12:00:09 <redrobot> #startmeeting barbican
12:00:10 <openstack> Meeting started Tue Jun 26 12:00:09 2018 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:11 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:13 <openstack> The meeting name has been set to 'barbican'
12:00:19 <redrobot> #topic Roll Call
12:00:53 <namnh> hi
12:00:58 <namnh> o/
12:01:06 <redrobot> ✋
12:01:09 <redrobot> hi namnh!
12:01:32 <lxkong> hi guys
12:01:54 <namnh> hi redrobot :)
12:01:54 <Luzi> o/
12:01:58 <Luzi> hi all
12:02:00 <ducnv> o/
12:03:08 <redrobot> lots of folks here today! 😁
12:03:25 <redrobot> Here is the link to the agenda:
12:03:27 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
12:03:41 <redrobot> which I'm not sure anyone uses...
12:03:46 <redrobot> so we're just going to wing it again
12:04:07 <namnh> :)
12:04:46 <redrobot> Let's see..
12:04:52 <redrobot> #topic Action Items from last meeting
12:04:53 <namnh> LOL, sorry, i did not append my topic today, so can I still discuss as usual
12:05:01 <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-19-12.01.html
12:05:19 <redrobot> "Luzi to add a story to Storyboard for adding AES 512 keys to barbican"
12:05:37 <Luzi> done
12:05:43 <Luzi> and up for review
12:05:58 <Luzi> https://review.openstack.org/#/c/577096/
12:06:00 <redrobot> #link https://storyboard.openstack.org/#!/story/2002612
12:06:14 <redrobot> #link https://review.openstack.org/#/c/577096/
12:06:32 <redrobot> I have not had a chance to review, unfortunately. But I'll try to get to it this week for sure.
12:06:53 <redrobot> anything you need to mention Luzi ?
12:07:40 <Luzi> not really
12:07:47 <redrobot> ok, moving on
12:08:08 <redrobot> "redrobot to follow up with infra team regarding the meeting time change on the eavesdrop website"
12:08:23 <redrobot> I didn't talk to the infra folks... but the time has been updated on the eavesdrop site:
12:08:40 <redrobot> #link http://eavesdrop.openstack.org/#Barbican_Meeting
12:08:45 <redrobot> so I think we're good on that
12:08:57 <redrobot> ok, moving on
12:09:41 <redrobot> #topic Castellan key store as base service
12:09:47 <redrobot> #link https://review.openstack.org/#/c/572656/
12:10:16 <redrobot> looks like the patch to openstack/governance has merged
12:10:18 <redrobot> which is awesome
12:10:30 <redrobot> 🎉🎉🎉
12:11:01 <redrobot> I think Castellan still needs some TLC, but I don't have any patches to talk about right now.
12:11:02 <namnh> great news
12:12:11 <redrobot> that's all I have for Castellan...
12:12:15 <redrobot> any questions/comments?
12:13:44 <redrobot> ok, moving on
12:13:52 <redrobot> namnh, you said you had a topic to talk about?
12:14:28 <namnh> yeah, for rolling upgrade in barbican. that I am taking care
12:14:41 <redrobot> #topic Rolling Upgrades
12:14:43 <redrobot> namnh, go ahead
12:15:03 <namnh> some patch sets. https://review.openstack.org/#/c/500244
12:15:31 <namnh> which i would like to get some reviews
12:15:53 <namnh> redrobot: would you mind helping me to review the patch sets.
12:16:29 <namnh> normally, Ade will review the patches for me. but i don't see him recently
12:16:56 <redrobot> I've started looking at the OVO[3] patch. Unfortunately, my review has been quite slow as I am not familiar with a lot of the stuff that is being changed.
12:17:00 <namnh> do you know reasons?
12:17:14 <redrobot> yeah, Ade has been on vacation for about 2 weeks
12:17:22 <redrobot> I think he _may_ be back next week?
12:17:44 <redrobot> that's why I've been doing the meetings the last couple of weeks. 😬
12:18:08 <namnh> I understood, thanks :)
12:18:26 <redrobot> Luzi, ducnv lxkong please feel free to review as well ☝
12:19:04 <redrobot> anything else you want to comment about namnh ?
12:19:16 <namnh> moreover, I am writing unit-tests for it. you can review it, and i think it will be easy for you to understand
12:19:31 <namnh> https://review.openstack.org/#/c/576409
12:19:48 <namnh> i will push more patch sets about unit-tests this week.
