15:01:32 <TravT> #startmeeting openstack search
15:01:32 <nikhil_k> TravT: hi
15:01:34 <openstack> Meeting started Thu Aug 13 15:01:32 2015 UTC and is due to finish in 60 minutes.  The chair is TravT. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:35 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:35 <david-lyle> o/
15:01:38 <openstack> The meeting name has been set to 'openstack_search'
15:01:39 <sjmc7> hi!
15:01:42 <lakshmiS> o/
15:01:45 <TravT> o/
15:01:47 <nikhil_k> o/
15:02:07 <TravT> How is everybody this fine day
15:02:08 <TravT> ?
15:02:16 <sigmavirus24> o/
15:02:17 <rosmaita> o/
15:02:21 <sjmc7> enjoying the airshow practice
15:02:38 <TravT> Sounds interesting
15:02:52 <TravT> Okay, here's the meeting agenda.  Please add any topics that you see fit.
15:02:53 <TravT> https://etherpad.openstack.org/p/search-team-meeting-agenda
15:03:10 <TravT> I don't have any general status updates today.
15:03:24 <TravT> #topic Testing - python 3
15:03:40 <TravT> This patch merged:     Patch Merged (Thanks Sergey!): https://review.openstack.org/#/c/209939/
15:03:49 <sjmc7> yeah, that's awesome
15:03:56 <TravT> So, I went ahead and put up a patch for zuul gate jobs
15:04:09 <TravT> to add py3 tests
15:04:09 <TravT> Gate Jobs review up: https://review.openstack.org/#/c/212103/
15:04:11 <wokuma> o/
15:04:34 <TravT> if there is any reason we shouldn't do that, speak now or forever hold your peace.
15:05:18 <lakshmiS> only reason we didnt do before was to keep it simple when we started searchlight code merge
15:05:27 <nikhil_k> +1 to that
15:05:31 <TravT> that's what I remember as well.
15:05:36 <sjmc7> yeah, go for it
15:05:48 <TravT> and moving py 3.4 is a priority from the cross project meetings
15:06:20 <nikhil_k> TravT: umm, for may be 1 year more :)
15:06:37 <nikhil_k> but +1 to avoid regression!
15:06:50 <TravT> that's like nothing in openstack time
15:06:54 <TravT> :)
15:07:20 <TravT> #topic Planning a liberty 3 prioritization discussion
15:07:45 <nikhil_k> ha :)
15:07:50 <TravT> As you might have seen, I put up a doodle poll
15:07:51 <TravT> http://doodle.com/99kzigdbmed57g7s
15:08:25 <lakshmiS> seems like there's only one option left :)
15:08:28 <TravT> Current responses point to tomorrow at 8 AM Pacific
15:08:40 <sigmavirus24> hah
15:08:42 <sigmavirus24> works for me
15:08:47 <rosmaita> works for me
15:08:51 <sjmc7> yep
15:09:28 <TravT> So, next question is should we just do it in the IRC room or do it via a video call.
15:09:33 <sigmavirus24> IRC
15:09:40 <sigmavirus24> (is my vote)
15:09:48 <sigmavirus24> I'll probably be on a separate video call all day tomorrow
15:10:00 <nikhil_k> either works for me
15:10:26 <sjmc7> irc has the advantage of being logged automatically
15:10:46 <lakshmiS> sigmavirus24: all day video call sounds boring
15:10:58 <sigmavirus24> lakshmiS: it is
15:12:27 <lakshmiS> irc+1
15:14:41 <lakshmiS> i guess TravT doesnt want IRC
15:14:47 <TravT> well, that was fun
15:15:03 <TravT> what'd i miss?
15:15:03 <sjmc7> :D
15:15:05 <nikhil_k> :D
15:15:29 <TravT> sorry, i got disconnected
15:15:30 <lakshmiS> fun was nothing happened
15:15:34 <nikhil_k> TravT: we talked about your leaving irc just  when we voted for irc meeting :P
15:15:40 <nikhil_k> you*
15:15:55 <TravT> Not sure if this sent or not. So re-pasting
15:16:02 <TravT> either also works for me.  i do like the rich-ness of verbal discussion, but i don't want to leave you out sigmavirus24, so let's go IRC
15:16:11 <TravT> I don't think it'll take very long, TBH
15:16:14 <sigmavirus24> TravT: you can leave me out
15:16:25 <sigmavirus24> I leave myself out of things often
15:16:28 <TravT> Sounds like everybody voted IRC
15:16:45 <TravT> sigmavirus24: not going to let you off the hook that easy.
