21:00:32 <oneswig> #startmeeting scientific_sig
21:00:32 <openstack> Meeting started Tue May 14 21:00:32 2019 UTC and is due to finish in 60 minutes.  The chair is oneswig. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:00:33 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
21:00:35 <openstack> The meeting name has been set to 'scientific_sig'
21:00:37 <janders> good morning, good evening
21:00:44 <janders> how's everyone?
21:00:48 <oneswig> ahoy there :-)
21:00:53 <trandles> hello
21:00:54 <oneswig> #link agenda for today https://wiki.openstack.org/wiki/Scientific_SIG#IRC_Meeting_May_14th_2019
21:01:02 <jmlowe> hello
21:01:13 <oneswig> Greetings all
21:01:49 <oneswig> I trust you all made it back in one piece
21:02:52 <janders> yes I have, thank you :)
21:02:59 <oneswig> #topic CERN OpenStack day
21:03:14 <janders> I missed out on the last meeting cause I went to sleep about 830pm and the meeting started at 9pm
21:03:19 <oneswig> It's a day to go for registrations... last call
21:03:32 <oneswig> janders: it was a very quiet one
21:03:33 <janders> but I'm truly back and on local time. Good conference.
21:03:56 <oneswig> #link get your CERN tickets here - https://www.eventbrite.com/e/openstack-day-cern-tickets-54349067524
21:04:16 <oneswig> I agree, really good to see everyone plus some new faces too
21:05:13 <oneswig> Think that's all on the CERN side...
21:05:17 <oneswig> #topic Denver roundup
21:05:21 <janders> indeed - and having the PTG right after the main conference was a very welcome addition
21:05:22 <janders> very productive
21:05:47 <oneswig> janders: did you stay for the duration?  I had to leave on Thursday afternoon, alas
21:06:15 <janders> I skipped Saturday, was driving around the Rockies all weekend :)
21:06:19 <janders> but other than that - yes
21:06:29 <janders> I did convey the SIG message to the Ironic team together with Mark
21:06:32 <janders> pretty good reception
21:06:42 <trandles> Ironic PTG was very useful
21:06:51 <janders> did chat to Miguel about the SDN, too, he's on board, gotta follow this up
21:07:10 <oneswig> Great
21:07:19 <oneswig> trandles: tried that ramdisk driver yet?
21:08:47 <oneswig> janders: which Miguel?
21:09:21 <janders> Miguel Lavalle
21:11:23 <oneswig> Interesting to hear that.
21:12:29 <martial> Seems like a quiet meeting today
21:13:05 <oneswig> Looks like the summit videos have been posted
21:13:15 <oneswig> Any picks?
21:13:19 <oneswig> #chair martial
21:13:20 <openstack> Current chairs: martial oneswig
21:13:31 <oneswig> hey martial, glad you made it
21:13:32 <janders> martial: indeed - to a degree where I thought I got kicked out :)
21:13:57 <b1airo> o/
21:14:02 <oneswig> I'll admit I'm troubleshooting openvpn weirdness on the side...
21:14:05 <martial> Well I saw no messages for 3 minutes so I was not sure either
21:14:06 <oneswig> hey b1airo
21:14:13 <oneswig> #chair b1airo
21:14:14 <openstack> Current chairs: b1airo martial oneswig
21:14:29 <b1airo> Just realised my calendar is out due to daylight saving changes, hence the lateness
21:14:34 <jmlowe> https://threatpost.com/linux-kernel-remote-code-execution/144713/?utm_source=newsletter&utm_medium=Email&utm_campaign=tp_daily_digest_14_5_2019
21:14:39 <janders> martial: I saw last week you mentioned good conversations with the RHAT folks
21:14:42 <jmlowe> that's got my attention ATM
21:14:43 <janders> who was that?
21:15:15 <jmlowe> and for extra fun Intel has a new exploit, zombieload
21:15:24 <janders> I'm wondering if it's the guys I'm talking to as well, perhaps we can join forces pushing the HPC agenda
21:15:52 <martial> It was Erwan Gallen
21:16:28 <martial> He is seeing how RedHat can bring efforts and code to help the HPC side
21:16:37 <b1airo> OpenStack Summit = new high impact vulnerability disclosures
21:16:52 <martial> I need to follow up so he joins our slack too
21:17:08 <janders> cool! thank you
21:17:19 <janders> I think it is a great opportunity for both RHAT and us
21:17:28 <janders> so let's keep fighting the good fight
21:17:47 <jmlowe> b1airo: it's the sobering reality after returning from the summit
21:17:48 <janders> (the subscription model as it stands isn't the best fit for HPC and HPC scale, that's one of the issues I see)
21:17:54 <janders> https://access.redhat.com/security/vulnerabilities/mds?sc_cid=701f20000012nDXAAY&
21:17:59 <janders> (further to the exploit comments)
21:18:18 <martial> They want to help and he is willing to put coders on a problem with the community’s help
21:18:34 <martial> And their code is open source after all
21:18:39 <jmlowe> janders: those are collectively being called zombieload I think
21:19:00 <trandles> oneswig: sorry, was AFK on the phone...not tried ramdisk driver, should be in the next two weeks
21:19:11 <janders> jmlowe: agreed
21:19:38 <oneswig> trandles: no problem, good to hear it
21:20:37 <trandles> working through the logistics of getting a couple collaboration accounts set up here for outsiders, nuke-n-pave my testbed to reset for ironic work, etc.
21:21:23 <oneswig> Sound interesting, but careful with your choice of metaphor
21:21:32 <b1airo> :-)
21:21:35 <trandles> HA!
