18:00:15 <bdpayne> #startmeeting OpenStack Security Group
18:00:16 <openstack> Meeting started Thu Jul 11 18:00:15 2013 UTC. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:17 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:19 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:29 <bdpayne> good morning security group
18:00:40 <nicolae__> Good evening :-)
18:00:45 <bdpayne> :-)
18:01:02 <bdpayne> we've taken a few weeks off here, and I'm hoping to ramp things up again
18:01:10 <bdpayne> so lots to discuss today
18:01:21 <bdpayne> first, who do we have in the meeting?
18:01:30 <bdpayne> Bryan from Nebula here
18:01:31 <rlp> Good Afternoon
18:01:36 <rlp> Randy Perryman from Dell
18:02:04 <bdpayne> hi randy
18:02:08 <nicolae__> Nicolae, sics
18:02:29 <bdpayne> ok, great
18:02:37 <bdpayne> I'm sure others will join in as we go along too
18:02:43 <bdpayne> #topic Announcements
18:03:16 <bdpayne> First, I wanted to make sure that everyone is aware of the mailing list
18:03:17 <bdpayne> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
18:03:45 <bdpayne> This is where security related announcements go, along with notifications about OpenStack bugs that need security team review
18:04:00 <bdpayne> also a fine place for security discussion
18:04:12 <bdpayne> I'd encourage everyone in OSSG to join that list
18:04:58 <bdpayne> Also, Rob put together the initial pieces for a security wiki web page
18:04:59 <bdpayne> https://wiki.openstack.org/wiki/Security
18:05:14 <rlp> ty
18:05:34 <bdpayne> I'd like to build this out to be a nice landing page for people interested in openstack security
18:06:00 <bdpayne> and then perhaps have a subpage that is full of suggestions for people wanting to get involved in OSSG
18:06:17 <bdpayne> nicolae__ said he could help with this
18:06:20 <bdpayne> right?
:-)
18:07:06 <bdpayne> #action nicolae__ to help fill out the wiki pages
18:07:07 <nicolae__> Right :)
18:07:34 <bdpayne> #topic Security Guide
18:08:03 <bdpayne> If you haven't heard the news yet, the security guide book sprint was a big success
18:08:05 <bdpayne> http://docs.openstack.org/sec/
18:08:28 <bdpayne> We'll be getting a pdf and html up there shortly
18:08:39 <rlp> thanks
18:08:48 <rlp> I just saw this and now to read...
18:08:53 <bdpayne> This was really a huge effort by a great team of people
18:09:00 <bdpayne> I think it's a great first cut
18:09:08 <bdpayne> But there's plenty of places where it can be improved
18:09:28 <bdpayne> So I would encourage others to contribute back to the guide... anything from grammatical edits to new chapters
18:09:30 <bdpayne> https://github.com/openstack/openstack-manuals/tree/master/doc/src/docbkx/openstack-security-guide
18:09:49 <bdpayne> ^^ The book is in docbook source and held in that github repo ^^
18:09:50 <uvirtbot> bdpayne: Error: "^" is not a valid command.
18:09:59 <bdpayne> sorry about that bot
18:10:23 <bdpayne> any questions about the book?
18:11:32 <bdpayne> ok, I'll push ahead
18:11:44 <bdpayne> #topic Reviewing open security issues
18:11:56 <bdpayne> So there's a lot of code that needs security reviews
18:12:06 <bdpayne> The mailing list is a great way to get plugged into this
18:12:43 <bdpayne> But I wanted to call to the attention of the group here some specific itema
18:12:49 <bdpayne> s/itema/items/
18:13:08 <bdpayne> the APL team (who couldn't make the meeting today) have done a lot of work on Volume encryption
18:13:14 <bdpayne> and this work is ready for review now
18:13:28 <bdpayne> unfortunately, they haven't been getting as many eyes as they would like
18:13:36 <bdpayne> https://review.openstack.org/#/c/30973/
18:13:42 <bdpayne> https://review.openstack.org/#/c/30974/
18:13:47 <bdpayne> https://review.openstack.org/#/c/30976/
18:13:51 <bdpayne> There's the links
18:14:04 <bdpayne> I would encourage people to spend some time reviewing those
18:15:03 <bdpayne> You can find other things that need review by checking the security mailing list archives and/or by searching the various projects for security tags
18:15:23 <bdpayne> list archives are here http://lists.openstack.org/pipermail/openstack-security/
18:15:48 <bdpayne> security tagged items look like: https://bugs.launchpad.net/keystone/+bugs?field.tag=security
18:15:57 <bdpayne> similar link for other projects
18:16:10 <bdpayne> for example
18:16:12 <bdpayne> https://bugs.launchpad.net/keystone/+bugs?field.tag=security
18:16:43 <bdpayne> for OSSG members that want to get involved with code-level contributions, this is a great place to get started
18:17:05 <bdpayne> any questions about these?
