16:00:05 <Jeffrey4l> #startmeeting kolla
16:00:06 <openstack> Meeting started Wed Feb 21 16:00:05 2018 UTC and is due to finish in 60 minutes.  The chair is Jeffrey4l. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:07 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:09 <openstack> The meeting name has been set to 'kolla'
16:00:14 <Jeffrey4l> #topic rollcall
16:00:17 <duonghq> o/
16:00:27 <inc0> w00t for Jeffrey4l!!:) congrats man!
16:00:54 <Jeffrey4l> inc0, thanks ;D
16:01:11 <pbourke_> w00t :)
16:02:57 <Jeffrey4l> are you guys on the way to Dublin ;D
16:03:26 <Jeffrey4l> #topic Announcements
16:03:55 <Jeffrey4l> ptl election result.
16:04:36 <Jeffrey4l> i am pleased to serve as PTL in the next cycle.
16:04:59 <Jeffrey4l> and thanks duonghq and pbourke_ for joining the nomination too.
16:05:04 <sadasu> congratulations!
16:05:41 <Jeffrey4l> kolla is the hottest project with three nominators.
16:05:46 <Jeffrey4l> which is a good sign
16:06:43 <Jeffrey4l> 2. ptg meeting will be held next week.
16:07:13 <Jeffrey4l> hope you guys can enjoy it, and next weekly meeting will be canceled.
16:07:41 <Jeffrey4l> 3. at the same time, kolla rc1 tag and queens branch will be created next week too.
16:08:04 <Jeffrey4l> so any critical bug should be resolved and merged ASAP
16:08:10 <mgoddard_> o/
16:08:11 <Jeffrey4l> anything else?
16:08:42 <caoyuan> hi
16:08:58 <Jeffrey4l> sup caoyuan
16:09:10 <Jeffrey4l> guess no. let us move on.
16:09:13 <Jeffrey4l> #topic Security bug in gates https://bugs.launchpad.net/kolla-ansible/+bug/1749326 (inc0)
16:09:13 <caoyuan> :)
16:09:14 <hrw> o/
16:09:14 <openstack> Launchpad bug 1749326 in kolla-ansible "Exploitable services exposed on community test nodes" [Critical,Confirmed]
16:09:20 <rwellum> Congrats Jeffrey4l !!!
16:09:24 <Jeffrey4l> inc0, your floor
16:09:35 <Jeffrey4l> thanks rwellum
16:09:39 <inc0> so fungi got a msg from one of the cloud providers that our memcached is open for attack
16:09:43 <inc0> which makes sense,
16:10:10 <inc0> right now in multinode gates we drop iptables rules
16:10:26 <Jeffrey4l> i am curious why only oraclelinux related jobs are pointed out?
16:10:35 <inc0> https://github.com/openstack/kolla-ansible/blob/master/tests/pre.yml#L36
16:10:38 <pbourke_> wondering that also
16:10:41 <inc0> just a correlation
16:10:51 <inc0> my guess is that all of gates are in fact affected
16:11:00 <Jeffrey4l> i think so too.
16:11:11 <pbourke_> so... since we're moving to fernet
16:11:22 <pbourke_> can we just drop memcached and problem solved?
16:11:28 <inc0> well dropping memcached fully isn't going to solve it
16:11:46 <inc0> it will for master, but pike and queens gates are still vulnerable
16:11:49 <Jeffrey4l> anyway i think we can do nothing for this. because even if iptables rules are added, memcached port should still be exposed for multi node access.
16:12:13 <Jeffrey4l> pbourke_, inc0 we can not drop memcached. it is widely used in openstack, not only for uuid tokens
16:12:14 <inc0> we can add multinode gates to allow traffic only from other nodes
16:12:25 <pbourke_> I just mean drop it from the gates
16:12:30 <inc0> instead of iptables -F - add rules that'll allow all traffic based on dest
16:12:30 <pbourke_> not from the project
16:12:50 <Jeffrey4l> inc0, " allow traffic only from other nodes" +1
16:13:13 <inc0> thing is, I don't think I will be able to do it, got a lot on my plate
16:13:25 <inc0> so looking for volunteers:)
16:13:32 <Jeffrey4l> i am afraid other projects have the same issue, like mariadb.
16:13:44 <inc0> right, so my thinking was
16:13:54 <inc0> restore regular iptables rules, which were pretty strict
16:14:04 <fungi> yeah, if you could block it on the nodes' real interfaces and have it only exposed across the overlay network that would certainly solve the risk
16:14:05 <inc0> and add new rule that will allow all from nodes
16:14:18 <inc0> fungi: we can't use overlay network tho
16:14:27 <inc0> not in the way it's implemented today in zuul
16:14:31 <fungi> oh, you don't tunnel between nodes in your multinode jobs?
16:14:34 <Jeffrey4l> for overlay, we can set up a vxlan interface to use.
