20:00:45 <dave-mccowan> #startmeeting barbican 20:00:45 <openstack> Meeting started Mon Sep 26 20:00:45 2016 UTC and is due to finish in 60 minutes. The chair is dave-mccowan. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:00:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 20:00:50 <openstack> The meeting name has been set to 'barbican' 20:01:07 <dave-mccowan> Hello Barbicaneers 20:01:21 <panatl> o/ 20:01:26 <dave-mccowan> #topic rollcall 20:01:27 <Jiahao> hi 20:01:28 <panatl> hello dave 20:01:37 <panatl> o/ 20:01:48 <redrobot> o/ 20:02:33 <woodster_> o/ 20:02:47 * woodster_ not used to redrobot wave there 20:03:06 <dave-mccowan> strange new world woodster_ :-) 20:03:12 <arunkant> o/ 20:03:49 <woodster_> ha! 20:03:54 * dave-mccowan channeling redrobot ... we have a few barbicaneers here today 20:04:04 <redrobot> haha 20:04:16 <dave-mccowan> as usual, our agenda is here https://wiki.openstack.org/wiki/Meetings/Barbican#Agenda 20:04:46 <dave-mccowan> #topic gate are busted 20:05:12 <dave-mccowan> arunkant discovered this morning that our gates are busted due to a version upgrade to pecan 20:05:32 <dave-mccowan> we have 4 failures in functional tests and 6 in unit tests related to deleting ACLs 20:05:42 * redrobot ran into failures last Friday T__T 20:06:05 <dave-mccowan> we have competing interests: 1) getting gates to work, 2) not changing our API. 20:06:51 <woodster_> the pecan bump requires an API change? 20:06:59 <arunkant> dave-mccowan: should be explictly set status code to 200 ..as default behavior is changed .. 20:07:26 <dave-mccowan> it's interesting. at least it's showing up in our tests in a very narrow case. our API doc and implementation says when ACL is deleted successfully, we return 200 and an empty body. 20:07:46 <dave-mccowan> when we successfully delete other resources (secrets, containers), we return 204 and an empty body. 20:08:09 <dave-mccowan> to keep our doc and behavior consistent, we have to trick-out pecan to keep sending 200 with an empty body. 20:08:26 <woodster_> wonderful 20:08:28 <alee_> o/ 20:08:41 <redrobot> I do agree that 204 seems like the better response, but fixing success response codes is a no-no for api compatibility 20:08:52 <redrobot> so we're stuck with the 200s until /v2 someday 20:09:38 <dave-mccowan> so to keep /v1 and be good stewards of our API, we need to figure out how to trick out pecan to keep sending 200 with an empty body. 20:09:47 <woodster_> yeah, sucks that slipped through though 20:10:24 <dave-mccowan> the change in pecan is with a json renderer... so part of the fix might be to not use the json template for delete acl. 20:10:36 <dave-mccowan> we need to be careful for unintended changes. 20:11:02 <dave-mccowan> i'm working on it now, but if we there any pecan experts willing to chip in, please let me know 20:11:37 <dave-mccowan> also... for some reason this gate failure is also showing up in stable/newton branch. :-( so, i think we'll need to spin an RC2. 20:12:17 <woodster_> I recall Oz was our last pecan expert? 20:12:34 <dave-mccowan> to wrap up this topic... gates are broken, so hold off on rechecks, etc. until this is fixed. 20:13:05 <dave-mccowan> #topic Newton release 20:13:24 <dave-mccowan> other than the broken gates, is there any other fix that needs to go into Newton? 20:13:44 <Jiahao> Hi Barbicaneers, I am first time here. It seems like Barbican is still not working with Neutron Lbaas TLS for non-admin tenant. 20:13:56 <Jiahao> My update is here: https://bugs.launchpad.net/barbican/+bug/1592612/comments/5 20:13:58 <openstack> Launchpad bug 1592612 in neutron "LBaaS TLS is not working with non-admin tenant" [Undecided,New] 20:14:18 <dave-mccowan> welcome Jiahao 20:14:26 <Jiahao> Thx 20:14:54 <dave-mccowan> is this new behavior, or is this the first time you've tried this? 20:15:22 <Jiahao> It stucks since late 2015 20:15:46 <Jiahao> initially we think is only caused by bug #1519170 20:15:47 <openstack> bug 1519170 in octavia "LBaaS user needs permissions to POST consumers" [High,Confirmed] https://launchpad.net/bugs/1519170 20:16:04 <dave-mccowan> Jiahao please ask for help in #openstack-barbican right after this meeting. we're working through an agenda now. 20:16:07 <Jiahao> which was fixed like 2 week ago 20:16:15 <Jiahao> sure 20:16:16 <diazjf> o/ 20:16:21 <Jiahao> will do 20:16:37 <dave-mccowan> are there any other bugs that might be Newton showstoppers? 20:17:18 <dave-mccowan> moving on... 20:17:29 <dave-mccowan> #topic midcycle action item review 20:17:54 <dave-mccowan> there were a few action items taking in the etherpad during the midcycle. 