17:02:32 <hyakuhei> #startmeeting openstack security group
17:02:34 <openstack> Meeting started Thu Mar  5 17:02:32 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:35 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:37 <openstack> The meeting name has been set to 'openstack_security_group'
17:02:40 <hyakuhei> Hi All!
17:02:48 <sicarie> hello!
17:02:51 <redrobot> ohai!
17:03:07 <ukbelch> Hola!
17:03:18 <bpb_> hey
17:03:21 <ljfisher> hi
17:03:32 <fletcher_> greetings
17:03:44 <elmiko> salutations
17:03:49 <nkinder> hi all
17:03:54 <hyakuhei> nkinder: you’re alive!
17:04:12 <tmcpeak> nkinder: welcome back
17:04:43 <dwyde> howdy
17:04:50 <hyakuhei> Looks like a good crowd
17:05:03 <hyakuhei> Agenda items:
17:05:03 <nkinder> hyakuhei, tmcpeak: thanks!
17:05:08 <hyakuhei> Summit
17:05:09 <hyakuhei> OSSN
17:05:13 <hyakuhei> Anchor
17:05:18 <nkinder> finally don't have a meeting conflict
17:05:19 <tmcpeak> Bandit
17:05:32 * bdpayne arrives in the nick of time
17:05:39 <hyakuhei> Thank god!
17:06:29 <hyakuhei> Any more agenda items?
17:06:46 <hyakuhei> Maybe we should put ‘agenda’ on the agenda :)
17:06:55 <nkinder> SSL gate
17:06:59 <hyakuhei> We should consider using the wiki for it like Barbican, Keystone and others.
17:07:01 <nkinder> or TLS gate...
17:07:04 <hyakuhei> Excellent
17:07:12 <hyakuhei> ok lets start then lots to go through
17:07:18 <hyakuhei> #topic summit
17:07:51 <hyakuhei> There’s a lot of great security content this year, running all week! It might make it hard to organise an OSSG meetup that everyone can attend
17:08:14 <dave-mccowan> o/
17:08:35 <elmiko> have they announced the accepted talks yet?
17:08:39 <hyakuhei> No
17:08:39 <nkinder> yeah, a meetup always seems difficult
17:08:46 <hyakuhei> Track chairs are busy shaping things
17:09:08 <hyakuhei> Which this year includes myself and bdpayne
17:09:22 <ukbelch> congrats guys :)
17:09:30 <bknudson> how many slots?
17:09:46 <hyakuhei> 15!
17:09:48 <bdpayne> ~15
17:09:51 <nkinder> wow
17:10:02 <hyakuhei> I know, my constant bitching must be wearing them down
17:10:13 <elmiko> hehe, very nice
17:10:15 <hyakuhei> We’ve come a long way from hong kong that’s for sure
17:10:30 <bdpayne> and I think there are around 60 submissions
17:10:40 <bdpayne> so we should be able to put together a nice security track
17:10:48 <elmiko> cool
17:10:50 <hyakuhei> ok so yes, I’ll be trying to get us some proper space for the OSSG, design summit time for bandit and anchor too if possible
17:10:59 <hyakuhei> Yeah it’s going to be great, I’m really excited about it
17:11:07 <tmcpeak> that would be awesome
17:11:18 <hyakuhei> ok lets roll onto the next item, OSSN
17:11:21 <hyakuhei> #topic OSSN
17:11:23 <tmcpeak> how feasible is it for me to teleconference in some way for bandit design summit?
17:11:32 <nkinder> tmcpeak: pretty difficult...
17:11:42 <hyakuhei> yeah design summits are hectic
17:11:42 <tmcpeak> ahh ok, you guys can hold it down :)
17:11:49 <hyakuhei> If you’re not there best to act as a remote reviewer
17:11:57 <hyakuhei> possibly or something similar
17:11:59 <hyakuhei> anyway - OSSN
17:12:04 <hyakuhei> nkinder: fancy giving an overview?
17:12:10 <nkinder> Sure
17:12:11 <hyakuhei> I see a few in the queue recently
17:12:27 <nkinder> There have been a few published recently, and the queue has about 7-8 IIRC
17:12:51 <nkinder> A few are pretty old...
