#openstack-meeting log

18:10:57 <bdpayne> #startmeeting OpenStack Security Group
18:10:58 <openstack> Meeting started Thu Apr 25 18:10:57 2013 UTC.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:10:59 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:11:01 <openstack> The meeting name has been set to 'openstack_security_group'
18:11:27 <bdpayne> I'll need to check the conference sessions to find the live migration stuff
18:11:47 <ewindisch> live migrations depend on an ssh key
18:11:49 <bdpayne> may be an ether pad
18:12:08 <bdpayne> I know that I've spoken with Vish about this stuff a bit as well
18:12:10 <ewindisch> either every compute node has every other machine's public key, or they just share a private key.
18:12:19 <bdpayne> good times :-)
18:12:22 <harlowja> ya, so the general problem is as ewindisch says
18:12:25 <nicolae_> oh, doesn't sound good :)
18:12:44 <bdpayne> so let's talk a little about the message security work
18:12:49 <bdpayne> #topic Message Queue Security
18:12:58 <bdpayne> There's a very active email thread in -dev this morning
18:13:06 <bdpayne> http://lists.openstack.org/pipermail/openstack-dev/2013-April/007916.html
18:13:15 <bdpayne> this is a proposal from Red Hat
18:13:26 <bdpayne> there was also a proposal by erindisch at the summit
18:13:34 <bdpayne> arg.. that's ewindisch
18:14:04 <bdpayne> I do agree with the notion that we should probably, as a community, decide on a single good path
18:14:07 <bdpayne> any thoughts?
18:14:11 <harlowja> http://lists.openstack.org/pipermail/openstack-dev/2013-April/thread.html#7916 also for the full thread
18:14:50 <harlowja> bdpayne i'd like to reach a comprimse of sorts, since i believe there won't be a 1 ideal solution, but that doesn't mean we can't agree on something :-p
18:15:03 <bdpayne> ewindisch what is your take?  I haven't had a chance to read the full thread
18:15:19 <ewindisch> The shared key solution is much more architecturally heavy, and the RedHat guys seem to gloss over that, imho. Basically, they suggest we take convenience over security, in some cases.
18:15:44 <ewindisch> and if we remove the convenience for more security, we get more architecturally heavy.
18:16:05 <ewindisch> that isn't necessarily a bad thing, but I feel they're a bit unwilling to admit it, at any rate.
18:16:18 <bdpayne> ok, fair point
18:16:33 <bdpayne> I feel like shared keys doesn't scale as well, which is basically what you're saying
18:16:39 <bdpayne> and cloud is really all about scale
18:16:52 <bdpayne> people are often scared of pki, but it has many benefits
18:17:58 <harlowja> a dev on our side had an interesting idea, about putting the control network in a vpn, securing that vpn, then leaving the rest of the stuff intact (and only opening the public url endpoints), but maybe thats different/not related
18:17:58 <bdpayne> well, I would encourage people to chime in on the Red Hat thread
18:18:24 <ewindisch> harlowja: I honestly think that is a different concern altogether.
18:18:26 <bdpayne> that's not a bad idea, but it solves a different set of security problems
18:18:31 <bdpayne> yeah, that
18:18:33 <bdpayne> :-)
18:18:46 <harlowja> ya, it sounded neat, haha
18:18:59 <bdpayne> also, ewindisch is your stuff available as a blueprint atm?
18:19:32 <ewindisch> bdpayne: very roughly. It doesn't have details. It should.
18:19:51 <bdpayne> given today's email thread, I wonder if it is time to flush it out
18:19:52 <ewindisch> I can take an AI to update the blueprint with a more concrete proposal
18:20:00 <bdpayne> and then have a discussion about pros and cons of each
18:20:05 <harlowja> i'd like that, i trust ewindisch with security more than i trust myself ;)
18:20:20 <bdpayne> ewindisch I'm happy to help you out, if that's useful
18:20:22 <harlowja> maybe nsavin u can help also
18:20:24 <bdpayne> just drop me a line
18:20:46 <ewindisch> bdpayne: I'd appreciate it.
