fedora_coreos_meeting
LOGS
16:29:39 <dustymabe> #startmeeting fedora_coreos_meeting
16:29:39 <zodbot> Meeting started Wed Nov  2 16:29:39 2022 UTC.
16:29:39 <zodbot> This meeting is logged and archived in a public location.
16:29:39 <zodbot> The chair is dustymabe. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
16:29:39 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:29:39 <zodbot> The meeting name has been set to 'fedora_coreos_meeting'
16:29:43 <dustymabe> #topic roll call
16:30:05 <jdoss> .hello2
16:30:06 <zodbot> jdoss: jdoss 'Joe Doss' <joe@solidadmin.com>
16:30:07 <jbrooks> .hello jasonbrooks
16:30:08 <gursewak> .hi
16:30:09 <zodbot> jbrooks: jasonbrooks 'Jason Brooks' <jbrooks@redhat.com>
16:30:12 <zodbot> gursewak: gursewak 'Gursewak Singh' <gurssing@redhat.com>
16:30:38 <jlebon> .hello2
16:30:39 <zodbot> jlebon: jlebon 'None' <jonathan@jlebon.com>
16:30:44 <c4rt0> Hi all!
16:31:08 <lucab> .hi
16:31:09 <zodbot> lucab: lucab 'Luca BRUNO' <lucab@redhat.com>
16:31:14 <dustymabe> .hi
16:31:15 <zodbot> dustymabe: dustymabe 'Dusty Mabe' <dusty@dustymabe.com>
16:31:23 <fifofonix> .hi
16:31:25 <zodbot> fifofonix: fifofonix 'Fifo Phonics' <fifofonix@gmail.com>
16:31:31 <dustymabe> #chair jdoss jbrooks gursewak jlebon c4rt0 lucab fifofonix
16:31:31 <zodbot> Current chairs: c4rt0 dustymabe fifofonix gursewak jbrooks jdoss jlebon lucab
16:31:47 <c4rt0> .hi
16:31:48 <zodbot> c4rt0: c4rt0 'Adam Piasecki' <c4rt0gr4ph3r@gmail.com>
16:31:54 <bgilbert> .hi
16:31:55 <zodbot> bgilbert: bgilbert 'Benjamin Gilbert' <bgilbert@backtick.net>
16:32:17 <dustymabe> #chair bgilbert
16:32:17 <zodbot> Current chairs: bgilbert c4rt0 dustymabe fifofonix gursewak jbrooks jdoss jlebon lucab
16:33:12 <dustymabe> #topic Action items from last meeting
16:33:23 <dustymabe> This is all we had in the list:
16:33:26 <dustymabe> * bgilbert will follow up on https://github.com/coreos/fedora-coreos-tracker/issues/567 re. VMware
16:33:35 <bgilbert> done
16:34:05 <dustymabe> #info bgilbert addressed VMWare concerns in https://github.com/coreos/fedora-coreos-tracker/issues/567#issuecomment-1294655290
16:34:43 <copperi[m]> .hello copperi
16:34:43 <zodbot> copperi[m]: copperi 'Jan Kuparinen' <copper_fin@hotmail.com>
16:34:44 <jmarrero> .hi
16:34:46 <zodbot> jmarrero: jmarrero 'Joseph Marrero' <jmarrero@redhat.com>
16:34:50 <dustymabe> ok we're a bit light on topics but we have some security ones to FYI at least
16:35:01 <dustymabe> #chair copperi[m] jmarrero
16:35:01 <zodbot> Current chairs: bgilbert c4rt0 copperi[m] dustymabe fifofonix gursewak jbrooks jdoss jlebon jmarrero lucab
16:35:10 <dustymabe> #topic Update OpenSSL for CVE-2022-3786 and CVE-2022-3602
16:35:16 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/1329
16:35:53 <dustymabe> #info the `testing` and `next` streams have a fix for the OpenSSL CVEs - `stable` will roll out later today
16:36:19 <dustymabe> I haven't heard or seen any issues related to the updates? has anyone else?
16:36:38 <jlebon> haven't either
16:36:46 <jdoss> Nothing
16:36:51 <dustymabe> ack
16:37:05 <dustymabe> i'll move on to the next topic
16:37:22 <dustymabe> #topic Non-default OSTree deployments accessible without GRUB password (CVE-2022-3675)
16:37:28 <dustymabe> #link https://github.com/coreos/fedora-coreos-tracker/issues/1333
16:37:57 <bgilbert> jlebon maybe?
16:38:31 <dustymabe> This was a new security issue related to FCOS - it was made public yesterday.
16:38:49 <bgilbert> or I can take it
16:38:57 <jlebon> bgilbert: feel free :)
16:39:00 <dustymabe> The announcement with relevant information is at https://discussion.fedoraproject.org/t/non-default-ostree-deployments-accessible-without-grub-password-cve-2022-3675/43715
16:39:09 <jlebon> you did most of the work there
16:39:19 <bgilbert> jlebon found it :-)
16:39:33 <bgilbert> this relates to the recently-added GRUB password support
16:39:38 <jdoss> is this a smelt it you dealt it kind of thing?
16:39:48 <bgilbert> jdoss: just trying to give credit :-P
16:39:55 <jdoss> hahah fair enough
16:40:12 <bgilbert> if you enable a GRUB password with Butane, GRUB is supposed to prevent anyone at the GRUB console from:
16:40:43 <bgilbert> getting to the GRUB command line, modifying menu entries (including changing kernel arguments), or booting deployments other than the latest
16:40:49 <bgilbert> ...without entering a password.