17:13:18 <nkinder> Some are assigned and marked "in progress"
17:13:22 <hyakuhei> Is it worth having a push on the old ones?
17:13:28 <nkinder> I'd like to see if they need to be freed up for others to take
17:13:29 <hyakuhei> tmcpeak: loves writing OSSNs … :D
17:13:33 <nkinder> so, https://bugs.launchpad.net/ossn/+bug/1163569
17:13:34 <openstack> Launchpad bug 1163569 in OpenStack Security Notes "security groups don't work with vip and ovs plugin" [High,In progress] - Assigned to Steven Weston (steve.weston)
17:13:40 <tmcpeak> lol, he does?
17:13:43 <hyakuhei> nkinder: +1
17:13:54 <hyakuhei> Yeah didn’t that go through a round of review then stall out completely?
17:14:06 <hyakuhei> Was doug’s originally too I think
17:14:30 <nkinder> hyakuhei: I don't see a submitted OSSN review in the LP
17:14:44 <hyakuhei> Maybe I’m confusing it with another one, I’ll check my backlog
17:14:44 <nkinder> The cinder bug says Fix Released for this as well
17:15:43 <hyakuhei> Cinder has a fix for an OVS/vip issue?
17:15:53 <tmcpeak> yeah, I'm confused
17:16:03 <nkinder> well, the LP says fixed at least.  Not sure if it's really a fix.
17:16:10 <nkinder> sorry, mixing up links
17:16:12 <tmcpeak> nkinder: you sure we're talking about the same?
17:16:16 <hyakuhei> so sweston isn’t here I’m guessing ?
17:16:30 <nkinder> https://bugs.launchpad.net/ossn/+bug/1329214 is the other stalled cinder one
17:16:31 <openstack> Launchpad bug 1329214 in OpenStack Security Notes "tgtadm iscsi chap does not work" [Undecided,In progress] - Assigned to Steven Weston (steve.weston)
17:16:46 <tmcpeak> pinged him in #openstack-security
17:16:57 <sweston> here now
17:17:11 <sweston> "if you ping I will be there"
17:17:32 <hyakuhei> :D
17:17:33 <sweston> hehe, yes not sure what to do with this one
17:17:39 <nkinder> sweston: hey, we were wondering about the status of a couple of your OSSN bugs
17:17:54 <nkinder> https://bugs.launchpad.net/ossn/+bug/1329214
17:17:55 <openstack> Launchpad bug 1329214 in OpenStack Security Notes "tgtadm iscsi chap does not work" [Undecided,In progress] - Assigned to Steven Weston (steve.weston)
17:18:04 <nkinder> https://bugs.launchpad.net/ossn/+bug/1163569
17:18:05 <openstack> Launchpad bug 1163569 in OpenStack Security Notes "security groups don't work with vip and ovs plugin" [High,In progress] - Assigned to Steven Weston (steve.weston)
17:18:09 <sweston> nkinder: yes, I need to close these out
17:18:33 <nkinder> sweston: are you blocked on anything, or is it just getting time?
17:19:24 <sweston> on the first one, need to complete verification.  but yes, mostly time
17:20:01 <sweston> I will put a few hours into these bugs tomorrow, and ping with any questions
17:20:05 <nkinder> ok, understandable :)
17:20:22 <nkinder> I'm guilty myself with https://bugs.launchpad.net/ossn/+bug/1390124
17:20:24 <openstack> Launchpad bug 1390124 in OpenStack Security Notes "No validation between client's IdP and Keystone IdP" [Undecided,In progress] - Assigned to Nathan Kinder (nkinder)
17:20:37 <nkinder> I'll work on getting a draft before next week's meeting
17:20:45 <sweston> ok :-) yay, I'm not the only one, hehe
17:20:48 <hyakuhei> That’d be great!
17:21:01 <nkinder> There are 4 others up for grabs here - https://bugs.launchpad.net/ossn/
17:21:12 <hyakuhei> Are there any more ‘entry-level’ OSSNs that might stand out for newer members to have a try at?
