17:01:37 <hyakuhei> #startmeeting Security
17:01:38 <openstack> Meeting started Thu Jun 18 17:01:37 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:39 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:42 <hyakuhei> Sorry about the delay!
17:01:42 <openstack> The meeting name has been set to 'security'
17:01:53 <tmcpeak> all good man
17:01:54 <nkinder> Hi all
17:01:56 <sicarie> o/
17:01:57 <hyakuhei> Thanks to tmcpeak for covering things last week, I was travelling
17:01:58 <browne> hi
17:02:26 <hyakuhei> Hi :)
17:02:59 <tmcpeak> #meetup :D
17:03:08 <bknudson> hi
17:03:10 <hyakuhei> Ok, so agenda today - updates on projects - meetup - summit abstracts - git repos - docs
17:03:14 <hyakuhei> hey bknudson
17:03:22 <michaelxin> +1
17:03:33 <hyakuhei> Thanks for agreeing to represent security at the Xproject meetings
17:03:44 <tmcpeak> +1 thanks bknudson!
17:03:47 <bknudson> y, so if you want me to announce anything will do.
17:03:56 <bknudson> I didn't have anything for last week
17:04:02 <bknudson> would be happy to announce a bandit release!
17:04:09 <hyakuhei> michaelxin: do you want to talk about fuzzing at all?
17:04:24 <hyakuhei> (thanks for the @rackspace contributions to Bandit btw)
17:04:37 <michaelxin> sure
17:04:42 <tmcpeak> +1 !
17:05:02 <hyakuhei> ok lets start with the fun stuff
17:05:04 <bknudson> lots of interest in bandit everywhere.
17:05:08 <hyakuhei> #topic meetup
17:05:08 <elmiko> yea
17:05:13 <tmcpeak> https://etherpad.openstack.org/p/security-liberty-midcycle
17:05:21 <hyakuhei> #link https://etherpad.openstack.org/p/security-liberty-midcycle
17:06:12 <hyakuhei> I think we’ve probably grown enough in terms of scope that we probably cant make a multi-project thing work
17:06:33 <tmcpeak> hyakuhei: +1
17:06:50 <hyakuhei> There’s a few opportunities with locations. Suggestions at the moment include SanFrancisco, Seattle and Cheltenham(UK)
17:07:10 <hyakuhei> I’m making the gross assumption that most US folks wont get budget to come over to the UK ?
17:07:18 <michaelxin> ha
17:07:26 <tmcpeak> yeah probs not :\
17:07:27 <hyakuhei> Though we’re a grown up (proper) openstack project now so perhaps budgets will be better…
17:07:32 <browne> UK, might be harder, but it would be pretty awesome
17:07:36 <michaelxin> if anyone want to come to hot texas, Rackspace will be happy to host it.
17:07:49 <hyakuhei> michaelxin: I just got home from Arizona, I think I’ll pass.
17:07:55 <hyakuhei> TY though :P
17:08:10 <bknudson> The keystone meetups were in San Antonio and the heat wasn't bad. I thought.
17:08:14 <hyakuhei> I’ll add Austin to the list, we need to lock in dates soon too.
17:08:20 <morganfainberg> bknudson: ++
17:08:28 <hyakuhei> I’m happy to consider it and let people decide/vote
17:08:46 <morganfainberg> hyakuhei: I highly recommend Austin if you have a place to host. San Antonio was great because geekdom is there.
17:08:54 <hyakuhei> HP will be happy to host in Seattle, Uber in SF, Rackspace in Texas somewhere
17:09:12 <michaelxin> we have an office in Austin too.
17:09:16 <dg_> Austin would be cool. Chair6 I take it all back!
17:09:36 <tmcpeak> location is probably somewhat dependent on timing too, right?
17:09:36 <michaelxin> I will check with them. It should not be a problem.
17:09:45 <browne> you can add VMware in Palo Alto as a site option
17:10:27 <hyakuhei> Ok, so we’ve got a reasonable template for getting this working now, it might depend on how far we’re asking people to travel etc.
17:10:32 <bknudson> I'd offer up IBM in Rochester but I'd rather go elsewhere, too.
17:10:47 <tmcpeak> ;)
17:10:49 <browne> where are most people located?
17:10:57 <browne> west coast?
17:11:33 <tmcpeak> mostly
17:11:37 <hyakuhei> Pretty spread out, a few more west coast, 3-4 in the UK
17:12:05 <timkennedy> how big of a group is it?
17:12:17 <hyakuhei> Normally ends up being 12-16 people iirc.
17:12:31 <hyakuhei> Last time was maybe 18 at the busiest time
17:12:56 <timkennedy> ok
17:12:57 <hyakuhei> Ok, so lets continue to discuss on the etherpad
17:13:03 <hyakuhei> #topic CoreSec
17:13:11 <hyakuhei> Did you all see the CoreSec emails on -dev?
