dustymabe changed the topic of #fedora-coreos to: Fedora CoreOS :: Find out more at https://getfedora.org/coreos/ :: Logs at https://libera.irclog.whitequark.org/fedora-coreos
<dustymabe> mass rebuild going on right now in Fedora.. which means some of our pipeline builds might fail because signing is taking a long time
<fifofonix> Reviewing month's enhancements documentation i see the enhancement to remove userdata for vSphere/fusion.
<fifofonix> Was there any consideration/thought ever given to somehow doing the same for cloud providers?
<fifofonix> I was wondering whether there would be a way to somehow reduce what is in cloud userdata by leveraging the layering stuff in some kind of structured way thereby improving security in some scenarios.
<bgilbert> fifofonix: Ignition now removes userdata for every platform where we know of a way to remove it.
<bgilbert> fifofonix: there are some additional platforms that provide a control-plane API call to remove userdata, but the VM can't use that API without the user's credentials, so we don't try to do anything on those either
<bgilbert> fifofonix: if you know of additional platforms where the VM is allowed to modify/delete userdata, please do let us know. I'd like to support that functionality wherever we can.
<fifofonix> got it. no way i know of to remove from aws say. obvs never include secrets in userdata. but even then you often have to have scripts which have ways/means of deriving secret 0. moving that to the layering might make sense as a use case?
<bgilbert> fifofonix: Ignition's current recommendations are at https://coreos.github.io/ignition/operator-notes/#secrets
<bgilbert> but saying "use HashiCorp Vault" is not the same as a worked example. some additional work is needed here
<bgilbert> I can't speak to the layering side of things unfortunately
<bgilbert> (haven't followed layering closely)
<fifofonix> i'm using vault already with the trust model. but you can still spy my scripts which spell out how that interaction happens in userdata. i'm thinking maybe best practice is to push that into a private fcos image.
<bgilbert> I think ideally vault would bind to a local trust root e.g. a TPM
<fifofonix> bgilbert: thanks for that link btw.
<bgilbert> +1
<bgilbert> I don't think we're actively working on this currently, so if you'd like to contribute any docs, that'd be awesome
<bgilbert> if you develop a model that works well for you
<fifofonix> i'm going to stew on it further. i'm already applying one of the mitigations in your link (networkpolicies) to restrict access to metadata but security in layers is the way forward - think i need to implement the other mitigator listed, ie. subsidiary ignition script at secure https location. thnks.
<bgilbert> +1
<phynecs> anyone using vultr to run coreos? (if this is the wrong chat to ask just tell me ^^)
<phynecs> because I don't have it available as an OS when creating a new VM
<phynecs> even though they are advertising it here: https://www.vultr.com/servers/fedora-coreos/
<phynecs> @dustymabe thx will have a look
<dustymabe> walters: want to address https://github.com/coreos/coreos-assembler/pull/3001#issuecomment-1191854687 and then override/merge ?
<walters> i can get that change into another PR?
<dustymabe> but shouldn't it go in the same commit that removed the code the comment was referring to?
<walters> sure, pushed
<dustymabe> thanks!
<dustymabe> I'll comment in the COSA issue
<dustymabe> and close it