20:18:24 <dave-mccowan> i just want to follow up until we decide they are done, or reassigned, or not needed any more. 20:18:51 <alee_> dave-mccowan, link? 20:18:51 <dave-mccowan> redrobot you had a bulk of these. any updates? (or request to pass them off?) 20:19:02 <dave-mccowan> https://etherpad.openstack.org/p/barbican-newton-midcycle-topics 20:19:47 * redrobot scans etherpad 20:20:53 <redrobot> line 18 is done 20:21:17 <redrobot> I sent out an email to the dev mailing list to announce deprecation of certificate issuance 20:21:28 <redrobot> #link http://lists.openstack.org/pipermail/openstack-dev/2016-September/103793.html 20:21:48 <redrobot> there were no responses, so I assume we're good to go with deprecation 20:21:48 <dave-mccowan> thanks redrobot 20:21:58 <redrobot> I'm punting on the blogs 20:22:38 <alee_> dave-mccowan, I still think the blogs are a good idea 20:23:05 <redrobot> Enabling integrations would be good to have 20:23:11 <alee_> dave-mccowan, (although of course I have not done the RH one yet) 20:23:43 <redrobot> I can't remember if Deployment Guide is the same as the Installation Guide we've started? 20:23:51 <redrobot> line 48 20:23:55 <dave-mccowan> i think the first step is to get all the information (how-to use barbican with other projects) in one place, then we can reformat into docs, blogs, presentations, tv commercials, etc. 20:24:00 <alee_> redrobot, I think so -- we need to finish it 20:24:41 <diazjf> dave-mccowan, I'll work on the IBM blog. Just takes some time to get through the marketing/docs people. 20:25:22 <dave-mccowan> what's a good next step to make progress on this? it'd be nice to have something ready to share in barcelona. 20:26:08 <dave-mccowan> start collecting info in an etherpad? 20:26:14 <redrobot> probably configure jobs in infra to publish the guide somewhere? 20:27:02 <dave-mccowan> #action dave-mccowan find out where deployment guides need to be to get credit for maturity index 20:27:04 <redrobot> or wiki? 20:27:20 <alee_> redrobot, dave-mccowan - there a number of different initiatives here 1) blog usage at different companies 2) collect and document integrations 3) deployment/install guide 20:27:36 <alee_> maybe a wiki to track progress on each one? 20:27:45 <alee_> or etherpad .. 20:28:13 <dave-mccowan> there seems to be an overlap of content for each deliverable. to have a good source for verified content for these? 20:28:53 <redrobot> I think raising the maturity level would be a good goal to have 20:29:07 <alee_> dave-mccowan, well we can put it all on the same etherpad. but they are slightly different cases 20:29:19 <alee_> and yeah the maturity level thing is another initiative 20:30:12 <alee_> dave-mccowan, I suggest you create an etherpad and we can start adding action items for each. 20:30:23 <alee_> and track progress that way 20:30:38 <dave-mccowan> #action dave-mccowan start an etherpad with a to-do list to track documentation initiatives 20:31:05 <alee_> we can re-examine each week .. 20:31:28 <redrobot> alee_ dave-mccowan +1 20:31:45 <dave-mccowan> sounds good. moving on.... 20:31:48 <dave-mccowan> #topic Ocata Design Summit 20:32:05 <dave-mccowan> https://etherpad.openstack.org/p/barbican-ocata-design-summit 20:32:20 <dave-mccowan> please add your name to top if you plan to attend any of our sessions. 20:32:41 <dave-mccowan> redrobot reserved 6 work rooms and one fish bowl for us. our schedule in on that etherpad 20:32:56 <dave-mccowan> please add session ideas and vote for ones you like 20:33:28 <dave-mccowan> we also need a good fishbowl idea. fishbowls are designed for a project to get input and have discussions from the broader community. 20:34:18 <kfarr> o/ 20:34:28 <woodster_> cross-project gate jobs might draw some good interest 20:34:48 <dave-mccowan> hi kfarr 20:34:55 <alee_> woodster_, possibly 20:35:06 <kfarr> woodster_ +1 20:35:13 <dave-mccowan> we're adding ideas to https://etherpad.openstack.org/p/barbican-ocata-design-summit now 20:35:27 <woodster_> The architecture working group is interested in use cases for barbican as well...the integration tests might dove tail with those as well 20:36:09 <alee_> woodster_, what use cases (other than what is already there?) 20:36:54 <alee_> woodster_, maybe add that to the discussion topics 20:37:01 <woodster_> alee_: undercloud stuff as well as user-facing use cases. I think they'd like to formalize those use cases. 20:37:48 <woodster_> might be worth attending their Thursday 2pm CDT meetings 20:38:00 <alee_> woodster_, well - we'd definitely like to figure out what those use cases are .. 20:38:15 <dave-mccowan> woodster_ do you want to add those to the etherpad? 20:38:42 <woodster_> I'll carve out a placeholder section in there 20:39:20 <alee_> woodster_, are you in the architecture wg meetigs? 20:40:08 <alee_> dave-mccowan, might be good idea for you to attend perhaps. I can try too on occasion .. 