Hi, On November 23, 2022 8:08:59 PM UTC, Ben Cotton <bcotton(a)redhat.com&gt; wrote: This sounds great, but it would be nice if the documentation could be expanded, before we flick the switch that makes this the default in Fedora. Especially as this sounds like something that could simplify our (=the i3 SIG) kickstart and custom scripts. > >== Release Notes == >Fedora Linux now ships with a framework for setting up first-boot >services and uses this to install multimedia software and remove the >installer software from the system after installation. >

On Fri, Dec 9, 2022 at 8:23 AM Timothée Ravier <siosm(a)fedoraproject.org&gt; wrote: Adding network-online.target is not hard, I could do that easily enough. I would need to change the way the service starts to use a flag instead of purely relying on firstboot mode though, since I can't make firstboot run on, well not firstboot if I rely on systemd firstboot. Mutating the system is sort of the point? I could just make it a no-op for Silverblue/Kinoite, but the Workstation WG wanted it universally applicable, so I did that legwork. Aside from GNOME and KDE Plasma, nobody has an initial setup interface. We'd have to do this in Anaconda's initial setup wizard. I would have to build a dedicated application instead, which would displease everyone. :) That was intentional. -- 真実はいつも一つ！/ Always, there's only one truth!

On Fri, Dec 9, 2022, at 10:59 AM, Timothée Ravier wrote: (I'm only kind of following this thread and I agree we should not enable layering by default) But a note: from the rpm-ostree perspective, we intend to still fully support client side layering. Obviously this change suddenly makes it very straightforward to do derivative server-side layering/builds, and there's been a lot of excitement around that. I do expect most even semi-technical users to do this. But it's not clear to me that we should say that's the *only* path and at a technical level today a lot of work went into keeping that functionality. For example, today for OpenShift for example we client side package layer kernel-rt and a few other things. I obviously want us to move to always building an image, but it needs some work. There's also valid use cases around things like "I want to ssh to this one machine and install kernel-debug".

On Wed, 2022-11-23 at 15:08 -0500, Ben Cotton wrote: Aren't some Fedora spins still using Initial Setup (not to be confused with Gnome Initial Setup) ? That would get it removed as well, if the anaconda package is uninstaled. But I guess this new tool could be hooked only after Initial Setup has finished running during the first boot - by which point it should by fine to remove Anaconda & Initial Setup from the system.

The main issue with this change for Silverblue/Kinoite is that this introduces client side layering by default for all users. To understand why this is not a good idea, I need to recap a few things: how rpm-ostree client side layering works, the general goal behind rpm-ostree and image based updates and what we're trying to do in https://fedoraproject.org/wiki/Changes/OstreeNativeContainerStable. First, let's start with rpm-ostree client side layering. When you update a "pristine" Silverblue system, the following happens: 1. rpm-ostree looks into the remote ostree repo for the latest version commit and downloads all the files needed for it into the local repo. 2. Once this is done, it creates a new deployments, which is a new copy of /usr made mostly of hardlinks to the repo. 3. Then you can reboot and you're done. When you enable client side layering, because you want to change something in the image, remove a package, add a new one, etc., the following happens: 1. rpm-ostree has to fetch the needed files into the repo like in the previous case (step 1). 2. But then, instead of creating directly creating a new deployment, it creates a temporary one with the content of the latest commit. 3. From this temporary deployment, rpm-ostree is able to fetch all RPM metadata from the Fedora repos, then resolve the dependencies for the added/replaced/removed packages and download the RPMs as needed. 4. It will then create a temporary writable overlay on top of the temporary deployment, perform the package installations, replacements, removals and optionally rebuild the initrd. 5. Then it will process the files in this overlay to create a new ostree commit. 6. Finally, it will deploy this new commit into a new deployment to be used after a reboot. Given the additional steps required when client side layering is used, updates will take longer to be downloaded, prepared and installed and will require more CPU and memory. Additionally, any operation done on the temporary deployment may fail: missing dependencies, conflicts, wrong package signatures, etc. The idea behind rpm-ostree hybrid model is that you don't have to manage package conflicts, installation, etc. on the client side and instead rely on the server composing a working image for you. With client side layering, this guarantee goes away and the user will have to intervene when it fails. This is the main reason why we recommend to be careful with client side layering: it may fail and you'll have to figure out why, just like you need to figure out dependency resolutions issues on a classic DNF based system. The main goal of Silverblue is to get rid of this issue in the first place by relying only on images by default. Users may choose to override things in the image but they would have to do that on purpose, via the command line, hopefully knowing that they are now responsible when something fails. Note that neither GNOME Software nor Plasma Discover support managing client side layered packages right now. GNOME Sofware pre-downloads packages, essentially making the first step invisible to the user and only then notifies the user to trigger the 2nd and 3rd steps. Plasma Discover is not yet capable of doing that but I'm working on it. So yes, client side layering is fully supported in Silverblue/Kinoite as it enables debugging, testing, workarounds, etc. but we don't want to expose users to it by default as this is not a good user experience. One solution to reduce the time taken by client side layering and those issues mentioned above is to move the package overrides back to the server side by using a layering approach similar to the one used to build containers. This is the goal of this change: https://fedoraproject.org/wiki/Changes/OstreeNativeContainerStable. It enables users to make custom builds of Silverblue/Kinoite with their own selection of packages and changes and then to distribute them as an image to their systems, getting the full benefits of pure image based updates back if they don't do any local changes anymore. I hope that explained things in more details.