16:14:34 <inc0> because it uses ovs
16:14:54 <inc0> and our ovs in container conflicts with ovs used by overlay
16:15:02 <fungi> got it, namespace issues i guess
16:15:04 <inc0> we would need to re-implement this with linuxbridge
16:15:28 <Jeffrey4l> inc0, we can use overlay for api_interface and use the direct physical interface for network_interface
16:15:28 <fungi> i think we had a linuxbridge implementation in devstack-gate which you might be able to excavate from git history if you need a starting point
16:15:30 <inc0> that would be best, but also quite hard
16:15:47 <inc0> Jeffrey4l: or other way around
16:16:05 <inc0> in any case, someone would need to write it;)
16:16:07 <fungi> but regardless, you could of course also just hardcode the corresponding ip addresses of other nodes into iptables and do direct communication between them
16:16:20 <inc0> I think this will be quickest
16:16:21 <Jeffrey4l> the root issue is: memcache does not support authorization, right? fungi
16:16:21 <fungi> since you don't currently have an overlay to make that simpler
16:16:27 <inc0> and time is crucial here
16:17:20 <fungi> Jeffrey4l: yes, and the provider is primarily concerned that memcached can be leveraged by a miscreant to launch attacks against other systems on the internet
16:18:10 <fungi> particularly its udp access methods
16:18:31 <fungi> since the client address can be spoofed and used in an amplified reflection attack
16:18:50 <Jeffrey4l> got it. i think we can implement inc0's idea, adding iptables rules.
16:19:09 <pbourke_> so I can propose to try and fix this during the PTG next week
16:19:20 <Jeffrey4l> pbourke_, cool, thanks.
16:19:20 <inc0> long term we could also add vxlan linuxbridge to allow networking to spawned-by-us vms
16:19:31 <pbourke_> hopefully if a few of us sit down together we can fix it up quickly enough
16:19:31 <Jeffrey4l> inc0, +1
16:19:48 <inc0> pbourke_: a lot of infra people will be there, I'm sure they'll provide help if needed:)
16:19:51 <pbourke_> if we have trouble we can call by the infra room
16:20:01 <fungi> as soon as possible would be best of course, but i understand that everyone's time is at a premium
16:20:10 <inc0> thanks pbourke_ we'll be here reviewing
16:20:13 <pbourke_> fungi: will you be around next week?
16:20:15 <Jeffrey4l> pbourke_, i think just adding a few ansible tasks through the iptables module works.
16:20:27 <pbourke_> Jeffrey4l: roger
16:20:28 <fungi> pbourke_: i'll be "around dublin" next week if that's what you're asking
16:20:43 <Jeffrey4l> in "pre.yml" playbooks.
16:20:45 <pbourke_> fungi: yeah cool, I'll try say hi :)
16:20:56 <fungi> though i tend to be stretched pretty thin between infra, tc, foundation, election officials, vmt...
16:21:30 <fungi> but yes, happy to assist with anything you need if we can get our schedules to sync up
16:21:45 <Jeffrey4l> thanks fungi
16:21:56 <fungi> you bet! lmk if you need anything
16:22:13 <Jeffrey4l> we will
16:22:26 <Jeffrey4l> ok. let us move on next topic
16:22:34 <Jeffrey4l> #topic ptg plan https://etherpad.openstack.org/p/kolla-rocky-ptg-planning
16:22:45 <Jeffrey4l> #link https://etherpad.openstack.org/p/kolla-rocky-ptg-planning
16:22:47 <caoyuan> pbourke_ , call me, if need any help
16:22:56 <pbourke_> caoyuan: thanks!
16:23:03 <caoyuan> :)
16:23:05 <Jeffrey4l> please open the link
16:23:28 <Jeffrey4l> ptg is around the corner, we need to schedule the topic agenda today.
16:23:48 <Jeffrey4l> we have three days slots during ptg.
16:23:49 <egonzalez> sorry, was in a meeting, regarding dropping memcached, we cannot do it because nova console auth needs it for multinode
16:23:54 <duonghq> who is going to the PTG?
16:23:59 <jmccarthy> o/
16:24:00 * egonzalez going
16:24:13 * hrw go
16:24:31 <Jeffrey4l> duonghq, there is an attendees confirmation section on the page.
16:24:35 <mgoddard_> o/
16:24:59 <Jeffrey4l> since i can not be in Dublin, i have asked pbourke_ to hold the meeting.
16:25:03 <Jeffrey4l> thanks pbourke_
16:25:15 <duonghq> Jeffrey4l, I saw a guy whose name is Jeffrey, is it you or another Jeffrey?
16:25:30 <Jeffrey4l> i will try to sync through mail or etherpad.
16:25:44 <Jeffrey4l> duonghq, yes. it is another guy.
16:26:05 <duonghq> okay, I'm recalling that I saw that guy in Denver
16:26:17 <Jeffrey4l> now let us focus on the topic agenda schedule.
16:26:55 <duonghq> should we start voting for topic?
16:27:04 <Jeffrey4l> please add "+1" on the topic you would like to talk on ptg
16:27:13 <Jeffrey4l> duonghq, yes.
16:27:32 <Jeffrey4l> since we don't have much time. let us start a rough voting.
16:28:02 <Jeffrey4l> let us go back to irc after 10 min, please vote on the topics.