18:20:54 <bdpayne> groovy
18:21:03 <bdpayne> ok, I have one more topic to discuss
18:21:24 <bdpayne> #topic OpenStack Security Configuration Guide
18:21:44 <bdpayne> so this is coming together but there are still some details to finalize
18:22:04 <harlowja> cool
18:22:10 <bdpayne> keith would have the latest, but I can give some updates
18:22:41 <bdpayne> basically, we are still looking for June
18:22:55 <bdpayne> the facilitator we wanted has a conflict with the first week in June
18:23:10 <bdpayne> so we are looking for either a difference facilitator, or a different week
18:23:17 <bdpayne> so that's in flux a bit
18:23:27 <bdpayne> location appears to be out in Maryland
18:23:35 <bdpayne> participation is at around 10 people or so
18:23:45 <bdpayne> I'd love to got some more OpenStack specific people
18:24:05 <bdpayne> which is to say we have a lot of security folks with a medium amount of OpenStack experience
18:24:20 <bdpayne> I'd like to complement that with OpenStack people that have a medium amount of security experience (or more)
18:24:36 <bdpayne> hopefully we'll have 2-3 more people that can be involved
18:24:51 <ewindisch> bdpayne: are you seeking volunteers, recommendations?
18:24:52 <bdpayne> commitment would be a full week out in Maryland sometime in June (likely 1st or 3rd week)
18:24:58 <bdpayne> seeking volunteers atm
18:25:11 <bdpayne> sorry, I'm not selling it well enough
18:25:13 <bdpayne> :-)
18:25:30 <harlowja> lol
18:25:32 <bdpayne> anyway, if you're interested, then drop me a line
18:25:38 <ewindisch> bdpayne: I'd have to check on time availability, but I'm interested.
18:25:43 <bdpayne> and I'll continue with more updates on this for future meetings
18:25:52 <bdpayne> ewindisch sounds good, I think you'd be an assest
18:25:57 <ewindisch> at any rate, I'm fairly local.
18:26:00 <bdpayne> or asset, as the case may be
18:26:04 <harlowja> hmmm, i'll chat with y! people here
18:26:17 <bdpayne> sounds great, thanks harlowja
18:26:17 <harlowja> can maybe volunteer one of them, haha
18:26:28 <bdpayne> #topic Open Discussion
18:26:33 <bdpayne> anything else for today?
18:26:41 <bdpayne> (we normally just run til 18030
18:26:50 <harlowja> live migration stuff, i can sumarrize what i remember
18:26:51 <bdpayne> *1830
18:26:54 <bdpayne> ok
18:27:11 <harlowja> i remember stuff like, can we have an intermediary give those keys out for only the duration of live migration (aka a orchestration layer) or can we eliminate the sharing of those keys entirely via some other mechanism (orchestration layer possibly establishing a secure tunnel for the live migration and telling the compute nodes to use said tunnel...)....
18:27:22 <Randy_Perryman> Need to read the list and find your Information on the Security Document
18:27:29 <harlowja> some kind of intermediary that connects the hypervisors for the duration of the live migration (And resize operation)
18:27:50 <harlowja> i think it came up in https://etherpad.openstack.org/HavanaUnifyMigrateAndLiveMigrate but nothing documented there
18:28:28 <harlowja> i can fire an email to the main dev thread, asking if we should at least document it somewhere
18:28:40 <bdpayne> ok, thanks for the details there… certainly worth collecting more info
18:29:06 <harlowja> def, i know at least at y! we don't want hypervisors talking to each other, so live migration is sorta hard in that case :-p
18:29:36 <harlowja> but an intermediary aiding that process might be acceptable
18:29:49 <harlowja> *hand-holding the hypervisors in a way, haha
18:30:01 <bdpayne> interesting
18:30:07 <bdpayne> ok, I think that's all for today
18:30:14 <bdpayne> thanks everyone… nice to see some new faces in here
18:30:18 <bdpayne> #endmeeting