15:03:11 <gagehugo> #startmeeting security
15:03:11 <openstack> Meeting started Thu Apr  4 15:03:11 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03:15 <openstack> The meeting name has been set to 'security'
15:03:25 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:03:40 <gagehugo> ping fungi gagehugo lhinds nickthetait browne redrobot
15:04:18 <fungi> i stuck a few things on the agenda as i thought of them
15:04:25 <redrobot> Only 1/2 o/ ... got a work meeting right now as well.
15:04:43 <fungi> yeah, i'm juggling this and tc office hour as usual
15:04:49 <gagehugo> im on another call as well heh
15:05:12 <gagehugo> apologies for the late start
15:05:15 <gagehugo> #topic Privsep is not giving us any security
15:05:36 <gagehugo> #link http://lists.openstack.org/pipermail/openstack-discuss/2019-March/004362.html
15:06:53 <fungi> yeah, just calling more attention to this since it came up after last week's meeting
15:07:24 <fungi> i flagged a reply for [security-sig] on the ml thread itself too
15:07:51 <fungi> but basically, this is a great opportunity for security-minded folks to get involved with helping make openstack services measurably more secure
15:08:31 <gagehugo> fungi ok, I'll make sure to look it over today
15:08:31 <fungi> to summarize, oslo.privsep provides a framework for properly limiting privilege when performing certain sensitive system calls
15:08:49 <fungi> as a replacement for rootwrap which wasn't very flexible in this regard
15:09:34 <fungi> and projects like nova have made a start at moving their rootwrap usage over to privsep, but they haven't really adjusted and refactored how those operations were being performed to take advantage of the improved security model there
15:10:10 <fungi> so it's a place folks interested in such topics can get involved in more bite-sized chunks if they like
15:10:30 <fungi> and ttx has taken a first stab at improving the privsep usage docs, which may help
15:10:41 <fungi> #link https://review.openstack.org/649997 (openstack/oslo.privsep) Add more usage documentation
15:11:19 <fungi> it might also make for a good (multi-stage) community cycle goal
15:11:24 <fungi> anyway, that's all i had on this topic unless folks want to ask questions
15:12:52 <gagehugo> thanks fungi
15:13:39 <fungi> seems like there are no questions
15:13:45 <fungi> also feel free to ask them on that ml thread
15:13:50 <fungi> or in #openstack-oslo
15:14:15 * gagehugo attaches a sticky note to read it over
15:14:28 <gagehugo> #topic Security SIG most wanted
15:14:55 <gagehugo> I started an etherpad from last week's meeting about things ricolin was asking from the security sig
15:15:02 <gagehugo> #link https://etherpad.openstack.org/p/security-sig-most-wanted
15:16:44 <gagehugo> fungi: I added things from last week's meeting, mostly the documentation stuff
15:16:55 <gagehugo> was there anything else I missed that you recall?
15:17:26 <fungi> i'll skim quickly
15:18:04 <gagehugo> just whenever you are available
15:18:12 <gagehugo> I wanted to just bring it up here
15:18:13 <fungi> the first bullet is probably redundant
15:18:28 <fungi> you cover security analyses and the security guide already
15:18:34 <gagehugo> ok
15:18:49 <fungi> though also having folks pitch in on public security bugs would be nice
15:18:54 <fungi> i'll add something
15:19:54 <gagehugo> ah yeah
15:19:57 <gagehugo> that's a good one
15:21:18 <fungi> if i think of anything else i'll toss it in there too
15:21:58 <gagehugo> sounds good!
15:22:02 <gagehugo> thanks fungi
15:22:18 <gagehugo> #topic Unable to install new flows on compute nodes when having broken security group rules
15:22:37 <gagehugo> #link https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1813007
15:22:38 <openstack> Launchpad bug 1813007 in OpenStack Security Advisory "[SRU] Unable to install new flows on compute nodes when having broken security group rules" [Undecided,Incomplete]
15:23:07 <gagehugo> looks like fixes were backported
15:26:09 <fungi> yep, the neutron bug folks just failed to add bugtasks for those series so no comments for them ended up in the report
15:26:22 <gagehugo> ah
15:26:32 <fungi> but anyway, it looks like we will probably issue an advisory for this based on how it's shaping up
15:26:39 <gagehugo> ok
15:27:01 <fungi> and if anyone is interested in pitching in, perhaps by volunteering to write an impact description so i don't need to, that would be great
15:27:16 <fungi> otherwise i'll probably get to it in the next day or two
15:27:48 <fungi> (this is a prime example for the item i added to the help wanted etherpad moments ago)
15:28:12 <gagehugo> fungi: I will articulate a good summary for that in the etherpad
15:28:28 <fungi> oh, thanks gagehugo!
15:28:58 <fungi> i get the impression some of it can be drawn from ossa-2019-001 but with slightly different details
15:29:09 <gagehugo> hmm ok
15:29:40 <fungi> like ovs instead of iptables, and conflicting rules instead of ports coupled with non-port-related protocols
15:31:08 <gagehugo> ok, yeah I'll ping you if I have any questions later
15:31:39 <gagehugo> #topic open discussion
15:31:49 <gagehugo> Does anyone have anything they want to talk about?
15:32:23 <gagehugo> I'm pretty sure we're getting a BoF room at the summit, and we have a floating session at the PTG it looks like
15:32:58 <fungi> that'll be swell
15:33:23 <fungi> i'll be there all week, getting in the saturday prior and leaving the sunday after
15:33:52 <gagehugo> nice, I'm arriving early sunday and leaving sat afternoon
15:36:18 <gagehugo> thanks for coming everyone, have a good weekend!
15:36:22 <gagehugo> #endmeeting