17:21:23 <nkinder> some look pretty easy at first glance
17:21:43 <tmcpeak> I'd say this one? https://bugs.launchpad.net/ossn/+bug/1401170
17:21:44 <openstack> Launchpad bug 1401170 in Glance "0-size images allow unprivileged user to deplete glance resources" [Undecided,In progress] - Assigned to Stuart McLaren (stuart-mclaren)
17:21:47 <nkinder> the pecan one for example
17:22:13 <hyakuhei> Yeah the pecan one looks good
17:22:17 <hyakuhei> I’ve grabbed one too
17:22:22 <nkinder> OSSNs are a great way to achieve fame and glory! (...or so I'm told)
17:22:43 <hyakuhei> All the glory!
17:22:46 <tmcpeak> the first one I wrote came up in an internal company discussion yesterday :D
17:22:54 <hyakuhei> Awesome, thanks for the summary nkinder
17:23:06 <bknudson> do you get ATC for an OSSN?
17:23:07 <hyakuhei> Any more to discuss on OSSN ?
17:23:11 <hyakuhei> bknudson: yes.
17:23:17 <bknudson> that's 600 bucks.
17:23:25 <hyakuhei> Heh true
17:23:51 <nkinder> Yep!
17:24:05 <hyakuhei> cool
17:24:07 <nkinder> Nothing else on OSSNs
17:24:11 <hyakuhei> #topic Anchor
17:24:43 <hyakuhei> Just a quick heads up, we’ve done a bunch more work on this recently, lots of refactoring and introduction of sanity :) we’re looking for reviews/contributors
17:25:30 <bdpayne> cool!
17:25:34 <bdpayne> can you provide a quick overview of the recent work?
17:26:00 <hyakuhei> Sure
17:26:17 <hyakuhei> So Doug landed a patch that moved us over to JSON configs as you know from all your help bdpayne
17:26:28 <bdpayne> :-)
17:26:44 <hyakuhei> That kind-of broke functionality a bit, tkelsey has a patch in flight to fix that, a combination of mine and dougs work as well as his
17:26:45 <fletcher_> hyakuhei: can you also provide a very brief description of Anchor so potentially new contributors (read: me) can gauge interest?
17:26:54 <hyakuhei> We’ve added a bunch of unit tests
17:26:56 <tkelsey> heh yeah
17:26:58 <fletcher_> I looked it up, but it's a wall of text :)
17:27:04 <tkelsey> im actually adding functional test right now
17:27:08 <hyakuhei> Sorry, sure fletcher_
17:27:40 <hyakuhei> Anchor is an Ephemeral PKI platform. It provides some easy ways to do PKI and in some configurations can provide you with strong assurance
17:27:51 <fletcher_> Ah ok, yah, that's right
17:27:58 <hyakuhei> :)
17:27:59 <fletcher_> we talked about it at the meetup
17:28:04 <hyakuhei> Yeah
17:28:32 <hyakuhei> So lots of unit tests (more to come) but going in the right direction :)
17:29:05 <hyakuhei> #topic Bandit
17:29:14 <hyakuhei> tmcpeak et al
17:29:16 <tmcpeak> there has been a flurry of development work on Bandit
17:29:16 <fletcher_> I'm interested in helping, although I don't have any experience with that sort of thing. anyways, sorry for the interruption
17:29:30 <fletcher_> hyakuhei ^
17:29:47 <tmcpeak> notably check-ins from David Wyde, fletcher, belch
17:29:56 <hyakuhei> fletcher_: awesome :)
17:29:56 <tmcpeak> ljfisher
17:30:03 <tmcpeak> browne
17:30:05 <tmcpeak> chair6
17:30:16 <tmcpeak> I think I'm missing one
17:30:26 <tmcpeak> anyway tons of great check-ins
17:30:28 <tmcpeak> keep them coming!
17:30:30 <hyakuhei> :D
17:30:44 <tmcpeak> the other thing that happened this week was I attended the Keystone meeting to intro Bandit
17:30:50 <ukbelch> it's worth mentioning that the change I pushed was a pretty considerable one. When you guys run it against stuff, keep an eye out for any oddities and file bugs
17:30:51 <tmcpeak> bknudson set that up
17:30:53 <fletcher_> fwiw, the changes we've made have gone a long way in the CI efforts here, so I really appreciate everyone's help reviewing and committing things!
