17:00:50 <hyakuhei> #startmeeting Security
17:00:55 <openstack> Meeting started Thu Nov  5 17:00:50 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:57 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:59 <openstack> The meeting name has been set to 'security'
17:01:24 <bknudson> hi
17:01:27 <hyakuhei> o/
17:02:02 <hyakuhei> busy room!
17:02:16 <dstanek> hi!
17:02:22 <redrobot> o/
17:02:22 <hyakuhei> #link https://etherpad.openstack.org/p/security-20151105-agenda
17:02:24 <hyakuhei> ^ agenda
17:02:31 <hyakuhei> hi dstanek redrobot !
17:02:40 * redrobot waves at hyakuhei
17:03:39 <hyakuhei> So we’ll give people a minute or two,
17:03:46 <tkelsey> o/
17:03:49 <browne> o/
17:03:55 <hyakuhei> oh good dg_ is here redrobot you guys can talk killick :P
17:04:07 <dg_> hey guys
17:04:10 <redrobot> hi dg_
17:05:08 <tmcpeak> o/
17:05:09 <hyakuhei> netsplit…
17:05:27 <tkelsey> fun :(
17:05:34 <redrobot> womp womp
17:05:52 <hyakuhei> I think we’ve still got most people here
17:06:04 <hyakuhei> agenda link https://etherpad.openstack.org/p/security-20151105-agenda
17:06:13 <hyakuhei> #topic summit roundup
17:06:34 <hyakuhei> So it was a good conference and design summit but it was all a bit compressed imho - thoughts?
17:06:50 <tkelsey> hyakuhei:  +1
17:06:55 <hyakuhei> #chair tmcpeak
17:06:56 <openstack> Current chairs: hyakuhei tmcpeak
17:06:56 <tkelsey> lots of first timers as well
17:07:07 <hyakuhei> Yeah around 50% I heard
17:07:27 <hyakuhei> I’m pleased with security’s contribution
17:07:30 <tkelsey> thats a good thing in many ways, but can be a problem for in-depth stuff
17:07:42 <tkelsey> hyakuhei: +1 yup
17:07:45 <hyakuhei> next summit I’m pushing for some slots on cross-project and a few more workrooms too
17:07:48 <bknudson> I wish I could have gotten to more security talks but I was busy with keystone and oslo stuff, too.
17:08:04 <hyakuhei> bknudson: I know what you mean, though they’re all up on youtube now
17:08:10 <hyakuhei> Apart from that guy who didn’t turn up
17:08:31 <bknudson> y, I can watch the presentations... not sure if there were a bunch of work sessions I missed.
17:08:32 <hyakuhei> Thankfully they didn’t film me improving that bit
17:08:36 <tkelsey> hyakuhei did an impromptu talk. it was awesome
17:08:39 <hyakuhei> lol
17:08:48 <hyakuhei> Awesome it was not, impromptu it was
17:08:57 <tkelsey> ;)
17:09:14 <hyakuhei> elmiko is on vacation this week but we have some interesting things to discuss around that on-cloud auth framework
17:09:21 <hyakuhei> and the instance user stuff
17:09:40 <bknudson> that's the one I should have been at. :(
17:10:06 <hyakuhei> So any feedback on our presence at the summit? The overall feedback I got was that more developers need to know about us and what we do
17:10:53 <tkelsey> hyakuhei, I would agree with that
17:10:54 <tmcpeak> any general direction of how we should try to do that?
17:11:01 <bknudson> the developer summit was separated from the conference so it was hard to get to the presentation
17:11:06 <hyakuhei> #topic increasing visibility
17:11:07 <tmcpeak> we have our outreach, but it seems like we might have to be at more openstack targetted events too?
17:11:07 <hyakuhei> bknudson: +1
17:11:26 <hyakuhei> One possibility is gatecrashing the other projects IRC meetings
17:11:28 <bknudson> plus there were work sessions all the time.
17:11:43 <tmcpeak> hyakuhei: that's a good idea
17:11:50 <hyakuhei> I was thinking we can aim to drop something in during their AOB sections in the agenda
17:11:53 <tmcpeak> grab an intro to security team slot for each project?
