Stephen Gallagher
2014-02-25 20:42:39 UTC
So, the Workstation group has done a truly fantastic job these last
couple of weeks designing their Technical Specification[1]. At today's
Server WG meeting, the topic came up about the "Core Services and
Features" section of this document. I think that much of it is reusable
for the Server Technical Specification, so I'm going to go through it
and make comments and recommendations. Please add your own thoughts and
I'll get them up on the wiki tomorrow.
> === File system ===
>
> The default file system type for workstation installs should be
> btrfs.
The default file system is definitely up for some debate, but I'd make
an argument for using XFS atop LVM[1] for the default filesystem in
the Fedora Server, at least in part because Red Hat's storage experts
have done the research for us already and determined that XFS is the
recommended fit for Red Hat Enterprise Linux 7.
Btrfs still makes me somewhat nervous, given that its upstream doesn't
consider it stable[3].
>
> === Service management ===
>
> Systemd provides ways to control and monitor the activity and
> status of system services, resources they require, etc. System
> services are expected to provide systemd units. See the systemd
> [http://0pointer.de/public/systemd-man/systemd.unit.html
> documentation].
>
I think we want to go along with this, but make a stronger statement
about systemd units.
"System services *must* provide systemd units to be included in the
Fedora Server standard installation."
> === Logging ===
>
> The systemd journal will be used as the local storage backend for
> system logs. For 'managed' scenarios (e.g the 'developer in a
> large organization' use case of the PRD), it will be possible to
> collect the logs in a centralized location, off the local machine.
>
> Applications and services can either use the syslog API or the
> journal APIs for their logging. See the journal API
> [http://0pointer.de/public/systemd-man/sd-journal.html
> documentation].
>
I agree with this as well. We should focus on the use of journald as
the preferred log aggregator and make sure that it is fully capable of
aggregating those logs centrally. The advantages provided by
journald's structured logging will make processing of those logs much
easier.
That said, for the immediate future I think we also need to mandate
that the system MUST continue to be capable of exporting traditional
syslog messages to existing log aggregation systems.
> === Networking ===
>
> Network devices and connections will be controlled by
> NetworkManager. This includes support for VPN, which is relevant
> for 'corporate' scenarios. Applications are advised to use
> higher-level APIs (such as
> [https://developer.gnome.org/gio/stable/GNetworkMonitor.html
> GNetworkMonitor] in GIO) to monitor online status.
>
This is going to be the contentious point, I expect. We've already
seen some chatter on this list around systemd-networkd and of course
there's a long history of wariness around NetworkManager as a
replacement for traditional network scripts.
This will need to come to a vote, but here are my feelings on the matter:
== Network Scripts ==
+ Powerful, stable and widely deployed.
- Configuration requires modification of a large number of plaintext
files. Central management of this configuration is difficult and
generally requires tools like Puppet and Chef to be deployed to do
so reliably.
- Complex configuration is highly prone to accidents necessitating a
visit from the "crash cart" in the data center.
== Network Manager ==
+ Powerful and (now) stable with support for enterprise features like
bridging and bonding.
+ Consistent API allows for simplified configuration with fewer
opportunities for producing an unusable system.
+ Default networking stack for RHEL 7 means it will get considerable
bugfixing resources allocated to it.
- Requires a running daemon on the system (though work is under way to
have the daemon shut down except when needed)
- Bad PR history means that some administrators view it unfavorably
== systemd-networkd ==
+ Very low overhead, tight integration with low-level plumbing
- Immature with few features. Only saw its first release this month.
- Not currently available on Fedora[4]
My personal view is that NetworkManager is the best option *today*
(understanding full well that there will need to be a fair amount of
marketing effort to educate people on how far it has come in the last
couple years), while systemd-networkd may become a highly interesting
option in the future. Given our focus in Fedora Server on making
configuration more approachable, I can't really see us recommending
network scripts as the *default* offering.
> === Firewall ===
>
> A firewall in its default configuration may not interfere with the
> normal operation of programs installed by default.
I would extend this statement to include that the deployment of Server
Roles should also adjust the firewall operation in a manner consistent
with user expectation.
