15:00:26 <gmann> #startmeeting tc 15:00:26 <opendevmeet> Meeting started Thu Nov 11 15:00:26 2021 UTC and is due to finish in 60 minutes. The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:26 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:26 <opendevmeet> The meeting name has been set to 'tc' 15:00:31 <gmann> tc-members: meeting time 15:00:36 <gmann> #topic Roll call 15:00:39 <gmann> o/ 15:00:58 <mnaser> o/ 15:01:12 <ade_lee> o/ 15:01:18 <jungleboyj> o/ 15:01:34 <gmann> hope everyone adjusted meeting time change with daylight saving things 15:02:32 <jungleboyj> :-) I was smart enough to put it on my calendar in UTC. 15:02:50 <gmann> yeah, I did same after i missed lot of meeting last time :) 15:03:04 <gmann> less member today, may be holiday in USA, Poland and other place 15:03:09 <gmann> let's start 15:03:18 <gmann> #link https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Agenda_Suggestions 15:03:22 <dansmith> o/ 15:03:23 <gmann> today agenda ^^ 15:03:25 <belmoreira> o/ 15:03:44 <gmann> #topic Follow up on past action items 15:03:45 <jungleboyj> ++ 15:03:51 <diablo_rojo> o/ 15:04:09 <gmann> none from last meeting #link https://meetings.opendev.org/meetings/tc/2021/tc.2021-11-04-15.02.html 15:04:17 <gmann> #topic Gate health check 15:04:39 <dansmith> I've only had a few patches in the gate in the last week, but I haven't noticed any big problems 15:04:45 <gmann> yeah 15:04:54 <dansmith> I think nova reported some legit failure at some point though, but I didn't look deep 15:04:57 <jungleboyj> I have seen things merging pretty efficiently. 15:05:05 <gmann> only one was devstack removed the keystone admin client creation and it broke few projects like tacker, blazer etc 15:05:06 <dansmith> also I think clarkb noted that nova has something n-v in the gate queue 15:05:45 <gmann> yeah 15:05:47 <jungleboyj> Cinder was hit with a queueing problem earlier but it sounds like that is fixed. 15:06:24 <gmann> on job cleanup, I am removing the opensuse job, please review where ever you can +2 #link https://review.opendev.org/q/topic:%22remove-tempest-full-py3-opensuse15%22+(status:open%20OR%20status:merged) 15:07:04 <gmann> let's move next 15:07:08 <gmann> #topic Updates on community-wide goal 15:07:16 <gmann> Decoupling goal from release cycle 15:07:32 <gmann> we need more review on this #link https://review.opendev.org/c/openstack/governance/+/816387 15:07:59 <gmann> so that we can get this in first to avoid merge conflict/rebase need on proposed/rework on goals 15:08:33 <jungleboyj> Ok. I will look. 15:08:42 <gmann> thanks 15:08:50 <gmann> RBAC goal rework 15:09:06 <dansmith> I'm behind on looking at the recent changes to that 15:09:12 <dansmith> will try to do that today 15:09:37 <gmann> we had second call after PTG to continue the discussion and things are much clear now on what to target in Yoga 15:09:39 <gmann> #link #link https://review.opendev.org/c/openstack/governance/+/815158 15:09:41 <gmann> dansmith: thanks 15:09:47 <gmann> #link https://review.opendev.org/c/openstack/governance/+/815158 15:10:02 <gmann> other also please review. 15:10:29 <jungleboyj> ++ 15:10:41 <gmann> and we will continue the discussion on various open things for future cycle in policy popup biweekly meeting. 15:10:55 <gmann> I will send the meeting detail on ML soon. 15:11:19 <rosmaita> gmann: that meeting is scheduled for today according to eavesdrop invite 15:11:55 <gmann> rosmaita: yeah, as we meet yesterday i think we can skip today and do from next week with biweekly odd 18th Nov, 2nd Dec.. 15:12:15 <gmann> rosmaita: I updated here #link https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team#Meeting 15:12:22 <rosmaita> gmann: ty 15:12:41 <gmann> and proposed the ical update also #link https://review.opendev.org/c/opendev/irc-meetings/+/817496 15:12:51 <gmann> once that is merged I will update on ML too 15:13:06 <rosmaita> ok, great 15:13:43 <gmann> anything else on RBAC ? 