21:21:55 <trandles> Also, saw the latest Singularity root exploit and had a chuckle :P
21:22:04 <oneswig> The news over here is we got our first Kata study published
21:22:15 <oneswig> #link I/O performance of Kata https://www.stackhpc.com/kata-io-1.html
21:22:23 <oneswig> trandles: what's that?
21:23:04 <martial> Oh cool
21:23:26 <trandles> https://github.com/sylabs/singularity/releases/tag/v3.2.0
21:24:19 <trandles> their CVE link is wrong, you either get the reserved message or a joomla CVE using the same number
21:24:37 <oneswig> how careless
21:25:00 <trandles> scratch that, google brought up 2018-11328 instead of 2019
21:25:01 <trandles> :(
21:27:07 <b1airo> Gah, glad we haven't committed one way or other yet
21:28:27 <trandles> seems like Kata has a LOT of I/O optimization to do
21:29:09 <b1airo> trandles: have you guys considered a Zun plugin for CharlieCloud ?
21:29:10 <oneswig> trandles: a lot indeed.  It's moving fast and should get a lot of the low-hanging fruit in the next release.
21:29:38 <oneswig> trandles: it has a very long way to go though
21:29:52 <trandles> b1airo: not really
21:29:59 <oneswig> In other post-summit follow-up, I mailed Jonathan Bryce about supporting a white paper on private / hybrid cloud advocacy for research computing, no response as yet, but I'll follow up
21:30:10 <oneswig> brb
21:30:32 <trandles> we've been focusing on some Slurm integration
21:30:53 <jmlowe> plan9 is always going to kill I/O
21:30:54 <trandles> among other things (like a 100% truly unprivileged container build without docker as a dependency)
21:31:43 <trandles> we've been digging into Buildah since it's billed as "unprivileged build" using Dockerfiles...and it relies on setuid binaries and has Docker as a dependency buried in all the golang :(
21:32:31 <b1airo> Nice o_0
21:33:26 <janders> bad developers go to dependency hell after they die
21:34:13 <oneswig> trandles: similarly I saw that podman claims to offer an unprivileged container runtime but not until the next release of RHEL
21:34:29 <trandles> oneswig: in RHEL 8, which is GA
21:34:29 <b1airo> The really bad ones go to dll hell :-P
21:34:45 <oneswig> trandles: ah is it?  Thanks
21:34:53 <trandles> I also heard that RHEL is offering RHEL-based base containers with RHEL 8 that can be redistributed, but haven't confirmed it
21:35:14 <janders> next as in 7.7, 8 or 8.1?
21:35:27 <janders> sorry scratch that
21:35:53 <trandles> I know podman is being looked at here, but I'm not the one doing the looking and haven't followed-up yet
21:37:51 <oneswig> trandles: going from https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/
21:38:04 <oneswig> "You can also run Podman from your normal non-root user in Podman 1.0 on Fedora. RHEL support is aimed for version 7.7 and 8.1 onwards."
21:38:20 <oneswig> That was the story in February
21:39:41 <trandles> ah yeah, thx for the link
21:39:48 <trandles> I've heard of this blog post but hadn't read it myself
21:40:02 <oneswig> It's somewhat biased :-)
21:40:59 <trandles> just a tad
21:41:09 <martial> We can always let them know
21:41:32 <trandles> martial: I haven't contacted Erwan yet but plan to
21:41:44 <trandles> thx for the introduction
21:42:20 <martial> You walked in as I was talking about you :) small world
21:44:29 <oneswig> jmlowe: that exploit on threatpost is not quite as bad as the whatsapp one...
21:48:55 <oneswig> I think everyone here's on the Slack channel set up by martial - anyone want the sign-up link?
21:49:36 <trandles> btw - ZombieLoad is scary
21:50:07 <trandles> tl;dr disable hyperthreading
21:51:48 <trandles> ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device.  Daniel Gruss, one of the researchers who discovered the latest round of chip flaws, said it works “just like” it does on PCs and can read data off the processor. That’s potentially a major problem in cloud environments where different customers’ virtual machines run on the same server h
21:51:53 <janders> oneswig: I think I will need to switch accounts - can I re-invite myself on a different email address?
21:52:27 <oneswig> Sure - martial is the admin, if you need super-powers :-)
21:52:36 <janders> ok!
21:52:52 <jmlowe> ugh, I hadn't read that carefully to see the exploitable in vms part
21:53:32 <trandles> the abstract of the whitepaper (https://zombieloadattack.com/zombieload.pdf) says "We discuss both short and long-term mitigation approaches and arrive at the conclusion that disabling hyperthreading is the only possible workaround to prevent this extremely powerful attack on current processors."
21:53:59 <jmlowe> I saw Intel was rolling new microcode, so that's not sufficient?
21:54:04 <trandles> dunno
21:55:01 <martial> Let me get the link again
21:56:21 <martial> here https://join.slack.com/t/os-scientific-sig/shared_invite/enQtNjIyOTU1NjU3Njg1LTVjY2QzNTkyMjVmZjIzNjI2MDYzNjcxMzExMDY5NDQ0MTc1NGRjMzk2ZTE2N2VjZjJiMzlmMGM2MGJjZjY4YzA
21:57:08 <martial> janders, I think you can change your email from within the slack itself
21:57:40 <janders> ok, thank you martial
21:59:24 <martial> of note, Blair and Stig are also admin on the slack
21:59:41 <oneswig> trandles: If I read this right, a user process can access privileged memory, data from other VMs or the hypervisor, even SGX protected regions?
21:59:47 <martial> and on that we are at the end of the hour
21:59:55 <janders> thanks guys!
22:00:11 <oneswig> Thanks all and good night :-)
22:00:14 <martial> seems scary indeed
22:00:18 <oneswig> #endmeeting