17:02:32 <hyakuhei> #startmeeting openstack security group
17:02:34 <openstack> Meeting started Thu Mar 5 17:02:32 2015 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:35 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:37 <openstack> The meeting name has been set to 'openstack_security_group'
17:02:40 <hyakuhei> Hi All!
17:02:48 <sicarie> hello!
17:02:51 <redrobot> ohai!
17:03:07 <ukbelch> Hola!
17:03:18 <bpb_> hey
17:03:21 <ljfisher> hi
17:03:32 <fletcher_> greetings
17:03:44 <elmiko> salutations
17:03:49 <nkinder> hi all
17:03:54 <hyakuhei> nkinder: you’re alive!
17:04:12 <tmcpeak> nkinder: welcome back
17:04:43 <dwyde> howdy
17:04:50 <hyakuhei> Looks like a good crowd
17:05:03 <hyakuhei> Agenda items:
17:05:03 <nkinder> hyakuhei, tmcpeak: thanks!
17:05:08 <hyakuhei> Summit
17:05:09 <hyakuhei> OSSN
17:05:13 <hyakuhei> Anchor
17:05:18 <nkinder> finally don't have a meeting conflict
17:05:19 <tmcpeak> Bandit
17:05:32 * bdpayne arrives in the nick of time
17:05:39 <hyakuhei> Thank god!
17:06:29 <hyakuhei> Any more agenda items?
17:06:46 <hyakuhei> Maybe we should put ‘agenda’ on the agenda :)
17:06:55 <nkinder> SSL gate
17:06:59 <hyakuhei> We should consider using the wiki for it like Barbican, Keystone and others.
17:07:01 <nkinder> or TLS gate...
17:07:04 <hyakuhei> Excellent
17:07:12 <hyakuhei> ok let's start then, lots to go through
17:07:18 <hyakuhei> #topic summit
17:07:51 <hyakuhei> There’s a lot of great security content this year, running all week! It might make it hard to organise an OSSG meetup that everyone can attend
17:08:14 <dave-mccowan> o/
17:08:35 <elmiko> have they announced the accepted talks yet?
17:08:39 <hyakuhei> No
17:08:39 <nkinder> yeah, a meetup always seems difficult
17:08:46 <hyakuhei> Track chairs are busy shaping things
17:09:08 <hyakuhei> Which this year includes myself and bdpayne
17:09:22 <ukbelch> congrats guys :)
17:09:30 <bknudson> how many slots?
17:09:46 <hyakuhei> 15!
17:09:48 <bdpayne> ~15
17:09:51 <nkinder> wow
17:10:02 <hyakuhei> I know, my constant bitching must be wearing them down
17:10:13 <elmiko> hehe, very nice
17:10:15 <hyakuhei> We’ve come a long way from Hong Kong, that’s for sure
17:10:30 <bdpayne> and I think there are around 60 submissions
17:10:40 <bdpayne> so we should be able to put together a nice security track
17:10:48 <elmiko> cool
17:10:50 <hyakuhei> ok so yes, I’ll be trying to get us some proper space for the OSSG, design summit time for bandit and anchor too if possible
17:10:59 <hyakuhei> Yeah it’s going to be great, I’m really excited about it
17:11:07 <tmcpeak> that would be awesome
17:11:18 <hyakuhei> ok let's roll onto the next item, OSSN
17:11:21 <hyakuhei> #topic OSSN
17:11:23 <tmcpeak> how feasible is it for me to teleconference in some way for the bandit design summit?
17:11:32 <nkinder> tmcpeak: pretty difficult...
17:11:42 <hyakuhei> yeah design summits are hectic
17:11:42 <tmcpeak> ahh ok, you guys can hold it down :)
17:11:49 <hyakuhei> If you’re not there best to act as a remote reviewer
17:11:57 <hyakuhei> possibly or something similar
17:11:59 <hyakuhei> anyway - OSSN
17:12:04 <hyakuhei> nkinder: fancy giving an overview?
17:12:10 <nkinder> Sure
17:12:11 <hyakuhei> I see a few in the queue recently
17:12:27 <nkinder> There have been a few published recently, and the queue has about 7-8 IIRC
17:12:51 <nkinder> A few are pretty old...
