17:00:04 #startmeeting security
17:00:05 Meeting started Thu Mar 17 17:00:04 2016 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:06 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:07 #chair hyakuhei
17:00:09 The meeting name has been set to 'security'
17:00:11 Warning: Nick not in channel: hyakuhei
17:00:12 Current chairs: hyakuhei tmcpeak
17:00:15 o/
17:00:17 o/
17:00:30 whatup whatup
17:00:42 not mucho, you?
17:00:45 o/
17:01:02 as my friend chair6 says, living the dream
17:01:17 haha, nice
17:01:25 elmiko: you have the link for where this meeting's agenda should be?
17:01:26 or are you... dreaming the life?
17:01:36 tmcpeak: i sure don't
17:01:36 I've switched computers and don't have bookmarks anymore
17:01:42 one sec, i'll check
17:01:42 lol, sweet
17:01:45 hyakuhei: has it
17:01:48 etherpad :)
17:01:52 Yo
17:01:53 https://etherpad.openstack.org/p/security-20160317-agenda
17:01:53 ah, no worries then ;)
17:02:17 o/
17:02:21 sorry for being late
17:02:44 sigmavirus24: whatup
17:02:50 things and stuff
17:02:55 * elmiko adds a note to sigmavirus24's permanent record
17:02:56 you?
17:03:01 lol
17:03:04 elmiko: that's a long record
17:03:19 o/
17:03:31 lol
17:03:32 sigmavirus24: i can only imagine... ;)
17:03:44 o/ all
17:03:46 So we do have a drop-in from a Kolla guy today which should be exciting
17:03:52 hey tkelsey !
17:03:53 sweet!
17:04:07 hey I'm the kolla guy ;)
17:04:07 oh cool
17:04:12 hi
17:04:16 * sigmavirus24 looks for good container trolling comments
17:04:16 sdake: welcome :)
17:04:17 * elmiko waves to sdake
17:04:40 * sigmavirus24 wonders if he can make stuff up about containers just to troll while sounding legit ;)
17:04:45 lol
17:04:50 sigmavirus24: you wouldn't be the first
17:05:11 tmcpeak: containers are the next generation of application security. No need to unset debug=True in your flask apps
17:05:17 hehe
17:05:24 run everything as root too
17:05:24 oh, I didn't even know that, amaze
17:05:29 tmcpeak: right?
17:05:34 also containers give you free doge coin
17:05:36 ;)
17:05:39 hyakuhei actually we don't run everything as root in our containers ;)
17:05:41 kill MAC for that performance upgrade?
17:05:54 running as root with a container breakout allows full compromise of the host
17:05:57 tmcpeak: selinux inside the container makes your hosts safer too ;)
17:05:58 sdake: Clearly you’re doing it wrong.
17:06:03 == hyakuhei
17:06:41 now look what you've started sigmavirus24, another mark in your file
17:06:45 lol
17:06:51 #tigerwinning
17:06:55 this is why we can't have guests
17:07:11 anyway
17:07:12 no nice things.
17:07:17 Ok, let's get going
17:07:33 tmcpeak: take it away, I’m going to chase down that PTL who’s supposed to be dropping in
17:07:37 * elmiko notes in sigmavirus24's file, "habitual line stepper"
17:07:41 ok
17:07:50 skipping summit planning for hyakuhei
17:07:52 #topic Anchor
17:08:00 tkelsey, roll it
17:08:45 so, not much to say here, there is talk of making an Anchor 1.0 build but no clear plan yet
17:08:52 fair enough
17:08:55 active dev still?
17:09:03 Yeah stan doesn’t think it needs much more polish
17:09:12 you guys do a roadmap for 1.0 like we did with Bandit?
17:09:26 we will do, but TZ makes it tricky
17:09:30 o/
17:09:49 does anchor have a deployment story yet?