> We should detect when the system is on a public or untrusted
> network and prevent the user from unwanted sharing of e.g. music or
> other media in this situation. A firewall (and network zones as
> currently implemented by firewalld) may or may not be part of a
> solution to this.
>
The concept of network zones should probably be basically ignored for
Fedora Server, as we should generally default to closing all ports
except for those made available for installed Roles. (Also, the Role
configuration should optionally be able to specify on which interfaces
it wishes to operate, so we can restrict internal vs. external
operation in a multi-homed environment).
> === SELinux ===
>
> SELinux will be enabled in enforcing mode, using the targeted
> policy.
>
+1000
The base install and all approved Server Roles must operate in
targeted enforcing mode.
> === Problem reporting ===
>
> Problems and error conditions (e.g. kernel oopses, Selinux AVCs,
> application crashes, OOM, disk errors) should all be reported in
> the systemd journal.
Ack
> Sending this information to a central place (like abrt does for
> crashes today) should be possible, but not mandatory. Depending on
> the use case, it may be turned off, enabled manually on a
> case-by-case basis, or entirely automatic without user
> intervention.
>
In the case of the Fedora Server, I think that reporting information
to a central location must be mandatory. Most servers in real-world
deployment are headless in a datacenter somewhere. Administrators will
need to be able to see all issues from a standard console.
Also, we need to keep in mind that the majority of servers will *not*
have visibility to the internet, so transmitting ABRT results directly
to Bugzilla is often impossible. We will need to be able to aggregate
the issues on a network-local management server. (Note: IMHO this is
not a blocker requirement on F21)
> === Session tracking ===
>
> Logind will be used as the session tracking facility.
>
> Applications that need to interact with sessions can use the
> logind
> [http://www.freedesktop.org/software/systemd/man/sd_session_is_active.html
>
>
library API], the
> [http://www.freedesktop.org/wiki/Software/systemd/logind/ D-Bus
> API], or a higher-level API
>
+1
> === Account handling ===
>
> SSSD is providing the backing storage for identity management. For
> 'managed' scenarios (e.g. the 'developer in a large organization'
> use case of the PRD), it will be possible to configure it to rely
> on a directory service for this information. The accountsservice
> is providing a D-Bus interface for user account information; this
> may be integrated into SSSD at some point.
>
> Depending on their needs, application and services can either use
> the POSIX APIs (getpwent(), etc) or the accountsservice D-Bus
> interface to obtain user information.
>
As the Fedora Server is more likely than Workstation to require
central management, I think we need to adopt this wholeheartedly.
Also, realmd should be considered a core piece of our story, as it
enables automatic configuration of SSSD with either FreeIPA (our
Domain Controller Role) or Active Directory (Microsoft Windows Domain
Controller).
> === Software updates ===
>
> gnome-software will use PackageKit with the hawkey backend to
> obtain and install software updates for packaged applications and
> the OS itself. The recommendation for applications is to use the
> PackageKit APIs to interact with the underlying packaging system.
>
Software updates on a server system should be designed in such a way
that they can be enforced centrally. With Fedora Server, this probably
means picking one of the common config management systems such as
Puppet, Chef, Red Hat Satellite or else relying on OpenLMI for
performing central software upgrades.
For single-server manipulation, I think we should focus on supporting
yum/dnf.
> === Miscellaneous system information ===
>
> System locale, timezone, hostname, etc. will be managed through
> the services provided by systemd for this purpose. See developer
> documentation for
> [http://www.freedesktop.org/wiki/Software/systemd/localed/
> localed],
> [http://www.freedesktop.org/wiki/Software/systemd/timedated/
> timedated] and
> [http://www.freedesktop.org/wiki/Software/systemd/hostnamed/
> hostnamed]
>
I also think we should stick with the systemd-offered mechanisms for
this functionality (and I know that Cockpit is already interfacing
with much of it).
> === Virtualization ===
>
> libvirt-daemon will be used to manage virtualization capabilities.
>
We probably want to use libvirt-daemon for virtualization and focus on
systemd-nspawn for containerization.
