:21 <jdieter> Questions about liability if patent-encumbered libraries in a Flatpak
09:09:33 <sgallagh> Security updates haven't really been solved yet.
09:09:53 <sgallagh> Person who ships the runtime is responsible for maintaining it (e.g. distribution vs the application)
09:10:18 <jdieter> This is a social problem
09:10:50 <sgallagh> As an application developer, you can override anything on the system that you need to. It remains to be seen what an acceptable level of overlap is.
09:10:50 <jdieter> You can override system libraries by putting different versions of libraries in your Flatpak
09:11:09 <jdieter> This does somewhat lessen the impact of the distribution as a whole
09:12:06 <jdieter> Flatpak may be safer than a distribution package as they don't have access to everything
09:12:37 <sgallagh> The reason for having the runtime as a single blob is to remove the situation where packages updated individually cause other packages to fail. Things will be tested and updated as a unit.
09:13:17 <jdieter> We're not sure what updates will look like.
09:13:23 <jdieter> We hope they'll be more stable
09:13:39 <jdieter> #topic An ostree Fedora
09:14:14 <jdieter> An ostree workstation uses ostree for filesystem versioning
09:14:16 <sgallagh> An ostree workstation is going to use ostree for producing versioned, bootable filesystem trs
09:14:18 <sgallagh> *trees
09:14:26 <jdieter> It's like git for a full filesystem
09:14:53 <jdieter> rpm-ostree takes RPMs and puts them into an ostree repository
09:14:59 <sgallagh> Something that's useful from the Fedora side is rpm-ostree, which takes packages from the distribution and puts them into the repo
09:15:40 <jdieter> This is done on the server
09:16:13 <jdieter> The filesystem is mostly read-only
09:16:32 <jdieter> The RPM database is read-only
09:17:00 <sgallagh> You can use package layering to inject whatever packages you want into your local system (but not on the server side)
09:17:00 <jdieter> There's package layering support to add things on top of rpm-ostree
09:17:11 <jdieter> Q: Why would you need the RPM database?
09:17:13 <sgallagh> Q: Why would you need an RPM database?
09:17:25 <jdieter> A: Lots of things in Fedora expect it
09:17:26 <sgallagh> A: Many things in Fedora require the database.
09:17:40 <jdieter> Can get changelogs
09:17:49 <jdieter> Lots of enterprises use the RPM database for inventory
09:17:57 <jdieter> And it's a well-known API
09:18:38 <jdieter> Will be composed from ostree for base OS
09:18:47 <sgallagh> We think that you're going to be using flatpaks for applications in the future
09:19:23 <jdieter> Users get to test applications without affecting rest of OS
09:19:53 <jdieter> This can be tested in Fedora 24
09:20:09 <jdieter> It *doesn't* work in Fedora 24
09:20:15 <jdieter> But we're planning to backport it
09:20:18 <jdieter> * from audience
09:20:55 <jdieter> #topics improvements over traditional package management
09:21:04 <jdieter> #topic #meetingname flock2016
09:21:26 <jdieter> #topic improvements over traditional package management
09:22:03 <jdieter> The first advantage is that the whole update is done at once
09:22:18 <jdieter> Compose is done on the server, the updates/rollback on the client
09:23:05 <jdieter> Updates only happen on reboot
09:23:47 <jdieter> From a developer's point of view, it's really good
09:24:09 <jdieter> Currently constrained by distributions for which version of application you use
09:24:39 <jdieter> With this, you can get a newer application into user's hands much easier
09:24:50 <jdieter> Or get users to try development version
09:25:35 <jdieter> If you ever want to use Flatpak to bundle an application, it's actually pretty easy
09:25:53 <jdieter> Some small changes, but it's not very difficult
09:26:06 <jdieter> There's a trust model as well
09:26:14 <jdieter> Flatpak uses GPG signatures in repositories
09:26:48 <jdieter> Not sure how it will scale