17:09:50 Yarp
17:09:55 Hey dave-mccowan
17:10:07 ok fair enough
17:10:13 * sigmavirus24 might write an openstack-ansible role for it then
17:10:26 sigmavirus24: nice
17:10:26 * sigmavirus24 has a role for barbican that is being brought upstream
17:10:41 nice, sigmavirus24++
17:10:53 anchor might be more enjoyable than barbican if it has had thought put into how to deploy it
17:11:21 sigmavirus24 link?
17:11:39 redrobot: the project exists I haven't checked for code yet
17:11:50 old link is https://github.com/sigmavirus24/openstack-ansible-barbican
17:11:53 Just using uwsgi for now
17:12:09 slowly testing out other changes to make pbr generate apache scripts for barbican
17:12:10 cool
17:12:12 sigmavirus24 awesome, thanks.
17:12:35 cool
17:12:39 anything else for Anchor?
17:12:54 not from me
17:13:01 alright
17:13:03 #topic Bandit
17:13:04 has the anchor team thought of reaching out to magnum?
17:13:10 er i'll ask that elsewhere later
17:13:24 sigmavirus24 it was brought up during magnum dev
17:13:25 so we're at feature freeze in Bandit but have lots of bug squashing to do
17:13:35 i really wanted anchor instead of barbican
17:13:40 OK, so bandit has most of the 1.0 stuff, but we have a bunch of bugs to fix
17:13:49 but that's not what happened - expect things to change towards anchor in the future
17:14:05 :thumbsup:
17:14:25 sdake: sigmavirus24 let's discuss magnum + anchor in the AOB section at the end
17:14:35 hyakuhei roger
17:14:45 unfortunately my OpenStack summit talk to announce 1.0 was rejected and I won't be at the summit. So, I guess it falls to others to spam about it :)
17:14:47 I'm happy to shuffle things if we want to discuss now?
17:15:09 tmcpeak: not a big deal. later is better
17:15:13 nah that’s ok, roll on MC
17:15:14 ok
17:15:26 alright we've got a big agenda so
17:15:28 #topic docs
17:15:31 sicarie: elmiko
17:16:45 mcfly?
17:17:06 sorry
17:17:09 heh
17:17:19 So, no docs?
17:17:20 i don't think we have any updates, just bug reports being completed
17:17:29 we are still blocked on creating the pdf
17:17:55 cool
17:17:55 although, iirc, pdesai is going to help out researching a path forward
17:18:03 That’s cool
17:18:06 path for what?
17:18:07 Priti right?
17:18:11 oh PDF
17:18:17 otherwise, we are just taking care of issues and adding some content improvements
17:18:21 hyakuhei: yes Priti
17:19:06 i think that's all, it's been slow the last few weeks (and i was out last week)
17:19:24 wb elmiko
17:19:34 cheers ;)
17:19:59 alright
17:20:06 #topic Syntribos
17:21:12 michaelxin et al
17:21:24 tmcpeak: I bumped Kolla further up the agenda
17:21:44 ahh ok
17:22:31 alright
17:22:32 moving on
17:22:36 Doesn’t look like the fuzzing guys are here
17:22:39 #topic Summit Planning
17:22:50 This just in
17:22:52 Security: 3fb, 2wr, cm:half
17:23:02 \o/
17:23:04 wuts dis ^
17:23:08 2 working room
17:23:11 That’s three fishbowl, 2 working room and a community space for half a day
17:23:12 half of something
17:23:15 ahh ok cool
17:23:17 :)
17:23:20 seems like a good haul
17:23:25 Yeah, better than last time
17:23:30 Slowly we take over :D
17:23:37 hehe :)
17:23:37 hey redrobot didn’t see you lurking there!
17:23:38 nice
17:24:17 I don’t have much to add
17:24:26 I haven't been paying attention to the cross-project stuff... any word on BYOK discussions being a cross-project session?
17:24:30 as I won't be at the summit I expect interested folks to make lots of bandit noise in my absence :)
17:24:43 No, I’m not sure where to get involved with that
17:24:43 yeah I won't be there either
17:24:59 browne sigmavirus24 bknudson: you guys down to do a major Bandit push at the summit for our 1.0 release?
