17:00:50 #startmeeting Security
17:00:55 Meeting started Thu Nov 5 17:00:50 2015 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:57 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:59 The meeting name has been set to 'security'
17:01:24 hi
17:01:27 o/
17:02:02 busy room!
17:02:16 hi!
17:02:22 o/
17:02:22 #link https://etherpad.openstack.org/p/security-20151105-agenda
17:02:24 ^ agenda
17:02:31 hi dstanek redrobot !
17:02:40 * redrobot waves at hyakuhei
17:03:39 So we’ll give people a minute or two,
17:03:46 o/
17:03:49 o/
17:03:55 oh good dg_ is here redrobot you guys can talk killick :P
17:04:07 hey guys
17:04:10 hi dg_
17:05:08 o/
17:05:09 netsplit…
17:05:27 fun :(
17:05:34 womp womp
17:05:52 I think we’ve still got most people here
17:06:04 agenda link https://etherpad.openstack.org/p/security-20151105-agenda
17:06:13 #topic summit roundup
17:06:34 So it was a good conference and design summit but it was all a bit compressed imho - thoughts?
17:06:50 hyakuhei: +1
17:06:55 #chair tmcpeak
17:06:56 Current chairs: hyakuhei tmcpeak
17:06:56 lots of first timers as well
17:07:07 Yeah around 50% I heard
17:07:27 I’m pleased with security’s contribution
17:07:30 that's a good thing in many ways, but can be a problem for in-depth stuff
17:07:42 hyakuhei: +1 yup
17:07:45 next summit I’m pushing for some slots on cross-project and a few more workrooms too
17:07:48 I wish I could have gotten to more security talks but I was busy with keystone and oslo stuff, too.
17:08:04 bknudson: I know what you mean, though they’re all up on youtube now
17:08:10 Apart from that guy who didn’t turn up
17:08:31 y, I can watch the presentations... not sure if there were a bunch of work sessions I missed.
17:08:32 Thankfully they didn’t film me improvising that bit
17:08:36 hyakuhei did an impromptu talk. it was awesome
17:08:39 lol
17:08:48 Awesome it was not, impromptu it was
17:08:57 ;)
17:09:14 elmiko is on vacation this week but we have some interesting things to discuss around that on-cloud auth framework
17:09:21 and the instance user stuff
17:09:40 that's the one I should have been at. :(
17:10:06 So any feedback on our presence at the summit? The overall feedback I got was that more developers need to know about us and what we do
17:10:53 hyakuhei, I would agree with that
17:10:54 any general direction of how we should try to do that?
17:11:01 the developer summit was separated from the conference so it was hard to get to the presentation
17:11:06 #topic increasing visibility
17:11:07 we have our outreach, but it seems like we might have to be at more openstack targeted events too?
17:11:07 bknudson: +1
17:11:26 One possibility is gatecrashing the other projects' IRC meetings
17:11:28 plus there were work sessions all the time.
17:11:43 hyakuhei: that's a good idea
17:11:50 I was thinking we can aim to drop something in during their AOB sections in the agenda
17:11:53 grab an intro to security team slot for each project?
17:11:57 yeah
17:12:00 cool, I like it
17:12:05 We can boilerplate some talking points
17:12:14 ok cool, and chop up the meetings
17:12:14 bandit adoption :)
17:12:15 FAQ style
17:12:31 tkelsey: yes, we should be more aggressive with this now
17:12:35 (bandit)
17:12:43 agreed
17:12:59 seems like we've got some good traction with oslo
17:13:00 that's awesome
17:13:13 Great
17:13:16 tmcpeak: is that around the auto gen conf stuff?
17:13:32 yeah, but Cyril in general seems to be really going to get Bandit integrated with the OSLO properties
17:13:39 sorry, we can talk about that in the bandit section :) don't want to derail
17:14:25 No that’s fine
17:14:31 ok so, just have a think
17:14:41 especially guys who wear multiple hats like bknudson redrobot etc
17:14:55 how can (should) the security project better serve your project
17:15:00 +1
17:15:05 sounds good
17:15:16 irc, email feedback etc all welcome
17:15:21 btw did you guys do the flyers ?
17:15:42 Yeah!
17:15:49 awesome, how'd they come out?
17:15:53 They looked great thanks to Michael
17:16:05 sweet, great work michaelxin
17:16:12 yup, they were very cool
17:16:31 yeah I basically forced them on people, put them on all the design session tables, all through the dinner hall etc
17:16:50 We should do something similar at the next summit
17:16:56 stickers
17:16:58 guerrilla marketing status
17:17:00 Any more thoughts on visibility before we move forward
17:17:02 dg_: and T's
17:17:08 quick check, anyone lurking here because of flyer?