17:13:30 <michaelxin> no
17:13:38 <hyakuhei> #link http://lists.openstack.org/pipermail/openstack-dev/2015-June/066550.html
17:14:11 <hyakuhei> There are two nominations in flight atm, both need to be looked at and potentially +1’ing
17:14:24 <nkinder> hyakuhei: yep, I need to chime in on those
17:14:31 <hyakuhei> Thanks.
17:14:38 <hyakuhei> We’re down to two people
17:14:43 <bknudson> #link http://lists.openstack.org/pipermail/openstack-dev/2015-June/066951.html
17:14:44 <hyakuhei> I’ve also asked the VMT to review and comment
17:14:51 <bknudson> Michael McCune
17:14:59 <bknudson> elmiko: ^
17:15:10 * elmiko waves
17:15:13 <michaelxin> good
17:15:13 <bknudson> #link http://lists.openstack.org/pipermail/openstack-dev/2015-June/067079.html
17:15:23 <bknudson> Travis McPeak
17:15:26 <hyakuhei> thanks bknudson
17:15:40 <tmcpeak> :D
17:15:48 <bknudson> I wouldn't -1 either of those... and I -1 a lot.
17:15:59 <elmiko> aww ;)
17:15:59 <nkinder> that is saying a lot! :)
17:16:02 <bknudson> actually would happily +1
17:16:03 <hyakuhei> Heh, would you +1 them though…. :P
17:16:07 <hyakuhei> pah.
17:16:10 <elmiko> lol
17:16:18 <hyakuhei> Ok yes, go forth and +1 if you feel these are good candidates.
17:16:30 <hyakuhei> #topic Bandit
17:16:32 <tmcpeak> ;)
17:16:34 <hyakuhei> What’s the latest chaps ?
17:16:46 <tmcpeak> just put up a review for a new test yesterday
17:16:57 <tmcpeak> seems like paramiko runs commands directly on the shell
17:17:11 <tmcpeak> so added a test for that
17:17:17 <bknudson> bandit is running on keystoneclient: https://review.openstack.org/#/c/134700/
17:17:25 <tmcpeak> sigmavirus24: has a big change for proper plugins that I believe is almost done
17:17:42 <tmcpeak> then we'll push a new version to PyPI
17:17:45 <tmcpeak> bknudson: awesome!!
17:17:51 <bknudson> I'm going to ask to make it voting at next keystone meeting
17:17:56 <michaelxin> I talked with our private cloud team and recommended them use bandit too.
17:18:02 <Daviey> i got my first bandit fix in this week, fun issue. wasn't what the bug reported it to be - https://review.openstack.org/#/c/190704/
17:18:11 <hyakuhei> Any movement on the multi-threaded stuff?
17:18:15 <tmcpeak> bknudson: double awesome!
17:18:36 <tmcpeak> oh yeah, Daviey: that was a good catch
17:18:50 <Daviey> ta
17:18:53 <bknudson> I need to look into an issue with keystoneclient bandit... jobs are failing for no reason -- https://review.openstack.org/#/c/191653/
17:18:54 <tmcpeak> hyakuhei: no, sigmavirus24 I think is doing most of the stuff in his spare time, so it's a little slow
17:19:05 <hyakuhei> Welcome Daviey! Thanks for the fix
17:19:49 <nkinder> bknudson: hmm, strange - "ERROR: unknown environment 'bandit'"
17:20:03 <tmcpeak> ruhroh
17:20:37 <bknudson> y, I don't get it. Might have to ask on infra
17:20:54 <bknudson> after the meeting
17:21:07 <tmcpeak> bknudson: I'll be curious
17:21:56 <tmcpeak> sorry, quick sneak back to meetup
17:22:10 <tmcpeak> when are we finalizing dates? I might have to move some stuff in personal schedule to accomodate one of those weeks
17:22:33 <dg_> +1
17:22:54 <hyakuhei> Lets try to get it locked in by next week
17:23:00 <tmcpeak> ok cool
17:23:01 <hyakuhei> by the Security meeting next week
17:23:10 <bknudson> I didn't put my name on any dates since they all work for me.
17:23:55 <tmcpeak> cool, sorry to derail :)
17:24:26 <hyakuhei> no worries
17:24:32 <hyakuhei> sicarie: you around to talk docs?
17:24:38 <sicarie> Sure
17:24:46 <hyakuhei> #topic docs
17:25:07 <sicarie> We're moving towards the migration from docbook to RST - we're going to submit the bp as soon as we determine where we should put it
17:25:23 <nkinder> s/bp/spec/
17:25:31 <sicarie> +1 thanks nkinder
17:25:36 <elmiko> i like the idea of a sec-group repo
17:25:39 <hyakuhei> Wonderful. Docbook is so horrible.