17:25:17 tmcpeak: I won't be at the summit
17:25:21 * redrobot will be peddling bandit at the summit
17:25:22 But I'll participate remotely
17:25:29 redrobot: sweet!
17:25:36 :D
17:25:49 I'll be there
17:26:01 redrobot: I heard the going rate for uncut Bandit is 4K per kilo
17:26:08 thanks redrobot
17:26:15 tmcpeak: lol
17:26:30 tmcpeak: sure, i'll be there
17:26:34 cool
17:26:34 PSA for those who will be attending, the Swedish metal band Ghost is playing at Emo's in Austin on Monday night (the first day of the summit).
17:26:42 lol, nice
17:26:56 redrobot bknudson browne: let's synch on Bandit peddling :)
17:27:16 #topic Guest: Kolla
17:27:27 sdake:
17:27:42 hey folks - name is Steve - I'm PTL for Kolla for Mitaka
17:27:56 I am organizing an effort to get the vulnerability:managed tag applied to our repo
17:28:03 which means we have a super big ask of someone
17:28:08 awesome!
17:28:09 and that is a security audit of the kolla code base
17:28:10 gmurphy: loves tasks
17:28:20 tmcpeak: likes them too :P
17:28:24 we are adding bandit atm
17:28:32 and maybe a container security linter called clair
17:28:44 bandit is in the code base, but going voting soon
17:28:49 note most of our code is not python
17:28:53 but ansible and docker stuff
17:29:00 so it will be a fairly new experience for most ;)
17:29:09 interesting
17:29:55 so any takers
17:30:02 what's your timeframe?
17:30:04 we have a team already developed to fix security vulnerabilities
17:30:11 I mean what do you want to have accomplished and by when?
17:30:14 tmcpeak anytime before the end of newton is good d;)
17:30:15 So I ran kolla through Bandit and pushed the reports back to sdake already
17:30:22 how about threat analysis?
17:30:25 that should probably be a first step
17:30:29 I'm interested in participating in that
17:30:30 hyakuhei ya we already have bandit in the repo
17:30:37 we are working on sorting out the bandit reports
17:30:44 but there is more to an audit than that i think - not sure
17:30:53 There’s a _lot_
17:31:01 yeah so ideally we'll start with a TA and diagrams, and do some code review
17:31:03 at minimum
17:31:04 This covers some of the basics https://openstack-security.github.io/threatanalysis/2016/02/07/anchorTA.html
17:31:16 code review is more effective if we have a TA first so we know where the high risk locations are
17:31:17 In the context of what is probably the simplest project, Anchor.
17:31:21 what i'm looking for is someone that the TC honors on security matters to say "yup their opinion is good enough for an audit to meet the audited requirement of the vulnerability:managed flag"
17:31:22 Indeed
17:31:42 define TA?
17:31:43 I don't think the audited requirement is fair
17:31:47 sdake: how about we set up a TA with you, a few of us, and a few core Kolla contribs
17:31:57 sdake: ta = threat analysis
17:31:58 hyakuhei i don't make the rules, just follow the process ;)
17:31:59 sdake: TA -> https://openstack-security.github.io/collaboration/2016/01/16/threat-analysis.html
17:32:09 I’d like to see the ‘audit’ for Nova….
17:32:15 basically you guys generate architecture diagrams and then we walk them with security and project experts
17:32:24 hyakuhei ya for real
17:32:25 hyakuhei: yeah I don't think the audits really happen
17:32:31 that being said it would be very useful
17:32:51 tmcpeak so a TA I think would be good
17:32:53 Sure
17:33:05 and i can work with the TC to get the wording changed to threat analysis in the git repo for the vulnerability managed tag
17:33:19 sdake: great, so let's schedule some time for us to do a web call
17:33:21 if that is what the security team wants
17:33:27 who from here is interested in participating in the Kolla TA?