20:40:10 <woodster_> I attended one last week, that's when the barbican discussions last week came from 20:41:35 <dave-mccowan> #action get engaged with architecture wg to understand requirements 20:41:48 <woodster_> full disclosure, maybe 10% will be barbican specific, but they seem open to discussing use cases involving barbican which I think is worth attending. They are also trying to beef up arch docs in general which is interesting to some 20:42:07 <dave-mccowan> i recall they really wanted a turn-key solution, and they had questions if barbican alone could add value. 20:42:53 <alee_> woodster_, one of the things I have been hearing about is the idea of making barbican a less optional thing as a basic step towards improving security 20:43:12 <alee_> woodster_, dave-mccowan but to do that, we need to be quite a bit more mature 20:43:37 <alee_> which ties into the whole fucntional test gate thing for one thing 20:43:38 <woodster_> dave-mccowan Yep, and I mentiond Castellan as a way for projects to adapt into key manager support. 20:43:42 <alee_> and docs 20:44:19 <woodster_> alee_: yeah, maturity would be a good thing to work on, as well as solid gate checks 20:44:41 <alee_> woodster_, dave-mccowan the use cases envisaged by the arch wg might also be a good fishbowl topic .. 20:45:25 <alee_> woodster_, though its not clear how well formed these ideas are 20:45:30 <kfarr> it would be great to have a barbican / security gate for lots of features 20:45:49 <kfarr> like cinder volume encryption and encrypted ephemeral storage and glance image signing and verificaiton 20:46:45 <dave-mccowan> kfarr where is the best documentation on how to configure each of those? 20:47:42 <kfarr> dave-mccowan let me find them 20:48:01 <alee_> kfarr, +1 20:48:17 <kfarr> volume encryption: http://docs.openstack.org/mitaka/config-reference/block-storage/volume-encryption.html 20:48:47 <alee_> woodster_, I understand your concern about projects breaking things - but other projects are less inclined to create a gate just for barbican 20:48:48 <woodster_> kfarr: +1 20:49:25 <alee_> woodster_, on the other hand, we have a vested interest in motifying projects when they do break barbican 20:49:36 <kfarr> http://docs.openstack.org/security-guide/tenant-data/data-encryption.html has a blurb on both ephemeral disk encryption and volume encryption 20:49:46 <alee_> woodster_, and also have a nice place to showcase all the integrations 20:50:03 <dave-mccowan> after newton release is a good time to add gates. zuul gets busy near the end of a cycle 20:50:22 <dave-mccowan> kfarr thanks! 20:50:32 <dave-mccowan> #topic any other business 20:50:34 <woodster_> alee_: yeah the concern I have is if a barbican integration gate is broken, it gets lower priority to fix, and then if the issue is another project's commit, it could take a long time to get that addressed (if at all). So if there isn't a commitment by all projects to fix things ASAP, this effort could just flounder 20:50:34 <kfarr> image signature verification: http://docs.openstack.org/developer/glance/signature.html 20:50:39 <diazjf> dave-mccowan spec https://github.com/openstack/barbican-specs/blob/master/specs/newton/deployer-specific-secret-metadata.rst needs to be removed from the Newton Release. I was unable to implement it due to critical proprietary deliverables :( We can talk more about it during the summit. 20:51:00 <alee_> dave-mccowan, incidentally , as part of the barbican workship, there will be materials/ code created on how to integrate with barbican 20:51:02 <dave-mccowan> normally i'd ask for review links, but since the gate is busted... 20:51:12 <redrobot> womp womp 20:51:39 <redrobot> not sure if this is a newton showstopper, but I fixed this bug: https://bugs.launchpad.net/barbican/+bug/1627176 20:51:40 <openstack> Launchpad bug 1627176 in Barbican "Add secret to generic container with trailing slash fails" [Undecided,New] - Assigned to Douglas Mendizábal (dougmendizabal) 20:51:43 <alee_> woodster_, yeah - understood 20:53:26 <dave-mccowan> diazjf is there code that you want to remove? 20:53:49 <diazjf> dave-mccowan no code was merged. Just the spec should be removed. 20:55:05 <dave-mccowan> alee_ great. we should make sure we can leverage that material is as many channels as possible 20:57:10 <dave-mccowan> redrobot what needs to happen to release newton? we can talk later, but i'd appreciate help going through that. (or if you want to be the release steward, i'll just watch and take notes) 20:57:43 <redrobot> dave-mccowan sure thing 20:58:07 <redrobot> dave-mccowan I think the next step is letting the release manager know we may need an RC2 this week 20:58:32 <redrobot> dave-mccowan and we have to land the bugfixes in master 20:59:16 <dave-mccowan> redrobot please check if have the permissions i need in launchpad 20:59:28 <arunkant> dave-mccowan: this pecan issue will likely impact stable/mitaka as well (internally we see this issue in that branch). 20:59:54 <dave-mccowan> arunkant yes. thanks for identifying this. 21:00:07 <dave-mccowan> out of time.... thanks everyone! 21:00:15 <dave-mccowan> #endmeeting