17:11:57 <hyakuhei> yeah
17:12:00 <tmcpeak> cool, I like it
17:12:05 <hyakuhei> We can boilerplate some talking points
17:12:14 <tmcpeak> ok cool, and chop up the meetings
17:12:14 <tkelsey> bandit adoption :)
17:12:15 <hyakuhei> FAQ style
17:12:31 <hyakuhei> tkelsey: yes, we should be more aggressive with this now
17:12:35 <hyakuhei> (bandit)
17:12:43 <tkelsey> agreed
17:12:59 <tmcpeak> seems like we've got some good traction with oslo
17:13:00 <tmcpeak> that's awesome
17:13:13 <hyakuhei> Great
17:13:16 <tkelsey> tmcpeak: is that around the auto gen conf stuff?
17:13:32 <tmcpeak> yeah, but Cyril in general seems to be really going to get Bandit integrated with the OSLO properties
17:13:39 <tkelsey> sorry, we can talk about that in the bandit section :) dont want to derail
17:14:25 <hyakuhei> No that’s fine
17:14:31 <hyakuhei> ok so, just have a think
17:14:41 <hyakuhei> especially guys who wear multiple hats like bknudson redrobot etc
17:14:55 <hyakuhei> how can (should) the security project better serve your project
17:15:00 <tmcpeak> +1
17:15:05 <tkelsey> sounds good
17:15:16 <hyakuhei> irc, email feedback etc all welcome
17:15:21 <tmcpeak> btw did you guys do the flyers ?
17:15:42 <hyakuhei> Yeah!
17:15:49 <tmcpeak> awesome, how'd they come out?
17:15:53 <hyakuhei> They looked great thanks to Michael
17:16:05 <tmcpeak> sweet, great work michaelxin
17:16:12 <tkelsey> yup, they were very cool
17:16:31 <hyakuhei> yeah I basically forced them on people, put them on all the design session tables, all through the dinner hall etc
17:16:50 <hyakuhei> We should do something similar at the next summit
17:16:56 <dg_> stickers
17:16:58 <tmcpeak> guerrilla marketing status
17:17:00 <hyakuhei> Any more thoughts on visibility before we move forward
17:17:02 <hyakuhei> dg_: and T's
17:17:08 <tkelsey> quick check, anyone lurking here because of flyer?
17:17:13 <hyakuhei> Basically we need security project swag
17:17:24 <tmcpeak> we should be able to bang something up pretty easy
17:17:28 <hyakuhei> Yeah
17:17:30 <tkelsey> hyakuhei: +100 for swag
17:17:35 <tmcpeak> seems like michaelxin already has good graphics and stuff
17:17:39 <hyakuhei> michaelxin seems to have a friendly graphics person
17:17:43 <hyakuhei> heh +1
17:17:51 <hyakuhei> ok, lets roll onto the next topic
17:17:56 <hyakuhei> #topic ML sunsetting
17:18:02 <tmcpeak> :(
17:18:06 <hyakuhei> As you all know we should use openstack-dev for everything
17:18:20 <hyakuhei> we are going to move openstack-security to being a notification list
17:18:20 <tmcpeak> I for one dislike the ML workflow
17:18:34 <hyakuhei> so bugs etc will land there but you won’t be able to post to it
17:19:01 <tmcpeak> hyakuhei have you figured out a sane way of using Outlook with it?
17:19:06 <hyakuhei> fungi knows the magics that are required, I’ve been through the mailing list manager thing but couldn’t work it out nicely
17:19:12 <hyakuhei> tmcpeak: basically no
17:19:17 <tmcpeak> hah, o
17:19:17 <tmcpeak> k
17:19:22 <hyakuhei> try not to top-post, try to keep line length in check
17:19:29 <bknudson> sounds good to me.
17:19:45 <hyakuhei> but everyone is pretty accepting of messy ML lists because so many people use outlook etc
17:19:48 <tmcpeak> my neck-beard level isn't high enough to proficiently use ML
17:19:59 <hyakuhei> mutt ftw
17:20:05 <hyakuhei> but I don’t use mutt
17:20:16 <hyakuhei> ok, bandit?