> === Display manager ===
>
> gdm will be used as the display manager. It is responsible for
> showing a login screen on each seat. It will be able to launch
> both X-based sessions and Wayland sessions.
>
> Desktop environments are expected to make themselves known as an
> available session option on the login screen by dropping a
> .desktop file into /usr/share/xsessions (or its wayland
> equivalent).
>
> Other facilities provided by the display manager include screen
> unlock authentication and user switching.
>
Display manager is irrelevant to the Server product.
> === Accessibility ===
>
> The accessibility support in the workstation includes a screen
> reader, a high-contrast theme and a zoom capability, amongst
> others. The screen reading is provided through orca, which runs as
> a session service and requires the at-spi infrastructure.
> Applications are expected to provide suitable information to the
> screen reader via the toolkit's accessibility support. Applications
> are also expected to work acceptably in the high-contrast theme.
> The zoom is implemented in the desktop shell and does not need any
> application support.
>
Accessibility on the server is a topic I'm fairly comfortable with
deferring to the management tools such as Cockpit and Katello/Foreman.
On the pure command-line, I think the most we can do is assert that
any interactive operation we enable should have a configurable timeout
to deal with potentially slow typists.
> === Input Methods ===
>
> The input method framework on the workstation is provided by ibus.
> Input methods and keyboard layouts can be configured in the
> control-center, and selected in shell keyboard menu. The supported
> application toolkits all support ibus.
>
I'm not sure this is a situation we need to get ourselves involved in.
Most interaction will be in the shell, so hopefully the LOCALE setting
will be sufficient.
> === Graphics ===
>
> The workstation session will switch to using a Wayland compositor
> as soon as feasible. Until then, it will be based on X11. Even
> after the switch, an X server will be included, so applications can
> either connect to Wayland natively, or run as an X client.
>
Not applicable
> === Media support ===
>
> Sound hardware and audio streams will be managed by pulseaudio.
> Applications are recommended to use the
> [http://gstreamer.freedesktop.org/documentation/ gstreamer]
> framework for media playback.
>
Not applicable
> === Appearance ===
>
> The workstation will ship with a single theme, which will have
> support for the included toolkits: gtk3, qt and gtk2. Applications
> are expected to work well with this theme, as well as with the
> high-contrast theme that is used for accessibility. The theme will
> include a dark variant that applications can opt into using (this
> is most suitable for certain content-focused applications). The
> theme also includes an icon theme that provides named icons
> according to the icon-naming spec, plus symbolic variants.
>
> We will be using the Adwaita theme, with a yet-to-be-written qt
> variant.
>
As for "appearance", my view is that Cockpit should be the official
"face" of the Fedora Server. Opinions welcome :)
> === Application Integration ===
>
> Installed applications are expected to install a desktop file in
> /usr/share/applications and an application icon in the hicolor
> icon theme.
>
> Packaged applications are also expected to provide
> [http://people.freedesktop.org/~hughsient/appdata/ appdata] for
> use in the application installer.
>
Not applicable
> === System Installer ===
>
> The desired installation experience for the workstation product is
> to limit the pre-installation user interaction to the minimum. The
> storage configuration UI should be focused on the classes of
> hardware that are expected in workstation-class machines. Package
> selection is not necessary: the installer will install the
> workstation product as defined. Tweaks, customizations and software
> additions should be performed after the installation.
>
> One aspect of storage configuration that will be needed is support
> for dual-boot setups (preserving preexisting Windows or OS X
> installations), since e.g. students may be required to run
> software on those platforms for their coursework.
>
> gnome-initial-setup already provides support for post-install user
> creation, language selection, timezone configuration, etc. If
> necessary, it should be extended to cover all required setup
> tasks.
I'm not even sure where to begin here. The system installer discussion
probably needs to have its own thread.
[1] https://fedoraproject.org/wiki/Workstation/Technical_Specification
[2] I haven't got an opinion on traditional LVM vs. thinly-provisioned
LVM at this point.
