17:03:52 <hyakuhei> #startmeeting Security
17:03:53 <openstack> Meeting started Thu Mar  9 17:03:52 2017 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:03:54 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:03:56 <hyakuhei> Whoopsy
17:03:56 <openstack> The meeting name has been set to 'security'
17:03:58 <hyakuhei> o/
17:04:01 <aasthad> o/
17:04:14 <unrahul> o/
17:04:17 <browne> o/
17:04:18 <knangia> o/
17:04:21 <hyakuhei> I'm very sorry for being late guys
17:04:25 <hyakuhei> It's been a crazy few days
17:04:43 <knangia> no problem hyakuhei :)
17:04:47 <unrahul> i was wondering if DST has started :D
17:04:55 <hyakuhei> I wouldn't even know
17:05:02 <hyakuhei> Totally heads down at the moment
17:05:03 <vinaypotluri> o/
17:05:07 <capnoday> o/
17:05:10 <hyakuhei> oh hai capnoday
17:05:16 <capnoday> sup mate
17:05:28 <aasthad> so we know DST is not in effect guys!
17:05:30 <hyakuhei> Crazy
17:05:41 <hyakuhei> lol no, just a hyakuhei DoS I'm afraid
17:05:46 <hyakuhei> Very poor latency atm
17:05:51 <hyakuhei> zero bandwidth
17:05:52 <hyakuhei> etc
17:06:07 <knangia> lol
17:06:09 <capnoday> aasthad yep we are still on UTC/GMT atm
17:06:11 <aasthad> :D
17:06:16 <hyakuhei> Could we get an update on the docs bugs to start with as we've got lots of OSIC ninjas here
17:06:17 <hyakuhei> #topic Security Guide
17:06:28 <aasthad> gotya capnoday
17:06:34 <unrahul> so , we have pushed 2 patches for 2 sec bugs
17:06:52 <unrahul> One on neutron and the other one with cinder
17:07:14 <unrahul> I am not able to get the link from top of my head
17:07:30 <unrahul> I am working on https://bugs.launchpad.net/neutron/+bug/1274034 this one
17:07:30 <openstack> Launchpad bug 1274034 in neutron "Neutron firewall anti-spoofing does not prevent ARP poisoning" [High,Fix released] - Assigned to Kevin Benton (kevinbenton)
17:07:41 <hyakuhei> #chair capnoday
17:07:41 <openstack> Current chairs: capnoday hyakuhei
17:07:47 <unrahul> it seems to be something of the past, that we just need to close..
17:07:53 <hyakuhei> unrahul excellent!
17:07:54 <unrahul> anyone has any comments on that bug?
17:08:11 <knangia> i am working on https://bugs.launchpad.net/ossp-security-documentation/+bug/1619502
17:08:11 <openstack> Launchpad bug 1619502 in OpenStack Security Guide Documentation "Information Validation - Federated keystone in Security Guide" [Medium,Confirmed] - Assigned to Khanak Nangia (knangia)
17:08:39 <unrahul> thanks hyakuhei  :), the other teams have been helping us with figuring out if these bugs are still valid
17:09:01 <hyakuhei> You guys are doing great!
17:09:34 <unrahul> Anyone has any comments on  this one https://bugs.launchpad.net/neutron/+bug/1274034 ?
17:09:34 <openstack> Launchpad bug 1274034 in neutron "Neutron firewall anti-spoofing does not prevent ARP poisoning" [High,Fix released] - Assigned to Kevin Benton (kevinbenton)
17:09:49 * hyakuhei looks
17:09:49 <unrahul> hyakuhei: capnoday ^
17:09:52 <vinaypotluri> And I've been working on this bug https://bugs.launchpad.net/ossp-security-documentation/+bug/1619485   after assigning it to myself from capnoday
17:09:52 <openstack> Launchpad bug 1619485 in OpenStack Security Guide Documentation "Annual Cipher Validation - Introduction to TLS and SSL in Security Guide" [Medium,Confirmed] - Assigned to Vinay Potluri (vinay-potluri)
17:10:15 <hyakuhei> thanks vinaypotluri - how's it looking now?
17:10:35 <hyakuhei> unrahul that's a massive thread, what's the TL:DR ?
17:12:05 <unrahul> Well, as the bug suggests, we had to write in the sec guide about flat networking not really isolating tenants, but with patches for OVS and linux bridge it seems we can isolate the traffic by correct configuration. This is already mentioned in the sec guide.. here https://docs.openstack.org/security-guide/networking/services-security-best-practices.html
17:12:12 <unrahul> so should we just close it?
17:13:13 <hyakuhei> o/ tkelsey
17:13:39 <hyakuhei> #chair kangia unrahul vinaypotluri tkelsey aasthad
17:13:40 <openstack> Warning: Nick not in channel: kangia
17:13:41 <openstack> Current chairs: aasthad capnoday hyakuhei kangia tkelsey unrahul vinaypotluri
17:13:54 <vinaypotluri> hyakuhei: knangia
17:13:56 <tkelsey> o/ hyakuhei sorry im running late
17:13:58 <hyakuhei> I'll BRB, you guys keep going :)
17:14:01 <hyakuhei> #chair knangia
17:14:02 <openstack> Current chairs: aasthad capnoday hyakuhei kangia knangia tkelsey unrahul vinaypotluri
17:14:16 <hyakuhei> you could have done that vinaypotluri  ;)
17:14:17 <hyakuhei> capnoday can you keep it moving along please?