17:13:18 <nkinder> Some are assigned and marked "in progress"
17:13:22 <hyakuhei> Is it worth having a push on the old ones?
17:13:28 <nkinder> I'd like to see if they need to be freed up for others to take
17:13:29 <hyakuhei> tmcpeak: loves writing OSSNs … :D
17:13:33 <nkinder> so, https://bugs.launchpad.net/ossn/+bug/1163569
17:13:34 <openstack> Launchpad bug 1163569 in OpenStack Security Notes "security groups don't work with vip and ovs plugin" [High,In progress] - Assigned to Steven Weston (steve.weston)
17:13:40 <tmcpeak> lol, he does?
17:13:43 <hyakuhei> nkinder: +1
17:13:54 <hyakuhei> Yeah didn’t that go through a round of review then stall out completely?
17:14:06 <hyakuhei> Was Doug’s originally too I think
17:14:30 <nkinder> hyakuhei: I don't see a submitted OSSN review in the LP
17:14:44 <hyakuhei> Maybe I’m confusing it with another one, I’ll check my backlog
17:14:44 <nkinder> The cinder bug says Fix Released for this as well
17:15:43 <hyakuhei> Cinder has a fix for an OVS/vip issue?
17:15:53 <tmcpeak> yeah, I'm confused
17:16:03 <nkinder> well, the LP says fixed at least. Not sure if it's really a fix.
17:16:10 <nkinder> sorry, mixing up links
17:16:12 <tmcpeak> nkinder: you sure we're talking about the same?
17:16:16 <hyakuhei> so sweston isn’t here I’m guessing?
17:16:30 <nkinder> https://bugs.launchpad.net/ossn/+bug/1329214 is the other stalled cinder one
17:16:31 <openstack> Launchpad bug 1329214 in OpenStack Security Notes "tgtadm iscsi chap does not work" [Undecided,In progress] - Assigned to Steven Weston (steve.weston)
17:16:46 <tmcpeak> pinged him in #openstack-security
17:16:57 <sweston> here now
17:17:11 <sweston> "if you ping I will be there"
17:17:32 <hyakuhei> :D
17:17:33 <sweston> hehe, yes not sure what to do with this one
17:17:39 <nkinder> sweston: hey, we were wondering about the status of a couple of your OSSN bugs
17:17:54 <nkinder> https://bugs.launchpad.net/ossn/+bug/1329214
17:17:55 <openstack> Launchpad bug 1329214 in OpenStack Security Notes "tgtadm iscsi chap does not work" [Undecided,In progress] - Assigned to Steven Weston (steve.weston)
17:18:04 <nkinder> https://bugs.launchpad.net/ossn/+bug/1163569
17:18:05 <openstack> Launchpad bug 1163569 in OpenStack Security Notes "security groups don't work with vip and ovs plugin" [High,In progress] - Assigned to Steven Weston (steve.weston)
17:18:09 <sweston> nkinder: yes, I need to close these out
17:18:33 <nkinder> sweston: are you blocked on anything, or is it just getting time?
17:19:24 <sweston> on the first one, need to complete verification. but yes, mostly time
17:20:01 <sweston> I will put a few hours into these bugs tomorrow, and ping with any questions
17:20:05 <nkinder> ok, understandable :)
17:20:22 <nkinder> I'm guilty myself with https://bugs.launchpad.net/ossn/+bug/1390124
17:20:24 <openstack> Launchpad bug 1390124 in OpenStack Security Notes "No validation between client's IdP and Keystone IdP" [Undecided,In progress] - Assigned to Nathan Kinder (nkinder)
17:20:37 <nkinder> I'll work on getting a draft before next week's meeting
17:20:45 <sweston> ok :-) yay, I'm not the only one, hehe
17:20:48 <hyakuhei> That’d be great!
17:21:01 <nkinder> There are 4 others up for grabs here - https://bugs.launchpad.net/ossn/
17:21:12 <hyakuhei> Are there any more ‘entry-level’ OSSNs that might stand out for newer members to have a try at?
