21:00:32 <oneswig> #startmeeting scientific_sig 21:00:32 <openstack> Meeting started Tue May 14 21:00:32 2019 UTC and is due to finish in 60 minutes. The chair is oneswig. Information about MeetBot at http://wiki.debian.org/MeetBot. 21:00:33 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 21:00:35 <openstack> The meeting name has been set to 'scientific_sig' 21:00:37 <janders> good morning, good evening 21:00:44 <janders> how's everyone? 21:00:48 <oneswig> ahoy there :-) 21:00:53 <trandles> hello 21:00:54 <oneswig> #link agenda for today https://wiki.openstack.org/wiki/Scientific_SIG#IRC_Meeting_May_14th_2019 21:01:02 <jmlowe> hello 21:01:13 <oneswig> Greetings all 21:01:49 <oneswig> I trust you all made it back in one piece 21:02:52 <janders> yes I have, thank you :) 21:02:59 <oneswig> #topic CERN OpenStack day 21:03:14 <janders> I missed out on the last meeting cause I went to sleep about 830pm and the meeting started at 9pm 21:03:19 <oneswig> It's a day to go for registrations... last call 21:03:32 <oneswig> janders: it was a very quiet one 21:03:33 <janders> but I'm truly back and on local time. Good conference. 21:03:56 <oneswig> #link get your CERN tickets here - https://www.eventbrite.com/e/openstack-day-cern-tickets-54349067524 21:04:16 <oneswig> I agree, really good to see everyone plus some new faces too 21:05:13 <oneswig> Think that's all on the CERN side... 21:05:17 <oneswig> #topic Denver roundup 21:05:21 <janders> indeed - and having the PTG right after the main conference was a very welcome addition 21:05:22 <janders> very productive 21:05:47 <oneswig> janders: did you stay for the duration? I had to leave on Thursday afternoon, alas 21:06:15 <janders> I skipped Saturday, was driving around the Rockies all weekend :) 21:06:19 <janders> but other than that - yes 21:06:29 <janders> I did convey the SIG message to the Ironic team together with Mark 21:06:32 <janders> pretty good reception 21:06:42 <trandles> Ironic PTG was very useful 21:06:51 <janders> did chat to Miguel about the SDN, too, he's on board, gotta follow this up 21:07:10 <oneswig> Great 21:07:19 <oneswig> trandles: tried that ramdisk driver yet? 21:08:47 <oneswig> janders: which Miguel? 21:09:21 <janders> Miguel Lavalle 21:11:23 <oneswig> Interesting to hear that. 21:12:29 <martial> Seems like a quiet meeting today 21:13:05 <oneswig> Looks like the summit videos have been posted 21:13:15 <oneswig> Any picks? 21:13:19 <oneswig> #chair martial 21:13:20 <openstack> Current chairs: martial oneswig 21:13:31 <oneswig> hey martial, glad you made it 21:13:32 <janders> martial: indeed - to a degree where I thought I got kicked out :) 21:13:57 <b1airo> o/ 21:14:02 <oneswig> I'll admit I'm troubleshooting openvpn weirdness on the side... 21:14:05 <martial> Well I saw no messages for 3 minutes so I was not sure either 21:14:06 <oneswig> hey b1airo 21:14:13 <oneswig> #chair b1airo 21:14:14 <openstack> Current chairs: b1airo martial oneswig 21:14:29 <b1airo> Just realised my calendar is out due to daylight saving changes, hence the lateness 21:14:34 <jmlowe> https://threatpost.com/linux-kernel-remote-code-execution/144713/?utm_source=newsletter&utm_medium=Email&utm_campaign=tp_daily_digest_14_5_2019 21:14:39 <janders> martial: I saw last week you mentioned good conversations with the RHAT folks 21:14:42 <jmlowe> that's got my attention ATM 21:14:43 <janders> who was that? 21:15:15 <jmlowe> and for extra fun Intel has a new exploit, zombieload 21:15:24 <janders> I'm wondering if it's the guys I'm talking to as well, perhaps we can join forces pushing the HPC agenda 21:15:52 <martial> It was Erwan Gallen 21:16:28 <martial> He is seeing how RedHat can bring efforts and code to help the HPC side 21:16:37 <b1airo> OpenStack Summit = new high impact vulnerability disclosures 21:16:52 <martial> I need to follow up so he join our slack too 21:17:08 <janders> cool! thank you 21:17:19 <janders> I think it is a great opportunity for both RHAT and us 21:17:28 <janders> so let's keep fighting the good fight 21:17:47 <jmlowe> b1airo: it's the sobering reality after returning from the summit 21:17:48 <janders> (the subscription model as it stands isn't the best fit for HPC and HPC scale, that's one of the issues I see) 21:17:54 <janders> https://access.redhat.com/security/vulnerabilities/mds?sc_cid=701f20000012nDXAAY& 21:17:59 <janders> (further to the exploit comments) 21:18:18 <martial> They want to help and he is willing to put coders on a problem with the community’s help 21:18:34 <martial> And their code is open source after all 21:18:39 <jmlowe> janders: those are collectively being called zombieload I think 21:19:00 <trandles> oneswig: sorry, was AFK on the phone...not tried ramdisk driver, should be in the next two weeks 21:19:11 <janders> jmlowe: agreed 21:19:38 <oneswig> trandles: no problem, good to hear it 21:20:37 <trandles> working through the logistics of getting a couple collaboration accounts set up here for outsiders, nuke-n-pave my testbed to reset for ironic work, etc. 21:21:23 <oneswig> Sound interesting, but careful with your choice of metaphor 21:21:32 <b1airo> :-) 21:21:35 <trandles> HA! 21:21:55 <trandles> Also, saw the latest Singularity root exploit and had a chuckle :P 21:22:04 <oneswig> The news over here is we got our first Kata study published 21:22:15 <oneswig> #link I/O performance of Kata https://www.stackhpc.com/kata-io-1.html 21:22:23 <oneswig> trandles: what's that? 21:23:04 <martial> Oh cool 21:23:26 <trandles> https://github.com/sylabs/singularity/releases/tag/v3.2.0 21:24:19 <trandles> their CVE link is wrong, you either get the reserved message or a joomla CVE using the same number 21:24:37 <oneswig> how careless 21:25:00 <trandles> scratch that, google brought up 2018-11328 instead of 2019 21:25:01 <trandles> :( 21:27:07 <b1airo> Gah, glad we haven't committed one way or other yet 21:28:27 <trandles> seems like Kata has a LOT of I/O optimization to do 21:29:09 <b1airo> trandles: have you guys considered a Zun plugin for CharlieCloud ? 