On Thu, 2022-12-15 at 00:11 +0000, Michael Catanzaro via devel wrote: Well, except that we ship Firefox in the default OS image and to make that play video, overlaying openh264 is *exactly* what's needed. That sucks, though. It needs fixing somehow. Hopefully not by just telling people to use the upstream Flathub Firefox, because I appreciate the work our maintainer does to provide a build with (IMHO) superior choices. -- Adam Williamson Fedora QA IRC: adamw | Twitter: adamw_ha https://www.happyassassin.net

Working on having a better Firefox shipped as a Flatpak by default will please a lot of people that as asking for Firefox to be removed from the base image: https://github.com/fedora-silverblue/issue-tracker/issues/288 If we can have Cisco host a container image with openh264 as a Flatpak extension then that would be great as the extension would be pulled down automatically during flatpak update.

On 15/12/2022 01:38, Adam Williamson wrote: Flathub's Firefox is the worst Firefox ever on Linux. They are still building it with ASLR and hardening disabled and for a limited number of architectures. They also don't use the Flathub's infra for building this package and uploading prebuilt ostree blob. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 15/12/2022 11:24, Vitaly Zaitsev wrote: Also, we can update the openh264 package and include all needed reverse weak dependencies there: Supplements: plasma-workspace Supplements: gnome-shell Supplements: $any_other_DE_meta_package$ No FESCo exceptions will be required because this package is from a third-party Cisco repository. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 15/12/2022 12:03, Neal Gompa wrote: Maybe we can change the system-upgrade plugin to bypass such behavior on system upgrades? -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 15/12/2022 12:53, Neal Gompa wrote: On new installations, weak dependencies will be installed automatically out of the box. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 15/12/2022 13:34, Neal Gompa wrote: It should be fixed then. Please report this issue to dnf component. Some suggestions for current implementation: 1. Please rewrite the first run script from Bash to Python. Running bash scripts as root is extremely dangerous. One mistake or empty variable can cause a disaster. Example: rm -rf /usr/$foo. If the $foo variable is empty, it will wipe the entire /usr. Also everyone can inject any commands and execute them as root. Example: $foo = '; curl .... | bash'. 2. Please do a network presence check before doing anything. Most users store Wi-Fi passwords in a KDE/GNOME keyring and there is no network access during the boot. The script will fail instantly. 3. Please check if the full ffmpeg-libs or libavcodec-freeworld are installed. In such configurations, OpenH264 is not needed. 4. Please implement an opt-out switch. Some users don't want openh264 from Cisco's third-party repository to be installed. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

Using weak deps was our original plan, but problem is it broke due to https://fedoraproject.org/wiki/Changes/ExcludeFromWeakAutodetect and we surely do not want to revert that. Also, it was less robust because it required dummy firefox and totem updates to cause the weak deps to be pulled in, and we regularly forgot to prepare those zero-day updates. I agree that the script needs to be robust to the absence of network connectivity on first boot. That can happen for a variety of reasons. I don't agree that it needs an opt-out switch. (a) It should not be behind the existing third-party software opt-out switch, because this open source software is built for Fedora, by Fedora, and signed by Fedora. It uses a third-party host purely for legal reasons. (b) Adding a second GUI configuration switch would result in a confusing user experience. (c) It's easy for technical users to uninstall openh264 and disable the repo if desired. (d) You can also do your first boot without internet connected, then disable the systemd service to stop it from running in the first place if you really want it to never get installed.