Hi folks!
So at this week's blocker review meeting, the fact that we don't have explicit networking requirements in the release criteria really started to bite us. In the past we have squeezed networking-related issues in under other criteria, but for some issues that's really difficult, notably VPN issues. So, we agreed we should draft some explicit networking criteria.
This turns out to be a big area and quite hard to cover (who'd've thought!), but here is at least a first draft for us to start from. My proposal would be to add this to the Basic criteria. I have left out some wikitext stuff from the proposal for clarity; I'd add it back in on actually applying the proposed changes. It's just formatting stuff, nothing that'd change the meaning. Anyone have thoughts, complaints, alternative approaches, supplements? Thanks!
=== Network requirements ===
Each of these requirements apply to both installer and installed system environments. For any given installer environment, the 'default network configuration tools' are considered to be those the installer documents as supported ways to configure networking (e.g. for anaconda-based environments, configuration via kernel command line options, a kickstart, or interactively in anaconda itself are included).
==== Basic networking ====
It must be possible to establish both IPv4 and IPv6 network connections using DHCP and static addressing. The default network configuration tools for the console and for release-blocking desktops must work well enough to allow typical network connection configuration operations without major workarounds. Standard network functions such as address resolution and connections with common protocols such as ping, HTTP and ssh must work as expected.
Footnote titled "Supported hardware": Supported network hardware is hardware for which the Fedora kernel includes drivers and, where necessary, for which a firmware package is available. If support for a commonly-used piece or type of network hardware that would usually be present is omitted, that may constitute a violation of this criterion, after consideration of the [[Blocker_Bug_FAQ|hardware-dependent- issues|normal factors for hardware-dependent issues]]. Similarly, violations of this criteria that are hardware or configuration dependent are, as usual, subject to consideration of those factors when determining whether they are release-blocking
==== VPN connections ====
Using the default network configuration tools for the console and for release-blocking desktops, it must be possible to establish a working connection to common OpenVPN, openconnect-supported and vpnc-supported VNC servers with typical configurations.
Footnote title "Supported servers and configurations": As there are many different VPN server applications and configurations, blocker reviewers must use their best judgment in determining whether violations of this criterion are likely to be encountered commonly enough to block a release, and if so, at which milestone. As a general principle, the more people are likely to use affected servers and the less complicated the configuration required to hit the bug, the more likely it is to be a blocker.
On Fri, Aug 21, 2020 at 6:11 PM Adam Williamson adamwill@fedoraproject.org wrote:
==== Basic networking ====
It must be possible to establish both IPv4 and IPv6 network connections using DHCP and static addressing. The default network configuration tools for the console and for release-blocking desktops must work well enough to allow typical network connection configuration operations without major workarounds. Standard network functions such as address resolution and connections with common protocols such as ping, HTTP and ssh must work as expected.
What about mDNS?
Something to the effect that if it's installed and enabled by a default package set for an edition, it should work (resolve and respond). That means it would apply to Workstation and KDE. It wouldn't apply to Cloud, or Server. I'm not sure if IoT enables it.
-- Chris Murphy
On Fri, 2020-08-21 at 17:11 -0700, Adam Williamson wrote:
Hi folks!
So at this week's blocker review meeting, the fact that we don't have explicit networking requirements in the release criteria really started to bite us. In the past we have squeezed networking-related issues in under other criteria, but for some issues that's really difficult, notably VPN issues. So, we agreed we should draft some explicit networking criteria.
Update: here's a second draft with feedback so far incorporated, thanks to everyone. Still mulling over whether/how to split it more across milestones.
=== Network requirements ===
Each of these requirements apply to both installer and installed system environments. For any given installer environment, the 'default network configuration tools' are considered to be those the installer documents as supported ways to configure networking (e.g. for anaconda-based environments, configuration via kernel command line options, a kickstart, or interactively in anaconda itself are included).
==== Basic networking ====
It must be possible to establish both IPv4 and IPv6 network connections using both typical router-provided addressing systems (e.g. DHCP on IPv4 or SLAAC or IPv6) and static addressing. The default network configuration tools for the console, for release-blocking desktops and for installer environments must work well enough to allow typical network connection configuration operations without major workarounds. Standard network functions such as address resolution and connections with common protocols such as ping, HTTP and ssh must work as expected.
Footnote titled "Supported hardware": Supported network hardware is hardware for which the Fedora kernel includes drivers and, where necessary, for which a firmware package is available. If support for a commonly-used piece or type of network hardware that would usually be present is omitted, that may constitute a violation of this criterion, after consideration of the [[Blocker_Bug_FAQ|hardware-dependent- issues|normal factors for hardware-dependent issues]]. Similarly, violations of this criteria that are hardware or configuration dependent are, as usual, subject to consideration of those factors when determining whether they are release-blocking
==== VPN connections ====
Using the default network configuration tools for the console and for release-blocking desktops, it must be possible to establish a working connection to common OpenVPN, openconnect-supported and vpnc-supported VPN servers with typical configurations.
