*** mhen_ is now known as mhen | 01:56 | |
xek | #startmeeting barbican | 12:00 |
---|---|---|
opendevmeet | Meeting started Tue Oct 3 12:00:52 2023 UTC and is due to finish in 60 minutes. The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot. | 12:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 12:00 |
opendevmeet | The meeting name has been set to 'barbican' | 12:00 |
xek | #topic Roll Call | 12:01 |
xek | Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar | 12:01 |
rajiv | hi | 12:01 |
mharley | o/ | 12:02 |
rajiv | do we have the weekly meeting today ? | 12:02 |
lpiwowar | o/ | 12:03 |
xek | morning :) | 12:04 |
xek | @rajiv yep, it has just started | 12:04 |
rajiv | yo! | 12:04 |
xek | As usual our agenda can be found here: | 12:04 |
xek | #link https://etherpad.openstack.org/p/barbican-weekly-meeting | 12:04 |
xek | Just the usual items today | 12:04 |
xek | #topic Review Past Meeting Action Items | 12:04 |
xek | #link https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-09-05-12.00.html | 12:05 |
xek | There was a patch fixing the python-barbicanclient gate, which is already merged | 12:05 |
xek | #link https://review.opendev.org/c/openstack/python-barbicanclient/+/894738 | 12:06 |
xek | #topic Liaison Updates | 12:07 |
xek | It's the final week of Bobcat | 12:07 |
dmendiza[m] | 🙋 | 12:07 |
dmendiza[m] | Welcome back, Grzegorz Grasza ! | 12:08 |
xek | Morning @dmendiza :) | 12:08 |
xek | During my PTO secret consumers were reverted in castellan bobcat https://review.opendev.org/q/topic:revert-castellan-bobcat | 12:08 |
xek | as it broke services requirements cross-job | 12:09 |
xek | Not much we can do at this point, but the changes are still on the main branch, so they're scheduled to go in in the next cycle | 12:09 |
xek | That's all from me | 12:10 |
xek | @lpiwowar any updates from QA? | 12:12 |
lpiwowar | From the QE side I do not have any updates | 12:12 |
lpiwowar | But if there is something urgent you need me to take a look at. I will do so:) | 12:12 |
xek | @lpiwowar ack, thanks! | 12:13 |
xek | #topic Open Discussion | 12:13 |
rajiv | Hey, i have 3 questions. | 12:13 |
rajiv | 1. Can we upgrade from Zed to Bobcat directly now ? | 12:14 |
xek | Barbican didn't have any breaking changes in Bobcat, so it should be fine | 12:14 |
rajiv | cool! | 12:15 |
rajiv | 2. is there a fix for CVE-2023-1636 ? the associated articles don't provide a fix yet | 12:15 |
xek | This CVE is related to how Barbican is deployed, presumably in TripleO | 12:17 |
rajiv | okay, i have a custom policy file with custom roles, which means i am not impacted ? will there be any details updated in the associated CVE links ? | 12:18 |
rajiv | my barbican setup in production runs on kubernetes | 12:18 |
xek | There are some details here: https://access.redhat.com/security/cve/cve-2023-1636 | 12:18 |
xek | if you are running in kubernetes this CVE doesn't apply to you | 12:19 |
rajiv | yes i was referring to this article but wasn't sure. Thanks for confirming. | 12:20 |
rajiv | 3. Any update on bug request : https://bugs.launchpad.net/barbican/+bug/2036506 | 12:20 |
xek | the main issue in TripleO is that the host network namespace is shared with the host and between containers | 12:20 |
rajiv | ack | 12:21 |
xek | I don't have any updates on the above bug | 12:22 |
xek | @dmendiza is it on your radar? | 12:23 |
dmendiza[m] | I saw the report but haven't looked into it | 12:25 |
rajiv | i have QA device if we wish to troubleshoot! | 12:25 |
rajiv | also, i am running barbican on FIPS mode, docu says it's not supported. Should i raise a bug request ? | 12:26 |
xek | yeah, we'll probably need it to test that any fix is compatible with both versions | 12:26 |
rajiv | i approached Thales if they could push a commit but they denied to associate. | 12:27 |