17:20:19 <tmcpeak> sure
17:20:25 <hyakuhei> #topic bandit
17:20:27 <fungi> ahh, right, i need to sync up with you on the ml changes
17:20:27 <fungi> thanks for the reminder
17:20:42 <tmcpeak> so tkelsey and I are really pushing baseline feature hard
17:20:49 <tmcpeak> we've got an initial version which works for a gate
17:21:12 <tmcpeak> so basically we can introduce voting gate jobs that will check against the last commit and if you're adding something Bandit doesn't like it will fail
17:21:30 <tmcpeak> this is something we're doing internally now but once it's stable we'll try to get them rolling in upstream project gates also
17:21:50 * hyakuhei needs to step out for 4-5 minutes, tmcpeak can you keep the meeting moving along
17:21:50 <tkelsey> effectively its a delta check
17:21:55 <tmcpeak> yep, will do
17:21:57 <tmcpeak> hyakuhei
17:22:06 <tmcpeak> so we pushed 0.15.1 recently
17:22:12 <tmcpeak> actually 0.15.2
17:22:30 <tmcpeak> we're iterating a little faster than normal because we're rolling out internal gates
17:22:41 <tmcpeak> the upshot is that this work should be contributed upstream fairly soon too
17:22:45 <tmcpeak> so security wins for everybody
17:22:56 <tmcpeak> tkelsey: you have anything to add?
17:23:04 <tmcpeak> can you summarize action items from Tokyo for Bandit?
17:23:15 <tkelsey> I can, one sec and i'll link the pad
17:23:50 <tkelsey> so, i wanted to cover some future looking stuff, but it turned into a 101 really
17:23:51 <tkelsey> https://etherpad.openstack.org/p/security-mitaka-worksession-bandit
17:24:22 <browne> tkelsey: yeah about 30 min went to 101, ha
17:24:22 <tkelsey> however, we had good attendance and plenty of interest
17:24:38 <tkelsey> heh browne yup
17:24:53 <tmcpeak> cool, what are top priority action items?
17:24:57 <tkelsey> a bit of a shame, but with so many first timers at the summit I guess it's to be expected
17:25:04 <tkelsey> the turn out was a good sign in general though
17:25:18 <tkelsey> the config file stuff came up a lot
17:25:18 <browne> i think the highest priority is the bandit.yaml impact on other projects.  this continues to come up over and over
17:25:27 <tkelsey> browne: +1
17:25:28 <tmcpeak> I don't see that as a shame at all
17:25:28 <tkelsey> yup
17:25:32 <tmcpeak> new users is awesome
17:25:49 <tkelsey> tmcpeak: they are, but it was supposed to be a design session
17:26:03 <tkelsey> we didn't get to actually talk over any design stuff lol
17:26:07 <tmcpeak> ahh fair enough.  Wasn't it only you two though?
17:26:10 <tmcpeak> oh you three
17:26:15 <tmcpeak> you, browne, bknudson
17:26:33 <tmcpeak> at any rate… config seems to be throwing people for a loop
17:26:51 <tkelsey> yeah, we need to get that fixed up in a sane way
17:26:54 <tmcpeak> Cyril has a tool that will help generate configs, but it seems we need to fix up our config situation sooner than later
17:26:58 <tmcpeak> certainly before 1.0
17:27:09 <tkelsey> also some more automatic tooling around releases was discussed
17:27:46 <tmcpeak> you guys think we'll get new developers, users, or both?
17:27:47 <tkelsey> bandit running on adopted projects in its own gate and using the baseline stuff to check for new issues etc
17:27:47 <bknudson> next time maybe try to get a regular conference presentation or cross-project on bandit
17:27:55 <browne> i like the baby step of just providing a command line option to specify plugins on the command line instead of creating a profile
17:27:58 <tmcpeak> we could use some new active developers...
17:28:07 <tkelsey> browne: +1
17:28:27 <tmcpeak> it could be nice to offer both options
17:28:38 <tmcpeak> if folks want to generate a config that's fine
17:28:41 <browne> tmcpeak:  yep you could do both
17:28:42 <tkelsey> there was talk of renaming/aliasing the tests with an easy to handle ID, the way hacking/flake8 do
17:28:54 <tmcpeak> honestly.. we used to have the "exclude" feature from profiles which seems like it is what people want, but I think we got rid of it
17:29:06 <bknudson> I don't know if it's going to work on upgrade to use the config generator. It was a lot of work for me before on the last upgrade.
