flock2016
LOGS
12:29:44 <jdieter> #startmeeting Using Fedora Atomic as workstation
12:29:44 <zodbot> Meeting started Wed Aug  3 12:29:44 2016 UTC.  The chair is jdieter. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:29:44 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
12:29:44 <zodbot> The meeting name has been set to 'using_fedora_atomic_as_workstation'
12:29:56 <jdieter> #meetingname flock2016
12:29:56 <zodbot> The meeting name has been set to 'flock2016'
12:31:16 <jdieter> Hi, Good afternoon, everyone
12:31:29 <jdieter> This is my best attended session ever
12:31:33 <jdieter> *applause*
12:31:51 <jdieter> Let's first prove that I'm not going to be bs'ing here
12:32:19 <jdieter> This laptop is now running rpm-ostree at this moment
12:32:26 <jdieter> And has been since January of this year
12:32:32 <jdieter> Presentation over!
12:32:34 <jdieter> ;)
12:32:58 <jdieter> I told people about this, and they said I should tell people about this because it's not trivial
12:33:49 <jdieter> To make marketing happy, I can't call it Atomic, but instead call it rpm-ostree
12:33:57 <jdieter> First some background
12:34:06 <jdieter> #topic Background
12:34:15 <jdieter> Why use it?
12:34:23 <jdieter> The entire root filesystem is read-only and signed
12:34:35 <jdieter> If anything gets changed, you'll see it.
12:34:53 <jdieter> I'm currently running Rawhide and I updated this morning
12:35:02 <jdieter> I dared to do this because if it failed (and it did), I could reverse
12:35:21 <jdieter> Wireless was broken so I reverted it.
12:35:29 <jdieter> Also, it's fun!!!
12:35:38 <jdieter> #topic Limitations
12:35:46 <jdieter> There are no workstation trees available
12:35:49 <jdieter> Dave is working on that
12:35:57 <jdieter> You'll need to build your own trees
12:36:07 <jdieter> You'll want custom packages, and you can't do that right now
12:36:32 <jdieter> rpm-ostree has a lot of bugs, and the fixes come slowly (if at all)
12:37:00 <jdieter> comps is not supported
12:37:08 <jdieter> You have to specify each package by hand
12:37:51 <jdieter> Since you can't add applications (r/o root), you can use docker/vms/Flatpak
12:38:03 <jdieter> Except I haven't managed to get Flatpak working yet
12:38:08 <jdieter> I've gone mostly the docker route
12:38:29 <jdieter> In the end it will be good, but it will cause a lot of pain to set up
12:38:32 <jdieter> #Setting up
12:38:44 <jdieter> Creating a tree
12:39:00 <jdieter> You have a lot of decisions to make.  Some will want to use Gnome
12:39:09 <jdieter> Some people will want to use Emacs, but I want to use vim
12:39:19 <jdieter> And, no, I'm not getting into a war here
12:39:56 <jdieter> I have a separate machine that tries to compose a new tree every five minutes, and if it succeeds, sends it to S3
12:40:15 <jdieter> You need to then create the tree file
12:40:29 <jdieter> There's some documentation
12:40:37 <jdieter> My stuff is all public
12:40:51 <jdieter> You'll want to use scripts, otherwise it's a lot of work
12:41:17 <jdieter> I've got a script that creates a full tree file from a tree file with comps groups.
12:41:27 <jdieter> You then compose the tree file into a tree
12:41:33 <jdieter> Hopefully it works
12:41:53 <jdieter> You will run into problems
12:42:03 <jdieter> dracut-rescue can't be installed, or it will break the compose
12:42:22 <jdieter> You'll have to test, and then go back to the compose step
12:42:32 <jdieter> I've had to repeat up to 100 times
12:43:26 <jdieter> To get it to the point where it's usable for daily use
12:43:32 <jdieter> To just get it to boot is much less hard
12:44:00 <jdieter> Q: Could you just run rpm -qa to get a list of rpms and add them to the tree?
12:44:26 <jdieter> A: Yes, you'll end up with a bunch of extra packages, but it should work
12:44:46 <jdieter> *comment from audience* You should be a provenpackager
12:44:48 <jdieter> I am
12:45:00 <jdieter> *comment from audience* You should fix the packages
12:45:02 <jdieter> I do
12:45:10 <jdieter> Except docker
12:45:17 <jdieter> #topic Deploying the tree
12:45:33 <jdieter> The method I like is a netinstall with a kickstart
12:46:06 <jdieter> About once a month I reimage because rpm-ostree has garbage collection issues
12:46:17 <jdieter> ostreesetup --osname=... --url=...
12:46:24 <jdieter> That is the command to kick off the deployment
12:46:50 <jdieter> Q: What partition setup are you using?