16:41:31 <bgilbert> we had a regression in the "booting old deployments" part
16:42:12 <bgilbert> machines are affected based on the FCOS version they were _installed_ from, not the version they're currently running
16:42:42 <bgilbert> so for a couple months, new installs with GRUB passwords would allow old deployments to be booted.
16:43:54 <bgilbert> this isn't a major vulnerability, but we got a CVE number for it because it is a small one: it allows an unprivileged person with access to the console at boot time to boot into an older OS release, potentially reverting security updates from the latest release.
16:44:21 <bgilbert> for anyone who's especially concerned about this, the announcement has manual steps for closing the hole immediately
16:44:33 <dustymabe> 👍
16:44:42 <bgilbert> otherwise, today's releases will stop introducing the hole for new installs
16:44:49 <dustymabe> thanks bgilbert and jlebon for working to close that hole
16:44:56 <bgilbert> for existing installs, we're rolling out an automatic fix for affected nodes, on the normal release schedule
16:45:26 <bgilbert> i.e., today's next and testing releases will fix existing machines on those streams, and the subsequent stable release in two weeks will fix existing stable machines
16:46:31 <bgilbert> thanks again to jlebon for finding this, and thanks to dustymabe and jlebon for helping coordinate the fix alongside the F37 rebase and the OpenSSL fix <3
16:46:46 <bgilbert> any questions/concerns?
16:46:48 <dustymabe> exciting times in FCOS release coordination
16:46:51 <jlebon> :)
16:47:38 <dustymabe> thank you for the context and info bgilbert
16:48:14 <jlebon> i think the biggest takeaway for me is we need to be more thorough on test coverage
16:48:24 <dustymabe> #info please see the announcement for more context on the nature of the security issue and the release fix schedule: https://discussion.fedoraproject.org/t/non-default-ostree-deployments-accessible-without-grub-password-cve-2022-3675/43715
16:48:25 <jlebon> especially for security features
16:49:08 <bgilbert> +1 jlebon
16:50:14 <dustymabe> ok the remaining issues tagged with meeting - one of them is for travier to introduce and I don't think he is here today and the other one is kind of a reminder that we need to work on a few tasks to unblock ppc64le
16:50:29 <dustymabe> i propose we go straight to open floor (unless any other topics are worth bringing up standalone)
16:50:41 <spresti[m]> Sorry for being late (catching up)
16:50:49 <dustymabe> #chair spresti[m]
16:50:49 <zodbot> Current chairs: bgilbert c4rt0 copperi[m] dustymabe fifofonix gursewak jbrooks jdoss jlebon jmarrero lucab spresti[m]
16:51:26 <jlebon> SGTM
16:51:47 <dustymabe> #topic open floor
16:51:56 <dustymabe> anybody with any topics for open floor?
16:52:16 <jdoss> If you have not tried the layered container stuff. Give it a shot. I am loving it!
16:52:52 <dustymabe> nice
16:52:55 <fifofonix> (would love to see a youtube walkthrough or similar of that container layering stuff)
16:53:26 <dustymabe> I think jmarrero is going to talk about it a bit at the fedora release party coming up (is that this Friday?)
16:53:32 <jdoss> I gave an internal demo to my eng team about shipping our app in a container layer and it was well received.
16:53:48 <jmarrero> Yeah this Friday, hopefully with enough time for a quick demo.
16:54:14 <jlebon> i'll note we discovered an issue where `next` nodes currently are using recompiled selinux policies OOTB
16:54:21 <jlebon> #link https://github.com/openshift/os/issues/1036#issuecomment-1299168792
16:54:30 <dustymabe> jdoss: so let me get this right.. your higher level application is no longer running as a container but as software delivered via "layering"?
16:54:44 <jlebon> it doesn't affect stable and testing yet, and we're working on working around it before it gets there
16:55:16 <jdoss> I am shipping container tarballs of our multi service app in one big FCOS layer.
16:55:58 <dustymabe> but how is it run once the system is up? via podman, or directly on the host?
16:56:01 <walters> What are "container tarballs" in this context?
16:56:06 <jdoss> and using systemd to launch everything. We are using podman (kube play) to pull the stuff out of our SaaS k8s and translating it to systemd units with Podman.
16:56:48 <dustymabe> jlebon++
16:56:57 <jdoss> I will push up my demo repo and post it in #fedora-coreos this week. I demo'ed using Paperless NGX as the app getting shipped.
16:57:32 <walters> OK, we actually are building up some support for embedding stock container images inside ostree commits, see https://github.com/ostreedev/ostree/pull/2717
16:57:42 <dustymabe> jdoss: cool. Yeah the reason I ask the question is I'm trying to make sure users still run their applications in containers
16:58:13 <jdoss> 100% we have every service in a container running in a Podman pod.
16:58:17 <dustymabe> perfect
16:58:43 <walters> (I'm trying to not create a hard barrier, but rather a spectrum of flexible tools)
16:59:04 <jdoss> we are just using the FCOS container layer to version everything https://quay.io/repository/quickvm/paperless-ngx?tab=tags
16:59:30 <jdoss> I can explain more in #fedora-coreos when I get the repo pushed up.
16:59:39 <dustymabe> any other topics for open floor
16:59:58 <fifofonix> perhaps we should advertise the FCOS agenda item on release party to the fedoracoreos list? but I'm going to try and make it now I know about it!
17:00:28 <dustymabe> yeah - maybe at least a discussion forum post and maybe a tweet
17:01:13 <dustymabe> any other topics for open floor?
17:01:30 <jdoss> byeeeeeeeee
17:01:37 <jdoss> Thanks dusty for running the meeting
17:01:42 <dustymabe> #endmeeting