rajiv | I also found SoftHSM also doesn't support CKM_AES_CBC_PAD wrapping mechanism, more details are provided here : | 12:27 |
rajiv | https://github.com/opendnssec/SoftHSMv2/issues/405 | 12:27 |
rajiv | https://github.com/opendnssec/SoftHSMv2/issues/229 | 12:27 |
rajiv | thanks, how do we plan to fix this ? is there a project workflow i need to setup ? | 12:28 |
xek | @rajiv I think the documentation says it's not supported, since we don't have a voting set of tests for FIPS | 12:28 |
rajiv | okay, i can write few tests, but how can barbican test if FIPS mode is ON ? there isn't any API or DB to check right ? | 12:30 |
xek | Next step is to submit a patch, but I can't make any estimate on when and who could create one | 12:30 |
rajiv | apart p11 plugin enabled, or few changes seen in the kek_data table to confirm, know ? | 12:31 |
xek | There were some tests using a centos image with fips enabled | 12:31 |
xek | Those were running the usual functional test | 12:31 |
xek | ade_lee was working on that | 12:31 |
rajiv | i see, but i don't see any now, talking about tests, there isn't any here right ? https://github.com/openstack/barbican-tempest-plugin | 12:32 |
xek | yeah, I don't see this either, those would show up as a separate job in the review board | 12:33 |
dmendiza[m] | RE: Luna in FIPS mode, I'm not sure it's been tested in a long time. | 12:34 |
xek | but I suppose we could update the documentation with any pointers to how to run in fips, with a note that it's not currently tested in CI | 12:34 |
rajiv | okay, do i follow up bi-weekly for Thales patch ? or how do you recommend ? | 12:35 |
dmendiza[m] | rajiv If you want to work on a patch we can review it when you have it ready | 12:35 |
dmendiza[m] | RE: test, there are no HSM specific tests, we basically just run the same tests against a Barbican deployment that has an HSM | 12:35 |
dmendiza[m] | the tests should work regardless of backend | 12:36 |
rajiv | i am unsure on how or where to start, any hints are highly appreciated ? | 12:36 |
dmendiza[m] | the reason we don't test at the gate is because we don't have public access to an HSM that can be used on every patch that is submitted to barbican. | 12:36 |
rajiv | ack wrt tests | 12:36 |
rajiv | maybe send the patch across and i could test it ? | 12:37 |
xek | I only evoked @dmendiza since he has more experience with HSMs, but I'm not expecting he has the time to prepare a patch | 12:41 |
xek | I'm sure we'll have the time to review a patch, but I'm not sure about creating one | 12:42 |
rajiv | oh ok | 12:42 |
rajiv | do we still support storyboard ? or do i need to raise another issue via opendev. | 12:44 |
rajiv | This is another of my old bugs : https://storyboard.openstack.org/#!/story/2009322 | 12:44 |
xek | Please re-add it to launchpad | 12:45 |
xek | Ok, let's continue to the last topic | 12:46 |
xek | #topic Bug Review | 12:47 |
xek | I don't see any new bugs, apart from those already mentioned | 12:47 |
xek | Looks like that's it for today | 12:48 |
xek | I'm on PTO for the next 2 weeks | 12:50 |
xek | this one was planned a while ago :) | 12:51 |
xek | So it looks like we'll be skipping the next 2 weekly meetings | 12:51 |
xek | Unless @dmendiza wants to chair? | 12:52 |
dmendiza[m] | I can cover for you | 12:52 |
xek | ok, cool, thanks! | 12:52 |
xek | We skipped a bunch of meetings last month, but I just had to take this unexpected PTO... | 12:53 |
xek | Anyway, thanks for attendance, see you in 3 weeks! | 12:53 |
xek | #endmeeting | 12:54 |
opendevmeet | Meeting ended Tue Oct 3 12:54:38 2023 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 12:54 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-10-03-12.00.html | 12:54 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-10-03-12.00.txt | 12:54 |
opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-10-03-12.00.log.html | 12:54 |