12:47:13 <jdieter> A: I use an LVM volume group
12:47:35 <jdieter> The / needs to be large enough to handle at least 2 full trees
12:47:59 <jdieter> Because of garbage collection issues
12:48:39 <jdieter> Q: What actually *is* signed?
12:48:53 <jdieter> A: The tree and the objects in it
12:49:36 <jdieter> I think it signs the metadata and then the objects
12:49:48 <jdieter> But don't pin me down on that detail, because it's an implementation detail
12:50:01 <jdieter> Q: If you change a file, would that break the signature?
12:50:19 <jdieter> A: Yes, you couldn't because it's read-only, but if you could, it would break the signature
12:50:57 <jdieter> I run secure provisioning that securely sets up LUKS, GRUB, and passwords
12:51:14 <jdieter> So I don't need to be present to do the provisioning
12:51:23 <jdieter> #topic Experiences
12:51:28 <jdieter> I like it
12:51:43 <jdieter> It will take quite a while to get used to when you first set it up
12:51:57 <jdieter> It will take quite a while to get set up if we don't get a tree from... David?
12:51:59 <jdieter> ;)
12:52:15 <jdieter> I like being able to roll back when things go wrong
12:52:38 <jdieter> If you're in a big company, you just roll back if the update fails
12:53:30 <jdieter> Q: When can I use this?
12:53:53 <jdieter> I have 200 desktops, all identical
12:54:13 <jdieter> I'm trying to work out how this works with my system?
12:54:53 <jdieter> A: You can have multiple trees that share packages.  So you'd compose a tree for each of your "images"
12:55:10 <jdieter> Q: Are you running anything in containers or just on the host system?
12:55:29 <jdieter> A: I run most of my development in docker, and the only thing on my host system is ssh and git.
12:56:21 <jdieter> The plan is that Flatpaks will provide user-specific applications
12:57:00 <jdieter> Q: Have you played with mlock and overlays to modify /home without modifying /home?
12:57:06 <jdieter> A: No, I have not
12:57:36 <jdieter> It's kind of cool
12:57:46 <jdieter> Q: Are you going to talk more about specific hiccups you ran into?
12:57:58 <jdieter> A: No, because most of them were specific to certain packages
12:58:20 <jdieter> Q: What about the current Fedora rpm-ostree isn't sufficient?
12:58:46 <jdieter> A: The current Atomic Host only has command-line
12:58:53 <jdieter> I have a GUI in my base system
12:59:07 <jdieter> Q: Do you do daily updates?
12:59:18 <jdieter> A: I tend to, unless I'm aware of a blocking bug
12:59:47 <jdieter> Q: How does it deal with a second update after you've updated once?
12:59:56 <jdieter> A: It always touches the inactive tree
13:00:09 <jdieter> Q: What issues have you had with Flatpak?
13:00:13 <jdieter> A: Let me show you
13:00:23 <jdieter> *Segmentation fault (core dumped)*
13:00:44 <jdieter> This is a tree from 2016-07-18
13:00:56 <jdieter> *from audience* You're probably missing glib-networking
13:01:36 <jdieter> Q: Why are you running a tree from 2016-07-18?
13:02:09 <jdieter> A: rpm-ostree doesn't work with insufficient logging for me to work out what's wrong
13:02:41 <jdieter> Q: How does this work with static networking?
13:02:49 <jdieter> A: /etc is not part of the read-only system
13:03:24 <jdieter> It's part of the tree, but changes to etc are done using a three-way merge
13:03:37 <jdieter> Q: How many problems did you have with %post scripts?
13:03:56 <jdieter> A: Loads of warnings, but only two packages actually crashed
13:04:20 <jdieter> *audience discussion about the scripts*
13:04:48 <jdieter> One of the main things you see are problems with things that try to talk with SELinux because it's not available during compose
13:05:07 <jdieter> #topic Resources
13:05:12 <jdieter> Here are my resources
13:05:33 <jdieter> https://patrick.uiterwijk.org
13:05:48 <jdieter> puiterwijk @ FreeNode
13:06:19 <jdieter> Q: Is it possible to install rpm-ostree on top of a regular system?
13:06:40 <jdieter> A: Yes, run a command and it will show up in GRUB
13:06:52 <jdieter> Q: Can this be used as part of QA?
13:06:57 <jdieter> A: Very likely, yes
13:07:13 <jdieter> Q: Should it be used as part of OpenQA?
13:07:19 <jdieter> A: Yes
13:08:25 <jdieter> *comment from audience* The QA advantage of ostree will be that you're testing exactly what people are using
13:09:35 <jdieter> *docker question*
13:11:31 <jdieter> Q: What's the minimum OS version you need to use ostree?
13:11:45 <jdieter> A: Fedora 22, RHEL 7.2
13:15:43 <jdieter> *applause*
13:15:46 <jdieter> #endmeeting