09:00:24 <yuval> #startmeeting karbor
09:00:24 <openstack> Meeting started Tue Aug  1 09:00:24 2017 UTC and is due to finish in 60 minutes.  The chair is yuval. Information about MeetBot at http://wiki.debian.org/MeetBot.
09:00:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
09:00:27 <openstack> The meeting name has been set to 'karbor'
09:00:34 <yuval> Hello everybody and welcome to Karbor's biweekly meeting
09:00:40 <chenying> hi
09:01:07 <liujiong> hi yuanying chenying
09:01:07 <yuval> hey chenying
09:01:22 <liujiong> hi yuval
09:01:31 <zhonghua2> hi
09:01:32 <yuval> hey liujiong
09:01:51 <liujiong> :)
09:01:54 <yushb> hey
09:02:00 <yuval> hey yushb
09:02:05 <jiaopengju> hi
09:02:10 <yuval> #info chenying liujiong yushb jiaopengju in meeting
09:02:29 <yuval> good to see all of you here
09:02:46 <edisonxiang> hello:)
09:02:52 <yuval> hey edisonxiang!
09:02:52 <chenying> #info zhonghua2
09:03:08 <edisonxiang> hello yuval
09:03:21 <yuval> #info zhonghua2 edisonxiang in meeting
09:03:50 <yuval> Let's start with the first topic on the agenda
09:04:03 <yuval> #topic Pike Status
09:04:44 <yuval> Next week is RC1 target week
09:05:04 <yuval> and on August 21st we enter final RC week
09:05:45 <chenying> yuval So the feature patches need be merged this week?
09:05:47 <yuval> we have made quite a progress in the last two weeks
09:05:55 <yuval> chenying: this week or the next
09:06:07 <chenying> ok.
09:06:07 <yuval> chenying: the RC will be created at the end of next week, afaik
09:07:07 <yuval> if there are any patches you think should be merged, please say so
09:07:39 <yuval> I'm currently aware about the operation log patches, the heat patches
09:08:19 <chenying> Operation Engine: Support Trigger Multi Node   what about this patch?
09:08:46 <yuval> chenying: as you pointed out to me, more work is required on that. I'll try to finish by the end of next week
09:08:51 <chenying> It  seems that it need be updated.
09:09:10 <chenying> yuval Sound good.
09:09:41 <yuval> anything else?
09:10:02 <jiaopengju> I will try to add retry for s3 bank plugin
09:10:17 <chenying> There is a topic submitted by
09:10:17 <chenying> yushb.
09:10:20 <yuval> jiaopengju: hope to see this one
09:10:27 <yuval> chenying: getting to it next
09:10:32 <jiaopengju> yuval: ok
09:10:41 <yuval> another thing
09:11:00 <yuval> The Sydney summit is on, and the voting for talks is open
09:11:02 <yuval> https://www.openstack.org/summit/sydney-2017/vote-for-speakers
09:11:37 <yuval> A few sessions about Karbor have been submitted. You can use search for "Karbor" to see them
09:11:49 <yuval> if there is any talk you'd like to hear, please vote for it
09:12:24 <yuval> #topic Barbican integration
09:13:05 <yushb> yes, I added this topic.
09:13:07 <yuval> that's by yushb?
09:13:14 <yuval> go ahead :)
09:13:54 <yushb> we want to integrate barbican to backup keys
09:14:47 <chenying> yushb Can you give some usecases about it?
09:14:57 <yuval> yushb: to be honest, I'm not very familiar with barbican. Does barbican have some sort of backup, or would you like to backup them to the bank?
09:15:47 <liujiong> barbican is key manager service in openstack, currently it doesn't have backup function implemented yet.
09:16:34 <liujiong> Does karbor require the backup function implemented in barbican side?
09:17:16 <yuval> liujiong: not really. But some services do have their own backup API (i.e Cinder), and that's something Karbor can support
09:18:47 <liujiong> ok, actually, backing up key materials is a normal usecase. That's why we're seeking the possibility to integrate with karbor.
09:19:11 <chenying> yushb The backup function about barbican resource could be implemented in plugins. It can call backup api like cinder, or you can implement it in plugin itself.
09:20:00 <yushb> chenying yeah, I know about it.
09:20:26 <yuval> Placing the keys in the bank + metadata sounds quite easy. What about security? Is it used to backup private keys as well?
09:21:10 <chenying> https://ethercalc.openstack.org/karbor-queens  it seem that the task 'Support barbican protection plugin
09:21:11 <chenying> ' has been added to this link.
09:21:53 <yuval> looking at barbican's api, maybe I mean: we intend to backup the secret payload, right? Placing it in the bank as is, seem to induce a security issue
09:22:10 <chandankumar> Hello,
09:22:57 <liujiong> yuval: yep, indeed backing up private key is something need discussion
09:23:33 <chenying> hi chandankumar
09:23:53 <chandankumar> chenying: i was checking karbor project there is no tempest plugin there
09:24:22 <chandankumar> chenying: is there any plan to add create tempest plugin in a separate repo for karbor in Queens cycle?