17:21:23 <nkinder> some look pretty easy at first glance
17:21:43 <tmcpeak> I'd say this one? https://bugs.launchpad.net/ossn/+bug/1401170
17:21:44 <openstack> Launchpad bug 1401170 in Glance "0-size images allow unprivileged user to deplete glance resources" [Undecided,In progress] - Assigned to Stuart McLaren (stuart-mclaren)
17:21:47 <nkinder> the pecan one for example
17:22:13 <hyakuhei> Yeah the pecan one looks good
17:22:17 <hyakuhei> I’ve grabbed one too
17:22:22 <nkinder> OSSNs are a great way to achieve fame and glory! (...or so I'm told)
17:22:43 <hyakuhei> All the glory!
17:22:46 <tmcpeak> the first one I wrote came up in an internal company discussion yesterday :D
17:22:54 <hyakuhei> Awesome, thanks for the summary nkinder
17:23:06 <bknudson> do you get ATC for an OSSN?
17:23:07 <hyakuhei> Any more to discuss on OSSN?
17:23:11 <hyakuhei> bknudson: yes.
17:23:17 <bknudson> that's 600 bucks.
17:23:25 <hyakuhei> Heh true
17:23:51 <nkinder> Yep!
17:24:05 <hyakuhei> cool
17:24:07 <nkinder> Nothing else on OSSNs
17:24:11 <hyakuhei> #topic Anchor
17:24:43 <hyakuhei> Just a quick heads up, we’ve done a bunch more work on this recently, lots of refactoring and introduction of sanity :) we’re looking for reviews/contributors
17:25:30 <bdpayne> cool!
17:25:34 <bdpayne> can you provide a quick overview of the recent work?
17:26:00 <hyakuhei> Sure
17:26:17 <hyakuhei> So Doug landed a patch that moved us over to JSON configs as you know from all your help bdpayne
17:26:28 <bdpayne> :-)
17:26:44 <hyakuhei> That kind-of broke functionality a bit, tkelsey has a patch in flight to fix that, a combination of mine and Doug's work as well as his
17:26:45 <fletcher_> hyakuhei: can you also provide a very brief description of Anchor so potentially new contributors (read: me) can gauge interest?
17:26:54 <hyakuhei> We’ve added a bunch of unit tests
17:26:56 <tkelsey> heh yeah
17:26:58 <fletcher_> I looked it up, but it's a wall of text :)
17:27:04 <tkelsey> I'm actually adding functional tests right now
17:27:08 <hyakuhei> Sorry, sure fletcher_
17:27:40 <hyakuhei> Anchor is an Ephemeral PKI platform. It provides some easy ways to do PKI and in some configurations can provide you with strong assurance
17:27:51 <fletcher_> Ah ok, yah, that's right
17:27:58 <hyakuhei> :)
17:27:59 <fletcher_> we talked about it at the meetup
17:28:04 <hyakuhei> Yeah
17:28:32 <hyakuhei> So lots of unit tests (more to come) but going in the right direction :)
17:29:05 <hyakuhei> #topic Bandit
17:29:14 <hyakuhei> tmcpeak et al
17:29:16 <tmcpeak> there has been a flurry of development work on Bandit
17:29:16 <fletcher_> I'm interested in helping, although I don't have any experience with that sort of thing. anyways, sorry for the interruption
17:29:30 <fletcher_> hyakuhei ^
17:29:47 <tmcpeak> notably check-ins from David Wyde, fletcher, belch
17:29:56 <hyakuhei> fletcher_: awesome :)
17:29:56 <tmcpeak> ljfisher
17:30:03 <tmcpeak> browne
17:30:05 <tmcpeak> chair6
17:30:16 <tmcpeak> I think I'm missing one
17:30:26 <tmcpeak> anyway tons of great check-ins
17:30:28 <tmcpeak> keep them coming!
17:30:30 <hyakuhei> :D
17:30:44 <tmcpeak> the other thing that happened this week was I attended the Keystone meeting to intro Bandit
17:30:50 <ukbelch> it's worth mentioning that the change I pushed was a pretty considerable one. When you guys run it against stuff, keep an eye out for any oddities and file bugs
17:30:51 <tmcpeak> bknudson set that up
17:30:53 <fletcher_> fwiw, the changes we've made have gone a long way in the CI efforts here, so I really appreciate everyone's help reviewing and committing things!