15:16:50 <TravT> ;)
15:16:51 <sigmavirus24> damnit
15:17:02 <nikhil_k> haha
15:17:22 <TravT> okay, so tomorrow i'll put out a courtesy reminder
15:17:51 <TravT> I'm adding a topic here
15:17:59 <TravT> #topic discussing security bugs
15:18:20 <TravT> i was watching some of the discussion in the glance meeting just now
15:18:42 <TravT> sigmavirus24, you were talking about what we should and shouldn't discuss in meetings when it comes to vulnerabilities
15:19:10 <TravT> would you or somebody else like to repeat that?
15:19:27 <sigmavirus24> certainly
15:19:27 <sigmavirus24> so
15:19:34 <sigmavirus24> talking about open bugs in meetings is fine
15:19:41 <sigmavirus24> if a bug has been privately reported though
15:19:46 <sigmavirus24> then we shouldn't
15:19:48 <sigmavirus24> A) Link to it
15:19:54 <sigmavirus24> B) Discuss the bug number
15:19:57 <sigmavirus24> C) Discuss the contents
15:20:00 <sigmavirus24> D) Discuss the patch
15:20:08 <sigmavirus24> E) Add random people to it unless they're vetted security cores
15:20:36 <sigmavirus24> Basically when something is reported, the only people on the bug should be the VMT, the security liaison, the PTL
15:20:43 <nikhil_k> F) Dates
15:20:47 <sigmavirus24> Right
15:21:00 <sigmavirus24> Patches are developed as attachments to the bug report
15:21:11 <sigmavirus24> Once a patch seems to fix the issue, a core or two are added to review it on the bug report
15:21:29 <sigmavirus24> Once they're satisfied, then a disclosure date is set, the stakeholders are emailed by a VMT member
15:21:46 <sigmavirus24> And then on the disclosure date, the patch is proposed to gerrit and the cores that were added auto-approve it
15:21:53 <sigmavirus24> And we have a successful security process
15:22:03 <nikhil_k> \o/
15:22:10 <TravT> great synopsis
15:22:19 <sigmavirus24> There's a really good wiki page about all of this
15:22:26 <sigmavirus24> So that makes me wonder, do we have a security liaison?
15:22:34 <sigmavirus24> Or a security team?
15:22:34 <TravT> now for reporting, there is a Information Type field.
15:22:38 <david-lyle> TravT: and nikhil_k once we have a release, you will need a core-sec group
15:22:51 <nikhil_k> david-lyle: good point
15:22:59 <david-lyle> as sigmavirus24 was pointing out
15:23:13 <nikhil_k> liaison(s) == core sec group
15:23:31 <TravT> what if a security related bug is reported and is set as public?
15:23:39 <david-lyle> then it stays open
15:23:45 <sjmc7> fix it quick!
15:23:51 <nikhil_k> someone needs to take it up and fix it
15:23:57 <david-lyle> it's already disclosed at that point
15:23:59 <nikhil_k> usually the responsibility of the core sec group
15:24:03 <david-lyle> no, undisclosing
15:24:10 <nikhil_k> so they needs to be part of cores in general
15:24:29 <nikhil_k> need*
15:24:37 <nikhil_k> today is my un-grammar day
15:24:40 <sigmavirus24> So the other thing is, NEVER add the security group
15:24:45 <TravT> everyday is my un-grammar day
15:24:47 * david-lyle doesn't limit to one day
15:24:50 <sigmavirus24> the VMT and the OpenStack Security Group on Launchpad are two very different teams
15:25:16 <sigmavirus24> If you add the OSSG it's as good as publicly disclosing
15:25:38 <lakshmiS> sigmavirus24: can you point to the wiki link
15:25:44 <sigmavirus24> lakshmiS: let me look
15:25:46 <david-lyle> yes, when a bug is properly submitted the VMT is usually on it before the project team
15:26:09 <sigmavirus24> #linkhttps://wiki.openstack.org/wiki/Vulnerability_Management
15:26:15 <sigmavirus24> #link https://wiki.openstack.org/wiki/Vulnerability_Management
15:26:22 <sigmavirus24> david-lyle: right
15:26:29 <sigmavirus24> That assumes the bug tracker is appropriately configured
15:26:35 <nikhil_k> basically, as a practice you can add Tristan Cacqueray, ttx and (or) Jeremy Stanley
15:26:38 <TravT> looks like it is moved here
15:26:38 <sigmavirus24> glance_store (was?) is not configured appropriately
15:26:41 <TravT> #link https://security.openstack.org/vmt-process.html
15:26:53 <sigmavirus24> TravT: yeah,
15:27:04 <sigmavirus24> I think the links in the wiki (which comes up first on Google) are to that
15:27:48 <TravT> Since we haven't done a release yet, I think we're okay.  But we've already had a few security bugs reported as public.
15:28:07 <TravT> But moving forward, we should follow that process.
