eln
LOGS
16:00:13 <sgallagh> #startmeeting ELN (2022-07-29)
16:00:13 <zodbot> Meeting started Fri Jul 29 16:00:13 2022 UTC.
16:00:13 <zodbot> This meeting is logged and archived in a public location.
16:00:13 <zodbot> The chair is sgallagh. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
16:00:13 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:13 <zodbot> The meeting name has been set to 'eln_(2022-07-29)'
16:00:13 <sgallagh> #meetingname eln
16:00:13 <zodbot> The meeting name has been set to 'eln'
16:00:13 <sgallagh> #topic init process
16:00:13 <sgallagh> .hi
16:00:14 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com>
16:00:33 <tdawson> Howdy
16:00:40 <sgallagh> #meetingname eln
16:00:40 <zodbot> The meeting name has been set to 'eln'
16:00:42 <zodbot> sgallagh: Error: Can't start another meeting, one is in progress.
16:00:44 <sgallagh> #topic init process
16:00:47 <sgallagh> .hi
16:00:48 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com>
16:01:21 <sgallagh> Ah there we go
16:01:32 <tdawson> Yep ... we're now officially a meeting.
16:01:53 <sgallagh> Ahoy, Troy
16:02:10 <tdawson> I not only remembered this week, but I'm on time. :)
16:03:10 <sgallagh> pbrobinson: Do you happen to be around to answer some questions about IMA signing? That's one of our agenda topics today. (Sorry for the lack of notice)
16:03:58 <sgallagh> Davide Cavalca, Conan Kudo Are you around today?
16:04:35 <davide> we're both at SCALE this week
16:04:40 <sgallagh> Ahh
16:04:41 <davide> I'm around right now though
16:05:05 <sgallagh> I have two topics for discussion, both hopefully quick:
16:05:44 <sgallagh> 1) Do we want to enable IMA signing for ELN packages?
16:05:44 <sgallagh> 2) We've got kernel issues preventing the creation of aarch64 and ppc64le container images, which is blocking Anaconda efforts.
16:05:55 <sgallagh> #topic IMA Signing
16:06:08 <sgallagh> #link https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
16:06:51 <sgallagh> This is currently enabled for all non-ELN Fedora packages.
16:07:26 <sgallagh> I'll admit, I don't really know what value IMA signing provides to Fedora, so I'm not sure if we want it for ELN either.
16:08:12 <davide> is IMA signing something that will eventually end up enabled in RHEL 10 / CentOS 10?
16:08:14 <sgallagh> Yes
16:08:27 <davide> then it seems reasonable to do it in ELN
16:08:45 <sgallagh> But it's essentially a verification tool, confirming that files from RPM have not been tampered with
16:09:15 <sgallagh> So naturally things will be signed with a different key in Fedora, CentOS Stream and RHEL
16:09:17 <tdawson> In my mind it's like rpm -V ... but not needing to go through rpm.
16:09:58 <sgallagh> I'm uncertain if the value outweighs the resources needed to do the signing.
16:10:06 <smooge> hello sorry late
16:10:20 <sgallagh> And I'm not comfortable with "Eh, why not?" as a justification :-)
16:10:26 <tdawson> In Fedora, when do the packages get these IMA signatures?
16:10:58 <sgallagh> I assume when the rest of the RPM is also signed, but I haven't looked.
16:11:17 <davide> my general feeling is that we want to be as close as possible to what the next RHEL/CentOS will be, so that folks can use ELN to get a preview of what's to come and get ahead of any surprises
16:11:22 <smooge> I think the part of sigul to do this is being worked on currently
16:11:47 <davide> in this case, even if the key will be different, the existence of the feature and it being enabled makes it possible for folks that want to leverage it to start evaluating things and playing with it
16:11:51 <smooge> sigul is the tool which does signatures of different types
16:12:02 <sgallagh> smooge: nirik asked me the other day if we want it enabled, which I took to mean that the means already exist
16:12:21 <sgallagh> Davide Cavalca: That's fair enough.
16:12:24 <nirik> yes, it's just some config we need to set now...
16:12:33 <smooge> well they were actively doing work on part of the system that day and I think it was a 'do I need to drop this config in'
16:13:22 <smooge> I am with davide on this. It is going to take 'work' in various parts of enterprises to use this
16:13:38 <Eighth_Doctor> .hello ngompa
16:13:39 * Eighth_Doctor waves
16:13:39 <zodbot> Eighth_Doctor: ngompa 'Neal Gompa' <ngompa13@gmail.com>
16:13:46 * sgallagh waves back
16:13:56 <salimma> .hi
16:13:56 <Eighth_Doctor> IMA is already enabled in EL9
16:13:56 <zodbot> salimma: salimma 'Michel Alexandre Salim' <michel@michel-slm.name>
16:13:57 <smooge> if most of the enterprises only get to use it when EL10 comes out, I doubt they will use/deploy IMA until EL11/12
16:14:02 <Eighth_Doctor> so we should have it in ELN
16:14:28 <sgallagh> smooge: As Conan Kudo noted, RHEL 9 also shipped with it
16:14:29 * Eighth_Doctor remembers the pain around IMA enablement in EL9
16:15:14 <smooge> well colour me surprised.. I watched Fedora more closely than EL for once
16:15:33 <smooge> thank you
16:15:41 * sgallagh throws a bucket of paint at smooge
16:16:02 <tdawson> I didn't know paint came in the color "surprise"
16:16:06 <sgallagh> OK, I'm not hearing anyone say "we shouldn't do this".
