12:29:44 <jdieter> #startmeeting Using Fedora Atomic as workstation
12:29:44 <zodbot> Meeting started Wed Aug 3 12:29:44 2016 UTC. The chair is jdieter. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:29:44 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
12:29:44 <zodbot> The meeting name has been set to 'using_fedora_atomic_as_workstation'
12:29:56 <jdieter> #meetingname flock2016
12:29:56 <zodbot> The meeting name has been set to 'flock2016'
12:31:16 <jdieter> Hi, Good afternoon, everyone
12:31:29 <jdieter> This is my best attended session ever
12:31:33 <jdieter> *applause*
12:31:51 <jdieter> Let's first prove that I'm not going to be bs'ing here
12:32:19 <jdieter> This laptop is now running rpm-ostree at this moment
12:32:26 <jdieter> And has been since January of this year
12:32:32 <jdieter> Presentation over!
12:32:34 <jdieter> ;)
12:32:58 <jdieter> I told people about this, and they said I should tell people about this because it's not trivial
12:33:49 <jdieter> To make marketing happy, I can't call it Atomic, but instead call it rpm-ostree
12:33:57 <jdieter> First some background
12:34:06 <jdieter> #topic Background
12:34:15 <jdieter> Why use it?
12:34:23 <jdieter> The entire root filesystem is read-only and signed
12:34:35 <jdieter> If anything gets changed, you'll see it.
12:34:53 <jdieter> I'm currently running Rawhide and I updated this morning
12:35:02 <jdieter> I dared to do this because if it failed (and it did), I could reverse
12:35:21 <jdieter> Wireless was broken so I reverted it.
12:35:29 <jdieter> Also, it's fun!!!
12:35:38 <jdieter> #topic Limitations
12:35:46 <jdieter> There are no workstation trees available
12:35:49 <jdieter> Dave is working on that
12:35:57 <jdieter> You'll need to build your own trees
12:36:07 <jdieter> You'll want custom packages, and you can't do that right now
12:36:32 <jdieter> rpm-ostree has a lot of bugs, and the fixes come slowly (if at all)
12:37:00 <jdieter> comps is not supported
12:37:08 <jdieter> You have to specify each package by hand
12:37:51 <jdieter> Since you can't add applications (r/o root), you can use docker/vms/Flatpak
12:38:03 <jdieter> Except I haven't managed to get Flatpak working yet
12:38:08 <jdieter> I've gone mostly the docker route
12:38:29 <jdieter> In the end it will be good, but it will cause a lot of pain to set up
12:38:32 <jdieter> #Setting up
12:38:44 <jdieter> Creating a tree
12:39:00 <jdieter> You have a lot of decisions to make. Some will want to use Gnome
12:39:09 <jdieter> Some people will want to use Emacs, but I want to use vim
12:39:19 <jdieter> And, no, I'm not getting into a war here
12:39:56 <jdieter> I have a separate machine that tries to compose a new tree every five minutes, and if it succeeds, sends it to S3
12:40:15 <jdieter> You need to then create the tree file
12:40:29 <jdieter> There's some documentation
12:40:37 <jdieter> My stuff is all public
12:40:51 <jdieter> You'll want to use scripts, otherwise it's a lot of work
12:41:17 <jdieter> I've got a script that creates a full tree file from a tree file with comps groups.
12:41:27 <jdieter> You then compose the tree file into a tree
12:41:33 <jdieter> Hopefully it works
12:41:53 <jdieter> You will run into problems
12:42:03 <jdieter> dracut-rescue can't be installed, or it will break the compose
12:42:22 <jdieter> You'll have to test, and then go back to the compose step
12:42:32 <jdieter> I've had to repeat up to 100 times
12:43:26 <jdieter> To get it to the point where it's usable for daily use
12:43:32 <jdieter> To just get it to boot is much less hard
12:44:00 <jdieter> Q: Could you just run rpm -qa to get a list of rpms and add them to the tree?
12:44:26 <jdieter> A: Yes, you'll end up with a bunch of extra packages, but it should work
12:44:46 <jdieter> *comment from audience* You should be a provenpackager
12:44:48 <jdieter> I am
12:45:00 <jdieter> *comment from audience* You should fix the packages
12:45:02 <jdieter> I do
12:45:10 <jdieter> Except docker
12:45:17 <jdieter> #topic Deploying the tree
12:45:33 <jdieter> The method I like is a netinstall with a kickstart
12:46:06 <jdieter> About once a month I reimage because rpm-ostree has garbage collection issues
12:46:17 <jdieter> ostreesetup --osname=... --url=...
12:46:24 <jdieter> That is the command to kick off the deployment
12:46:50 <jdieter> Q: What partition setup are you using?