15:28:32 <nikhil_k> I think we are okay for now, given people would be deploying with a risk anyways
15:28:37 <fungi> yep, please reach out to one of the vmt when you have time and we can clear it up
15:28:48 <david-lyle> I think the suggestion is configure launchpad properly and have a team/individuals properly assigned by release time
15:29:04 <sigmavirus24> david-lyle: +1
15:29:13 <TravT> david-lyle, sounds good
15:29:13 <sigmavirus24> we should have this in place before searchlight 1.0.0
15:29:29 <sigmavirus24> that way once we have 1.0.0, we don't need to scramble on the first report
15:29:43 <TravT> so, i would nominate all cores on this meeting to be a part of sec-core group.
15:29:54 <TravT> but how is that normally done?
15:30:07 <sigmavirus24> fungi: ?
15:30:09 <nikhil_k> I think that's fair given the diverse set of focus/expertise
15:30:14 <david-lyle> in Horizon it's a subset of core plus a non-core
15:30:30 <sjmc7> i'm very trustworthy
15:30:48 <nikhil_k> basically if we see something in designate we need someone with domain k/w on that, if nova then so
15:30:48 * TravT never believes somebody who says that about themselves
15:30:58 <fungi> TravT: generally it depends on the size of your core reviewer group
15:31:45 <fungi> if it's just a handful of people and they're familiar enough with the embargoed security patch proposal/review process such that they can successfully avoid accidentally leaking information prematurely, then that's fine
15:32:23 <nikhil_k> one idea: to start with we should ask 2 volunteer security liaisons. they can do the needed delegation once an initial pass is completed
15:32:23 <fungi> for projects the size of, say, nova it doesn't make sense to have two dozen people automatically subscribed to a vulnerability report. might as well just be public at that point
15:33:41 <fungi> but yeah, by default for repos in a governance deliverable tagged vulnerability:managed there is a vmt liaison (by default the ptl) and then some subset of the project-team's core reviewers identified with a projectname-coresec group in lp
15:33:51 <sigmavirus24> Also, I should point out that respected members of the larger sec community are turning against embargoed disclosures
15:34:08 <TravT> sigmavirus24, what does that mean?
15:34:20 <sigmavirus24> It doesn't affect us
15:34:25 <fungi> for deliverables that are not officially vulnerability:managed you can mostly follow the same processes we publish, and we're happy to help you out in getting familiar with them
15:34:29 <sigmavirus24> But, there would be no private disclosure of the bug in a private bug report
15:34:49 <sigmavirus24> Just food for thought is all
15:35:29 <fungi> right, for any of you who attended my talk at oscon, i tried to underscore that our vmt is taking a pretty hard line on only embargoing things that really benefit from it (where the embargo effort is eclipsed by the potential impact of having the bug public without available fixes)
15:35:35 <TravT> ok, well, i have about 6 people (including me) that I think are candidates for seccore group.
15:36:13 <fungi> yeah, so you'd create a searchlight-coresec group in launchpad and invite them
15:36:30 <TravT> Ok, that sounds like a good way to go about it.
15:37:00 <TravT> nikhil_k, sigmavirus24, can we have a side discussion on this later, before I do that?
15:38:18 <TravT> fungi: thanks for the info.
15:38:42 <TravT> now that we've had that topic, let's move on.
15:39:08 <TravT> #topic Bug review
15:39:24 <TravT> what helped prompt the above
15:39:34 <TravT> is we have a security bug right now...
15:39:41 <TravT> as it turns out, it is really just configuration.
15:39:54 <sjmc7> i'll test this today
15:39:54 <TravT> so, documentation + devstack settings.
15:39:57 <sjmc7> yesterday exploded
15:39:57 <TravT> Fix for Authentication not Happening: https://review.openstack.org/#/c/211047/
15:40:14 <TravT> thanks sjmc7
15:40:28 <TravT> if other could also take a look that'd be great.
15:42:13 <TravT> There is another related bug, which it appears sjmc7 has triaged
15:42:33 <TravT> could use some reviews on his fix:
15:42:35 <TravT> https://bugs.launchpad.net/searchlight/+bug/1484285
15:42:35 <openstack> Launchpad bug 1484285 in OpenStack Search (Searchlight) "Elasticsearch unable to parse query when using non-admin user" [Critical,In progress] - Assigned to Steve McLellan (sjmc7)
15:42:41 <sigmavirus24> TravT: no objection
15:42:58 <TravT> lakshmiS: i had notified you of that one last night.
15:43:06 <TravT> did you also look at it?