[3] https://btrfs.wiki.kernel.org/index.php/FAQ#Is_btrfs_stable.3F
[4]
http://lists.freedesktop.org/archives/systemd-devel/2014-February/017146.html
couple of weeks designing their Technical Specification[1]. At today's
Server WG meeting, the topic came up about the "Core Services and
Features" section of this document. I think that much of it is reusable
for the Server Technical Specification, so I'm going to go through it
and make comments and recommendations. Please add your own thoughts and
I'll get them up on the wiki tomorrow.
> === File system ===
>
> The default file system type for workstation installs should be
> btrfs.
The default file system is definitely up for some debate, but I'd make
an argument for using XFS atop LVM[1] for the default filesystem in
the Fedora Server, at least in part because Red Hat's storage experts
have done the research for us already and determined that XFS is the
recommended fit for Red Hat Enterprise Linux 7.
Btrfs still makes me somewhat nervous, given that its upstream doesn't
consider it stable[3].
>
> === Service management ===
>
> Systemd provides ways to control and monitor the activity and
> status of system services, resources they require, etc. System
> services are expected to provide systemd units. See the systemd
> [http://0pointer.de/public/systemd-man/systemd.unit.html
> documentation].
>
I think we want to go along with this, but make a stronger statement
about systemd units.
"System services *must* provide systemd units to be included in the
Fedora Server standard installation."
> === Logging ===
>
> The systemd journal will be used as the local storage backend for
> system logs. For 'managed' scenarios (e.g the 'developer in a
> large organization' use case of the PRD), it will be possible to
> collect the logs in a centralized location, off the local machine.
>
> Applications and services can either use the syslog API or the
> journal APIs for their logging. See the journal API
> [http://0pointer.de/public/systemd-man/sd-journal.html
> documentation].
>
I agree with this as well. We should focus on the use of journald as
the preferred log aggregator and make sure that it is fully capable of
aggregating those logs centrally. The advantages provided by
journald's structured logging will make processing of those logs much
easier.
That said, for the immediate future I think we also need to mandate
that the system MUST continue to be capable of exporting traditional
syslog messages to existing log aggregation systems.
> === Networking ===
>
> Network devices and connections will be controlled by
> NetworkManager. This includes support for VPN, which is relevant
> for 'corporate' scenarios. Applications are advised to use
> higher-level APIs (such as
> [https://developer.gnome.org/gio/stable/GNetworkMonitor.html
> GNetworkMonitor] in GIO) to monitor online status.
>
This is going to be the contentious point, I expect. We've already
seen some chatter on this list around systemd-networkd and of course
there's a long history of wariness around NetworkManager as a
replacement for traditional network scripts.
This will need to come to a vote, but here are my feelings on the matter:
== Network Scripts ==
+ Powerful, stable and widely deployed.
- Configuration requires modification of a large number of plaintext
files. Central management of this configuration is difficult and
generally requires tools like Puppet and Chef to be deployed to do
so reliably.
- Complex configuration is highly prone to accidents necessitating a
visit from the "crash cart" in the data center.
== Network Manager ==
+ Powerful and (now) stable with support for enterprise features like
bridging and bonding.
+ Consistent API allows for simplified configuration with fewer
opportunities for producing an unusable system.
+ Default networking stack for RHEL 7 means it will get considerable
bugfixing resources allocated to it.
- Requires a running daemon on the system (though work is under way to
have the daemon shut down except when needed)
- Bad PR history means that some administrators view it unfavorably
== systemd-networkd ==
+ Very low overhead, tight integration with low-level plumbing
- Immature with few features. Only saw its first release this month.
- Not currently available on Fedora[4]
My personal view is that NetworkManager is the best option *today*
(understanding full well that there will need to be a fair amount of
marketing effort to educate people on how far it has come in the last
couple years), while systemd-networkd may become a highly interesting
option in the future. Given our focus in Fedora Server on making
configuration more approachable, I can't really see us recommending
network scripts as the *default* offering.
> === Firewall ===
>
> A firewall in its default configuration may not interfere with the
> normal operation of programs installed by default.
I would extend this statement to include that the deployment of Server
Roles should also adjust the firewall operation in a manner consistent
with user expectation.