12:47:13 <jdieter> A: I use an LVM volume group
12:47:35 <jdieter> The / needs to be large enough to handle at least 2 full trees
12:47:59 <jdieter> Because of garbage collection issues
12:48:39 <jdieter> Q: What actually *is* signed
12:48:53 <jdieter> A: The tree and the objects in it
12:49:36 <jdieter> I think it signs the metadata and then the objects
12:49:48 <jdieter> But don't pin me down on that detail, because it's an implementation detail
12:50:01 <jdieter> Q: If you change a file, would that break the signature
12:50:19 <jdieter> A: Yes, you couldn't because it's read-only, but if you could, it would break the signature
12:50:57 <jdieter> I run secure provisioning that securely sets up LUKS, GRUB, and passwords
12:51:14 <jdieter> So I don't need to be present to do the provisioning
12:51:23 <jdieter> #topic Experiences
12:51:28 <jdieter> I like it
12:51:43 <jdieter> It will take quite a while to get used to when you first set it up
12:51:57 <jdieter> It will take quite a while to get set up if we don't get a tree from... David?
12:51:59 <jdieter> ;)
12:52:15 <jdieter> I like being able to rollback when things go wrong
12:52:38 <jdieter> If you're in a big company, you just rollback if the update fails
12:53:30 <jdieter> Q: When can I use this?
12:53:53 <jdieter> I have 200 desktops, all identical
12:54:13 <jdieter> I'm trying to work out how this works with my system?
12:54:53 <jdieter> A: You can have multiple trees that share packages. So you'd compose a tree for each of your "images"
12:55:10 <jdieter> Q: Are you running anything in containers or just on the host system?
12:55:29 <jdieter> A: I run most of my development in docker, and the only thing on my host system is ssh and git.
12:56:21 <jdieter> The plan is that Flatpaks will provide user-specific applications
12:57:00 <jdieter> Q: Have you played with mlock and overlays to modify /home without modifying /home?
12:57:06 <jdieter> A: No, I have not
12:57:36 <jdieter> It's kind of cool
12:57:46 <jdieter> Q: Are you going to talk more about specific hiccups you ran into?
12:57:58 <jdieter> A: No, because most of them were specific to certain packages
12:58:20 <jdieter> Q: What about the current Fedora rpm-ostree isn't sufficient?
12:58:46 <jdieter> A: The current Atomic Host only has command-line
12:58:53 <jdieter> I have a GUI in my base system
12:59:07 <jdieter> Q: Do you do daily updates?
12:59:18 <jdieter> A: I tend to, unless I'm aware of a blocking bug
12:59:47 <jdieter> Q: How does it deal with a second update after you've updated once?
12:59:56 <jdieter> A: It always touches the inactive tree
13:00:09 <jdieter> Q: What issues have you had with Flatpak?
13:00:13 <jdieter> A: Let me show you
13:00:23 <jdieter> *Segmentation fault (core dumped)*
13:00:44 <jdieter> This is a tree from 2016-07-18
13:00:56 <jdieter> *from audience* You're probably missing glib-networking
13:01:36 <jdieter> Q: Why are you running a tree from 2016-07-18?
13:02:09 <jdieter> A: rpm-ostree doesn't work with insufficient logging for me to work out what's wrong
13:02:41 <jdieter> Q: How does this work with static networking?
13:02:49 <jdieter> A: /etc is not part of the read-only system
13:03:24 <jdieter> It's part of the tree, but changes to etc are done using a three-way merge
13:03:37 <jdieter> Q: How many problems did you have with %post scripts?
13:03:56 <jdieter> A: Loads of warnings, but only two packages actually crashed
13:04:20 <jdieter> *audience discussion about the scripts*
13:04:48 <jdieter> One of the main things you see are problems with things that try to talk with SELinux because it's not available during compose
13:05:07 <jdieter> #topic Resources
13:05:12 <jdieter> Here are my resources
13:05:33 <jdieter> https://patrick.uiterwijk.org
13:05:48 <jdieter> puiterwijk @ FreeNode
13:06:19 <jdieter> Q: Is it possible to install rpm-ostree on top of a regular system?
13:06:40 <jdieter> A: Yes, run a command and it will show up in GRUB
13:06:52 <jdieter> Q: Can this be used as part of QA?
13:06:57 <jdieter> A: Very likely, yes
13:07:13 <jdieter> Q: Should it be used as part of OpenQA?
13:07:19 <jdieter> A: Yes
13:08:25 <jdieter> *comment from audience* The QA advantage of ostree will be that you're testing exactly what people are using
13:09:35 <jdieter> *docker question*
13:11:31 <jdieter> Q: What's the minimum OS version you need to use ostree?
13:11:45 <jdieter> A: Fedora 22, RHEL 7.2
13:15:43 <jdieter> *applause*
13:15:46 <jdieter> #endmeeting