18:17:44 <bdpayne> you guys are quiet today :-)
18:17:53 <bdpayne> ok, pushing forward
18:17:53 <rlp> :)
18:18:14 <bdpayne> #topic Ongoing security projects
18:18:29 <bdpayne> There's a few ongoing projects to mention
18:18:45 <bdpayne> Unfortunately, the people with knowledge on the current status aren't here today
18:19:05 <bdpayne> There's the volume encryption work that I mentioned above
18:19:12 <bdpayne> There's also work on a key manager
18:19:41 <malini1> Greetings, sorry to join late
18:19:47 <bdpayne> contacts for the key manager work include Jerret Raim (Rackspace) and malini1
18:20:03 <bdpayne> nice timing malini1 :-) care to give an update on the key manager work?
18:20:55 <malini1> going well, very few bugs left
18:21:04 <bdpayne> on track for H?
18:21:11 <malini1> the thing that concerns me more is no reviews of the volume encryption patches
18:21:11 <bdpayne> need any review eyes or ??
18:21:24 <bdpayne> fair... so let's focus resources there
18:21:37 <malini1> absolutely need review eyes, those are languishing and they are the proof of the pudding
18:21:56 <bdpayne> sounds good
18:22:11 <malini1> there are 3 a-- all by joel C
18:22:22 <bdpayne> yeah, I've got links above
18:22:29 <bdpayne> so they will be in the meeting transcripts
18:22:53 <malini1> :-)
18:23:00 <bdpayne> other thing worth mentioning in ongoing work is something that came out of the book sprint
18:23:17 <bdpayne> while writing the book, the team captured a variety of security shortcomings in openstack
18:23:42 <bdpayne> I'll be working with the book sprint team to triage these and figure out how to handle each one
18:24:02 <bdpayne> These will end up as a collection of blueprints, bugs, security notes, etc
18:24:09 <malini1> and a thought on libvirt connection, there is readonly mode which does not need credentials and one which needs credentials
18:24:13 <bdpayne> so be watching here for updates on those in the coming weeks
18:24:29 <malini1> it can be a pain to prompt and provide, but should this be something that is enforced
18:24:50 <bdpayne> malini1 perhaps a worthwhile OSSN?
18:25:02 <bdpayne> would you like to work with Rob on that?
18:25:03 <malini1> a use case of libvirt connection is to obtain stats on cpu usage
18:25:12 <malini1> sure
18:26:45 <bdpayne> #action malini1 to work with Rob on OSSN for libvirt authentication best practices
18:27:08 <bdpayne> #action bdpayne to work with book sprint team to push out security issues identified during the sprint
18:27:19 <bdpayne> #topic Open Discussion
18:27:29 <bdpayne> that's all I have for today... anything else that people would like to discuss?
18:27:35 <malini1> BTW -- there is a pitch for geo tagging in NIST .. something to watch
18:27:46 <bdpayne> link?
18:27:50 <malini1> one second
18:28:03 <malini1> http://csrc.nist.gov/groups/SMA/forum/documents/april2013presentations/forum_april_11_2013_bartock.pdf http://csrc.nist.gov/publications/drafts/ir7904/draft_nistir_7904.pdf
18:28:16 <malini1> it is all fluffy right now, nothing implemented
18:28:24 <bdpayne> interesting
18:28:26 <bdpayne> what's the goal there?
18:28:33 <bdpayne> to know where the cloud resources are located?
18:28:33 <malini1> basically folks want to control where their payload runs, where their data is stored to meet
18:28:38 <malini1> regulation requirements
18:28:46 <bdpayne> makes sense
18:28:59 <malini1> to truly know where machine is located needs GPS (which will not work in a bunker somewhere)
18:29:14 <malini1> also those GPS co-ordinates have to be mapped to a country
18:29:42 <malini1> and sub-area (say embassy in a foreign land or in international airspace or waters) which may not be an issue
18:29:46 <malini1> for data center
18:30:20 <malini1> and all server chips today do not have GPS while phones etc do
18:30:34 <malini1> may have to trust admin who deploys machine
18:30:42 <bdpayne> ok, thanks for the pointer
18:30:47 <bdpayne> that's all we have time for today
18:30:50 <malini1> to certify where it is located, and sign it
18:30:58 <nicolae__> There were some research publications on this topic too, don't have the links right now, can send them if interested
18:31:11 <malini1> please do, thanks
18:31:14 <bdpayne> sure, perhaps start a thread on the security mailing list
18:31:23 <nicolae__> Ok, will do
18:31:27 <bdpayne> thanks
18:31:36 <bdpayne> have a great week everyone
18:31:40 <malini1> bye
18:31:41 <bdpayne> #endmeeting