Footnote titled "Supported servers and configurations": As there are many different VPN server applications and configurations, blocker reviewers must use their best judgment in determining whether violations of this criterion are likely to be encountered commonly enough to block a release, and if so, at which milestone. As a general principle, the more people are likely to use affected servers and the less complicated the configuration required to hit the bug, the more likely it is to be a blocker.
[Sorry for the double post, somewhere along the way desktop@ and kde@ were dropped, so I'm re-adding them and that means double post for test@ and devel@.]
Re: add working mDNS to the criterion
The IPP Everywhere specification requires clients to support DNS-SD (mDNS is part of that) or WS-Discovery. Printers are required to support both DNS-SD and WS-Discovery. Avahi and systemd-resolved support DNS-SD, functionally equating DNS-SD and mDNS.
Final release criterion says printing via the generic IPP driver must work. This implies discovery or you can't print. Or accept a craptastic user experience by fudging the requirement to say, well as long as an IP address works, the criterion is met.
It's even less of a leap if folks can't discover other services like SMB shares. That's more common than printing.
Between avahi and systemd-resolved, I'm not sure which one is more dependable for blocking on. Or whether their maintainers would be on board with such a criterion. At least for F33, Avahi is what we're using on desktops for this. Both resolve and respond are disabled in systemd-resolved so if it's better to do this with systemd-resolved, then it probably needs a Fedora 34 feature proposal.
-- Chris Murphy
On Fri, Aug 28, 2020 at 7:52 PM Chris Murphy lists@colorremedies.com wrote:
The IPP Everywhere specification requires clients to support DNS-SD (mDNS is part of that) or WS-Discovery. Printers are required to support both DNS-SD and WS-Discovery. Avahi and systemd-resolved support DNS-SD, functionally equating DNS-SD and mDNS.
From the spec:
"Printers MUST publish a text (TXT) record that provides service information over mDNS. Printers that support dynamic DNS updates MUST publish separate TXT records for each domain that is updated."
I'm not completely certain, but I'm wondering whether it's possible to print IPP Everywhere at all, if DNS-SD or WS-Discovery aren't working on the client. Even having the IP address might not be enough.
I guess one way to test it would be to run the printing test case with an IPP Everywhere printer, and try to print with avahi stopped.
On Sat, Aug 29, 2020 at 4:34 AM Chris Murphy lists@colorremedies.com wrote:
On Fri, Aug 28, 2020 at 7:52 PM Chris Murphy lists@colorremedies.com wrote:
The IPP Everywhere specification requires clients to support DNS-SD (mDNS is part of that) or WS-Discovery. Printers are required to support both DNS-SD and WS-Discovery. Avahi and systemd-resolved support DNS-SD, functionally equating DNS-SD and mDNS.
From the spec:
"Printers MUST publish a text (TXT) record that provides service information over mDNS. Printers that support dynamic DNS updates MUST publish separate TXT records for each domain that is updated."
I'm not completely certain, but I'm wondering whether it's possible to print IPP Everywhere at all, if DNS-SD or WS-Discovery aren't working on the client. Even having the IP address might not be enough.
I guess one way to test it would be to run the printing test case with an IPP Everywhere printer, and try to print with avahi stopped.
Adding +Marek Kasik mkasik@redhat.com and +Zdenek Dohnal zdohnal@redhat.com who might know the answer.
Tom
On Fri, Aug 28, 2020 at 7:52 pm, Chris Murphy lists@colorremedies.com wrote:
Between avahi and systemd-resolved, I'm not sure which one is more dependable for blocking on. Or whether their maintainers would be on board with such a criterion. At least for F33, Avahi is what we're using on desktops for this. Both resolve and respond are disabled in systemd-resolved so if it's better to do this with systemd-resolved, then it probably needs a Fedora 34 feature proposal.
I don't know how to test mDNS, but it has been reported that it's broken in F33:
https://bugzilla.redhat.com/show_bug.cgi?id=1867830
That and the openconnect bug currently threaten the systemd-resolved change proposal.
Michael
On Sat, Aug 29, 2020 at 1:59 AM Adam Williamson adamwill@fedoraproject.org wrote:
On Fri, 2020-08-21 at 17:11 -0700, Adam Williamson wrote:
Hi folks!
So at this week's blocker review meeting, the fact that we don't have explicit networking requirements in the release criteria really started to bite us. In the past we have squeezed networking-related issues in under other criteria, but for some issues that's really difficult, notably VPN issues. So, we agreed we should draft some explicit networking criteria.
Update: here's a second draft with feedback so far incorporated, thanks to everyone. Still mulling over whether/how to split it more across milestones.
=== Network requirements ===
Each of these requirements apply to both installer and installed system environments. For any given installer environment, the 'default network configuration tools' are considered to be those the installer documents as supported ways to configure networking (e.g. for anaconda-based environments, configuration via kernel command line options, a kickstart, or interactively in anaconda itself are included).