17:25:51 <elmiko> (for specs that is)
17:25:52 <nkinder> We had a few proposals we discussed
17:26:09 <nkinder> create security-specs, or use doc-specs
17:26:25 <elmiko> yea, i'm on the fence about that one
17:26:31 <nkinder> for the security guide, using doc-specs seems like it would be a good idea if the rest of the doc folks are OK with it
17:26:38 <hyakuhei> Bandit will need specs soon
17:26:38 <sicarie> I'd personally prefer to create security-specs as the doc team doesn't claim us :(
17:26:44 <nkinder> mainly so we can make sure we do things in a consistent way with the other docs
17:26:47 <tmcpeak> hyakuhei: +1
17:26:51 <Daviey> Just to check, there aren't any sections wanted / gaps - blueprints open at the moment, just a case studies one?
17:27:04 <elmiko> hyakuhei: and anchor too?
17:27:06 <hyakuhei> sicarie: has a low-hanging fruit bug open I think ?
17:27:21 <sicarie> Open sec-guide bugs are: #link https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide
17:27:30 <sicarie> No specs are in for any of them
17:27:30 <hyakuhei> It certainly needs a better way to manage proposals too
17:27:49 <nkinder> elmiko: I actually think anchor should be totally separate (it's really looking to be it's own project)
17:27:49 <sicarie> I'd be very interested in creating a spec for both case studies and the compute chapter
17:28:02 <elmiko> if doc team truly doesn't claim sec-guide, then i'm all for using a security-group repo for the specs. otherwise...
17:28:09 <elmiko> nkinder: ack
17:28:10 <nkinder> sicarie: I'm ok with that
17:28:20 <nkinder> we can always ask other doc folks to review our stuff too
17:28:21 <hyakuhei> Bandit and Anchor are both built _for_ OpenStack, they just don’t tightly couple to it
17:28:41 <sicarie> nkinder: the doc team is great about reviewing and supporting, but they do make a point to note we don't live in their repo
17:28:49 <bknudson> There are openstack-specific checks in bandit
17:29:07 <hyakuhei> There are OpenStack-specific validators and authentication plugins in Anchor
17:29:08 <elmiko> sicarie: then yea, somewhere in a sec-repo would be cool.
17:29:10 <bknudson> if it's pluggable we could move those to an openstack-specific lib
17:29:25 <nkinder> I see Anchor as an operator exposed thing though, where bandit is a security tool designed for CI of OpenStack (though usable for more)
17:30:33 <hyakuhei> I’m not sure it’s something to get hung up on either way tbh. We’ve got real work to do :)
17:30:42 <sicarie> and on that note
17:30:50 <sicarie> Case study etherpad: https://etherpad.openstack.org/p/sec-guide-case-studies
17:31:03 <hyakuhei> Ah yes :)
17:31:06 <sicarie> Please take a look, we have one in-review now
17:31:23 <sicarie> a few more that need to be validated/refactored for Alice, and then all of Bob's need to be reviewed
17:31:43 <sicarie> And then the hypervisor chapter has been moved into the Compute chapter
17:31:53 <sicarie> and my thoughts on what else should go in there are: #link https://etherpad.openstack.org/p/secguide-compute
17:32:18 <sicarie> and thanks to Daviey for his input on the in-process case study!
17:32:39 <hyakuhei> Great, it’d be good to get some more input for sicarie
17:32:58 <shelleea> I'll take a look at some of the Case Studies today/tomorrow
17:33:00 <hyakuhei> nkinder: How’re the OSSNs looking?
17:33:07 <hyakuhei> Thanks shelleea
17:33:14 <nkinder> we have a bit of a backlog of low-hanging issues
17:33:42 <michaelxin> sicarie: good job
17:33:43 <nkinder> Some are blocked (we want a recommendation or pending patch first for instance)
17:33:45 <elmiko> i just started tackling 0049, the ironic password/token thing
17:33:48 <hyakuhei> Eeep I think I might have one of them assigned to me!
17:33:57 <nkinder> elmiko: cool.  I noticed you updated the page to take one
17:34:17 <nkinder> I will grab one of the keystone ones in the next week
17:34:25 <elmiko> nkinder: hopefully i'll have a first draft up tomorrow. it's pretty straight-forward. i'm just trying to create some examples of the output.
17:34:41 <hyakuhei> There’s a couple of things in the VMT pipeline that will end up as OSSN too I think
17:34:45 <nkinder> elmiko: great
17:34:57 <michaelxin> elmiko: +1
17:35:37 <hyakuhei> Cool, so I think that’s all I had for today…
17:36:10 <tmcpeak> cool, sounds good
17:36:29 <hyakuhei> Make sure you update the mid-cycle etherpad if you want to be able to go
17:36:34 <hyakuhei> Have a great week all!
17:36:37 <nkinder> thanks!
17:36:38 <tmcpeak> later!
17:36:41 <michaelxin> thanks.
17:36:44 <elmiko> thanks hyakuhei
17:36:44 <hyakuhei> #endmeeting