18:01:26 <bdpayne> #startmeeting OpenStack Security Group
18:01:27 <openstack> Meeting started Thu Jun 6 18:01:26 2013 UTC. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:30 <openstack> The meeting name has been set to 'openstack_security_group'
18:01:42 <bdpayne> time for some security talk
18:01:49 <bdpayne> Bryan Payne from Nebula here
18:01:54 <bdpayne> who else do we have today?
18:02:21 <rellerreller> Nate from APL here
18:02:33 <randy_perryman> Randy Perryman from Dell here (finally)
18:02:34 <bdpayne> hi Nate
18:02:41 <bdpayne> ah, welcome Randy
18:03:18 <bdpayne> any items that you guys would like to discuss today?
18:03:37 <rellerreller> None from me
18:03:54 <randy_perryman> none from me
18:04:04 <bdpayne> well that's easy then :-)
18:04:16 <bdpayne> I have a few things, of course
18:04:50 <bdpayne> first a quick update on the upcoming doc sprint… we now have someone from APL joining in with the effort
18:05:29 <rellerreller> Yes, I was glad to hear that
18:05:44 <bdpayne> that rounds out the team, which also has people on it from Nebula, HP, RedHat, Intel, Paypal, Nicira, Rackspace, Cloudscaling, and Cloudpassage
18:06:10 <bdpayne> so, should be a really good group
18:06:21 <randy_perryman> Good mix of talent
18:06:54 <bdpayne> We say that the security impact tag on commits is working
18:07:02 <bdpayne> Thanks to the volume encryption commits from APL
18:07:14 <rellerreller> You're welcome
18:07:25 <bdpayne> rellerreller You guys getting the feedback you need with those patches?
18:07:48 <rellerreller> We are getting some. I'm getting back up to speed as I was out for 3 weeks.
18:07:59 <bdpayne> got it
18:08:00 <rellerreller> I need to check on that later today.
18:08:05 <bdpayne> ok
18:08:08 <bdpayne> I did review the code
18:08:14 <rellerreller> Thanks!
18:08:32 <bdpayne> It looked fine to me, but I didn't mark +1 b/c I'm not as familiar with those pieces of the system
18:08:53 <rellerreller> ok
18:08:59 <bdpayne> If you'd like me to be more vocal on it at some point, just let me know
18:09:10 <rellerreller> Will do
18:09:43 <bdpayne> Switching gears here...
18:09:57 <bdpayne> Rob couldn't join today, but asked that we discuss OSSNs
18:10:02 <bdpayne> these are the openstack security notes
18:10:30 <bdpayne> we have published a few… basically general guidance on best practices for security deployment
18:10:56 <bdpayne> Rob was interested in brainstorming some areas that we could discuss in future OSSNs
18:11:09 <bdpayne> any thoughts?
18:11:31 <bdpayne> For example, what are some common OS security misconfigurations that we could help steer people away from?
18:12:20 <bdpayne> for reference https://launchpad.net/ossn
18:12:27 <rellerreller> How is this different than the hardening guide?
18:12:35 <bdpayne> clearly related
18:13:06 <bdpayne> these will be more timely
18:13:12 <bdpayne> easier to push out quick advice as needed
18:13:19 <randy_perryman> My question would be how basic
18:13:25 <bdpayne> whereas the hardening guide will cover more long living issues
18:13:53 <randy_perryman> ie... ensuring the network configuration is correct, password security, etc...
18:14:07 <bdpayne> yeah, even the most simple things are probably useful
18:14:26 <bdpayne> esp if the best practices for cloud setup deviate from what you would do for a basic linux setup
18:14:53 <randy_perryman> right
18:14:56 <bdpayne> what network configurations would you guys typically suggest?