17:31:11 <tmcpeak> yeah, I'm amazed with the participation level in Bandit now
17:31:26 <tmcpeak> have tons of great devs doing great things, I spend at least an hour a day now on just reviews
17:31:28 <tmcpeak> which is awesome
17:31:44 <fletcher_> we'll be publicizing bandit via technical blog posts too
17:31:53 <tmcpeak> fletcher_: oooh ++
17:31:53 <bknudson> I think we got good support from the rest of the keystone team to get bandit running on keystone code.
17:32:05 <tmcpeak> bknudson: can you give an overview of the Bandit keystone intro please?
17:32:07 <bknudson> so, no pushback there.
17:32:11 <ljfisher> i’m impressed with the good reception
17:32:17 <ukbelch> I have some plans for next-steps with regards to the contextual awareness, which may lead to first-steps in flow analysis, but that's a bit down the road
17:32:30 <bknudson> they had some concerns about whether bandit was going to expose potential security vulnerabilities
17:32:47 <fletcher_> lol wut, that's the whole purpose right?
17:32:49 <ukbelch> they didn't want it to? :)
17:33:11 <bknudson> well, they don't want it to be the first thing exposing an existing horrible bug.
17:33:23 <tmcpeak> this is a good point
17:33:37 <fletcher_> Is bandit being run in a public forum?
17:33:40 <tmcpeak> I spoke to ljfisher about it, we're thinking we should implement something to scan OpenStack projects when we implement a new test
17:33:44 <nkinder> manually running it should help with that then
17:33:48 <tmcpeak> to make sure we aren't dropping 0 days or something
17:33:48 <bknudson> yes, the results will be totally public.
17:33:50 <nkinder> fletcher_: yes, CI results are public
17:33:59 <ukbelch> well, if it's exposing them, then obviously they have failed to find them thus far...
17:34:01 <nkinder> ...but anyone can just run it and find issues themselves too
17:34:08 <hyakuhei> bknudson: But in the gate it’ll be checking new code
17:34:10 <tmcpeak> nkinder: yeah, that's pretty much the stand I took
17:34:17 <hyakuhei> So finding a 0day before it’s merged should be ok right :)
17:34:19 <nkinder> I get their point though.  Just run it privately first to see what it reports
17:34:21 <fletcher_> what hyakuhei said
17:34:24 <ljfisher> we should at least think about what to do before adding new tests in Bandit if they expose serious bugs
17:34:30 <ukbelch> sticking their heads in the sand doesn't protect them from 0day lol
17:34:30 <tmcpeak> yeah, I can see both sides
17:34:33 <nkinder> Once it's in CI with a clean baseline, it will keep new issues out of committed code
17:34:38 <hyakuhei> yeah
17:34:50 <tmcpeak> I also made a sensible profile for Keystone to use
17:34:54 <ljfisher> we are on a touchy line
17:34:58 <tmcpeak> that includes our solid tests, but removes some of the noisy ones
17:35:00 <hyakuhei> You’re going to want to go through a round of quickfixes to make it play nice in the gate anyway I think
17:35:12 <hyakuhei> This is very exciting
17:35:17 <tmcpeak> yeah, we're very close
17:35:24 <hyakuhei> We should also put Bandit in the Anchor gate :)
17:35:24 <tmcpeak> and they are excited to use it
17:35:31 <tmcpeak> hyakuhei: +1
17:35:33 <tmcpeak> that would be awesome
17:35:40 <bknudson> so we need it in pypi
17:35:41 <tmcpeak> we should put Bandit in the bandit gate too
17:35:54 <fletcher_> I've talked with the creator of PyPi about it
17:35:54 <tmcpeak> bknudson: yeah, I was just waiting for flurry to die down
17:35:54 <ljfisher> yes :)
17:35:55 <fletcher_> he seems open
17:35:57 <bknudson> then I can update my keystone job
17:35:59 <hyakuhei> Are they likely to add Bandit (with a stronger set of profiles) to the Keystone run_tests scripts that devs can run locally?
17:36:13 <bknudson> then I or someone can update infra to run it.
17:36:26 <tmcpeak> hyakuhei: we didn't discuss that
17:36:26 <bknudson> then we can all party.
17:36:29 <fletcher_> oh, you mean Bandit in PyPi. I meant running bandit on all things in PyPi
17:36:40 <tmcpeak> fletcher_: lol, that would be… interesting
17:36:50 <hyakuhei> fletcher_: I like your ambition :D
17:36:54 <elmiko> lol
17:37:10 <tmcpeak> finally, ljfisher and I moved our TODO section from wiki to proper launchpad blueprints
17:37:28 <hyakuhei> Any more on Bandit ?
