
Bug#919508: ITP: warewulf -- systems management suite for Linux clusters



Hi Roland,

On Thu, Jan 31, 2019 at 3:10 AM Roland Fehrenbacher <rfehren@debian.org> wrote:
>
> >>>>> "BS" == Brian Smith <bsmith@systemfabricworks.com> writes:
>
> Hi Brian,
>
> while I appreciate your initiative, I'm a bit skeptical about the
> inclusion of warewulf in Debian for the following reasons:
>
> a) Development in the project has stalled for quite a while. It used to
> be basically a one-man show driven by Gregory M. Kurtzer who now runs a
> startup (https://www.sylabs.io/) pushing the singularity container
> software.
>

Agreed that the GitHub repository is not seeing a lot of new development work.
They are responding to issues and incorporating pull requests. The warewulf
project doesn't look dead.

>
> b) The software is quite complex and involves system components which
> are rather security critical. Given that we cannot count on upstream
> concerning fixing security issues, I consider it a substantial risk that
> we might have a hard time struggling with critical security bugs.
>

The major security problem I found is the use of embedded software tarballs
that would not be receiving any security updates unless addressed specifically
by warewulf developers. The work I have done removes the warewulf dependency
upon the embedded tarballs and uses the binaries delivered by the standard
Debian packages.

I'm still going through the scripts, so there may be glaring issues that I'm not
aware of. Searching the web hasn't revealed any major security discussions
regarding warewulf. If there is a link to such an article or you wish to specify
what you found, please let me know.

>
> c) Given its complexity, the software is also rather involved
> concerning its packaging process. Hence, I believe it only makes sense to
> include it in Debian if there is a strong commitment from you and at
> least one other DD for the long-term maintenance.
>

I had hoped to share my work with the Debian community. If there is little
support for including the package, then I agree that the ITP is a wasted effort.

> Because of these points I wouldn't be in favor of including warewulf in
> Debian. I looked at it myself about a possible inclusion in our own
> cluster OS Qlustar for a while, but didn't find it suitable for
> basically the above reasons.
>
> Please note, this is only my personal opinion and if the majority of the
> Debian HPC team thinks otherwise, I have no problem with it. I just
> think it's better to have this discussion now, rather than after you have
> done all the work and it possibly would have been in vain ...
>

Thanks for responding and bringing up your concerns. I'm having to do the
packaging and fixes already for my own project. Getting it fully vetted and
suitable for upload is, obviously, a much bigger effort.

>
> Cheers,
>
> Roland
>
>     BS> Package: wnpp Severity: wishlist Owner: "Brian T. Smith"
>     BS> <bsmith@systemfabricworks.com> X-Debbugs-CC:
>     BS> debian-devel@lists.debian.org, debian-hpc@lists.debian.org
>
>     BS> * Package name : warewulf
>     BS>   Version : 3.8.1 Upstream Author : Gregory M. Kurtzer
>     BS>   <gmkurtzer@gmail.com>
>     BS> * URL : https://warewulf.lbl.gov/
>     BS> * License : BSD-3-Clause-like
>     BS>   Programming Lang: Perl, Bourne, Bash Description : Systems
>     BS>   management suite for Linux clusters
>
>     BS> Warewulf is an operating system management toolkit designed to
>     BS> facilitate large scale deployments of systems on physical,
>     BS> virtual and cloud-based infrastructures. It facilitates elastic
>     BS> and large deployments consisting of groups of homogenous
>     BS> systems.
>
>     BS> Compute nodes are managed via the warewulf suite that is
>     BS> installed to a head node. The head node executes services used
>     BS> to provision the operating system to compute nodes, which
>     BS> execute an iPXE agent.  The essential services are tftpd, dhcpd,
>     BS> httpd and nfsd.  Warewulf consists of a set of scripts which
>     BS> automate configuration of these services via a command-line
>     BS> interface.
>
>     BS> The upstream Warewulf source package includes embedded source
>     BS> tarballs for parted, ipxe, e2fsprogs, busybox, libarchive and
>     BS> unionfs. Thus, the upstream builds include binary code for these
>     BS> packages that are already available for Debian. A goal of this
>     BS> project is to remove these embedded packages from the build and
>     BS> ship packages that target the "all" architecture.
>
>     BS> Warewulf's upstream build also includes packaging of a compute
>     BS> node initrd image, created from the embedded packages. The
>     BS> Debian package will not include an initrd image. Rather, a
>     BS> script to create the initrd image via mkinitramfs and custom
>     BS> hooks will be used by the administrator to build the compute
>     BS> node initrd image after installing warewulf to the head node.
>     BS> This technique has the benefit of easing an administrator's task
>     BS> of updating the initrd image, when necessary.
>
>     BS> Warewulf is used by administrators who need to manage clusters
>     BS> of linux computers, and also by those who need to deploy
>     BS> operating system images over a LAN. I use it in my development
>     BS> environment for these purposes.
>
>     BS> I plan to maintain Warewulf within the debian-hpc team, of which
>     BS> I am a member. As my role is Debian Maintainer, the initial
>     BS> upload will require assistance from a sponsor.


-- 
Brian T. Smith
System Fabric Works
Senior Technical Staff
bsmith@systemfabricworks.com
GPG Key: 0xB3C2C7B73BA3CD7F