17:17:13 Basically we need security project swag
17:17:24 we should be able to bang something up pretty easy
17:17:28 Yeah
17:17:30 hyakuhei: +100 for swag
17:17:35 seems like michaelxin already has good graphics and stuff
17:17:39 michaelxin seems to have a friendly graphics person
17:17:43 heh +1
17:17:51 ok, let's roll onto the next topic
17:17:56 #topic ML sunsetting
17:18:02 :(
17:18:06 As you all know we should use openstack-dev for everything
17:18:20 we are going to move openstack-security to being a notification list
17:18:20 I for one dislike the ML workflow
17:18:34 so bugs etc will land there but you won’t be able to post to it
17:19:01 hyakuhei have you figured out a sane way of using Outlook with it?
17:19:06 fungi knows the magics that are required, I’ve been through the mailing list manager thing but couldn’t work it out nicely
17:19:12 tmcpeak: basically no
17:19:17 hah, o
17:19:17 k
17:19:22 try not to top-post, try to keep line length in check
17:19:29 sounds good to me.
17:19:45 but everyone is pretty accepting of messy ML lists because so many people use outlook etc
17:19:48 my neck-beard level isn't high enough to proficiently use ML
17:19:59 mutt ftw
17:20:05 but I don’t use mutt
17:20:16 ok, bandit?
17:20:19 sure
17:20:25 #topic bandit
17:20:27 ahh, right, i need to sync up with you on the ml changes
17:20:27 thanks for the reminder
17:20:42 so tkelsey and I are really pushing baseline feature hard
17:20:49 we've got an initial version which works for a gate
17:21:12 so basically we can introduce voting gate jobs that will check against the last commit and if you're adding something Bandit doesn't like it will fail
17:21:30 this is something we're doing internally now but once it's stable we'll try to get them rolling in upstream project gates also
17:21:50 * hyakuhei needs to step out for 4-5 minutes, tmcpeak can you keep the meeting moving along
17:21:50 effectively it's a delta check
17:21:55 yep, will do
17:21:57 hyakuhei
17:22:06 so we pushed 0.15.1 recently
17:22:12 actually 0.15.2
17:22:30 we're iterating a little faster than normal because we're rolling out internal gates
17:22:41 the upshot is that this work should be contributed upstream fairly soon too
17:22:45 so security wins for everybody
17:22:56 tkelsey: you have anything to add?
17:23:04 can you summarize action items from Tokyo for Bandit?
17:23:15 I can, one sec and i'll link the pad
17:23:50 so, i wanted to cover some future looking stuff, but it turned into a 101 really
17:23:51 https://etherpad.openstack.org/p/security-mitaka-worksession-bandit
17:24:22 tkelsey: yeah about 30 min went to 101, ha
17:24:22 however, we had good attendance and plenty of interest
17:24:38 heh browne yup
17:24:53 cool, what are top priority action items?
17:24:57 a bit of a shame, but with so many first timers at the summit I guess it's to be expected
17:25:04 the turn out was a good sign in general though
17:25:18 the config file stuff came up a lot
17:25:18 i think the highest priority is the bandit.yaml impact on other projects. this continues to come up over and over
17:25:27 browne: +1
17:25:28 I don't see that as a shame at all
17:25:28 yup
17:25:32 new users is awesome
17:25:49 tmcpeak: they are, but it was supposed to be a design session
17:26:03 we didn't get to actually talk over any design stuff lol
17:26:07 ahh fair enough. Wasn't it only you two though?
17:26:10 oh you three
17:26:15 you, browne, bknudson
17:26:33 at any rate… config seems to be throwing people for a loop
17:26:51 yeah, we need to get that fixed up in a sane way
17:26:54 Cyril has a tool that will help generate configs, but it seems we need to fix up our config situation sooner than later
17:26:58 certainly before 1.0
17:27:09 also some more automatic tooling around releases was discussed
17:27:46 you guys think we'll get new developers, users, or both?
17:27:47 bandit running on adopted projects in its own gate and using the baseline stuff to check for new issues etc
17:27:47 next time maybe try to get a regular conference presentation or cross-project on bandit
17:27:55 i like the baby step of just providing a command line option to specify plugins on the command line instead of creating a profile
17:27:58 we could use some new active developers...
17:28:07 browne: +1
17:28:27 it could be nice to offer both options
17:28:38 if folks want to generate a config that's fine
17:28:41 tmcpeak: yep you could do both
17:28:42 there was talk of renaming/aliasing the tests with an easy to handle ID, the way hacking/flake8 do
17:28:54 honestly.. we used to have the "exclude" feature from profiles which seems like it is what people want, but I think we got rid of it
17:29:06 I don't know if it's going to work on upgrade to use the config generator. It was a lot of work for me before on the last upgrade.