17:37:30 <tmcpeak> and did a little bug pruning
17:37:33 <tmcpeak> nope, should be good
17:37:39 <ukbelch> it may be worth considering grouping tests some way, so it's possible to select test-sets
17:37:54 <tmcpeak> ukbelch: sure, let's synch after
17:38:27 <hyakuhei> Great
17:38:38 <hyakuhei> nkinder: want to talk about the TLS gate you mentioned ?
17:38:42 <hyakuhei> #topic TLS Gate
17:38:42 <nkinder> Sure
17:39:07 <nkinder> A lot of groundwork has been laid by rcrit for making TLS gate tests possible
17:39:24 <nkinder> He's been able to run the entire set of gate jobs with TLS enabled for all services
17:39:29 <nkinder> ...all passing
17:39:35 <hyakuhei> Wow thats great!
17:39:39 <bknudson> devstack?
17:39:47 <nkinder> Patches for everything are in aside from just proposing the gate job
17:39:49 <nkinder> bknudson: yes
17:40:04 <tmcpeak> what do you mean TLS gate tests?
17:40:30 <nkinder> tmcpeak: Enabling TLS for all openstack services (as deployed by devstack), then running the full gate suite that exists today
17:40:37 <nkinder> Today, TLS isn't enabled for anything
17:40:38 <tmcpeak> wow
17:40:41 <bknudson> TLS-only
17:40:45 <rcrit> I've tested with the smoke tests so far
17:40:49 <bknudson> right?
17:40:50 <nkinder> ...and devs constantly break TLS
17:40:54 <tmcpeak> that's awesome
17:41:11 <elmiko> yea, very cool
17:41:26 <nkinder> bknudson: yes, no http AFAIK (rcrit can confirm)
17:41:26 <hyakuhei> I’d like to know more about the tests
17:41:43 <ljfisher> is there a way we could run the TLS grading tests, like what Qualys put up, on this
17:41:43 <rcrit> it just runs tempest against a set of secure servers
17:41:49 <bknudson> hyakuhei: the tests aren't anything specific to security / TLS
17:41:54 <hyakuhei> So these aren’t tests of the efficacy of the TLS configuration etc just that secure tunnels are working ?
17:42:02 <hyakuhei> bknudson: figures
17:42:15 <bknudson> can add them once the TLS gate is up.
17:42:20 <nkinder> correct
17:42:32 <rcrit> right, at this point it is a constant battle just to keep TLS working with the major services
17:42:43 <nkinder> hyakuhei: we keep finding things where people hard-code "http" for example
17:42:50 <rcrit> if working TLS becomes part of the gate job then it will be up to the submitter to not break things
17:42:51 <nkinder> ...or they break the CA validation
17:42:52 <bknudson> not sure what that kind of test would get you though... nobody deploys with devstack, right?
17:43:15 <rcrit> no but it will ensure that the underlying code is sound in at least some configuration
17:43:44 <hyakuhei> Excellent work! Thanks for the effort rcrit!
17:43:50 <bknudson> oh, I'm fine with the functional testing... I'm just not sure what you would get from a test for which ciphers are supported or whatever.
17:43:58 <nkinder> bknudson: agreed
17:44:14 <hyakuhei> So not using obviously bad things by default might be good
17:44:19 <nkinder> this just keep people from totally breaking TLS
17:44:30 <hyakuhei> Bandit will check all that soon enough though :)
17:44:58 <bknudson> so a test where the cert is bad so client ops fail would be good.
17:45:06 <tmcpeak> :)
17:45:08 <hyakuhei> Yup
17:45:09 <nkinder> So what's left is ensuring nobody has introduced new bugs against TLS since the last run (they probably have), then proposing the changes to enable the gate job
17:45:20 <hyakuhei> Like verify=false
17:45:28 <hyakuhei> which would likely make gate testing easier :P
17:45:33 <nkinder> I'd like to get some traction behind the review to enable the gate job once it's proposed
17:45:40 <bknudson> I'm looking forward to the gate test, so great work.