12:20:11 <redrobot> #help we need more reviews on namnh's OVO patches
12:20:12 <namnh> it will be great to get your comments.
12:20:20 <namnh> redrobot: thanks :)
12:20:24 <ducnv> redrobot, i am quite new :))
12:20:58 <namnh> redrobot: duc is my co-worker, he will join the barbican team from now on :)
12:21:12 <redrobot> ducnv, welcome! 😁
12:21:50 <namnh> :))
12:22:05 <namnh> okay, that's all my comments
12:22:11 <ducnv> this is the first day I joined the channel
12:23:16 <redrobot> ducnv, well, I'm glad you've decided to join us. 😁
12:23:20 <redrobot> ok, moving on
12:23:52 <redrobot> anyone else have topics that didn't make it to the Agenda?
12:25:23 <redrobot> I'll take that as a no.
12:25:38 <redrobot> I can't think of anything else off the top of my head
12:25:52 <lxkong> guys, may i ask a question? I asked several days ago but didn't get any answer. Not sure it's a good chance
12:26:04 <redrobot> lxkong, sure, what's up?
12:26:14 <lxkong> Did any of you already deploy Barbican in production?
12:26:33 <lxkong> I'm asking because we are going to deploy barbican in our cloud
12:27:06 <lxkong> but we are happy to know if there is anyone who has already done that, pitfalls, experiences, etc.
12:27:10 <Luzi> no but we are planning to do so
12:27:13 <redrobot> I deployed Barbican to production at Rackspace a couple of years ago. Unfortunately, it's not online anymore.
12:27:34 <lxkong> redrobot: which secret store backend were you using?
12:27:49 <redrobot> PKCS#11 backed by Safenet Luna SA HSMs
12:27:57 <redrobot> we had 2x HSMs per deployment
12:28:00 <redrobot> for HA
12:28:26 <redrobot> as well as offsite key backups of the master keys in Safenet backup devices
12:29:02 <lxkong> there is an open source HSM implementation named SoftHSM, does anyone have experience of it?
12:29:19 <lxkong> we are a small company that relies on open source software
12:29:29 <lxkong> so maybe the hardware HSM is not our option :-(
12:30:16 <redrobot> I've played around with SoftHSM before
12:30:39 <lxkong> redrobot: did you try to integrate that with Barbican?
12:30:47 <lxkong> does that work?
12:30:50 <redrobot> to be honest, I think it may be more trouble than it's worth... I think you may be able to get the same level of security with the SimpleCrypto backend
12:31:10 <redrobot> SoftHSM had some issues, as the mechanisms available are different than Safenet Luna's
12:31:23 <redrobot> even though they're both PKCS#11
12:31:36 <redrobot> but at the end of the day, SoftHSM is just a key in memory, just like SimpleCrypto
12:32:07 <lxkong> hmm...
12:32:10 <redrobot> SoftHSM v2 is supposed to be a lot better, but I'm not sure what the status of it is
12:32:35 <redrobot> it's been a couple of years since I looked at it, and v2 was just starting to be developed back then.
12:32:56 <lxkong> yeah, we are just going to evaluate v2
12:33:58 <lxkong> using PKCS#11 + SoftHSM will make it possible to migrate to a hardware HSM in future, right?
12:34:37 <redrobot> lxkong, yes, I think so... especially if you can extract the master key from SoftHSM and store it in the real HSM
12:34:45 <redrobot> the p11 plugin may need some work
12:35:11 <redrobot> depending on what mechanisms SoftHSM v2 makes available
12:35:21 <lxkong> seems we will have a lot of work to do
12:35:37 <redrobot> yup 😬
12:36:04 <lxkong> redrobot: thanks so much for your answer
12:36:08 <redrobot> let me know if you run into issues with PKCS#11 as it is something that I'm super interested in
12:36:44 <lxkong> Luzi: you said you are also going to deploy barbican, anything wanna share?
12:36:50 <Luzi> we want
12:37:36 <Luzi> we are currently evaluating Safenet HSM
12:37:59 <lxkong> ok, you are rich :-)
12:38:25 <Luzi> i am not... i just work in a nice team :)
12:38:39 <lxkong> Luzi: good to know anyway, thanks
12:39:36 <lxkong> redrobot: i'm done
12:39:41 <redrobot> cool
12:39:45 <redrobot> any other topics?
12:40:54 <redrobot> alrighty then... looks like we're finished with 20 minutes to spare! 😁
12:40:59 <redrobot> #endmeeting