==== Basic networking ====
It must be possible to establish both IPv4 and IPv6 network connections using both typical router-provided addressing systems (e.g. DHCP on IPv4 or SLAAC or IPv6) and static addressing. The default network configuration tools for the console, for release-blocking desktops and for installer environments must work well enough to allow typical network connection configuration operations without major workarounds. Standard network functions such as address resolution and connections with common protocols such as ping, HTTP and ssh must work as expected.
Footnote titled "Supported hardware": Supported network hardware is hardware for which the Fedora kernel includes drivers and, where necessary, for which a firmware package is available. If support for a commonly-used piece or type of network hardware that would usually be present is omitted, that may constitute a violation of this criterion, after consideration of the [[Blocker_Bug_FAQ|hardware-dependent- issues|normal factors for hardware-dependent issues]]. Similarly, violations of this criteria that are hardware or configuration dependent are, as usual, subject to consideration of those factors when determining whether they are release-blocking
==== VPN connections ====
Using the default network configuration tools for the console and for release-blocking desktops, it must be possible to establish a working connection to common OpenVPN, openconnect-supported and vpnc-supported VPN servers with typical configurations.
Footnote titled "Supported servers and configurations": As there are many different VPN server applications and configurations, blocker reviewers must use their best judgment in determining whether violations of this criterion are likely to be encountered commonly enough to block a release, and if so, at which milestone. As a general principle, the more people are likely to use affected servers and the less complicated the configuration required to hit the bug, the more likely it is to be a blocker.
Sounds good to me.
On Fri, 2020-08-28 at 16:59 -0700, Adam Williamson wrote:
On Fri, 2020-08-21 at 17:11 -0700, Adam Williamson wrote:
Hi folks!
So at this week's blocker review meeting, the fact that we don't have explicit networking requirements in the release criteria really started to bite us. In the past we have squeezed networking-related issues in under other criteria, but for some issues that's really difficult, notably VPN issues. So, we agreed we should draft some explicit networking criteria.
Update: here's a second draft with feedback so far incorporated, thanks to everyone. Still mulling over whether/how to split it more across milestones.
=== Network requirements ===
Each of these requirements apply to both installer and installed system environments. For any given installer environment, the 'default network configuration tools' are considered to be those the installer documents as supported ways to configure networking (e.g. for anaconda-based environments, configuration via kernel command line options, a kickstart, or interactively in anaconda itself are included).
==== Basic networking ====
It must be possible to establish both IPv4 and IPv6 network connections using both typical router-provided addressing systems (e.g. DHCP on IPv4 or SLAAC or IPv6) and static addressing. The default network configuration tools for the console, for release-blocking desktops and for installer environments must work well enough to allow typical network connection configuration operations without major workarounds. Standard network functions such as address resolution and connections with common protocols such as ping, HTTP and ssh must work as expected.
Footnote titled "Supported hardware": Supported network hardware is hardware for which the Fedora kernel includes drivers and, where necessary, for which a firmware package is available. If support for a commonly-used piece or type of network hardware that would usually be present is omitted, that may constitute a violation of this criterion, after consideration of the [[Blocker_Bug_FAQ|hardware-dependent- issues|normal factors for hardware-dependent issues]]. Similarly, violations of this criteria that are hardware or configuration dependent are, as usual, subject to consideration of those factors when determining whether they are release-blocking
==== VPN connections ====
Using the default network configuration tools for the console and for release-blocking desktops, it must be possible to establish a working connection to common OpenVPN, openconnect-supported and vpnc-supported VPN servers with typical configurations.
Footnote titled "Supported servers and configurations": As there are many different VPN server applications and configurations, blocker reviewers must use their best judgment in determining whether violations of this criterion are likely to be encountered commonly enough to block a release, and if so, at which milestone. As a general principle, the more people are likely to use affected servers and the less complicated the configuration required to hit the bug, the more likely it is to be a blocker.
So, uh, we sorta forgot about this. Kamil approved this draft, but nobody else gave any feedback on it. This topic is still relevant and we have a proposed VPN blocker today, so...any more feedback on this draft?
On Mon, Feb 28, 2022 at 09:37:03AM -0800, Adam Williamson wrote:
On Fri, 2020-08-28 at 16:59 -0700, Adam Williamson wrote:
It must be possible to establish both IPv4 and IPv6 network connections using both typical router-provided addressing systems (e.g. DHCP on IPv4 or SLAAC or IPv6) and static addressing. The default network
SLAAC is IPv6-only, but DHCP can be used with both IPv4 and IPv6 (DHCPv6).
So, uh, we sorta forgot about this. Kamil approved this draft, but nobody else gave any feedback on it. This topic is still relevant and we have a proposed VPN blocker today, so...any more feedback on this draft?
I generally support this.
On Mon, Feb 28, 2022 at 12:37 PM Adam Williamson adamwill@fedoraproject.org wrote:
So, uh, we sorta forgot about this. Kamil approved this draft, but nobody else gave any feedback on it. This topic is still relevant and we have a proposed VPN blocker today, so...any more feedback on this draft?
I think it's sound enough to start using. I'm sure we'll find all sorts of edge cases to argue over and eventually fix. That's the Fedora Way™.
desktop@lists.fedoraproject.org