21:29:10 <oneswig> trandles: a lot indeed. It's moving fast and should get a lot of the low-hanging fruit in the next release. 21:29:38 <oneswig> trandles: it has a very long way to go though 21:29:52 <trandles> b1airo: not really 21:29:59 <oneswig> In other post-summit follow-up, I mailed Jonathan Bryce about supporting a white paper on private / hybrid cloud advocacy for research computing, no response as yet, but I'll follow up 21:30:10 <oneswig> brb 21:30:32 <trandles> we've been focusing on some Slurm integration 21:30:53 <jmlowe> plan9 is always going to kill I/O 21:30:54 <trandles> among other things (like at 100% truly unprivileged container build without docker as a dependency) 21:31:43 <trandles> we've been digging into Buildah since it's billed as "unprivileged build" using Dockerfiles...and it relies on setuid binaries and has Docker as a dependency buried in all the golang :( 21:32:31 <b1airo> Nice o_0 21:33:26 <janders> bad developers go to dependency hell after they die 21:34:13 <oneswig> trandles: similarly I saw that podman claims to offer an unprivileged container runtime but not until the next release of RHEL 21:34:29 <trandles> oneswig: in RHEL 8, which is GA 21:34:29 <b1airo> The really bad ones go to dll hell :-P 21:34:45 <oneswig> trandles: ah is it? Thanks 21:34:53 <trandles> I also heard that RHEL is offering RHEL-based base containers with RHEL 8 that can be redistributed, but haven't confirmed it 21:35:14 <janders> next as in 7.7, 8 or 8.1? 21:35:27 <janders> sorry scratch that 21:35:53 <trandles> I know podman is being looked at here, but I'm not the one doing the looking and haven't followed-up yet 21:37:51 <oneswig> trandles: going from https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/ 21:38:04 <oneswig> "You can also run Podman from your normal non-root user in Podman 1.0 on Fedora. RHEL support is aimed for version 7.7 and 8.1 onwards." 21:38:20 <oneswig> That was the story in February 21:39:41 <trandles> ah yeah, thx for the link 21:39:48 <trandles> I've heard of this blog post but hadn't read it myself 21:40:02 <oneswig> It's somewhat biased :-) 21:40:59 <trandles> just a tad 21:41:09 <martial> We can always let them know 21:41:32 <trandles> martial: I haven't contacted Erwan yet but plan to 21:41:44 <trandles> thx for the introduction 21:42:20 <martial> You walked as I was talking about you:) small world 21:44:29 <oneswig> jmlowe: that exploit on threadpost is not quite as bad as the whatsapp one... 21:48:55 <oneswig> I think everyone here's on the Slack channel set up by martial - anyone want the sign-up link? 21:49:36 <trandles> btw - ZombieLoad is scary 21:50:07 <trandles> tl;dr disable hyperthreading 21:51:48 <trandles> ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device. Daniel Gruss, one of the researchers who discovered the latest round of chip flaws, said it works “just like” it does on PCs and can read data off the processor. That’s potentially a major problem in cloud environments where different customers’ virtual machines run on the same server h 21:51:53 <janders> oneswig: I think I will need to switch accounts - can I re-invite myself on a different email address? 21:52:27 <oneswig> Sure - martial is the admin, if you need super-powers :-) 21:52:36 <janders> ok! 21:52:52 <jmlowe> ugh, I hadn't read that carefully to see the exploitable in vms part 21:53:32 <trandles> the abstract of the whitepaper (https://zombieloadattack.com/zombieload.pdf) says "We discuss both short and long-term mitigation approaches and arrive at the conclusion that disabling hyperthreading is the only possible workaround to prevent this extremely powerful attack on current processors." 21:53:59 <jmlowe> I saw Intel was rolling new microcode, so that's not sufficient? 21:54:04 <trandles> dunno 21:55:01 <martial> Let me get the link again 21:56:21 <martial> here https://join.slack.com/t/os-scientific-sig/shared_invite/enQtNjIyOTU1NjU3Njg1LTVjY2QzNTkyMjVmZjIzNjI2MDYzNjcxMzExMDY5NDQ0MTc1NGRjMzk2ZTE2N2VjZjJiMzlmMGM2MGJjZjY4YzA 21:57:08 <martial> janders, I think you can change your email from within the slack itself 21:57:40 <janders> ok, thank you martial 21:59:24 <martial> of note, Blair and Stig are also admin on the slack 21:59:41 <oneswig> trandles: If I read this right, a user process can access privileged memory, data from other VMs or the hypervisor, even SGX protected regions? 21:59:47 <martial> and on that we are at the end of the hour 21:59:55 <janders> thanks guys! 22:00:11 <oneswig> Thanks all and good night :-) 22:00:14 <martial> seems scary indeed 22:00:18 <oneswig> #endmeeting