From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 875F823D7EE for ; Sat, 23 Aug 2025 12:33:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755952409; cv=none; b=IEG3KNNVP4pgFxpjf/P3bLlmPXmdgsq8jCl5nRtZjFgSDptoHC8IYcyjrTJYnQ8Mf/e2DligD/WC76CIfCn1fgnmKWmk4yI7XJ8H0TVRF1zsT6/lOz3P1fO7NxsrXfCedOsuBuB3Kd2mqKzZgR8XrA+Ddc+Iyu4vtmUUQAGx6eU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755952409; c=relaxed/simple; bh=zFJ5TnClvuBhNPEwwkj6U0OQanbnbr5hkCMfeNcZnjE=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=fb2AQUtZiL7t9WpahcOw+7+Wq960F/Eu1jkb1sQYlFWEiz7iRTEFf7F0vJNLN+6knWcJLDvAoUr4C4FaHm+oQOK2tVU1/Nd/8obBUtC4y6vGhLudKzP0DRMBq1BiaRazfjOdzUNTUT/dIVL7CiWnzwdwAiZLxZ+iNlnmUEEE/WI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=PZwXDqcg; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="PZwXDqcg" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1AB62C4CEE7; Sat, 23 Aug 2025 12:33:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1755952409; bh=zFJ5TnClvuBhNPEwwkj6U0OQanbnbr5hkCMfeNcZnjE=; h=Date:Reply-To:Subject:To:Cc:References:From:In-Reply-To:From; b=PZwXDqcgOb9AVjpr3a/q0wPD22ELJpwj6WVS9fOsESikrUcQsBh+FR+zRujAjswSs x3rjaR+0rTvMH17yhuOAiW9IAm+hQ/NRkzusl2LZVjHXqNiYU1rdyA3RTNmpUbGfkH eejTDioHRzgLyqEBYoCIqGExXgumzeV6yJnbVcjKD2vCvsUs1SnQZbX/2fw+mV5y6W TsNFIWzsMuWCWNV+1k3ywmFWjcuUTGdfMFeIFYNUzaZ/7seRkNtsm6S4c+iHetdbbn 0Rq6we3Cicy4yt6hlH3cP0DCjlvwqKSTZX0dwdwaLO0suomeknKZccNnRiaassGWzP o8UgpSOBbZkrQ== Message-ID: Date: Sat, 23 Aug 2025 14:33:26 +0200 Precedence: bulk X-Mailing-List: kdevops@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Reply-To: Daniel Gomez Subject: Re: [RFC PATCH] storage-subsystem: correct playbooks for Fedora distro To: Luis Chamberlain , Chuck Lever Cc: Viacheslav Dubeyko , "slava@dubeyko.com" , "kdevops@lists.linux.dev" References: <20250814190917.1231289-3-slava@dubeyko.com> <33316fc7-74b9-4243-b717-42ed6a69347e@kernel.org> <0b3d5de7-4cd9-480f-b3e0-f134485660af@oracle.com> <7fb0a977fb2434d39d57da501b85fd6023774a3a.camel@ibm.com> <0ac0fc76-317f-4d77-9107-31b456d81f78@oracle.com> <340e60e4-096a-432a-801d-69d51a1fd426@kernel.org> Content-Language: en-US From: Daniel Gomez Organization: kernel.org In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 23/08/2025 01.14, Luis Chamberlain wrote: > On Fri, Aug 22, 2025 at 09:50:14AM -0400, Chuck Lever wrote: >> On 8/22/25 4:34 AM, Daniel Gomez wrote: >>> On 22/08/2025 04.18, Luis Chamberlain wrote: >>>> On Fri, Aug 15, 2025 at 02:29:33PM -0400, Chuck Lever wrote: >>>>> Unfortunately your experience is typical of first time kdevops users. It >>>>> took me several months of swearing to get it working the first time, but >>>>> I was a total newbie to Ansible and libvirt when I started. >>>> >>>> I think we can make things better with NixOs as a default for future >>>> ramp ups, but this is *theoretical*. So here's what I think we should do: >>>> >>>> 1) Add NixOS >>>> 2) Evaluate if we should just require user session >>>> >>>> We can test 1) without making it a default for a while and see if really >>>> a lot of the distro pains are overcome. >>>> >>>> 2) Would affect debian based users, and requires more review from others. >>>> >>>> What else can we do? >>>> >>>> Maybe just get claude to support selinux / apparmor? >>> >>> Besides selinux/apparmor and libvirt user uri session support, I'd add: >>> >>> * Remove sudo privilege escalation for the localhost (controller node) >>> * This implies manual user configuration for running kdevops: user/group >>> configuration, package installation, etc >>> * Review/update kdevops docs regarding how to set up the controller node to >>> be kdevops-ready >>> * Note: We don't need to remove it entirely, just make this path optional > > Yes, that would be good. > >> +1 (or more). A sleeker security profile would do wonders for kdevops >> adoption. > > It seems we're all in agreement. > >> Another thought would be to construct a GitHub Action that builds a >> kdevops RPM (or .deb) for us. Stick all the control host dependencies >> in that. Privilege would then be needed only when kdevops is installed. What do you mean? Can you elaborate? I'm not sure what would be packed in that RPM/deb file. Just the runtime dependencies kdevops depends on? > > All the above sounds like weekend kdevops claude code projects, but my > experience is showing that the hard part with claude is not the > generation but the curation / review of the code it generates, so that > adds an extra amount of time. But despite all that, I suspect we can Agree. > get all this done in about two months. The ordering is important, ie > it would not make sense to build rpms / debs until we have selinux and > appramore thing resolved, and making the sudo on localhost stuff optional > as well. Agree. > > So let's order our priorities and see who is willing to help tackle > some of these challenges: > > * nixos -- I have a branch now, seems to work but I gotta debug ssh That's good! Can you clarify if you refer to controller node NixOS support? or guest support? > * apparmor / selinux: I can take this on next > > Left on the TODO path towards shiny goals, any takers? > > * make sudo optional for localhost > * make libvirt user session work on debian based systems, and once > that works, ensure that system session still works. Once that > is done we flip the switch to make user session default > * Decide on if we want to remove FIRST_RUN or do we use that for > future deb / rpm installation > * Make optional: > - systemd services > - SSH configurations > * debian/control / rpm spec file. Maybe nix packaging too? > > BTW I'm curious about the goal of making systemd services optional, > did you mean things like systemd-journal and things like that? And > mirroring? Yes, all these services we depend on. But I don't think we can sandbox systemd services. But ensuring they all can run as user services allows us to remove sudo. For system systemd services, should they be part of the RPM/deb package? > > What about ssh configurations do we need to review? Perhaps to not > require passwordless sudo? I also meant sandboxing. I think Chuck prefers using ssh instead of ssh -F , which makes sense. But some users may not want kdevops settings scattered across their system. What about a kdevopsctl thing? e.g. kdevopsctl ssh vm. > >> Don't forget Ansible. I have a patch that adds a requirements.yml file; >> it pulls the latest collections and installs them under the Ansible >> user's home directory. Will post soon. I'm curious about this too. Why is that needed? My understanding from this thread [1] is that we should stride to have distro packages. Link: https://lore.kernel.org/kdevops/ZrUGoziFf2WSSUVs@bombadil.infradead.org/ [1] > > Curious more about this. A very long time ago I had used ansible-galaxy > to move tons of thing out to it, but in the end it turned out to be an > extreme hassle to manage all things. So the project ended up converging > brining all roles into the project. > > But if this is for roles out side of kdevops, I think it makes sense. > > Luis