17:45:48 <bknudson> link?
17:45:51 <nkinder> A lot of people may not really care about TLS in the gate, but it's safe to say everyone here does
17:45:59 <hyakuhei> +1
17:46:02 <elmiko> ++
17:46:27 <nkinder> bknudson: not proposed yet.  rcrit wants to run tempest to see if things have been broken again first.
17:46:39 <hyakuhei> Sensible!
17:46:46 <bknudson> add me to the reviews if you want. this will help our group, so happy to review.
17:46:57 <nkinder> bknudson: great
17:47:04 <rcrit> and I need to write a new profile for the devstack-gate project to run the suite. That is where the patch will land.
17:47:59 <nkinder> anyway, this has been a long march and I wanted to let everyone know it's close to completion
17:48:32 <bknudson> might be good to publicise this...
17:48:37 <bknudson> e.g., the ops mailing list or -dev.
17:48:46 <bknudson> you might get more support from operators.
17:48:51 <hyakuhei> Makes sense
17:49:02 <nkinder> yeah
17:49:13 <hyakuhei> Actually kind of brings us onto one more item
17:49:22 <tmcpeak> hyakuhei: dev practice?
17:49:22 <hyakuhei> #topic mailing list
17:50:15 <hyakuhei> The time has come to kick the openstack-security mailing list over to ReadOnly, it’ll be used for security impact notifications etc but normal ML conversation should go via -dev using the [ossg] tag
17:50:47 <bknudson> +1
17:50:49 <hyakuhei> Over time we haven’t used -security enough to warrant having it and working on -dev will raise our visibility
17:51:26 <nkinder> +1
17:51:56 <hyakuhei> Great so I’ll send an email out regarding that soon and we’ll just migrate over :)
17:52:30 <hyakuhei> #topic Any other business
17:52:49 <hyakuhei> I’m working still on getting OSSG recognised as a proper part of OpenStack
17:52:53 <tmcpeak> development practices
17:53:13 <tmcpeak> what's our path to move forward with them?
17:53:24 <hyakuhei> There’s some discussions around naming and tents of various sizes… I hope to have more for you all soon
17:53:46 <hyakuhei> tmcpeak: It’s kind of waiting on the inclusion work
17:53:51 <tmcpeak> what's that?
17:53:57 <hyakuhei> because that will affect how/where it gets published
17:54:04 <tmcpeak> oh
17:54:05 <hyakuhei> inclusion of OSSG into OpenStack proper
17:54:18 <tmcpeak> ok, I just want to make sure they don't get dropped
17:54:37 <tmcpeak> we all did a good amount of work on them
17:55:05 <hyakuhei> Yeah they’re still there :) Doug tweaked a bunch of them recently
17:55:08 <tmcpeak> can we move them somewhere semi-permanent? and start promoting them?
17:55:17 <hyakuhei> Not yet
17:55:40 <tmcpeak> okies, I'll keep bringing this up every week until we can :D
17:55:54 <hyakuhei> #link https://github.com/openstack-security/Developer-Guidance
17:55:58 <hyakuhei> For those that care
17:56:34 <sicarie> They could also be integrated into the sec guide - an 'openstack developer security best practices' section?
17:56:51 <nkinder> sicarie: seems like a different target audience
17:56:55 <hyakuhei> Format might not be great, they’re supposed to be more conversational
17:57:05 <hyakuhei> They could certainly be referenced somewhere in there though
17:57:08 <tmcpeak> yeah, could still use some tone editing
17:57:20 <sicarie> nkinder - definitely a slightly different gear
17:57:24 <hyakuhei> tone is supposed to be informal and developer to developer
17:57:40 <hyakuhei> They certainly need some work to use a ‘single voice’
17:57:46 <tmcpeak> yeah
17:57:57 <hyakuhei> cool any last minute items chaps?
17:57:58 <bdpayne> yeah, I don't think that the developer guidance is a good fit for the security guide
17:58:01 <tmcpeak> voice should match https://github.com/openstack-security/Developer-Guidance/blob/master/shell_injection.md
17:58:19 <tmcpeak> good meeting all :)
17:58:54 <hyakuhei> Yeah thanks everyone!
17:59:09 <nkinder> Thanks!
17:59:20 <hyakuhei> #endmeeting