17:31:11 <tmcpeak> yeah, I'm amazed with the participation level in Bandit now
17:31:26 <tmcpeak> have tons of great devs doing great things, I spend at least an hour a day now on just reviews
17:31:28 <tmcpeak> which is awesome
17:31:44 <fletcher_> we'll be publicizing bandit via technical blog posts too
17:31:53 <tmcpeak> fletcher_: oooh ++
17:31:53 <bknudson> I think we got good support from the rest of the keystone team to get bandit running on keystone code.
17:32:05 <tmcpeak> bknudson: can you give an overview of the Bandit keystone intro please?
17:32:07 <bknudson> so, no pushback there.
17:32:11 <ljfisher> I’m impressed with the good reception
17:32:17 <ukbelch> I have some plans for next-steps with regards to the contextual awareness, which may lead to first-steps in flow analysis, but that's a bit down the road
17:32:30 <bknudson> they had some concerns about whether bandit was going to expose potential security vulnerabilities
17:32:47 <fletcher_> lol wut, that's the whole purpose right?
17:32:49 <ukbelch> they didn't want it to? :)
17:33:11 <bknudson> well, they don't want it to be the first thing exposing an existing horrible bug.
17:33:23 <tmcpeak> this is a good point
17:33:37 <fletcher_> Is bandit being run in a public forum?
17:33:40 <tmcpeak> I spoke to ljfisher about it, we're thinking we should implement something to scan OpenStack projects when we implement a new test
17:33:44 <nkinder> manually running it should help with that then
17:33:48 <tmcpeak> to make sure we aren't dropping 0 days or something
17:33:48 <bknudson> yes, the results will be totally public.
17:33:50 <nkinder> fletcher_: yes, CI results are public
17:33:59 <ukbelch> well, if it's exposing them, then obviously they have failed to find them thus far...
17:34:01 <nkinder> ...but anyone can just run it and find issues themselves too
17:34:08 <hyakuhei> bknudson: But in the gate it’ll be checking new code
17:34:10 <tmcpeak> nkinder: yeah, that's pretty much the stand I took
17:34:17 <hyakuhei> So finding a 0day before it’s merged should be ok right :)
17:34:19 <nkinder> I get their point though. Just run it privately first to see what it reports
17:34:21 <fletcher_> what hyakuhei said
17:34:24 <ljfisher> we should at least think about what to do before adding new tests in Bandit if they expose serious bugs
17:34:30 <ukbelch> sticking their heads in the sand doesn't protect them from 0day lol
17:34:30 <tmcpeak> yeah, I can see both sides
17:34:33 <nkinder> Once it's in CI with a clean baseline, it will keep new issues out of committed code
17:34:38 <hyakuhei> yeah
17:34:50 <tmcpeak> I also made a sensible profile for Keystone to use
17:34:54 <ljfisher> we are on a touchy line
17:34:58 <tmcpeak> that includes our solid tests, but removes some of the noisy ones
17:35:00 <hyakuhei> You’re going to want to go through a round of quickfixes to make it play nice in the gate anyway I think
17:35:12 <hyakuhei> This is very exciting
17:35:17 <tmcpeak> yeah, we're very close
17:35:24 <hyakuhei> We should also put Bandit in the Anchor gate :)
17:35:24 <tmcpeak> and they are excited to use it
17:35:31 <tmcpeak> hyakuhei: +1
17:35:33 <tmcpeak> that would be awesome
17:35:40 <bknudson> so we need it in pypi
17:35:41 <tmcpeak> we should put Bandit in the bandit gate too
17:35:54 <fletcher_> I've talked with the creator of PyPi about it
17:35:54 <tmcpeak> bknudson: yeah, I was just waiting for the flurry to die down
17:35:54 <ljfisher> yes :)
17:35:55 <fletcher_> he seems open
17:35:57 <bknudson> then I can update my keystone job
17:35:59 <hyakuhei> Are they likely to add Bandit (with a stronger set of profiles) to the Keystone run_tests scripts that devs can run locally?
17:36:13 <bknudson> then I or someone can update infra to run it.
17:36:26 <tmcpeak> hyakuhei: we didn't discuss that
17:36:26 <bknudson> then we can all party.
17:36:29 <fletcher_> oh, you mean Bandit in PyPi. I meant running bandit on all things in PyPi
17:36:40 <tmcpeak> fletcher_: lol, that would be… interesting
17:36:50 <hyakuhei> fletcher_: I like your ambition :D
17:36:54 <elmiko> lol
17:37:10 <tmcpeak> finally, ljfisher and I moved our TODO section from the wiki to proper launchpad blueprints
17:37:28 <hyakuhei> Any more on Bandit?
