14:00:03 <ian-pittwood> #startmeeting airship
14:00:03 <openstack> Meeting started Tue Apr 21 14:00:03 2020 UTC and is due to finish in 60 minutes. The chair is ian-pittwood. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:06 <openstack> The meeting name has been set to 'airship'
14:00:11 <ian-pittwood> Good morning everyone!
14:00:14 <mattmceuen> o/ GM!
14:00:22 <airship-irc-bot1> <dwalt> o/
14:00:24 <howell> o/
14:00:26 <ian-pittwood> #topic rollcall
14:00:52 <ian-pittwood> Here's our agenda in case anyone wasn't in here when alex sent it https://etherpad.opendev.org/p/airship-meeting-2020-04-21
14:01:09 <airship-irc-bot1> <alexander.hughes> o/
14:01:15 <ian-pittwood> I'll give everyone a few minutes to look it over and add anything they would like
14:03:15 <ian-pittwood> I'm not seeing any activity on the agenda so we can go ahead and get into it
14:03:17 <ian-pittwood> #topic Announcement: Cluster API dev env instructions posted to blog
14:03:24 <ian-pittwood> I believe this is alexander.hughes
14:03:35 <ian-pittwood> #link https://www.airshipit.org/blog/cluster-api-development-environment/
14:04:00 <airship-irc-bot1> <alexander.hughes> Yep, just a quick announcement that we've opened up the blog to showcase work done to spread lessons learned. the first post in that category is setting up a CAPI dev environment.
14:04:17 <airship-irc-bot1> <alexander.hughes> If you have other work you'd like to showcase, airship blog is a great place to do it
14:04:46 <ian-pittwood> Awesome, thanks for taking the time to make those instructions
14:05:09 <ian-pittwood> Sounds like we're good to go onto the next topic
14:05:19 <ian-pittwood> #topic Announcement: Retire AIAB repo
14:05:30 <ian-pittwood> Not sure who this one is
14:05:41 <ian-pittwood> #link https://review.opendev.org/720155
14:05:50 <ian-pittwood> #link https://review.opendev.org/720160
14:06:27 <airship-irc-bot1> <alexander.hughes> I believe these are Roman's, perhaps we move them to call for reviews
14:06:34 <ian-pittwood> Looks like these changes will deprecate AIAB. As always, reviews are appreciated!
14:06:42 <mattmceuen> I think we should go forward with that if AIAB project is no longer in use. Do we know whether that's the case?
14:06:44 <ian-pittwood> Sure, we can link them there again as well
14:07:02 <ian-pittwood> Does anyone here make use of AIAB?
14:07:05 <mattmceuen> Or is e.g. the multinode gate scripting still in use?
14:07:25 <airship-irc-bot1> <alexander.hughes> I got a message about a week ago asking if AIAB was still up to date, that the individual wanted to get their feet wet with Airship1
14:07:32 <airship-irc-bot1> <alexander.hughes> Is there a better alternative to AIAB for this?
14:07:51 <mattmceuen> yeah, aiab single node was moved to treasuremap project a while back
14:08:00 <airship-irc-bot1> <sirajudeen.yasin> We were using aiab for virtual airship gating, now we moved to treasuremap
14:08:03 <mattmceuen> and for multinode, there were plans/wip to do the same
14:08:07 <mattmceuen> but I'm not sure on the status
14:08:10 <ian-pittwood> So essentially this is just finishing up a repository migration?