15:43:32 <lakshmiS> yes i did, also looling through sjmc7 fix
15:43:35 <lakshmiS> looking
15:43:45 <TravT> ok, sounds good
15:44:08 <lakshmiS> i am still not sure how it worked before. I will be spending more time on it
15:44:39 <TravT> Fix for API root returns HTML instead of a list of versions: https://review.openstack.org/#/c/207864/
15:44:42 <sjmc7> it worked as an admin user
15:45:14 <TravT> the above ^ has several positive reviews.
15:45:24 <sjmc7> yeah, that one's good to go. even graham approved!
15:45:41 <TravT> just needs another +2'er with +A
15:46:46 <TravT> any other bugs specifically needing attention today?
15:47:00 <TravT> if not, would like to move to next topic
15:47:27 <sjmc7> not from me, aside from the other reviews waiting
15:47:43 <TravT> i had hoped to review more earlier this week,
15:47:55 <TravT> but that authentication bug took most my attention
15:48:15 <TravT> ok
15:48:29 <TravT> #topic     BP: Functional Tests https://blueprints.launchpad.net/searchlight/+spec/set-up-functional-tests
15:48:44 <nikhil_k> lakshmiS: that patch fixes more than just HTML right?
15:48:52 <nikhil_k> I mean, is intended to fix**
15:49:15 <TravT> #undo
15:49:16 <openstack> Removing item from minutes: <ircmeeting.items.Topic object at 0xa0a5d10>
15:49:19 <lakshmiS> prevent HTML output and provide version info similar to glance
15:50:01 <nikhil_k> lakshmiS: and the correct version listing in the discovery api response
15:50:30 <lakshmiS> nikhil_k: yes and it only has one api version for searchlight which is v1
15:50:45 <nikhil_k> may be a updated commit message (using the webui) with APIImpact flag for historical purposed?
15:50:57 <nikhil_k> purposes*
15:51:19 <lakshmiS> nikhil_k: sure
15:51:21 <nikhil_k> I can comment that on the patch
15:51:26 <nikhil_k> thanks lakshmiS
15:51:32 <sjmc7> https://review.openstack.org/#/c/207672/ should also have an APIImpact flag in that case
15:51:42 <sjmc7> since it changes the /search/plugins response
15:52:05 <nikhil_k> umm, yeah..
15:52:24 <TravT> sure, go ahead and add it.
15:52:49 <TravT> #topic https://blueprints.launchpad.net/searchlight/+spec/set-up-functional-tests
15:52:52 <nikhil_k> we can do a quick grep at the end of the cycle and say this is how the API has evolved
15:52:58 <nikhil_k> thanks TravT
15:53:12 <lakshmiS> so ceilometer assumes JDK and ES is already installed and there is no other known solution
15:53:21 <lakshmiS> https://github.com/openstack/ceilometer/blob/6f6f655766a1ab4a66e00ea7f95dabb56a654e8a/setup-test-env-es.sh
15:53:29 <lakshmiS> for functional tests
15:53:43 <sjmc7> that's what i did too. because it's hard :)
15:53:56 <lakshmiS> thats the same approach i am following unless anybody has something to say!
15:53:58 <sjmc7> i still think there's a lot of value in being able to run them locally even if integrating in CI is hard
15:54:21 <TravT> I agree
15:54:37 <nikhil_k> I see, it might be the only good solution for a bit
15:55:02 <lakshmiS> i will put the patch up for review then!
15:55:04 <TravT> I am not a fan of creating mock back-ends for integration tests
15:56:05 <nikhil_k> lakshmiS: I would like to work with you or on the review. there are a few things like avoiding sys variables that we should do. it broke glance many a times
15:56:22 <lakshmiS> nikhil_k: definitely
15:56:49 <TravT> because above might be misinterpreted by others following along at home, just want to be clear that i feel that testing elasticsearch integration should be against real elasticsearch.
15:57:07 <sjmc7> yes
15:57:09 <sjmc7> i agree
15:57:22 <TravT> lakshmiS, that's great you have a patch ready
15:57:48 <TravT> ok, we are almost out of time.
15:58:04 <TravT> as usual, review what you can.
15:58:28 <nikhil_k> sjmc7: I think the nova plugin is failing silly
15:58:29 <TravT> Tomorrow we'll have a BP prioritization review in the room
15:58:37 <nikhil_k> https://review.openstack.org/#/c/198852/
15:58:42 <lakshmiS> which room? searchlight or meeting room?
15:58:47 <nikhil_k> sjmc7: may be a set() on the test should help
15:58:51 <TravT> #openstack-searchlight
15:59:22 <TravT> I'll send a courtesy reminder out
15:59:22 <nikhil_k> because, currently it's looking at the order of values in  resp
16:00:00 <wokuma> TravT, lakshmiS - don't forget the i18n meeting.
16:00:13 <TravT> thanks everybody
16:00:15 <lakshmiS> wokuma: thx for the reminder
16:00:18 <TravT> #endmeeting