20:00:45 <dave-mccowan> #startmeeting barbican
20:00:45 <openstack> Meeting started Mon Sep 26 20:00:45 2016 UTC and is due to finish in 60 minutes.  The chair is dave-mccowan. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:50 <openstack> The meeting name has been set to 'barbican'
20:01:07 <dave-mccowan> Hello Barbicaneers
20:01:21 <panatl> o/
20:01:26 <dave-mccowan> #topic rollcall
20:01:27 <Jiahao> hi
20:01:28 <panatl> hello dave
20:01:37 <panatl> o/
20:01:48 <redrobot> o/
20:02:33 <woodster_> o/
20:02:47 * woodster_ not used to redrobot wave there
20:03:06 <dave-mccowan> strange new world woodster_ :-)
20:03:12 <arunkant> o/
20:03:49 <woodster_> ha!
20:03:54 * dave-mccowan channeling redrobot ...   we have a few barbicaneers here today
20:04:04 <redrobot> haha
20:04:16 <dave-mccowan> as usual, our agenda is here https://wiki.openstack.org/wiki/Meetings/Barbican#Agenda
20:04:46 <dave-mccowan> #topic gates are busted
20:05:12 <dave-mccowan> arunkant discovered this morning that our gates are busted due to a version upgrade to pecan
20:05:32 <dave-mccowan> we have 4 failures in functional tests and 6 in unit tests related to deleting ACLs
20:05:42 * redrobot ran into failures last Friday T__T
20:06:05 <dave-mccowan> we have competing interests: 1) getting gates to work, 2) not changing our API.
20:06:51 <woodster_> the pecan bump requires an API change?
20:06:59 <arunkant> dave-mccowan: should be explicitly set status code to 200 ..as default behavior is changed ..
20:07:26 <dave-mccowan> it's interesting.  at least it's showing up in our tests in a very narrow case.  our API doc and implementation says when ACL is deleted successfully, we return 200 and an empty body.
20:07:46 <dave-mccowan> when we successfully delete other resources (secrets, containers), we return 204 and an empty body.
20:08:09 <dave-mccowan> to keep our doc and behavior consistent, we have to trick-out pecan to keep sending 200 with an empty body.
20:08:26 <woodster_> wonderful
20:08:28 <alee_> o/
20:08:41 <redrobot> I do agree that 204 seems like the better response, but fixing success response codes is a no-no for api compatibility
20:08:52 <redrobot> so we're stuck with the 200s until /v2 someday
20:09:38 <dave-mccowan> so to keep /v1 and be good stewards of our API, we need to figure out how to trick out pecan to keep sending 200 with an empty body.
20:09:47 <woodster_> yeah, sucks that slipped through though
20:10:24 <dave-mccowan> the change in pecan is with a json renderer... so part of the fix might be to not use the json template for delete acl.
20:10:36 <dave-mccowan> we need to be careful for unintended changes.
20:11:02 <dave-mccowan> i'm working on it now, but if there are any pecan experts willing to chip in, please let me know
20:11:37 <dave-mccowan> also... for some reason this gate failure is also showing up in stable/newton branch. :-(  so, i think we'll need to spin an RC2.
20:12:17 <woodster_> I recall Oz was our last pecan expert?
20:12:34 <dave-mccowan> to wrap up this topic... gates are broken, so hold off on rechecks, etc. until this is fixed.
20:13:05 <dave-mccowan> #topic Newton release
20:13:24 <dave-mccowan> other than the broken gates, is there any other fix that needs to go into Newton?
20:13:44 <Jiahao> Hi Barbicaneers, this is my first time here. It seems like Barbican is still not working with Neutron Lbaas TLS for non-admin tenant.
20:13:56 <Jiahao> My update is here: https://bugs.launchpad.net/barbican/+bug/1592612/comments/5
20:13:58 <openstack> Launchpad bug 1592612 in neutron "LBaaS TLS is not working with non-admin tenant" [Undecided,New]
20:14:18 <dave-mccowan> welcome Jiahao
20:14:26 <Jiahao> Thx
20:14:54 <dave-mccowan> is this new behavior, or is this the first time you've tried this?
20:15:22 <Jiahao> It has been stuck since late 2015
20:15:46 <Jiahao> initially we thought it was only caused by bug #1519170
20:15:47 <openstack> bug 1519170 in octavia "LBaaS user needs permissions to POST consumers" [High,Confirmed] https://launchpad.net/bugs/1519170
20:16:04 <dave-mccowan> Jiahao please ask for help in #openstack-barbican right after this meeting.  we're working through an agenda now.
20:16:07 <Jiahao> which was fixed like 2 weeks ago
20:16:15 <Jiahao> sure
20:16:16 <diazjf> o/
20:16:21 <Jiahao> will do
20:16:37 <dave-mccowan> are there any other bugs that might be Newton showstoppers?
20:17:18 <dave-mccowan> moving on...
20:17:29 <dave-mccowan> #topic midcycle action item review
20:17:54 <dave-mccowan> there were a few action items taken in the etherpad during the midcycle.