09:24:24 <chenying> Yes karbor only have fullstack tests.
09:24:59 <chandankumar> chenying: sorry what is fullstack tests?
09:25:01 <yuval> chandankumar: we are now discussing barbican integration. Mind discussing tempest after that?
09:25:08 <chandankumar> yuval: sure
09:25:16 <yuval> chandankumar: thanks
09:25:43 <yuval> yushb: liujiong: any idea about storing secret payload on the bank?
09:27:19 <liujiong> yuval: you mean karbor as a storage backend for barbican?
09:28:28 <liujiong> yuval: what's bank plugin used for?
09:28:30 <yuval> liujiong: Karbor is using the bank (i.e swift, s3, etc.) for storing backup metadata and sometimes data itself (depending on the protection plugin). One possible implementation for Barbican secrets would be, store the secret payload and metadata on the bank.
09:28:54 <yuval> liujiong: = store the data on swift or s3 (for example)
09:29:45 <yuval> liujiong: this induces a security issue: anyone with access to the bank could get the secret payload
09:32:43 <liujiong> yuval: ok, so people can access bank means they can access all the data stored in bank?
09:32:44 <yuval> liujiong: I guess there are other solutions. Maybe ask the Barbican backend store for an encrypted dump
09:33:11 <jiaopengju> yuval liujiong: maybe we can store it as binary file?
09:34:53 <yuval> jiaopengju: sounds good, but that binary file must be encrypted, right?
09:34:56 <yushb> yuval : Now in barbican service, keys are stored after encrypted.
09:36:04 <jiaopengju> yuval: it seems yes
09:36:10 <yuval> yushb: afaik, they are stored in a backend secret store https://docs.openstack.org/barbican/latest/install/barbican-backend.html
09:36:27 <yuval> yushb: a few problems with that:
09:36:29 <liujiong> yuval jiaopengju: then another problem, how to protect the encryption keys of karbor.
09:36:31 <chenying> liujiong: can the encrypted data be restored by barbican service directly?
09:36:43 <yuval> yushb: 1. we don't want to speak to the backend store, behind barbican's back
09:37:04 <yuval> yushb: 2. we would be able to restore only into the same backend store
09:37:21 <yuval> liujiong: good point
09:38:50 <yuval> I'll have to stop here and move to the next subject, but there is plenty to continue to speak about. I suggest we meet in Karbor channel, tomorrow at 07:00 UTC (15:00 China time) to discuss it in depth
09:39:10 <yuval> liujiong: jiaopengju: jiaopengju: chenying: are you ok with that?
09:39:17 <liujiong> yuval: fine with me
09:39:20 <yuval> yushb:
09:39:28 <yushb> fine
09:39:34 <chenying> sure
09:39:52 <jiaopengju> ok
09:39:53 <yuval> great
09:40:01 <yuval> will move to tempest chandankumar
09:40:04 <yuval> #topic Tempest
09:40:54 <yuval> chandankumar: Currently Karbor uses a DSVM gate and tests Karbor's APIs without tempest
09:41:31 <chandankumar> yuval: is there any plan to use tempest plugin in future?
09:42:16 <chenying> IMO they are repetitive about integration tests.
09:43:35 <yuval> chandankumar: tbh, a bit embarrassing, but I'm not very familiar with tempest
09:44:14 <chandankumar> yuval: no problem i was asking because in queens there is a tempest split goal to a separate repo, i am volunteering for the same
09:44:26 <liujiong> looks like fullstack is integration test
09:44:49 <chandankumar> yuval: tempest provides a set of stable api through which you can create tempest plugin
09:45:23 <chandankumar> through plugin tempest discovers the tests and all the api/scenario tests related to karbor will reside with the plugin
09:45:43 <yuval> #link https://governance.openstack.org/tc/goals/queens/split-tempest-plugins.html
09:45:47 <chandankumar> yuval: since there is currently no tempest plugin in karbor so there is no issue
09:45:53 <yuval> chandankumar: thanks for pointing that out
09:46:23 <yuval> chandankumar: adding a tempest plugin for karbor means that we have to be aware of the split and do it correctly, I guess
09:46:25 <chandankumar> yuval: but if you need any help, please let me know i will be hanging around on #openstack-qa channel
09:46:54 <chandankumar> yuval: yes
09:47:01 <yuval> chandankumar: that's great, thank you :D
09:47:20 <chandankumar> yuval: since there is no tempest plugin for karbor so creating it from scratch is not hard
09:47:42 <yuval> #topic Open Discussion
09:47:54 <yuval> Anything else you would like to speak about?
09:49:14 <yuval> thanks for attending :)
09:49:15 <yuval> #endmeeting