17:14:26 <capnoday> np
17:14:32 <unrahul> :)
17:14:43 <vinaypotluri> sure hyakuhei  we will take the lead
17:14:56 <knangia> f:)
17:15:10 <unrahul> capnoday:  tkelsey  so what do you think about the sec guide bug , the information is already present in the guide, should we just close it.
17:15:10 <knangia> * :)
17:15:28 <capnoday> Im inclined to just close it
17:15:45 <capnoday> seems like it has been superseded now
17:16:28 <unrahul> yes.. it is, I dont think there is any need to continue it.. and if anyone wants it in more detail, I feel they should raise a new bug as a wish list
17:16:37 <tkelsey> +1
17:16:42 <capnoday> +1
17:16:43 <unrahul> thanks guys
17:16:45 <knangia> agreed unrahul
17:16:52 <capnoday> right done, thanks vinay rahul
17:16:57 <knangia> for this https://bugs.launchpad.net/ossp-security-documentation/+bug/1619502 :  talking to keystone team, some information needs to be refreshed, setting up the environment...for now according to the keystone team, the information on the federated keystone seems correct....
17:16:57 <openstack> Launchpad bug 1619502 in OpenStack Security Guide Documentation "Information Validation - Federated keystone in Security Guide" [Medium,Confirmed] - Assigned to Khanak Nangia (knangia)
17:16:59 <unrahul> so one bug sec guide close yay!
17:17:22 <capnoday> great, any other security guide stuff you want to discuss?
17:17:32 <aasthad> I am working on this bug : https://bugs.launchpad.net/ossp-security-documentation/+bug/1446756
17:17:32 <openstack> Launchpad bug 1446756 in OpenStack Security Guide Documentation "Integrity life-cycle in OpenStack Security Guide - current" [Medium,Confirmed] - Assigned to Aastha Dixit (aastha-dixit)
17:17:34 <unrahul> yup
17:17:35 <unrahul> one more
17:17:38 <capnoday> :)
17:17:40 <lhinds> ahhh, completely lost track of time..sorry all
17:17:43 <aasthad> Its about dm-verity’s use with openstack. have you guys ever worked with this before
17:17:48 <unrahul> :D
17:18:03 <capnoday> tkelsey sicarie?
17:18:23 <knangia> welcome lhinds  :)
17:18:34 <lhinds> thanks knangia
17:18:50 <lhinds> I can give an OSSN update whenever you folks like.
17:18:56 <capnoday> ok ive never touched dm-verity (or heard of it before now)
17:19:14 <unrahul> :)
17:19:33 <capnoday> but if you want to propose a patch talking about its use aasthad please do so
17:19:48 <hyakuhei> #link https://source.android.com/security/verifiedboot/
17:19:49 <lhinds> I have heard its use on android b4, but thats it
17:20:05 <unrahul> yup.. and they are asking  how it can be used in openstack
17:20:16 <unrahul> and I am not really sure.. in what way dmverity helps openstack
17:20:41 <unrahul> hyakuhei:  lhinds capnoday  any comments?
17:20:41 <aasthad> so I will post a patch on what I know about it is true. and lets see how it goes
17:20:46 <lhinds> hmm, would need a port first to main kernel
17:20:47 <aasthad> I will push a patch soon
17:20:59 <aasthad> yes true
17:21:02 <lhinds> I don't think openstack would be the first place to look at implementation
17:21:10 <hyakuhei> It's more of a BM concern really
17:21:34 <aasthad> not sure how to make changes at kernel level
17:21:43 <unrahul> or if that is even needed :D
17:21:47 <aasthad> whats BM concern hyakuhei
17:21:57 <hyakuhei> Sorry, bare metal
17:22:01 <unrahul> I think the OS devs or deployers of binaries to concern about it
17:22:43 <aasthad> oh yeah true. would need to ask for a server ! so what do you guys think do we actually need this or we can close it somehow?
17:24:03 <aasthad> i mean if its actually in the scope of our documentation?
17:24:34 <lhinds> wish list if not closing
17:24:40 <capnoday> lhinds +1
17:24:50 <knangia> +1 lhinds
17:25:06 <lhinds> it is in kernel branch, but not sure how decent it is: https://github.com/torvalds/linux/blob/5924bbecd0267d87c24110cbe2041b5075173a25/drivers/md/dm-verity.h
17:25:58 <lhinds> or robust rather
17:25:58 <lhinds> netflix project originally
17:28:16 <hyakuhei> timecheck: 2 minutes
17:28:17 <hyakuhei> *minutes
17:28:23 <capnoday> ok, lets go wishlist and shelve that for the moment
17:28:44 <aasthad> okay capnoday
17:28:48 <lhinds> quick one: last OSSN for reviews: https://review.openstack.org/#/c/443587/
17:28:52 <capnoday> unrahul thanks for your email on keystone vuln analysis, i will get back to you shortly
17:29:03 <unrahul> thanks capnoday
17:29:06 <aasthad> thank you lhinds capnoday
17:29:12 <michaelxin> Great
17:29:18 <capnoday> lhinds thanks for the ossn, will review
17:29:21 <lhinds> np aasthad
17:29:24 <capnoday> AOB?
17:29:39 <unrahul> I have asked them to talk to us here in the security channel if there is any help needed from our end
17:30:05 <capnoday> ok
17:30:30 <knangia> cool
17:31:07 <unrahul> shall we end the meeting
17:31:17 <knangia> i guess yes
17:31:19 <unrahul> #endmeeting