20:18:24 <dave-mccowan> i just want to follow up until we decide they are done, or reassigned, or not needed any more.
20:18:51 <alee_> dave-mccowan, link?
20:18:51 <dave-mccowan> redrobot you had a bulk of these.  any updates?  (or request to pass them off?)
20:19:02 <dave-mccowan> https://etherpad.openstack.org/p/barbican-newton-midcycle-topics
20:19:47 * redrobot scans etherpad
20:20:53 <redrobot> line 18 is done
20:21:17 <redrobot> I sent out an email to the dev mailing list to announce deprecation of certificate issuance
20:21:28 <redrobot> #link http://lists.openstack.org/pipermail/openstack-dev/2016-September/103793.html
20:21:48 <redrobot> there were no responses, so I assume we're good to go with deprecation
20:21:48 <dave-mccowan> thanks redrobot
20:21:58 <redrobot> I'm punting on the blogs
20:22:38 <alee_> dave-mccowan, I still think the blogs are a good idea
20:23:05 <redrobot> Enabling integrations would be good to have
20:23:11 <alee_> dave-mccowan, (although of course I have not done the RH one yet)
20:23:43 <redrobot> I can't remember if Deployment Guide is the same as the Installation Guide we've started?
20:23:51 <redrobot> line 48
20:23:55 <dave-mccowan> i think the first step is to get all the information (how-to use barbican with other projects) in one place, then we can reformat into docs, blogs, presentations, tv commercials, etc.
20:24:00 <alee_> redrobot, I think so -- we need to finish it
20:24:41 <diazjf> dave-mccowan, I'll work on the IBM blog. Just takes some time to get through the marketing/docs people.
20:25:22 <dave-mccowan> what's a good next step to make progress on this?  it'd be nice to have something ready to share in barcelona.
20:26:08 <dave-mccowan> start collecting info in an etherpad?
20:26:14 <redrobot> probably configure jobs in infra to publish the guide somewhere?
20:27:02 <dave-mccowan> #action dave-mccowan find out where deployment guides need to be to get credit for maturity index
20:27:04 <redrobot> or wiki?
20:27:20 <alee_> redrobot, dave-mccowan - there are a number of different initiatives here  1) blog usage at different companies 2) collect and document integrations 3) deployment/install guide
20:27:36 <alee_> maybe a wiki to track progress on each one?
20:27:45 <alee_> or etherpad ..
20:28:13 <dave-mccowan> there seems to be an overlap of content for each deliverable.  to have a good source for verified content for these?
20:28:53 <redrobot> I think raising the maturity level would be a good goal to have
20:29:07 <alee_> dave-mccowan, well we can put it all on the same etherpad.   but they are slightly different cases
20:29:19 <alee_> and yeah the maturity level thing is another initiative
20:30:12 <alee_> dave-mccowan, I suggest you create an etherpad and we can start adding action items for each.
20:30:23 <alee_> and track progress that way
20:30:38 <dave-mccowan> #action dave-mccowan start an etherpad with a to-do list to track documentation initiatives
20:31:05 <alee_> we can re-examine each week ..
20:31:28 <redrobot> alee_ dave-mccowan +1
20:31:45 <dave-mccowan> sounds good.  moving on....
20:31:48 <dave-mccowan> #topic Ocata Design Summit
20:32:05 <dave-mccowan> https://etherpad.openstack.org/p/barbican-ocata-design-summit
20:32:20 <dave-mccowan> please add your name to top if you plan to attend any of our sessions.
20:32:41 <dave-mccowan> redrobot reserved 6 work rooms and one fish bowl for us.  our schedule is on that etherpad
20:32:56 <dave-mccowan> please add session ideas and vote for ones you like
20:33:28 <dave-mccowan> we also need a good fishbowl idea.  fishbowls are designed for a project to get input and have discussions from the broader community.
20:34:18 <kfarr> o/
20:34:28 <woodster_> cross-project gate jobs might draw some good interest
20:34:48 <dave-mccowan> hi kfarr
20:34:55 <alee_> woodster_, possibly
20:35:06 <kfarr> woodster_ +1
20:35:13 <dave-mccowan> we're adding ideas to  https://etherpad.openstack.org/p/barbican-ocata-design-summit now
20:35:27 <woodster_> The architecture working group is interested in use cases for barbican as well...the integration tests might dovetail with those as well
20:36:09 <alee_> woodster_, what use cases (other than what is already there?)
20:36:54 <alee_> woodster_, maybe add that to the discussion topics
20:37:01 <woodster_> alee_: undercloud stuff as well as user-facing use cases. I think they'd like to formalize those use cases.
20:37:48 <woodster_> might be worth attending their Thursday 2pm CDT meetings
20:38:00 <alee_> woodster_, well - we'd definitely like to figure out what those use cases are ..
20:38:15 <dave-mccowan> woodster_ do you want to add those to the etherpad?
20:38:42 <woodster_> I'll carve out a placeholder section in there
20:39:20 <alee_> woodster_, are you in the architecture wg meetings?
20:40:08 <alee_> dave-mccowan, might be good idea for you to attend perhaps.  I can try too on occasion ..
