dustymabe reported a new issue against the project: `atomic-wg` that you are following:
``
CoreOS has a project called [ignition](https://github.com/coreos/ignition) that hooks into early boot processes in the initramfs (i.e. before and after the root filesystem is mounted) and allows for configuration of the system. This is an alternative to cloud-init, that is focused on specific tasks. Let's investigate this for Fedora and Atomic Host.
``
To reply, visit the link below or just reply to this email
https://pagure.io/atomic-wg/issue/450
jdoss reported a new issue against the project: `atomic-wg` that you are following:
``
There seems at least one thread [1] on the mailing list that talks about getting kernel modules built on Atomic, but nothing that I could find has been created here to figure out the best path forward on supporting kernel modules.
The use case that I am personally trying to fix is getting WireGuard working on Atomic. I maintain the RHEL/CentOS/Fedora Copr for WireGuard [2] and DKMS works pretty well for providing the WireGuard kernel module on non-atomic based installs. I have had some WireGuard users try and use the Copr RPMs on Atomic Host which resulted in failure. One of them was manually copying the .ko file over to get things working [3] and this isn't a really good solution long term. I now find myself in the same situation where I would like to use Wireguard on Atomic, so I am trying to figure out how to come up with a short term solution to this issue as the WireGuard devs work on getting WG pushed upstream into the mainline kernel. Even if that does happen somewhat soon, this problem will still impact others that need third party kernel modules working such as Nvidia drivers or third party monitoring services such as Sysdig [4]
I started looking at creating a system container / systemd unit file that builds a new container on boot if a new kernel is detected. The current idea is it would do the following:
1) Check to see if a new kernel module is needed
2) Bind mount the `kernel-devel` source from the Atomic Host into the container
3) Check out the current WireGuard source and build the module (manually or via DKMS)
4) Enable's the newly built kernel module via system container [5]
Some issues with this idea come to light quickly as the current Fedora Atomic Host snapshot has mismatching `kernel` and `kernel-devel` packages so building the module this way might not always work. I haven't fully figured out if this is the right path forward on getting kernel modules built. It seems that some folks have done somewhat similar things for CoreOS to get kernel module support for Nvidia based GPUs. [6] [7]
I turned to IRC to get some pointers on my above idea to solve this problem and @walters recommended that I start an issue.
[1] https://lists.projectatomic.io/projectatomic-archives/atomic-devel/2017-Nov…
[2] https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/
[3] https://lists.zx2c4.com/pipermail/wireguard/2017-August/001656.html
[4] https://sysdig.com/blog/dig-into-atomic-host/
[5] https://github.com/giuseppe/hellomod
[6] https://github.com/ryanolson/CoreOS-GPU
[6] https://github.com/src-d/coreos-nvidi7
``
To reply, visit the link below or just reply to this email
https://pagure.io/atomic-wg/issue/493
dustymabe opened a new pull-request against the project: `fedora-atomic` that you are following:
``
add a few modules to initramfs to enable vmw/hyperv
``
To reply, visit the link below or just reply to this email
https://pagure.io/fedora-atomic/pull-request/114
davdunc reported a new issue against the project: `atomic-wg` that you are following:
``
I have made arrangements with Mattdm to host Marketplace AMIs of F27 in the AWS Marketplace. These will be hosted by me as a member of the Fedora community. This allows us to get around certain legal issues that have heretofore prevented the images hosting.
* Need Fedora Marketing to assist with writeup for the listing.
* TODO F27 submission prior to release date (there is a security audit)
Account number for Marketplace deployment is 662243699625. This is legally separate from the FAS managed account.
``
To reply, visit the link below or just reply to this email
https://pagure.io/atomic-wg/issue/339
dustymabe reported a new issue against the project: `atomic-wg` that you are following:
``
[Flock](https://flocktofedora.org) has been announced and will take place Aug 8th-11th in Dresden Germany. The CFP is open and first round of reviews are due by 15th of June, with last round of reviews due by 15th of July.
Let's coordinate our talks for Flock!
``
To reply, visit the link below or just reply to this email
https://pagure.io/atomic-wg/issue/502
sinnykumari reported a new issue against the project: `atomic-wg` that you are following:
``
[Devconf.in 2018](https://devconf.info/in/2018) will be taking place on August 4-5, 2018. In today's [atomic-wg-apac meeting](https://meetbot.fedoraproject.org/fedora-meeting-1/2018-05-29/fedo… we discussed that it is possible to have atomic booth at the conference venue and @suraj353 will be helping us.
We will update further progress in this ticket.
``
To reply, visit the link below or just reply to this email
https://pagure.io/atomic-wg/issue/503
walters reported a new issue against the project: `atomic-wg` that you are following:
``
SELinux and containers - a fairly nontrivial difference we carry from other distributions (Ubuntu, CL) etc. that either don't use SELinux or aren't enforcing. See [this blog](https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/) for some discussion about the `:z/:Z` flags.
The fact that we require these labels to be set very, very commonly trips up people. And further, I think a big problem with `:z` is that it forces a relabel every time - it's much better to have the labels set up correctly in the first place!
Another related issue is that people do e.g. `-v /home/myuser:/home:z` which will completely break the OS which expects `/home/myuser` to be `user_home_dir_t` etc.
Hence, my proposal is: For Atomic Host, change `/var/srv` to be `system_u:object_r:container_share_t:s0` by default. It can then be *assumed* as a default interchange point for containers and the host - no labeling required.
Positives: We can start documenting this, and other tools (like a pet container one) can just assume this works.
Downsides: If we don't do this for classic as well, we'll have introduced a new special distinction between AH and classic - we currently have very few of those.
``
To reply, visit the link below or just reply to this email
https://pagure.io/atomic-wg/issue/505
jlebon opened a new pull-request against the project: `fedora-atomic` that you are following:
``
README.md: fix main manifest file
``
To reply, visit the link below or just reply to this email
https://pagure.io/fedora-atomic/pull-request/124