18:15:37 * bdpayne probes for information that might also be useful in the book :-)
18:15:54 <bdpayne> presuming that one shared network is bad
18:15:56 <randy_perryman> I was just thinking about on the Openstack admin guide "stories from the cr**t" - the one about the nova.conf having a misconfigured vlan
18:16:20 <bdpayne> ah, yeah
18:16:37 <randy_perryman> very basic
18:16:44 <bdpayne> so, right, I'm guessing that most people use vlans here
18:16:56 <randy_perryman> right
18:17:09 <bdpayne> physical separate networks could work too, but incurs more h/w cost
18:17:19 <bdpayne> and is ultimately less flexible
18:17:34 <bdpayne> but then vlan termination becomes something that matters
18:17:50 <bdpayne> anyway, I imagine that we'll touch on these things in the book
18:18:41 <bdpayne> for the OSSNs, if you are aware of deployment decisions that people are making that are wrong, but perhaps just easier
18:18:50 <bdpayne> …that could potentially be useful topics
18:18:56 <randy_perryman> Okay
18:19:12 <bdpayne> we also try to address things like configuring around security issues, if reasonable to do so
18:19:40 <bdpayne> for example, we had one on restricting header sizes for https requests
18:19:57 <randy_perryman> good point
18:20:22 <bdpayne> well, I'll leave it as an action item for us to be brainstorming such things
18:20:29 <bdpayne> #action Think about future OSSN topics
18:20:59 <bdpayne> ok… any other topics for discussion today?
18:21:26 <malini1> Any idea how the rpc encryption is going ?
18:21:41 <bdpayne> hi malini1 :-)
18:21:46 <malini1> :-)
18:21:59 <bdpayne> I have not been tracking those discussions, unfortunately
18:22:07 <bdpayne> anyone else aware of the rpc work?
18:22:29 <bdpayne> @ewindisch you around?
18:23:04 <ewindisch> hello
18:23:09 <bdpayne> hi!
18:23:17 <bdpayne> we were just curious where the rpc security work has landed
18:23:24 <bdpayne> still moving forward or ??
18:24:01 <ewindisch> bdpayne: good question...
18:24:55 <malini1> I https://review.openstack.org/#/c/28154/
18:25:03 <malini1> one review from Simo
18:25:32 <ewindisch> I've been otherwise occupied since the overall community support seems to be around Simo - and I'm plenty busy enough as is.
18:25:52 <bdpayne> ok, I hadn't been following it that much
18:25:59 <bdpayne> so community took Simo's path?
18:26:02 <malini1> :-) Ah! I was wondering, because at the summit you presented and had not heard more from you on the mailing list
18:26:03 <bdpayne> looks like the PR is up there
18:26:05 <ewindisch> but I should really work on a formal proposal for a CMS based solution
18:26:38 <bdpayne> yeah, that'd be nice
18:26:50 <bdpayne> I'll check out that review for Simo's work too
18:26:53 <malini1> Simo at one point was talking to the key manager folks and did not want to introduce yet another service into the path
18:26:57 <ewindisch> bdpayne: I'd rather not log all my thoughts into meetingbot… :)
18:27:09 <bdpayne> thanks ewindisch
18:27:29 <bdpayne> ewindisch happy to chat in PM sometime if you'd like
18:27:46 <ewindisch> sure - and we can chat when I see you later this month
18:27:52 <bdpayne> indeed
18:27:56 <malini1> i too would like to learn more about your CMS
18:28:06 <malini1> great
18:28:15 <bdpayne> ok, anything else for today?
18:28:32 <malini1> i shall be out for two weeks, take care and fun summer
18:28:46 <bdpayne> have a nice trip malini1
18:28:49 <ewindisch> not really. I have a patch outstanding to do safe_log for ZeroMQ - passwords and tokens are leaking into logs at present
18:29:08 <bdpayne> fun
18:29:32 <bdpayne> I'm going to send a message to dev, but you should put "securityimpact" in the commit message for such things
18:29:41 <malini1> keystone introduced a decorator to silence all things password with a fixed number of *
18:29:47 <bdpayne> that will help keep the security community engaged with reviewing such things
18:30:03 <ewindisch> bdpayne: will do. It is linked to a bug which is pretty clear in the impact
18:30:25 <bdpayne> yeah, but that tag will send an email to the security list :-)
18:30:48 <malini1> :-) that tag is powerful, wakes folks up
18:30:54 <bdpayne> ha
18:31:03 <bdpayne> ok, thanks everyone… have a great week
18:31:08 <bdpayne> #endmeeting