> We should detect when the system is on a public or untrusted
> network and prevent the user from unwanted sharing of e.g. music or
> other media in this situation. A firewall (and network zones as
> currently implemented by firewalld) may or may not be part of a
> solution to this.
>
The concept of network zones should probably be basically ignored for
Fedora Server, as we should generally default to closing all ports
except for those made available for installed Roles. (Also, the Role
configuration should optionally be able to specify on which interfaces
it wishes to operate, so we can restrict internal vs. external
operation in a multi-homed environment).
> === SELinux ===
>
> SELinux will be enabled in enforcing mode, using the targeted
> policy.
>
+1000
The base install and all approved Server Roles must operate in
targeted enforcing mode.
> === Problem reporting ===
>
> Problems and error conditions (e.g. kernel oopses, Selinux AVCs,
> application crashes, OOM, disk errors) should all be reported in
> the systemd journal.
Ack
> Sending this information to a central place (like abrt does for
> crashes today) should be possible, but not mandatory. Depending on
> the use case, it may be turned off, enabled manually on a
> case-by-case basis, or entirely automatic without user
> intervention.
>
In the case of the Fedora Server, I think that reporting information
to a central location must be mandatory. Most servers in real-world
deployment are headless in a datacenter somewhere. Administrators will
need to be able to see all issues from a standard console.
Also, we need to keep in mind that the majority of servers will *not*
have visibility to the internet, so transmitting ABRT results directly
to Bugzilla is often impossible. We will need to be able to aggregate
the issues on a network-local management server. (Note: IMHO this is
not a blocker requirement on F21)
> === Session tracking ===
>
> Logind will be used as the session tracking facility.
>
> Applications that need to interact with sessions can use the
> logind
> [http://www.freedesktop.org/software/systemd/man/sd_session_is_active.html
>
>
library API], the
> [http://www.freedesktop.org/wiki/Software/systemd/logind/ D-Bus
> API], or a higher-level API
>
+1
> === Account handling ===
>
> SSSD is providing the backing storage for identity management. For
> 'managed' scenarios (e.g. the 'developer in a large organization'
> use case of the PRD), it will be possible to configure it to rely
> on a directory service for this information. The accountsservice
> is providing a D-Bus interface for user account information; this
> may be integrated into SSSD at some point.
>
> Depending on their needs, application and services can either use
> the POSIX APIs (getpwent(), etc) or the accountsservice D-Bus
> interface to obtain user information.
>
As the Fedora Server is more likely than Workstation to require
central management, I think we need to adopt this wholeheartedly.
Also, realmd should be considered a core piece of our story, as it
enables automatic configuration of SSSD with either FreeIPA (our
Domain Controller Role) or Active Directory (Microsoft Windows Domain
Controller).
> === Software updates ===
>
> gnome-software will use PackageKit with the hawkey backend to
> obtain and install software updates for packaged applications and
> the OS itself. The recommendation for applications is to use the
> PackageKit APIs to interact with the underlying packaging system.
>
Software updates on a server system should be designed in such a way
that they can be enforced centrally. With Fedora Server, this probably
means picking one of the common config management systems such as
Puppet, Chef, Red Hat Satellite or else relying on OpenLMI for
performing central software upgrades.
For single-server manipulation, I think we should focus on supporting
yum/dnf.
> === Miscellaneous system information ===
>
> System locale, timezone, hostname, etc. will be managed through
> the services provided by systemd for this purpose. See developer
> documentation for
> [http://www.freedesktop.org/wiki/Software/systemd/localed/
> localed],
> [http://www.freedesktop.org/wiki/Software/systemd/timedated/
> timedated] and
> [http://www.freedesktop.org/wiki/Software/systemd/hostnamed/
> hostnamed]
>
I also think we should stick with the systemd-offered mechanisms for
this functionality (and I know that Cockpit is already interfacing
with much of it).
> === Virtualization ===
>
> libvirt-daemon will be used to manage virtualization capabilities.
>
We probably want to use libvirt-daemon for virtualization and focus on
systemd-nspawn for containerization.