14:08:14 <airship-irc-bot1> <alexander.hughes> so still using AIAB, just moved to a new home
14:08:30 <mattmceuen> @sirajudeen.yasin that's great to know
14:08:37 <mattmceuen> yep @alexander.hughes exactly
14:08:51 <mattmceuen> I would suggest we give this a one-week soak period before merging
14:08:57 <ian-pittwood> +1
14:09:05 <mattmceuen> and I'll take an action item to communicate this out and make sure everyone's looped in
14:09:13 <ian-pittwood> Thanks, mattmceuen
14:09:45 <ian-pittwood> Sounds like we can move to the next topic and maybe follow-up on this in the next meeting to check its status
14:09:59 <ian-pittwood> #topic Announcement: Upcoming OSF PTG June 1-5
14:10:04 <mattmceuen> ah yes, that's me
14:10:07 <ian-pittwood> All yours mattmceuen
14:10:20 <ian-pittwood> #link https://ethercalc.openstack.org/126u8ek25noy
14:10:30 <mattmceuen> As has been brought up in the mailing list, we have an OSF-wide virtual PTG event coming up, June 1-5
14:10:53 <mattmceuen> everyone's still early in the planning process - if you keep an eye on that calendar, more teams will continue to sign up for slots
14:11:15 <mattmceuen> Airship will be meeting on Thurs/Fri, US am / Europe PM
14:11:30 <mattmceuen> But there will likely be some cross-project meetings earlier in the week that we'll want to join
14:11:40 <mattmceuen> As it gets closer we can start to put an agenda together
14:11:47 <mattmceuen> That's all I have on that, any questions?
14:12:31 <airship-irc-bot1> <alexander.hughes> just a suggestion that as we plan the agenda we try to plan it in blocks so people can join specific blocks for specific topics if they can't make full day
14:12:42 <ian-pittwood> +1
14:12:43 <airship-irc-bot1> <alexander.hughes> will also make recordings more manageable
14:13:00 <mattmceuen> good thought, and the OSF folks planning it already put a 4-hour cap on it to prevent burnout as well :)
14:13:11 <mattmceuen> so when I said Thurs/Fri, what I should have said was 4 hours each day
14:13:25 <mattmceuen> but your point still holds - let's aim for that when we agenda-ize
14:13:31 <airship-irc-bot1> <alexander.hughes> :slightly_smiling_face:
14:13:47 <ian-pittwood> Any other questions?
14:14:26 <ian-pittwood> If not, then we can go to the next topic. Thanks, mattmceuen!
14:14:37 <ian-pittwood> #topic airship2 security
14:14:46 <ian-pittwood> I believe this is alexander.hughes
14:15:27 <airship-irc-bot1> <alexander.hughes> A while back we discussed in Airship1 projects moving all the projects away from root as default container user, and instead floated the idea of a common "airship" user. I looked through the newer projects airshipctl, images, ui to see if we were using root again and found these two docker images
14:15:39 <airship-irc-bot1> <alexander.hughes> is there any reason that debian-isogen or ipa-downloader-image can't be run as an airship user?
14:15:51 <airship-irc-bot1> <alexander.hughes> or any non-root user?
14:16:28 <airship-irc-bot1> <alexander.hughes> dockerfiles for context in case you don't have agenda open:
14:16:28 <airship-irc-bot1> <alexander.hughes> https://opendev.org/airship/images/src/branch/master/debian-isogen/Dockerfile
14:16:33 <airship-irc-bot1> <alexander.hughes> https://opendev.org/airship/images/src/branch/master/ipa-downloader-image/Dockerfile
14:16:37 <mattmceuen> I suspect they don't need to run as root
14:16:56 <mattmceuen> +1 to converting them away from root
14:17:19 <jtwill98> +1 as well
14:17:19 <airship-irc-bot1> <alexander.hughes> any disagreement? if not I'll push a quick patch addressing each of these
14:17:32 <mattmceuen> thanks Alex!
14:17:53 <airship-irc-bot1> <alexander.hughes> the other item related to security is file permissions. in pegleg we took a strict approach of creating all files with 640 permissions
14:17:58 <mattmceuen> I suppose any disagreements we missed can be sorted in the patchset conversation
14:17:58 <ian-pittwood> Sounds good! Thanks, alexander.hughes!
14:18:27 <ian-pittwood> Yeah agreed
14:18:30 <airship-irc-bot1> <alexander.hughes> have we started thinking about doing the same, or taking a more relaxed approach and only doing 640 for secrets in airshipctl? things like testing kustomize build for example will generate to a file, if specified, as 664
14:18:51 <jtwill98> 640 permissions is good.
14:19:02 <mattmceuen> Interesting. Do you know if the kustomize permissions are configurable?