17:29:06 <tmcpeak> oh yeah, we should definitely do that
17:29:13 <bknudson> I couldn't have used the config generator for it.
17:29:19 <tmcpeak> bknudson: how come?
17:29:23 <bknudson> well, maybe... I'll think about it.
17:29:27 <tmcpeak> ok cool
17:29:29 <bknudson> I'd have to exclude all the new tests initially
17:29:30 <tkelsey> bknudson: what are you concerns ?
17:29:31 <tmcpeak> we shouldn't rathole on Bandit anyway
17:29:42 <tmcpeak> let's move along, we can synch up in #openstack-security later
17:29:44 <tmcpeak> sound good?
17:29:56 <tkelsey> ok bknudson lets take it to the sec room later
17:30:00 <tmcpeak> #topic Anchor
17:30:03 <tmcpeak> roll it
17:30:32 <tkelsey> not much to report on anchor, some validators for CA roles have been made non-optional
17:30:57 <tmcpeak> mhayden you around?
17:30:59 <tkelsey> we reviewed a bunch of patches in Tokyo, just trying to recall
17:31:34 <tmcpeak> seems like mhayden's suggestion on ML for a simple CA deployment made a lot of sense and had nice Anchor tie-ins
17:32:33 * mhayden is here now
17:32:44 <mhayden> this utc business got me this week
17:32:45 <tmcpeak> mhayden: want to describe what you did on ML?
17:32:48 <tmcpeak> yeah same here
17:33:09 <mhayden> wait, what did i do on the ML? ;)
17:33:30 <tmcpeak> you were discussing an out of the box simple CA
17:33:49 <mhayden> right right
17:34:04 <tmcpeak> that was interesting and is worth a few minutes to synch up on IRC I think
17:34:10 <tmcpeak> #topic mhayden's idea
17:34:14 <mhayden> long story short, openstack-ansible generates different self-signed certs for various services
17:34:21 <mhayden> if a user doesn't provide their own
17:34:35 <mhayden> one of the ideas is to make a CA for the user (by default) and issue certs off that CA
17:34:45 <mhayden> a user could provide their CA as well and we could issue certs off that
17:34:54 * hyakuhei tunes back in.
17:35:02 <mhayden> it came up when i tried to configure rsyslog tls logging and realized that cert trust is req'd by rsyslog
17:35:08 <tmcpeak> so the current behavior, I assume, is that the auto-generated self signed certs are not trusted, right?
17:35:12 <hyakuhei> oh yeah so I replied to that thread :)
17:35:29 <tmcpeak> hyakuhei: figured it's worth a few minutes to synch on this in real time
17:35:36 <hyakuhei> for sure, good call
17:35:46 <mhayden> getting a CA together would make things easier and could allow us to remove a bunch of silly repetitive code within osa
17:35:50 <hyakuhei> So anchor just gives you a nice way to do localized certificates
17:36:03 <hyakuhei> you can have it use its own root or provide it one
17:36:13 <mhayden> that might be good
17:36:15 <tmcpeak> that sounds like it might be what we want for this use case, yeah mhayden?
17:36:23 <hyakuhei> write “validators” so it only gives out certificates of a certain type or to certain entities
17:36:24 <tmcpeak> that or something like that
17:36:27 <mhayden> someone suggested IPA (with dogtag) but that seems ultra-heavy
17:36:32 <hyakuhei> hah
17:36:40 <hyakuhei> ^ That’s why Anchor is a thing
17:36:57 * mhayden woots
17:37:00 <hyakuhei> Biggest thing is that anchor uses passive revocation
17:37:06 <hyakuhei> because actual revocation doesn’t work
17:37:15 <hyakuhei> so generally issues certificates for short-lifetimes
17:37:28 <hyakuhei> mhayden: I’d be very happy to work with you on using anchor for this
17:37:29 <tmcpeak> mhayden: what do you need to go forward with this?
17:37:32 <hyakuhei> so would tkelsey :)
17:37:35 <mhayden> in this particular scenario, revocation isn't critical
17:37:35 <tmcpeak> Ansible playbook to set it up?