17:37:30 <tmcpeak> and did a little bug pruning
17:37:33 <tmcpeak> nope, should be good
17:37:39 <ukbelch> it may be worth considering grouping tests some way, so it's possible to select test-sets
17:37:54 <tmcpeak> ukbelch: sure, let's synch after
17:38:27 <hyakuhei> Great
17:38:38 <hyakuhei> nkinder: want to talk about the TLS gate you mentioned?
17:38:42 <hyakuhei> #topic TLS Gate
17:38:42 <nkinder> Sure
17:39:07 <nkinder> A lot of groundwork has been laid by rcrit for making TLS gate tests possible
17:39:24 <nkinder> He's been able to run the entire set of gate jobs with TLS enabled for all services
17:39:29 <nkinder> ...all passing
17:39:35 <hyakuhei> Wow that's great!
17:39:39 <bknudson> devstack?
17:39:47 <nkinder> Patches for everything are in aside from just proposing the gate job
17:39:49 <nkinder> bknudson: yes
17:40:04 <tmcpeak> what do you mean by TLS gate tests?
17:40:30 <nkinder> tmcpeak: Enabling TLS for all openstack services (as deployed by devstack), then running the full gate suite that exists today
17:40:37 <nkinder> Today, TLS isn't enabled for anything
17:40:38 <tmcpeak> wow
17:40:41 <bknudson> TLS-only
17:40:45 <rcrit> I've tested with the smoke tests so far
17:40:49 <bknudson> right?
17:40:50 <nkinder> ...and devs constantly break TLS
17:40:54 <tmcpeak> that's awesome
17:41:11 <elmiko> yea, very cool
17:41:26 <nkinder> bknudson: yes, no http AFAIK (rcrit can confirm)
17:41:26 <hyakuhei> I’d like to know more about the tests
17:41:43 <ljfisher> is there a way we could run the TLS grading tests, like what Qualys put up, on this
17:41:43 <rcrit> it just runs tempest against a set of secure servers
17:41:49 <bknudson> hyakuhei: the tests aren't anything specific to security / TLS
17:41:54 <hyakuhei> So these aren’t tests of the efficacy of the TLS configuration etc, just that secure tunnels are working?
17:42:02 <hyakuhei> bknudson: figures
17:42:15 <bknudson> can add them once the TLS gate is up.
17:42:20 <nkinder> correct
17:42:32 <rcrit> right, at this point it is a constant battle just to keep TLS working with the major services
17:42:43 <nkinder> hyakuhei: we keep finding things where people hard-code "http" for example
17:42:50 <rcrit> if working TLS becomes part of the gate job then it will be up to the submitter to not break things
17:42:51 <nkinder> ...or they break the CA validation
17:42:52 <bknudson> not sure what that kind of test would get you though... nobody deploys with devstack, right?
17:43:15 <rcrit> no but it will ensure that the underlying code is sound in at least some configuration
17:43:44 <hyakuhei> Excellent work! Thanks for the effort rcrit!
17:43:50 <bknudson> oh, I'm fine with the functional testing... I'm just not sure what you would get from a test for which ciphers are supported or whatever.
17:43:58 <nkinder> bknudson: agreed
17:44:14 <hyakuhei> So not using obviously bad things by default might be good
17:44:19 <nkinder> this just keeps people from totally breaking TLS
17:44:30 <hyakuhei> Bandit will check all that soon enough though :)
17:44:58 <bknudson> so a test where the cert is bad so client ops fail would be good.
17:45:06 <tmcpeak> :)
17:45:08 <hyakuhei> Yup
17:45:09 <nkinder> So what's left is ensuring nobody has introduced new bugs against TLS since the last run (they probably have), then proposing the changes to enable the gate job
17:45:20 <hyakuhei> Like verify=false
17:45:28 <hyakuhei> which would likely make gate testing easier :P
17:45:33 <nkinder> I'd like to get some traction behind the review to enable the gate job once it's proposed
17:45:40 <bknudson> I'm looking forward to the gate test, so great work.