16:16:20 <smooge> tdawson, you clearly didn't have the painters we had
16:16:20 <sgallagh> Anyone want to dissent, or shall we go ahead with signing?
16:16:37 <tdawson> I guess I haven't said ... I say go ahead with the signing.
16:16:38 <sgallagh> tdawson: You might be surprised!
16:16:43 <tdawson> *laughs*
16:17:19 <sgallagh> #agreed In order to remain as close to RHEL as possible, we will enable IMA signing for Fedora ELN
16:17:28 <sgallagh> #topic aarch64 and ppc64le container image generation
16:17:28 <sgallagh> #link https://koji.fedoraproject.org/koji/taskinfo?taskID=90211307
16:17:37 <nirik> do note that this will just sign things as they are built moving forward, not everything...
16:17:42 * nirik can enable it. :)
16:18:20 <sgallagh> nirik: That's fine, worst case is that we pick it up at the next mass-rebuild
16:18:43 <sgallagh> #action nirik will enable the IMA signing for ELN
16:18:44 <sgallagh> Thank you, nirik
16:18:56 <smooge> would it help to have a releng ticket for that nirik ?
16:19:13 <sgallagh> I've worked out almost all of the various compose issues finally, but the last is container images for aarch64 and ppc64le
16:19:45 <nirik> meh, I was just gonna do it right now...
16:20:33 <sgallagh> I'll be honest; I really have no idea where to go next in terms of fixing these two
16:22:03 <sgallagh> (This is me not-so-subtly asking someone to step up and help)
16:23:17 <sgallagh> ...
16:23:35 <tdawson> (notes everyone taking one step back)
16:24:18 <sgallagh> Yeah, that's what I was afraid of
16:24:38 <sgallagh> OK, I'll continue to knock my head against it for a while longer
16:24:40 <tdawson> So ... what is the actual error happening.
16:24:58 <sgallagh> tdawson: That's the problem: I can't find out
16:24:59 <salimma> how urgent is this? I'll have more time in a couple more weeks
16:25:11 <salimma> and have a fast local aarch64 machine I can use to debug
16:25:14 <sgallagh> The image build process is hitting the 300 minute timeout and bailing.
16:25:20 <salimma> wow, that's... slow
16:25:23 <sgallagh> Err, sorry. 300s timeout without disk access
16:25:50 <sgallagh> But the only view we have of what's happening there is a screenshot of the VM which looks... normal
16:25:50 <tdawson> https://kojipkgs.fedoraproject.org//work/tasks/960/90190960/oz-ppc64le.log
16:26:46 <nirik> good ol oz. ;(
16:27:04 <sgallagh> Yeah, it's going to take a wizard to solve this one...
16:27:11 <nirik> sgallagh: if you can start one I might be able to get in on the libvirt console and see more...
16:27:43 <sgallagh> I'm not sure how to start just the image creation
16:27:55 <sgallagh> And the full compose takes about 2 hours
16:28:08 <nirik> it looks like it finished the install... something in post install failed.
16:28:28 <sgallagh> After the install, it reboots to see if it runs
16:28:33 <sgallagh> IIUC
16:28:41 <sgallagh> The screenshot looks like it just hung mid-boot
16:28:58 <sgallagh> #link https://kojipkgs.fedoraproject.org//work/tasks/1318/90211318/screenshot.ppm
16:29:36 <sgallagh> Wait... this looks different this time
16:30:08 <sgallagh> I think I may have been only looking at the aarch64 screenshot
16:30:53 <sgallagh> This may be actionable...
16:31:05 <sgallagh> OK, no need to hold the meeting open to debug this.
16:31:11 <sgallagh> #topic Open Floor
16:31:27 <nirik> humm... wait a sec... I think I might have seen this before.
16:33:28 <nirik> or at least something very like it. can discuss in #fedora-releng I guess.
16:33:43 <sgallagh> OK, thanks
16:33:44 <sgallagh> Any topics for Open Floor?
16:33:53 <tdawson> Nothing from me
16:34:48 <sgallagh> OK, I'll hold the meeting open two more minutes for anyone to chime in.
16:37:31 <smooge> close it
16:37:45 <smooge> it's full of lava
16:37:58 <smooge> aaaaaaaa <<sizzle>>
16:40:16 <smooge> #endmeeting
16:45:03 <smooge> and not being chair or maybe on the internet won't allow me to end the meeting
16:48:11 <tdawson> It's ok ... sgallagh's sense of two minutes is longer than other people's.
16:48:25 <sgallagh> #endmeeting