Etienne Champetier

I redo my own testing on fully up to date OS usually, CI often use old base image

For a bit more context, at my job we have an 'appliance' based on Alma 8 / rpm-ostree and out of maybe 200 deployments, we had the ISO corrupted once...

@poncovka sorry about that, should be fixed now, can you approve the CI again ?

> Not opposed to this, but I think what you want to do instead is run `ostree fsck`. It would be a bit slower as it needs to read back...

> An entirely different approach here would be for Anaconda to use dm-verity - and as a bonus, this would also cover the integrity of other data, including Anaconda itself....

> Disconnected isn't exotic at all. A really key sub-reason we're doing the "container native" ostree is so that these cases users/customers can mirror the OS updates into a disconnected...

> Why it is required to search the `.dynamic` section when starting processes via `procd_add_jail`? What did `procd` passed to `-r` or `-w`? This is a bug. ujail only mounts...

> I beleive nftables does not have brouting feature for that reason I am using fw3 iptables / ebtables. nftables can definitly do stateful L2 filtering, you just need to...

VXLAN offload works with many 10G NICs, disabling by default will hurt performance for those, and each card can have different offload toggle, for the qede driver + IPIP you...

Sometimes the bug is with the driver + firmware combination, it's endless. Best thing would be to have Calico send packets using raw sockets and receive them on another node...