17:33:29 o/
17:33:40 o/
17:33:51 i'll get some folks from kolla side as well
17:33:54 they just aren't in this meeting
17:33:54 o/
17:33:55 o/
17:33:56 perfect
17:34:15 we have a 5 person coresec team to handle vulnerabilities out of our 12 person core reviewer team
17:34:16 what timezone?
17:34:28 US/EU tz works best
17:34:29 o/
17:34:30 tkelsey: we'll pick something neutral
17:34:33 o/
17:34:44 awesome
17:34:45 cool, well o/ then :)
17:34:47 seems like good interest
17:34:55 6am pst - 9 am pst looks good for our end
17:35:08 sdake: so the starting place should be architecture diagrams, you guys in good shape with that?
17:35:09 what do we need in terms of prep - just some arch diagrams?
17:35:21 we have no such thing unfortunately
17:35:21 but we can produce it
17:35:35 hyakuhei: do we have a TA template from our midcycle?
17:35:45 draw.io ftw.
17:35:51 if you're open to it, we could do the TA at the austin summit
17:35:53 ^ that
17:36:08 sdake will there be a summit session for Kolla Security?
17:36:20 if we do it at summit, i'm way interested in participating
17:36:22 dave-mccowan we can make that happen - might be better than a web call
17:36:41 up to you folks really - you're the experts in this area :)
17:36:45 several of us won't be there but I can dial in
17:36:51 I think we are breaking new ground with how to do vulnerability:managed
17:36:51 oh right... doh
17:37:02 i can put my cell on speakerphone
17:37:05 sdake: definitely, and worth it imo
17:37:07 whatever works best
17:37:21 web call, or summit
17:37:23 your call :)
17:37:48 defer to tmcpeak, he seems to be leading the charge ;)
17:37:52 TBH summit might make sense
17:37:52 in the meantime we have some architecture diagrams to put together
17:38:06 i'll get with tmcpeak then when we have diagrams ready to roll?
17:38:29 sounds good
17:38:42 I also think summit makes sense
17:38:49 excellent
17:38:51 cool thanks folks for the time :)
17:38:59 the only problem with summit is i don't want to exclude anyone
17:39:07 summit would be cool, just don't want the vidconf bandwidth to impede things
17:39:07 so if that would be exclusionary let me know
17:39:08 sdake: nice to see projects very interested in security :)
17:39:11 sdake: thanks for dropping in :)
17:39:12 but prime time at summit might be good
17:39:35 alright
17:39:36 thanks tkelsey :)
17:39:43 anybody do anything on publicity or plan to?
17:39:50 #topic publicity
17:39:53 hi all. Sorry to jump in late :). quick update on Syntribos: we’re working on various items of the blueprints here: https://blueprints.launchpad.net/syntribos. We’re also working on adding more tests, refactoring the code base to remove irrelevant pieces and add some automation where applicable, and improving documentation.
17:40:02 #topic Syntribos
17:40:33 yaya: I haven't played with it in a while
17:40:35 how's it going?
17:40:55 going OK. making steady progress
17:41:23 cool, what's the gameplan?
17:41:50 we’re juggling with other stuff which kinda slows us down but recently got a couple of folks dedicated to Syntribos so things should pick up much faster
17:42:06 yaya: nice
17:42:31 gameplan for the nearest future: better docs and more fuzzing tests added
17:42:42 yaya: sounds good
17:43:18 plus testing Syntribos in mature environments :)
17:43:37 yeah I'd be curious how that goes
17:43:54 #topic OSSN
17:44:06 looks like we've got 2 new ones?
17:44:46 this one looks solid: https://bugs.launchpad.net/ossn/+bug/1507841
17:44:47 Launchpad bug 1507841 in Trove "mongodb guest instance allows any user to connect" [High,In progress] - Assigned to Matthew Van Dijk (mvandijk)
17:44:47 oh cool. I might try to pick one up this week
17:45:28 ouch
17:46:10 alright
17:46:38 #topic Refstack
17:46:46 http://eavesdrop.openstack.org/irclogs/%23refstack/%23refstack.2016-03-14.log.html#t2016-03-14T20:03:21
17:47:07 what’s this all about?