17:37:45 <tkelsey> mhayden: yup yup
17:37:55 <tkelsey> also #link https://www.youtube.com/watch?v=Q_ZhrQq-_YM
17:38:02 <mhayden> tmcpeak: essentially -- if we deployed anchor in a container and used it to issue certs, that might be good
17:38:05 <tkelsey> for anchor/passive rev background
17:38:06 <tmcpeak> ^ if that's a rick-roll I'm going to be upset
17:38:16 <tkelsey> lol tmcpeak
17:38:27 <tmcpeak> mhayden: I think hyakuhei et. al already have Anchor set up in a container
17:38:41 <mhayden> never gonna give you up
17:38:45 <tmcpeak> :P
17:38:46 <tkelsey> hyakuhei has a docker conf for it i think
17:38:54 <hyakuhei> yeah
17:39:06 <dg_> yeh, and i think there is a vagrant build for it too, although that may now be broken
17:39:15 <tmcpeak> so it sounds like we have most of the pieces to get this working now
17:39:20 <tmcpeak> what's the best way to get it done?
17:39:23 <dg_> the vagrant one may be relevant, because thats built with ansible
17:39:31 <hyakuhei> http://git.openstack.org/cgit/openstack/anchor/tree/README.md
17:39:32 <tmcpeak> tkelsey/hyakuhei want to synch with mhayden offline and JFDI?
17:39:37 <tkelsey> dg_: +1
17:39:39 <hyakuhei> sure thing tmcpeak
17:39:43 <tmcpeak> sweet!
17:39:58 <tkelsey> hyakuhei mhayden yup yup
17:40:00 <mhayden> are there some good docs on making a simple ca with anchor?
17:40:11 <tkelsey> the readme is quite good
17:40:44 <tkelsey> #link https://github.com/openstack/anchor
17:40:47 <hyakuhei> mhayden: It’s pretty trivial, it’s just a pecan service, the readme should cover it, if it doesn’t join up then we can help
17:41:03 <tkelsey> and also improve our readme lol
17:41:04 <mhayden> alrighty
17:41:18 <tmcpeak> mhayden so from your perspective it would just be a playbook to deploy anchor and then get certs for the whatever is necessary?
17:41:39 <tmcpeak> *for whatever is necessary
17:42:39 <dg_> tmcpeak thats what i would expect
17:42:46 <tmcpeak> sweet
17:42:56 <tmcpeak> mhayden: I suspect Anchor will work well for this
17:43:11 <tmcpeak> but dg_, tkelsey, and hyakuhei can help with whatever
17:43:16 <tmcpeak> would be a cool use for Anchor IMO
17:43:19 <dg_> +1 happy to help out
17:43:48 <tmcpeak> alright moving along
17:43:51 <tmcpeak> #topic Sec-Guide
17:43:55 <tmcpeak> sicarie: whatup
17:44:15 <tmcpeak> ;) no sicarie
17:44:22 <tmcpeak> time shift got him it seems
17:44:36 <tmcpeak> I predict sicarie in 10, 9, 8
17:44:41 <hyakuhei> Yeah, it gets a few people
17:44:59 <mhayden> tmcpeak: yes, step 1 would be to get it deployed in a container w/ansible
17:45:14 <tmcpeak> mhayden: ok cool, let us know how to help
17:45:28 <tmcpeak> no sicarie it seems
17:45:33 <hyakuhei> Cool, so we have a Dockerfile for it, actually two depending on how often you want to rebuild i.e devving
17:45:38 <hyakuhei> It’s all in the Readme :)
17:45:58 <tmcpeak> tada
17:46:04 <tmcpeak> sicarie: sec guide update?
17:46:08 <sicarie> Nope
17:46:14 <hyakuhei> lawl
17:46:16 <sicarie> Waiting on some merges
17:46:20 <sicarie> final +2's
17:46:31 <hyakuhei> sicarie: I’ll take a look tonight
17:46:39 <sicarie> Trying to get it set so I can build pdf (probably through sphinx) and push to lulu
17:46:48 <tmcpeak> sell some berks?
17:47:18 <hyakuhei> sicarie: that would be good
17:47:40 <tmcpeak> alright if nothing else we'll move to recruiting
17:48:13 <tmcpeak> aight
17:48:17 <tmcpeak> #topic Security Recruiting
17:48:30 <tmcpeak> I'm sure not much has happened here bc of summit fun and all that
17:48:31 <tmcpeak> but...