16:29:45 <spsurya__> Jeffrey4l: sorry, just joined
16:29:55 <Jeffrey4l> np.
16:30:38 <Jeffrey4l> spsurya__, we are prioritizing the topics on https://etherpad.openstack.org/p/kolla-rocky-ptg-planning now.
16:31:41 <spsurya__> Jeffrey4l: nice
16:33:01 <spsurya__> Jeffrey4l: hope i would be at PTG
16:37:33 <egonzalez> anyone from k8s will attend PTG?
16:40:05 <Jeffrey4l> egonzalez, seems no.
16:40:19 <pbourke_> how many are working on kolla-k8s right now
16:40:55 <inc0> I know kfox and jascott are on helm-summit today
16:40:56 <Jeffrey4l> http://stackalytics.com/?module=kolla-kubernetes&metric=commits
16:41:04 <inc0> but neither are going to ptg
16:41:15 <Jeffrey4l> not many commits recently.
16:41:50 <pbourke_> I'd like to see an honest conversation on the future of this project
16:42:12 <spsurya__> egonzalez: Jeffrey4l  Though i am not from kubernetes... i have added this to my schedule on Tuesday
16:43:03 <Jeffrey4l> spsurya__, thanks.
16:43:10 <hrw> Jeffrey4l: thx for link. /me -> own commits
16:44:26 <Jeffrey4l> OK. thanks guys for voting topics.
16:44:36 <Jeffrey4l> we have some high priority topics now.
16:45:17 <Jeffrey4l> we will sort it out and move them to the agenda sections later.
16:45:35 <Jeffrey4l> anyone else is welcome to add comments
16:46:40 <spsurya__> rwellum: around ?
16:49:04 <Jeffrey4l> #topic Open Discussion
16:49:05 <Jeffrey4l> hrm, bot doesn't work?
16:49:06 <Jeffrey4l> anyway, any other topic you wanna talk about?
16:50:08 <hrw> did someone add kolla to the list for the group photo?
16:50:17 <Jeffrey4l> tbh, i am afraid about kolla-k8s project too. not many contributors now. and we have a strong competitor, openstack-helm
16:50:28 <Jeffrey4l> pbourke, ^^
16:50:38 <Jeffrey4l> hrw no.
16:50:50 <Jeffrey4l> i will add it after the meeting.
16:51:44 <egonzalez> should we have a cross session with other deployment tools?
16:51:45 <rwellum> Hi spsurya__
16:52:12 <spsurya__> egonzalez: +1
16:52:21 <spsurya__> rwellum: going to PTG ?
16:52:37 <Jeffrey4l> egonzalez, i am not sure how that happens. any idea inc0 ?
16:52:41 <egonzalez> I think we had a good discussion for healthchecks which was forgotten this release and could be really good to have
16:52:48 <egonzalez> *had in denver ptg
16:52:56 <rwellum> I am not going
16:53:41 <inc0> egonzalez Jeffrey4l yeah it was good last time
16:53:43 <Jeffrey4l> does anybody know what's the status of self-health-check in tripleo project?
16:54:07 <inc0> Jeffrey4l: feel free to reach out to PTLs of OpenStack-Ansible, OpenStack-Helm, TripleO and other deployment tools
16:54:16 <rwellum> The main issue with kolla-k8s - is when they decided to split off from kolla-ansible - you guys are pouring new features and fixes into the project and they are not getting added to kolla-k8s
16:54:34 <egonzalez> asked to mandre and no progress was done in the cross project goal, guess they made some advance internally in tripleo
16:55:07 <Jeffrey4l> inc0, OK
16:55:58 <egonzalez> rwellum, the problem with having a single repository is merge privileges, should an ansible expert (no idea in k8s) merge a change related to k8s?
16:55:59 <Jeffrey4l> rwellum, that is a good point. But the main issue now is there are fewer contributors ;(
16:56:21 <egonzalez> rwellum, same on the other way
16:56:26 <Jeffrey4l> we can use launchpad to track the same issue for both kolla-ansible and kolla-k8s
16:56:41 <rwellum> egonzalez: we should have identified a few people to do that - become experts in k8s
16:56:45 <Jeffrey4l> mostly, i think you are meaning the configuration changes.
16:56:50 <rwellum> Keep the two projects synced
16:57:54 <rwellum> I think Serguei stopped because of the tripleo talks - he didn't want to go back to jinja templates when he'd just converted to go
16:58:13 <rwellum> Jeffrey4l: yes
16:59:01 <Jeffrey4l> did serguei go to the tripleo project? or openstack-helm? btw
16:59:04 <Jeffrey4l> rwellum, ^
16:59:24 <inc0> I don't know if he works with OpenStack upstream any more
16:59:27 <rwellum> Jeffrey4l: he has just focused on k8s - not openstack, I believe
16:59:40 <Jeffrey4l> i see thanks.
16:59:49 <pbourke_> I think there's a lot of confusion resulting from the existence of both kolla-k8s and openstack-helm
17:00:12 <Jeffrey4l> time is up. thanks to all you guys for coming. let us end the meeting and move to the #openstack-kolla channel.
17:00:16 <Jeffrey4l> #endmeeting