18:10:57 #startmeeting OpenStack Security Group
18:10:58 Meeting started Thu Apr 25 18:10:57 2013 UTC. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:10:59 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:11:01 The meeting name has been set to 'openstack_security_group'
18:11:27 I'll need to check the conference sessions to find the live migration stuff
18:11:47 live migrations depend on an ssh key
18:11:49 may be an etherpad
18:12:08 I know that I've spoken with Vish about this stuff a bit as well
18:12:10 either every compute node has every other machine's public key, or they just share a private key.
18:12:19 good times :-)
18:12:22 ya, so the general problem is as ewindisch says
18:12:25 oh, doesn't sound good :)
18:12:44 so let's talk a little about the message security work
18:12:49 #topic Message Queue Security
18:12:58 There's a very active email thread in -dev this morning
18:13:06 http://lists.openstack.org/pipermail/openstack-dev/2013-April/007916.html
18:13:15 this is a proposal from Red Hat
18:13:26 there was also a proposal by erindisch at the summit
18:13:34 arg.. that's ewindisch
18:14:04 I do agree with the notion that we should probably, as a community, decide on a single good path
18:14:07 any thoughts?
18:14:11 http://lists.openstack.org/pipermail/openstack-dev/2013-April/thread.html#7916 also for the full thread
18:14:50 bdpayne i'd like to reach a compromise of sorts, since i believe there won't be a 1 ideal solution, but that doesn't mean we can't agree on something :-p
18:15:03 ewindisch what is your take? I haven't had a chance to read the full thread
18:15:19 The shared key solution is much more architecturally heavy, and the RedHat guys seem to gloss over that, imho. Basically, they suggest we take convenience over security, in some cases.
18:15:44 and if we remove the convenience for more security, we get more architecturally heavy.
18:16:05 that isn't necessarily a bad thing, but I feel they're a bit unwilling to admit it, at any rate.
18:16:18 ok, fair point
18:16:33 I feel like shared keys doesn't scale as well, which is basically what you're saying
18:16:39 and cloud is really all about scale
18:16:52 people are often scared of pki, but it has many benefits
18:17:58 a dev on our side had an interesting idea, about putting the control network in a vpn, securing that vpn, then leaving the rest of the stuff intact (and only opening the public url endpoints), but maybe that's different/not related
18:17:58 well, I would encourage people to chime in on the Red Hat thread
18:18:24 harlowja: I honestly think that is a different concern altogether.
18:18:26 that's not a bad idea, but it solves a different set of security problems
18:18:31 yeah, that
18:18:33 :-)
18:18:46 ya, it sounded neat, haha
18:18:59 also, ewindisch is your stuff available as a blueprint atm?
18:19:32 bdpayne: very roughly. It doesn't have details. It should.
18:19:51 given today's email thread, I wonder if it is time to flesh it out
18:19:52 I can take an AI to update the blueprint with a more concrete proposal
18:20:00 and then have a discussion about pros and cons of each
18:20:05 i'd like that, i trust ewindisch with security more than i trust myself ;)
18:20:20 ewindisch I'm happy to help you out, if that's useful
18:20:22 maybe nsavin u can help also
18:20:24 just drop me a line
18:20:46 bdpayne: I'd appreciate it.
18:20:54 groovy
18:21:03 ok, I have one more topic to discuss
18:21:24 #topic OpenStack Security Configuration Guide
18:21:44 so this is coming together but there are still some details to finalize
18:22:04 cool
18:22:10 keith would have the latest, but I can give some updates
18:22:41 basically, we are still looking for June
18:22:55 the facilitator we wanted has a conflict with the first week in June
18:23:10 so we are looking for either a different facilitator, or a different week
18:23:17 so that's in flux a bit
18:23:27 location appears to be out in Maryland
18:23:35 participation is at around 10 people or so
18:23:45 I'd love to get some more OpenStack specific people
18:24:05 which is to say we have a lot of security folks with a medium amount of OpenStack experience
18:24:20 I'd like to complement that with OpenStack people that have a medium amount of security experience (or more)
18:24:36 hopefully we'll have 2-3 more people that can be involved
18:24:51 bdpayne: are you seeking volunteers, recommendations?
18:24:52 commitment would be a full week out in Maryland sometime in June (likely 1st or 3rd week)
18:24:58 seeking volunteers atm
18:25:11 sorry, I'm not selling it well enough
18:25:13 :-)
18:25:30 lol
18:25:32 anyway, if you're interested, then drop me a line
18:25:38 bdpayne: I'd have to check on time availability, but I'm interested.
18:25:43 and I'll continue with more updates on this for future meetings
18:25:52 ewindisch sounds good, I think you'd be an assest
18:25:57 at any rate, I'm fairly local.
18:26:00 or asset, as the case may be
18:26:04 hmmm, i'll chat with y! people here
18:26:17 sounds great, thanks harlowja
18:26:17 can maybe volunteer one of them, haha
18:26:28 #topic Open Discussion
18:26:33 anything else for today?
18:26:41 (we normally just run til 18030
18:26:50 live migration stuff, i can summarize what i remember
18:26:51 *1830
18:26:54 ok
18:27:11 i remember stuff like, can we have an intermediary give those keys out for only the duration of live migration (aka an orchestration layer) or can we eliminate the sharing of those keys entirely via some other mechanism (orchestration layer possibly establishing a secure tunnel for the live migration and telling the compute nodes to use said tunnel...)....
18:27:22 Need to read the list and find your information on the Security Document
18:27:29 some kind of intermediary that connects the hypervisors for the duration of the live migration (and resize operation)
18:27:50 i think it came up in https://etherpad.openstack.org/HavanaUnifyMigrateAndLiveMigrate but nothing documented there
18:28:28 i can fire an email to the main dev thread, asking if we should at least document it somewhere
18:28:40 ok, thanks for the details there... certainly worth collecting more info
18:29:06 def, i know at least at y! we don't want hypervisors talking to each other, so live migration is sorta hard in that case :-p
18:29:36 but an intermediary aiding that process might be acceptable
18:29:49 *hand-holding the hypervisors in a way, haha
18:30:01 interesting
18:30:07 ok, I think that's all for today
18:30:14 thanks everyone... nice to see some new faces in here
18:30:18 #endmeeting