09:27:35 <jdieter> If you want to make sure users are using *your* version of the application, Flatpak allows you to do that
09:27:49 <jdieter> Helps with QA
09:28:20 <jdieter> #topic rpm-ostree basics
09:28:30 <jdieter> I'm going to throw some random commands on the screen
09:28:53 <jdieter> https://pagure.io/workstation-ostree-config
09:28:58 <jdieter> This is a configuration I've put up
09:29:11 <jdieter> It's basically the workstation package set
09:29:17 <jdieter> Mostly everything works
09:29:54 <jdieter> You can also convert an existing filesystem to use ostree
09:30:05 <jdieter> There's a list of commands
09:30:23 <jdieter> It's ugly at the moment, but we hope people will be using an installer in the future
09:30:37 <jdieter> There are quite a few ways to create an install image
09:31:06 <jdieter> rpm-ostree-toolbox is a set of scripts on top of rpm-ostree which is on top of ostree
09:31:31 <jdieter> Koji doesn't use rpm-ostree-toolbox. It uses lorax
09:32:17 <jdieter> It's not really clear which method we're going to actually use
09:32:37 <jdieter> We want to keep anaconda, but there might be some things we don't want in it
09:32:47 <jdieter> #topic Current weak points in flatpak
09:33:01 <jdieter> Some applications are available as Flatpak, most are not
09:33:10 <jdieter> It's only been available since F24
09:33:26 <jdieter> I think the number of bundles will continue to increase
09:33:41 <jdieter> GNOME is doing continuous integration for testing
09:34:06 <jdieter> A portal sits between the sandbox and the host system
09:34:15 <jdieter> And allows you to poke holes in the sandbox
09:34:28 <jdieter> For instance, get access to webcams, joysticks, etc.
09:34:53 <jdieter> There's a lot of development, but it's not ready yet
09:35:03 <jdieter> File choosers are ready now
09:35:13 <jdieter> I think an audio portal is ready, so you can output sounds
09:35:40 <jdieter> Luckily mobile platforms have already blazed the trail for sensible defaults
09:36:01 <jdieter> The kernel sandboxing features haven't been heavily tested
09:36:15 <jdieter> Only a month ago, a vulnerability was found there
09:36:39 <jdieter> Depends on systemd --user sessions, so it's not available in RHEL 7
09:37:56 <jdieter> #topic Problems with an ostree Workstation
09:38:16 <jdieter> Alternatives don't work
09:38:33 <jdieter> We'll need to come up with new ways of doing those things
09:38:51 <jdieter> Package layering doesn't run %post scripts
09:38:57 <jdieter> Other limitations
09:39:10 <jdieter> Some people won't like needing to reboot for a new system.
09:39:43 <jdieter> SELinux updates cause breakages on a regular basis
09:39:59 <jdieter> There will be plenty more surprises, so we need more users and testers
09:40:15 <jdieter> Patrick will give a talk tomorrow about using it on his home system.
09:40:32 <jdieter> #topic Problems with creating ostree artifacts in Fedora
09:40:45 <jdieter> Koji doesn't yet know how to produce flatpak bundles
09:40:57 <jdieter> There isn't yet an easy way to create an ostree installer
09:41:42 <jdieter> rpm-ostree doesn't use comps as input for the package manifest
09:41:55 <jdieter> #topic Further resources
09:42:15 <jdieter> ostree: https://github.com/ostreedev/ostree
09:42:23 <jdieter> flatpak: http://flatpak.org
09:42:42 <jdieter> IRC: #fedora-workstation on freenode, #gnome-os on irc.gnome.org
09:43:06 <jdieter> Mailing List: https://lists.fedoraproject.org/archives/list/desktop@lists.fedoraproject.org/
09:43:25 <jdieter> #topic Questions
09:44:59 <jdieter> There are plans to create Flatpak bundles out of rpms.
09:45:41 <jdieter> The idea is to give Koji the ability to create a Flatpak out of a spec file
11:29:47 <zodbot> michalrud: Error: Can't start another meeting, one is in progress.
11:30:01 <michalrud> #endmeeting
11:30:09 <zodbot> michalrud: Error: Can't start another meeting, one is in progress.
11:32:01 <michalrud> #endmeeting
11:33:19 <michalrud> #topic
11:36:48 <michalrud> #endmeeting