17:45:48 <bknudson> link?
17:45:51 <nkinder> A lot of people may not really care about TLS in the gate, but it's safe to say everyone here does
17:45:59 <hyakuhei> +1
17:46:02 <elmiko> ++
17:46:27 <nkinder> bknudson: not proposed yet. rcrit wants to run tempest to see if things have been broken again first.
17:46:39 <hyakuhei> Sensible!
17:46:46 <bknudson> add me to the reviews if you want. this will help our group, so happy to review.
17:46:57 <nkinder> bknudson: great
17:47:04 <rcrit> and I need to write a new profile for the devstack-gate project to run the suite. That is where the patch will land.
17:47:59 <nkinder> anyway, this has been a long march and I wanted to let everyone know it's close to completion
17:48:32 <bknudson> might be good to publicise this...
17:48:37 <bknudson> e.g., the ops mailing list or -dev.
17:48:46 <bknudson> you might get more support from operators.
17:48:51 <hyakuhei> Makes sense
17:49:02 <nkinder> yeah
17:49:13 <hyakuhei> Actually kind of brings us onto one more item
17:49:22 <tmcpeak> hyakuhei: dev practice?
17:49:22 <hyakuhei> #topic mailing list
17:50:15 <hyakuhei> The time has come to kick the openstack-security mailing list over to ReadOnly, it’ll be used for security impact notifications etc but normal ML conversation should go via -dev using the [ossg] tag
17:50:47 <bknudson> +1
17:50:49 <hyakuhei> Over time we haven’t used -security enough to warrant having it, and working on -dev will raise our visibility
17:51:26 <nkinder> +1
17:51:56 <hyakuhei> Great so I’ll send an email out regarding that soon and we’ll just migrate over :)
17:52:30 <hyakuhei> #topic Any other business
17:52:49 <hyakuhei> I’m still working on getting OSSG recognised as a proper part of OpenStack
17:52:53 <tmcpeak> development practices
17:53:13 <tmcpeak> what's our path to move forward with them?
17:53:24 <hyakuhei> There’s some discussions around naming and tents of various sizes… I hope to have more for you all soon
17:53:46 <hyakuhei> tmcpeak: It’s kind of waiting on the inclusion work
17:53:51 <tmcpeak> what's that?
17:53:57 <hyakuhei> because that will affect how/where it gets published
17:54:04 <tmcpeak> oh
17:54:05 <hyakuhei> inclusion of OSSG into OpenStack proper
17:54:18 <tmcpeak> ok, I just want to make sure they don't get dropped
17:54:37 <tmcpeak> we all did a good amount of work on them
17:55:05 <hyakuhei> Yeah they’re still there :) Doug tweaked a bunch of them recently
17:55:08 <tmcpeak> can we move them somewhere semi-permanent? and start promoting them?
17:55:17 <hyakuhei> Not yet
17:55:40 <tmcpeak> okies, I'll keep bringing this up every week until we can :D
17:55:54 <hyakuhei> #link https://github.com/openstack-security/Developer-Guidance
17:55:58 <hyakuhei> For those that care
17:56:34 <sicarie> They could also be integrated into the sec guide - an 'openstack developer security best practices' section?
17:56:51 <nkinder> sicarie: seems like a different target audience
17:56:55 <hyakuhei> Format might not be great, they’re supposed to be more conversational
17:57:05 <hyakuhei> They could certainly be referenced somewhere in there though
17:57:08 <tmcpeak> yeah, could still use some tone editing
17:57:20 <sicarie> nkinder - definitely a slightly different gear
17:57:24 <hyakuhei> tone is supposed to be informal and developer to developer
17:57:40 <hyakuhei> They certainly need some work to use a ‘single voice’
17:57:46 <tmcpeak> yeah
17:57:57 <hyakuhei> cool, any last minute items chaps?
17:57:58 <bdpayne> yeah, I don't think that the developer guidance is a good fit for the security guide
17:58:01 <tmcpeak> voice should match https://github.com/openstack-security/Developer-Guidance/blob/master/shell_injection.md
17:58:19 <tmcpeak> good meeting all :)
17:58:54 <hyakuhei> Yeah thanks everyone!
17:59:09 <nkinder> Thanks!
17:59:20 <hyakuhei> #endmeeting