15:03:47 #startmeeting security
15:03:47 Meeting started Thu Jul 25 15:03:47 2019 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:48 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03:50 The meeting name has been set to 'security'
15:03:55 aloha
15:04:01 sorry still in a meeting
15:04:08 no worries, me too ;)
15:04:10 o/
15:04:12 Should be done soon
15:04:15 o/
15:06:50 #link https://etherpad.openstack.org/p/security-agenda Security SIG Weekly Meeting Agenda
15:07:28 thanks, I was failing on my phone
15:08:03 no worries, there's another bugset i can add
15:08:07 #topic CIDR's of the form 12.34.56.78/0 should be an error
15:08:21 #link https://bugs.launchpad.net/horizon/+bug/1837339
15:08:22 Launchpad bug 1837339 in OpenStack Security Advisory "CIDR's of the form 12.34.56.78/0 should be an error" [Undecided,Incomplete]
15:09:00 Looks like this is a good security hardening opportunity
15:11:24 If interested, feel free to take a look
15:11:59 #topic IFLA_BR_AGEING_TIME of 0 causes flooding across bridges
15:12:08 #link https://bugs.launchpad.net/os-vif/+bug/1837252
15:12:09 Launchpad bug 1837252 in os-vif "IFLA_BR_AGEING_TIME of 0 causes flooding across bridges" [High,Confirmed] - Assigned to sean mooney (sean-k-mooney)
15:12:09 yeah, at the moment it's in a good place to weigh in on what you think the correct user interface is for horizon's handling of cidrs
15:12:17 1837339 i mean
15:12:44 1837252 got brought to my attention today
15:14:03 yeah I will take a look at it today
15:14:28 there's also another linked in the agenda which was known as a potential vulnerability for a while (via one of its marked duplicates), and seems to have very similar symptoms but is thought to stem from somewhere else
15:14:59 ah ok
15:15:09 #link https://bugs.launchpad.net/neutron/+bug/1732067
15:15:10 Launchpad bug 1732067 in neutron "openvswitch firewall flows cause flooding on integration bridge" [High,In progress] - Assigned to LIU Yulong (dragon889)
15:16:28 * gagehugo will read those later
15:16:41 fungi: anything else to add to those?
15:17:00 nothing i haven't already put in comments on the bugs themselves, no
15:17:05 ok
15:17:12 #topic open discussion
15:17:28 floor is open if anyone has anything
15:17:28 assistance in reproducing/fixing those public reports would be most appreciated
15:17:33 ^
15:17:37 * mhen raises hand
15:17:39 especially figuring out whether they're related
15:18:08 I'd like to discuss a topic regarding API policy files
15:19:45 recently I tried enforcing non-default rules in Cinder and Nova and happened to notice that: 1) Nova only accepted json but not yaml and 2) Cinder did accept only yaml but not json for the policy.yaml or policy.json respectively
15:20:22 interesting
15:20:24 Cinder does override [1] the default from oslo policy [2], whereas Nova doesn't seem to do that
15:20:36 [1] https://github.com/openstack/cinder/blob/0ec28f84289490c80688a58244e091224c9c8393/cinder/policy.py#L31
15:20:55 [2] https://github.com/openstack/oslo.policy/blob/1e3f81c89b49451bd4c32a12f5a338441c5c1e56/oslo_policy/opts.py#L38
15:21:32 cinder's commit for that was https://github.com/openstack/cinder/commit/8c132193923168150fdc7f62a20e2d887cde723b
15:22:06 So if an operator/provider deploys their own policy files and doesn't pay attention, one of their files might be ignored without them immediately noticing
15:22:39 if you search online, there is much talk about the json or yaml but it's hard to find a resource telling you exactly where to use which
15:23:01 I thought there was a movement a while ago to use yaml, but I could be remembering that wrong
15:23:11 obv still supporting json
15:23:23 yaml was preferred because it allows comments
15:23:39 ah yeah
15:23:53 yaml has advantages, but simply ignoring a supplied json silently doesn't look good to me
15:23:59 So it's what we're shipping for sample policy configs because it allows us to inline the description text.
15:24:37 Agreed that neither should be ignored though. Both are still supported.
15:24:46 this does sound like a security bug to me
15:25:16 could open one against cinder and nova and get to the bottom of this
15:25:20 note: you can change this in the respective component's config (e.g. nova.conf) but the problem here is that the defaults are different
15:25:22 mhen: what release are you using?
15:25:35 gagehugo, queens currently
15:25:41 ok
15:25:41 but looked up the code in master
15:26:00 seems to be no different in master either, see links above
15:26:14 Nova says json: https://github.com/openstack/nova/blob/a37a035c9d359b29fed6ea08bc99b93e51164e61/doc/source/configuration/index.rst
15:26:52 their documentation might need updating
15:27:01 their policy generator says policy.yaml
15:27:02 https://github.com/openstack/nova/blob/master/etc/nova/nova-policy-generator.conf
15:27:51 gagehugo, but I wasn't able to find the overriding part in Nova as found in Cinder, so Nova falls back to json as per oslo.policy code if I got that right
15:28:17 see [1] and [2] above
15:28:49 ok
15:29:10 at least that's what I observe in queens right now and looking at the code, in master it hasn't changed
15:29:45 * gagehugo takes notes of all this
15:31:27 thanks
15:31:31 mhen: ok, I can dig into this a bit
15:32:25 thank you!
15:32:49 thanks for bringing this up!
15:32:52 anything else?
15:32:55 I have a bit of news on security guide updates
15:33:28 submitted first few patches https://review.opendev.org/#/q/is:open+owner:nickthetait
15:33:41 nice
15:33:45 pretty minor stuff so far, needing reviews
15:34:20 and one quick question, is this "future" section right at the bottom of this page still needed? https://docs.openstack.org/security-guide/identity/federated-keystone.html
15:34:33 I'll take a look
15:34:48 nickthetait: I can ask in keystone
15:34:57 thx
15:35:10 that's all I have
15:35:23 thanks!
15:35:27 * gagehugo needs to run
15:35:37 thanks everyone! have a good rest of the week
15:35:40 #endmeeting