> === Display manager ===
>
> gdm will be used as the display manager. It is responsible for
> showing a login screen on each seat. It will be able to launch
> both X-based sessions and Wayland sessions.
>
> Desktop environments are expected to make themselves known as an
> available session option on the login screen by dropping a
> .desktop file into /usr/share/xsessions (or its wayland
> equivalent).
>
> Other facilities provided by the display manager include screen
> unlock authentication and user switching.
>
Display manager is irrelevant to the Server product.
> === Accessibility ===
>
> The accessibility support in the workstation includes a screen
> reader, a high-contrast theme and a zoom capability, amongst
> others. The screen reading is provided through orca, which runs as
> a session service and requires the at-spi infrastructure.
> Applications are expected to provide suitable information to the
> screen reader via the toolkit's accessibility support. Applications
> are also expected to work acceptably in the high-contrast theme.
> The zoom is implemented in the desktop shell and does not need any
> application support.
>
Accessibility on the server is a topic I'm fairly comfortable with
deferring to the management tools such as Cockpit and Katello/Foreman.
On the pure command-line, I think the most we can do is assert that
any interactive operation we enable should have a configurable timeout
to deal with potentially slow typists.
> === Input Methods ===
>
> The input method framework on the workstation is provided by ibus.
> Input methods and keyboard layouts can be configured in the
> control-center, and selected in shell keyboard menu. The supported
> application toolkits all support ibus.
>
I'm not sure this is a situation we need to get ourselves involved in.
Most interaction will be in the shell, so hopefully the LOCALE setting
will be sufficient.
> === Graphics ===
>
> The workstation session will switch to using a Wayland compositor
> as soon as feasible. Until then, it will be based on X11. Even
> after the switch, an X server will be included, so applications can
> either connect to Wayland natively, or run as an X client.
>
Not applicable
> === Media support ===
>
> Sound hardware and audio streams will be managed by pulseaudio.
> Applications are recommended to use the
> [http://gstreamer.freedesktop.org/documentation/ gstreamer]
> framework for media playback.
>
Not applicable
> === Appearance ===
>
> The workstation will ship with a single theme, which will have
> support for the included toolkits: gtk3, qt and gtk2. Applications
> are expected to work well with this theme, as well as with the
> high-contrast theme that is used for accessibility. The theme will
> include a dark variant that applications can opt into using (this
> is most suitable for certain content-focused applications). The
> theme also includes an icon theme that provides named icons
> according to the icon-naming spec, plus symbolic variants.
>
> We will be using the Adwaita theme, with a yet-to-be-written qt
> variant.
>
As for "appearance", my view is that Cockpit should be the official
"face" of the Fedora Server. Opinions welcome :)
> === Application Integration ===
>
> Installed applications are expected to install a desktop file in
> /usr/share/applications and an application icon in the hicolor
> icon theme.
>
> Packaged applications are also expected to provide
> [http://people.freedesktop.org/~hughsient/appdata/ appdata] for
> use in the application installer.
>
Not applicable
> === System Installer ===
>
> The desired installation experience for the workstation product is
> to limit the pre-installation user interaction to the minimum. The
> storage configuration UI should be focused on the classes of
> hardware that are expected in workstation-class machines. Package
> selection is not necessary: the installer will install the
> workstation product as defined. Tweaks, customizations and software
> additions should be performed after the installation.
>
> One aspect of storage configuration that will be needed is support
> for dual-boot setups (preserving preexisting Windows or OS X
> installations), since e.g. students may be required to run
> software on those platforms for their coursework.
>
> gnome-initial-setup already provides support for post-install user
> creation, language selection, timezone configuration, etc. If
> necessary, it should be extended to cover all required setup
> tasks.
I'm not even sure where to begin here. The system installer discussion
probably needs to have its own thread.
[1] https://fedoraproject.org/wiki/Workstation/Technical_Specification
[2] I haven't got an opinion on traditional LVM vs. thinly-provisioned
LVM at this point.
[3] https://btrfs.wiki.kernel.org/index.php/FAQ#Is_btrfs_stable.3F
[4]
http://lists.freedesktop.org/archives/systemd-devel/2014-February/017146.html