20:40:10 <woodster_> I attended one last week, that's when the barbican discussions last week came from
20:41:35 <dave-mccowan> #action get engaged with architecture wg to understand requirements
20:41:48 <woodster_> full disclosure, maybe 10% will be barbican specific, but they seem open to discussing use cases involving barbican which I think is worth attending. They are also trying to beef up arch docs in general which is interesting to some
20:42:07 <dave-mccowan> i recall they really wanted a turn-key solution, and they had questions if barbican alone could add value.
20:42:53 <alee_> woodster_, one of the things I have been hearing about is the idea of making barbican a less optional thing as a basic step towards improving security
20:43:12 <alee_> woodster_, dave-mccowan but to do that, we need to be quite a bit more mature
20:43:37 <alee_> which ties into the whole functional test gate thing for one thing
20:43:38 <woodster_> dave-mccowan Yep, and I mentioned Castellan as a way for projects to adapt into key manager support.
20:43:42 <alee_> and docs
20:44:19 <woodster_> alee_: yeah, maturity would be a good thing to work on, as well as solid gate checks
20:44:41 <alee_> woodster_, dave-mccowan the use cases envisaged by the arch wg might also be a good fishbowl topic ..
20:45:25 <alee_> woodster_, though it's not clear how well formed these ideas are
20:45:30 <kfarr> it would be great to have a barbican / security gate for lots of features
20:45:49 <kfarr> like cinder volume encryption and encrypted ephemeral storage and glance image signing and verification
20:46:45 <dave-mccowan> kfarr where is the best documentation on how to configure each of those?
20:47:42 <kfarr> dave-mccowan let me find them
20:48:01 <alee_> kfarr, +1
20:48:17 <kfarr> volume encryption: http://docs.openstack.org/mitaka/config-reference/block-storage/volume-encryption.html
20:48:47 <alee_> woodster_, I understand your concern about projects breaking things - but other projects are less inclined to create a gate just for barbican
20:48:48 <woodster_> kfarr: +1
20:49:25 <alee_> woodster_, on the other hand, we have a vested interest in notifying projects when they do break barbican
20:49:36 <kfarr> http://docs.openstack.org/security-guide/tenant-data/data-encryption.html has a blurb on both ephemeral disk encryption and volume encryption
20:49:46 <alee_> woodster_, and also have a nice place to showcase all the integrations
20:50:03 <dave-mccowan> after newton release is a good time to add gates.  zuul gets busy near the end of a cycle
20:50:22 <dave-mccowan> kfarr thanks!
20:50:32 <dave-mccowan> #topic any other business
20:50:34 <woodster_> alee_: yeah the concern I have is if a barbican integration gate is broken, it gets lower priority to fix, and then if the issue is another project's commit, it could take a long time to get that addressed (if at all). So if there isn't a commitment by all projects to fix things ASAP, this effort could just flounder
20:50:34 <kfarr> image signature verification: http://docs.openstack.org/developer/glance/signature.html
20:50:39 <diazjf> dave-mccowan spec https://github.com/openstack/barbican-specs/blob/master/specs/newton/deployer-specific-secret-metadata.rst needs to be removed from the Newton Release. I was unable to implement it due to critical proprietary deliverables :( We can talk more about it during the summit.
20:51:00 <alee_> dave-mccowan, incidentally, as part of the barbican workshop, there will be materials/ code created on how to integrate with barbican
20:51:02 <dave-mccowan> normally i'd ask for review links, but since the gate is busted...
20:51:12 <redrobot> womp womp
20:51:39 <redrobot> not sure if this is a newton showstopper, but I fixed this bug: https://bugs.launchpad.net/barbican/+bug/1627176
20:51:40 <openstack> Launchpad bug 1627176 in Barbican "Add secret to generic container with trailing slash fails" [Undecided,New] - Assigned to Douglas Mendizábal (dougmendizabal)
20:51:43 <alee_> woodster_, yeah - understood
20:53:26 <dave-mccowan> diazjf is there code that you want to remove?
20:53:49 <diazjf> dave-mccowan no code was merged. Just the spec should be removed.
20:55:05 <dave-mccowan> alee_ great.  we should make sure we can leverage that material in as many channels as possible
20:57:10 <dave-mccowan> redrobot what needs to happen to release newton?  we can talk later, but i'd appreciate help going through that.  (or if you want to be the release steward, i'll just watch and take notes)
20:57:43 <redrobot> dave-mccowan sure thing
20:58:07 <redrobot> dave-mccowan I think the next step is letting the release manager know we may need an RC2 this week
20:58:32 <redrobot> dave-mccowan and we have to land the bugfixes in master
20:59:16 <dave-mccowan> redrobot please check if i have the permissions i need in launchpad
20:59:28 <arunkant> dave-mccowan: this pecan issue will likely impact stable/mitaka as well (internally we see this issue in that branch).
20:59:54 <dave-mccowan> arunkant yes.  thanks for identifying this.
21:00:07 <dave-mccowan> out of time....  thanks everyone!
21:00:15 <dave-mccowan> #endmeeting