17:29:06 oh yeah, we should definitely do that
17:29:13 I couldn't have used the config generator for it.
17:29:19 bknudson: how come?
17:29:23 well, maybe... I'll think about it.
17:29:27 ok cool
17:29:29 I'd have to exclude all the new tests initially
17:29:30 bknudson: what are your concerns ?
17:29:31 we shouldn't rathole on Bandit anyway
17:29:42 let's move along, we can synch up in #openstack-security later
17:29:44 sound good?
17:29:56 ok bknudson let's take it to the sec room later
17:30:00 #topic Anchor
17:30:03 roll it
17:30:32 not much to report on anchor, some validators for CA roles have been made non-optional
17:30:57 mhayden you around?
17:30:59 we reviewed a bunch of patches in Tokyo, just trying to recall
17:31:34 seems like mhayden's suggestion on ML for a simple CA deployment made a lot of sense and had nice Anchor tie-ins
17:32:33 * mhayden is here now
17:32:44 this utc business got me this week
17:32:45 mhayden: want to describe what you did on ML?
17:32:48 yeah same here
17:33:09 wait, what did i do on the ML? ;)
17:33:30 you were discussing an out of the box simple CA
17:33:49 right right
17:34:04 that was interesting and is worth a few minutes to synch up on IRC I think
17:34:10 #topic mhayden's idea
17:34:14 long story short, openstack-ansible generates different self-signed certs for various services
17:34:21 if a user doesn't provide their own
17:34:35 one of the ideas is to make a CA for the user (by default) and issue certs off that CA
17:34:45 a user could provide their CA as well and we could issue certs off that
17:34:54 * hyakuhei tunes back in.
17:35:02 it came up when i tried to configure rsyslog tls logging and realized that cert trust is req'd by rsyslog
17:35:08 so the current behavior, I assume, is that the auto-generated self signed certs are not trusted, right?
17:35:12 oh yeah so I replied to that thread :)
17:35:29 hyakuhei: figured it's worth a few minutes to synch on this in real time
17:35:36 for sure, good call
17:35:46 getting a ca together would make things easier and could allow us to remove a bunch of silly repetitive code within osa
17:35:50 So anchor just gives you a nice way to do localized certificates
17:36:03 you can have it use its own root or provide it one
17:36:13 that might be good
17:36:15 that sounds like it might be what we want for this use case, yeah mhayden?
17:36:23 write “validators” so it only gives out certificates of a certain type or to certain entities
17:36:24 that or something like that
17:36:27 someone suggested IPA (with dogtag) but that seems ultra-heavy
17:36:32 hah
17:36:40 ^ That’s why Anchor is a thing
17:36:57 * mhayden woots
17:37:00 Biggest thing is that anchor uses passive revocation
17:37:06 because actual revocation doesn’t work
17:37:15 so generally issues certificates for short lifetimes
17:37:28 mhayden: I’d be very happy to work with you on using anchor for this
17:37:29 mhayden: what do you need to go forward with this?
17:37:32 so would tkelsey :)
17:37:35 in this particular scenario, revocation isn't critical
17:37:35 Ansible playbook to set it up?
17:37:45 mhayden: yup yup
17:37:55 also #link https://www.youtube.com/watch?v=Q_ZhrQq-_YM
17:38:02 tmcpeak: essentially -- if we deployed anchor in a container and used it to issue certs, that might be good
17:38:05 for anchor/passive rev background
17:38:06 ^ if that's a rick-roll I'm going to be upset
17:38:16 lol tmcpeak
17:38:27 mhayden: I think hyakuhei et al. already have Anchor set up in a container
17:38:41 never gonna give you up
17:38:45 :P
17:38:46 hyakuhei has a docker conf for it i think
17:38:54 yeah
17:39:06 yeh, and i think there is a vagrant build for it too, although that may now be broken
17:39:15 so it sounds like we have most of the pieces to get this working now
17:39:20 what's the best way to get it done?
17:39:23 the vagrant one may be relevant, because that's built with ansible
17:39:31 http://git.openstack.org/cgit/openstack/anchor/tree/README.md
17:39:32 tkelsey/hyakuhei want to synch with mhayden offline and JFDI?
17:39:37 dg_: +1
17:39:39 sure thing tmcpeak
17:39:43 sweet!
17:39:58 hyakuhei mhayden yup yup
17:40:00 are there some good docs on making a simple ca with anchor?
17:40:11 the readme is quite good
17:40:44 #link https://github.com/openstack/anchor
17:40:47 mhayden: It’s pretty trivial, it’s just a pecan service, the readme should cover it, if it doesn’t join up then we can help
17:41:03 and also improve our readme lol
17:41:04 alrighty
17:41:18 mhayden so from your perspective it would just be a playbook to deploy anchor and then get certs for the whatever is necessary?