14:19:30 <airship-irc-bot1> <alexander.hughes> I don't, but would be happy to look into configuration and report back
14:20:04 <mattmceuen> I haven't thought this through with kustomize, but my gut sure doesn't like 644 permissions
14:20:21 <jtwill98> there's always umask
14:20:23 <portdirect> what value does this provide?
14:20:55 <portdirect> if the directory that the repos etc are checked out in has the appropriate perms
14:21:48 <portdirect> would it not be better to get users to set appropriately restrictive perms on the root of their working dir
14:21:55 <mattmceuen> if it's configurable, seems like a reasonable thing to get for free
14:22:02 <mattmceuen> so you don't make as many assumptions
14:22:25 <airship-irc-bot1> <alexander.hughes> what's to stop me from kustomize build -o ~/test_dir
14:23:20 <portdirect> nothing
14:23:36 <portdirect> ~ implies you're working on something in your home dir
14:23:52 <portdirect> so you should have complete authority over everything under it
14:24:06 <airship-irc-bot1> <alexander.hughes> my concern was that the driving force behind Pegleg switching to all 640 permissions on every file it generated was security entities from companies such as AT&T wanted to ensure all files had restrictive permissions
14:24:22 <portdirect> ah - yes that's as it has files all over the place
14:24:30 <portdirect> eg /tmp etc
14:24:43 <portdirect> if you keep everything under say ~/test_dir
14:24:47 <portdirect> you should be good
14:24:59 <portdirect> and if you did something like chmod 0700 ~/test_dir
14:25:04 <portdirect> you should be better
14:25:38 <airship-irc-bot1> <alexander.hughes> agreed, but we can't guarantee user behavior. only software. so the question is do we make an effort to restrict to 640 at file creation time?
14:25:57 <portdirect> I'd say probably not
14:26:15 <mattmceuen> Let's at least see what options Kustomize has, alexander.hughes
14:26:16 <portdirect> but you could have a check that the working directory was only readable by the current user
14:26:48 <airship-irc-bot1> <alexander.hughes> that solves for kustomize, but are we interested in say airshipctl document init
14:26:57 <mattmceuen> I would love not to have to explain to folks over and over why it's ok to have world-readable secrets, if that's an avoidable conversation :)
14:27:07 <portdirect> chmod 0700?
14:28:10 <ian-pittwood> Should the file permissions conversation perhaps be carried over to a design call?
14:28:25 <mattmceuen> Since airshipctl is in our control, I think it makes sense to create them with the permissions we want
14:28:34 <mattmceuen> Sure - design call sounds good
14:28:44 <airship-irc-bot1> <alexander.hughes> my thoughts too - especially as we progress to creating secrets via airshipctl
14:28:58 <jtwill98> I agree create them with correct permissions
14:29:08 <ian-pittwood> Ok, we can follow-up on this there. It would probably be easier to discuss verbally
14:29:25 <ian-pittwood> Anything else security-wise alexander.hughes?
14:29:34 <airship-irc-bot1> <alexander.hughes> ok to summarize then dockerfiles are getting adjusted to non-root users, file permissions going to Thursday design call
14:29:36 <airship-irc-bot1> <alexander.hughes> nope
14:29:47 <ian-pittwood> Yeah that sounds right
14:29:59 <mattmceuen> ty for bringing it up alexander.hughes
14:29:59 <ian-pittwood> Ok, on to free discussion
14:30:06 <ian-pittwood> #topic roundtable
14:30:33 <ian-pittwood> Anybody have anything they'd like to talk about?
14:32:03 <ian-pittwood> I will take the silence as a no
14:32:12 <ian-pittwood> #topic Review requests
14:32:30 <ian-pittwood> So here's the AIAB retirement changes again
14:32:38 <ian-pittwood> #link https://review.opendev.org/720155
14:32:51 <ian-pittwood> #link https://review.opendev.org/720160
14:32:59 <ian-pittwood> and that's all I have here on the etherpad
14:33:03 <ian-pittwood> Anyone else?
14:34:02 <ian-pittwood> If not, thanks for joining everybody! Have a good week!
14:34:07 <ian-pittwood> #endmeeting