17:47:12 elmiko's baby
17:47:36 well, the refstack folks are looking for some insight
17:47:50 so generally I can't see a reason to list all users non-priv'd users
17:47:56 least priv should dictate that you can't
17:47:57 they are coming up against a minor issue involving replicating user information into their metadata
17:48:12 Oh I see
17:48:24 i really think we just need a little outreach to the refstack group, maybe at their meeting, and we can help them out
17:48:25 Not paid all that much attention to refstack
17:48:33 sounds good
17:48:39 yeah I dunno what refstack is
17:48:41 me neither, but i saw them talking about security advice so i poked my head in
17:48:58 ideally, talking to catherineD in #refstack is the starting point
17:49:18 i can pick for some more details and maybe we can find some time to meet
17:49:25 cool, sounds good
17:49:44 #topic AOB
17:49:56 Anchor + Magnum Things?
17:50:00 oh yeah
17:50:24 sigmavirus24: was really interested in that but I think he bounced
17:50:38 so, is this about anchor being deployed into the magnum bays (i think), to provide CA on those clusters?
17:50:57 From what I understand of their use case Anchor probably makes sense. Getting people to understand private community PKI has been tricky
17:51:06 elmiko: it should work for that
17:51:15 Pretty much designed to allow that sort of operation
17:51:23 hyakuhei: i was just curious about what the issue here is
17:51:46 +1
17:52:15 given how magnum deploys its infra, it certainly seems like they might need portable, ephemeral pki for the bays
17:52:54 makes sense. The ephemeralness might hurt them though
17:52:56 * elmiko hopes he is getting the magnum terminology correct
17:53:05 how so?
17:53:13 Depends, I mean, if we’re talking k8 pods, replacing certs should be ok
17:53:26 Some systems get grumpy having their certs ripped and replaced often.
17:53:31 ah, ok
17:53:46 todo: elmiko to fix grumpiness
17:53:53 Those systems are dumb
17:53:55 i can still see how they would want a solution that could be deployed into the bay structure
17:53:58 tmcpeak: lol
17:54:12 But k8 front ends lots of things with a LB so that might not be an issue.
17:54:34 Research required.
17:54:43 well also, we are talking about a CA that gets deployed with the entire k8s/swarm/mesos infra on a per project basis
17:55:15 so these could appear and disappear depending on the individual use case, they *may* not be long living installs
17:55:20 If you ignore the fact that revocation doesn’t work. Killick might make more sense
17:55:28 could be
17:56:05 i think they might just need some sort of lightweight pki that can go in to the deployments. mind you, this would be outside the control plane pki stuff
17:56:25 yeah. Anchor would be a good fit if it doesn’t make things grumpy
17:56:35 but, i'm just speculating here. i'm still not exactly sure what the concrete problem we are solving is
17:56:39 lol
17:56:48 why does anchor draw so much hate?
17:56:54 yeah what's the context here?
17:56:59 anchor does draw no hate from magnum
17:57:08 well that's good to hear =)
17:57:12 from my understanding (I haven't been involved in magnum for 6 months)
17:57:22 they want to make the key architecture pluggable
17:57:32 that is what we originally agreed to, but now it's hard coded to one dep only
17:57:33 ah, ok. i was kinda wondering about that
17:57:46 ahh
17:58:10 hongbin (running for ptl) wants to make this modular as well
17:58:18 by default would you want to plug into an existing pki? (i would think most would just want something that works out of the box)
17:58:27 elmiko: it doesn’t, it’s just not many people understand PKI well and fewer understand how screwed up PKI is.
17:58:34 hyakuhei: lol
17:59:01 the horrors hyakuhei has seen
17:59:06 yea totally
17:59:09 lol
17:59:22 1 min left...
17:59:33 Thanks y'all
17:59:37 thanks everybody!
17:59:40 #endmeeting