17:41:39 *for whatever is necessary
17:42:39 tmcpeak that's what i would expect
17:42:46 sweet
17:42:56 mhayden: I suspect Anchor will work well for this
17:43:11 but dg_, tkelsey, and hyakuhei can help with whatever
17:43:16 would be a cool use for Anchor IMO
17:43:19 +1 happy to help out
17:43:48 alright moving along
17:43:51 #topic Sec-Guide
17:43:55 sicarie: whatup
17:44:15 ;) no sicarie
17:44:22 time shift got him it seems
17:44:36 I predict sicarie in 10, 9, 8
17:44:41 Yeah, it gets a few people
17:44:59 tmcpeak: yes, step 1 would be to get it deployed in a container w/ansible
17:45:14 mhayden: ok cool, let us know how to help
17:45:28 no sicarie it seems
17:45:33 Cool, so we have a Dockerfile for it, actually two depending on how often you want to rebuild i.e. devving
17:45:38 It’s all in the Readme :)
17:45:58 tada
17:46:04 sicarie: sec guide update?
17:46:08 Nope
17:46:14 lawl
17:46:16 Waiting on some merges
17:46:20 final +2's
17:46:31 sicarie: I’ll take a look tonight
17:46:39 Trying to get it set so I can build pdf (probably through sphinx) and push to lulu
17:46:48 sell some berks?
17:47:18 sicarie: that would be good
17:47:40 alright if nothing else we'll move to recruiting
17:48:13 aight
17:48:17 #topic Security Recruiting
17:48:30 I'm sure not much has happened here bc of summit fun and all that
17:48:31 but...
17:48:35 let's get this rolling
17:48:45 hyakuhei, dg_ can you guys try to slot some stuff this week?
17:48:47 I think I'm planned for something about a month from now
17:48:52 what now?
17:48:56 recruiting
17:49:09 ideally one security meetup, one openstack meetup, one college meetup
17:49:24 hyakuhei we could get a poster at discover...
17:49:24 Sure, we can try to find some
17:49:28 browne: I'll be back in the bay in a month so I'm going to start trying to book events for us, seems reasonable?
17:49:33 do you have an etherpad or something for tracking?
17:49:45 #link https://etherpad.openstack.org/p/security-project-recruiting
17:50:16 bknudson: you set anything up?
17:50:40 There's a security meetup here in SA I could probably do some recruiting at.
17:50:49 redrobot_mobile: that would be awesome!
17:50:55 I think michaelxin was looking at doing some as well
17:51:03 you guys could team up or divide and conquer
17:51:06 either way is good
17:51:26 tmcpeak: nope, need to get in touch with organizer of the meetup
17:51:33 ok cool
17:51:56 I'll ping michaelxin about tag teaming in SA.
17:51:57 here's the deck link again: https://docs.google.com/presentation/d/13GG47EdoQCBEGqMe7ji_UzfO9okMTLgbnK5_UpoaXYA/edit?usp=sharing
17:52:20 I do really want to get these moving, so I'm going to set some up in the bay
17:53:05 alright, anyhow
17:53:07 #topic AOB
17:53:20 Trying to put together a mid-cycle with Barbican
17:53:32 ahh cool
17:53:35 redrobot: Do you remember the proposed date?
17:53:37 security + Barbican?
17:53:39 Yeah
17:53:43 that would be cool
17:53:58 The week before mitaka-2
17:53:59 Mon-Tues->Weds Barbican. Weds->Thurs->Fri Security
17:54:03 or other way around etc
17:54:39 Jan 11-15
17:54:39 which date?
17:54:43 ahh cool
17:55:00 that would be cool
17:55:02 how should we get that going?
17:55:39 I'm currently looking into funding for my team. We have a bunch of options for location.
17:56:11 hyakuhei: time to get the etherpad started for it then?
17:56:18 Yeah, I’ve been chatting with redrobot_mobile about it
17:56:29 hyakuhei's preference would be the APL in Laurel, MD
17:56:30 ok cool
17:56:47 wut
17:56:50 tmcpeak: Yeah I don’t see why not, get people to start thinking about the date, topics etc
17:57:10 Laurel, MD?
17:57:21 Another option would be Seattle
17:57:28 seems reasonable ;)
17:57:48 +1 for Laurel
17:57:51 can't recommend Maryland in the winter
17:58:28 Yeah so we’re working through the options :)
17:58:50 alright cool, at any rate that should be fun
17:58:53 I think that’s about time, I’ll put an etherpad up and follow up on docs for sicarie and anchor for mhayden
17:58:57 sweet
17:59:03 Cheers all!
17:59:09 have a good week everybody
17:59:11 #endmeeting