17:48:35 <tmcpeak> let's get this rolling
17:48:45 <tmcpeak> hyakuhei, dg_ can you guys try to slot some stuff this week?
17:48:47 <sicarie> I think I'm planned for something about a month from now
17:48:52 <dg_> what now?
17:48:56 <tmcpeak> recruiting
17:49:09 <tmcpeak> ideally one security meetup, one openstack meetup, one college meetup
17:49:24 <dg_> hyakuhei we could get a poster at discover...
17:49:24 <hyakuhei> Sure, we can try to find some
17:49:28 <tmcpeak> browne: I'll be back in the bay in a month so I'm going to start trying to book events for us, seems reasonable?
17:49:33 <hyakuhei> do you have an etherpad or something for tracking?
17:49:45 <tmcpeak> #link https://etherpad.openstack.org/p/security-project-recruiting
17:50:16 <tmcpeak> bknudson: you set anything up?
17:50:40 <redrobot_mobile> There's a security meetup  here in SA I could probably do some recruiting at.
17:50:49 <tmcpeak> redrobot_mobile: that would be awesome!
17:50:55 <tmcpeak> I think michaelxin was looking at doing some as well
17:51:03 <tmcpeak> you guys could team up or divide and conquer
17:51:06 <tmcpeak> either way is good
17:51:26 <bknudson> tmcpeak: nope, need to get in touch with organizer of the meetup
17:51:33 <tmcpeak> ok cool
17:51:56 <redrobot_mobile> I'll ping michaelxin about tag teaming in SA.
17:51:57 <tmcpeak> here's the deck link again: https://docs.google.com/presentation/d/13GG47EdoQCBEGqMe7ji_UzfO9okMTLgbnK5_UpoaXYA/edit?usp=sharing
17:52:20 <tmcpeak> I do really want to get these moving, so I'm going to set some up in the bay
17:53:05 <tmcpeak> alright, anyhow
17:53:07 <tmcpeak> #topic AOB
17:53:20 <hyakuhei> Trying to put together a mid-cycle with Barbican
17:53:32 <tmcpeak> ahh cool
17:53:35 <hyakuhei> redrobot: Do you remember the proposed date?
17:53:37 <tmcpeak> security + Barbican?
17:53:39 <hyakuhei> Yeah
17:53:43 <tmcpeak> that would be cool
17:53:58 <redrobot_mobile> The week before mitaka-2
17:53:59 <hyakuhei> Mon-Tues->Weds Barbican. Weds->Thurs->Fri Security
17:54:03 <hyakuhei> or other way around etc
17:54:39 <redrobot_mobile> Jan 11-15
17:54:39 <tmcpeak> which date?
17:54:43 <tmcpeak> ahh cool
17:55:00 <dg_> that would be cool
17:55:02 <tmcpeak> how should we get that going?
17:55:39 <redrobot_mobile> I'm currently looking into funding for my team. We have a bunch of options for location.
17:56:11 <tmcpeak> hyakuhei: time to get the etherpad started for it then?
17:56:18 <hyakuhei> Yeah, I’ve been chatting with redrobot_mobile about it
17:56:29 <redrobot_mobile> hyakuhei 's preference would be the APL in Laurel, MD
17:56:30 <tmcpeak> ok cool
17:56:47 <tmcpeak> wut
17:56:50 <hyakuhei> tmcpeak: Yeah I don’t see why not, get people to start thinking about the date, topics etc
17:57:10 <tmcpeak> Laurel, MD?
17:57:21 <redrobot_mobile> Another option would be Seattle
17:57:28 <tmcpeak> seems reasonable ;)
17:57:48 <dg_> +1 for Laurel
17:57:51 <tmcpeak> can't recommend Maryland in the winter
17:58:28 <hyakuhei> Yeah so we’re working through the options :)
17:58:50 <tmcpeak> alright cool, at any rate that should be fun
17:58:53 <hyakuhei> I think that’s about time, I’ll put an etherpad up and follow up on docs for sicarie and anchor for mhayden
17:58:57 <tmcpeak> sweet
17:59:03 <hyakuhei> Cheers all!
17:59:09 <tmcpeak> have a good week everybody
17:59:11 <hyakuhei> #endmeeting