Replies: 1 comment 2 replies
-
|
Hey Colin. I don't think Passim makes sense at all in OCP -- or any of the other IoT products. A good question for you would be how you'd like to disable it -- e.g. is it easier to drop in a config file somewhere or disable a systemd preset or something? |
Beta Was this translation helpful? Give feedback.
-
|
Yes, disabling systemd units is easy, in the same way that the docs recommend disabling the unbound timer (and hence getting DNSSEC updates via the same channel as OS updates). We could leave this conversation at that. But that doesn't really lead towards any kind of larger picture holistic story. And if you're planning to make fwupd hard depend on passim, requires users who want fwupd to ship unnecessary code. A pluggable architecture would help; one possible avenue for that is shipping firmware in OCI artifacts. OCI artifacts very much come from the world of "container registries basically are abstract CDNs, let's use them that way", and several public registries support them. And the major point is that tools to mirror OCI can "Just work' with artifacts. |
Beta Was this translation helpful? Give feedback.
-
Well, yes in that libpassim is needed, but no as in the passimd daemon isn't required -- if it's disabled or removed then fwupd just ignores it. Maybe it makes sense to split out passim-libs for this exact usecase.
I think Miguel in the oCTO team is working on exactly that. |
Beta Was this translation helpful? Give feedback.
-
Creating a thread here based on https://lists.fedoraproject.org/archives/list/[email protected]/message/IJ5J6EK3J2ZQAM4LWOW2D6SQWFY6FZ66/ because the issue isn't really Fedora specific at all.
I'm an architect on Red Hat OpenShift and there we live and breathe container images, and so do our customers.
Many, many important installations run disconnected from the Internet, and customers use mirroring for this. Crucially for OCP 4, the only things one needs to know how to mirror are the RHCOS disk image (ISO, qcow2, etc.) and container images - not even RPMs! (And not ostree, which is now since 4.12 actually a native container image too)
We've had issues in the past where customers report bugs about things shipped in the OS that just unilaterally reach out to the Internet that aren't container images. One of these is the unbound DNSSEC update timer.
Passim/fwupd would be another one of these.
Basically my feedback is: I have opinions on passim as an overall whole, but certainly if we were to try to ship it in OCP I would probably disable the default upstream server connectivity and really require the update payloads for firmware to come as a versioned container image with the platform - just from a change management perspective, but also to support disconnected mirroring. And we're already discussing peer-to-peer container image fetches in some scenarios, we don't really need another peer-to-peer thing.
Beta Was this translation helpful? Give feedback.
All reactions