15:14:31 <gmann> next is new proposed goal - "Proposed community goal for FIPS compatibility and compliance" 15:14:33 <gmann> #link https://review.opendev.org/c/openstack/governance/+/816587 15:14:47 <gmann> ade_lee: hand over to you 15:14:53 <ade_lee> thanks 15:15:21 <ade_lee> I'm not if folks have had a chance to review, but there has been a lt of work around fips 15:15:56 <ade_lee> I split this up into two goals here -- fips compatibility and fips compliance 15:16:16 <ade_lee> fips compatibility means - I turn ffips on and everything still works 15:16:49 <ade_lee> fips compliance means compatibility + I only use crypto libraries that have been fips certified 15:17:32 <ade_lee> I think that we've made a lot of progress in fips compatibility to the point that we might be able to achieve it in Y 15:18:00 <ade_lee> ie. most of the projects now have ci gate jobs in progress to run with fips enabled. 15:18:25 <jungleboyj> That is good. 15:18:31 <ade_lee> and we've identified and fixed a bunch of places where things would trip up -- ie. md5 , bad ciphers etc. 15:19:10 <ade_lee> what making this a community goal would do would be to get all the remaining projects on board, as well as 3rd party vendors 15:19:32 <ade_lee> maybe even, we could replace all the regular ci jobs with fips enabled versions 15:19:49 <gmann> I saw the tempest changes plan on that but not read the goal completely. 15:19:51 <ade_lee> ie. if it works under fips, it could work otherwise too. 15:21:00 <ade_lee> as a longer term goal, we could do fips compliance - maybe for Z, because that will require changes like - for example, replacing paramiko and other non-certified crypto 15:21:02 <fungi> there are probably some blindspots worth noting when testing with fips mode on 15:21:10 <gmann> I think proposal is to replace paramiko with libssh ? 15:21:23 <ade_lee> and we'd like to do that consistently across openstack ideally 15:21:41 <mnaser> question that might be silly 15:21:42 <fungi> for example support of any cyrptographic algorithms not approved by the usa nist can't be exercised 15:21:44 <ade_lee> gmann, that could be the approach - there may be others 15:21:54 <mnaser> is there a benefit in running FIPS only for our gates 15:21:59 <ade_lee> libssh uses certified cryto in the backend 15:22:19 <gmann> k 15:22:20 <mnaser> like is there a downside to making everything FIPS only by standard? 15:22:41 <fungi> for example, you can't ssh with keys using ed25519 15:23:22 <fungi> mnaser: it's an americentric standard pushed by the united states government, so people in other countries, and particularly governments of countries besides the usa, are understandably wary 15:24:29 <fungi> it's great when you want to supply resources under usa government/defense department contracts 15:24:50 <fungi> but maybe not in other cases 15:25:17 <mnaser> ok i see 15:25:20 <gmann> is fips compliance means 'everything FIPS only ' ? 15:25:23 <mnaser> so its not necessary a 'good to have by default' 15:25:37 <gmann> yeah 15:26:44 <ade_lee> its also not just govts though - many financial and regulated industries want fips too - as a requiremwnt for other compliance regimes 15:27:09 <fungi> the global technical community is split on opinion, some expect nist has cryptographic strength as the primary goal, others suspect the nsa has convinced nist not to approve algorithms they don't know how to compromise... i personally expect it's a mix of those two priorities as well as other influences 15:27:46 * jungleboyj feels like he is being watched 15:28:45 <fungi> though supposedly fips 186-5 will add curve25519 as an allowed primitive, so ssh with ed25519 keys will probably eventually work in fips mode 15:29:26 <mnaser> okay that's fair, so it's not overall a 'good thing' for us to aim for fips only to 'increase security' 15:30:01 <fungi> right, it's possible to be "more secure than fips" in ways that are not fips compliant (depending on your definition of "secure" of course), but those are mostly corner cases 15:30:16 <dansmith> even if it doesn't get us better security, 15:30:26 <dansmith> is it bad to run with that as a default just because a lot of people _do_ want it? 15:30:34 <dansmith> like, are we losing coverage if we enable? 15:30:34 <fungi> making sure openstack can be used in fips-compliant environments is 100% a good thing, i think 15:31:22 <fungi> only testing in fips mode may reduce coverage, mainly around any support we might have for cryptographic primitives not (yet) approved by nist 15:31:22 <mnaser> yeah, i am thinking more of 'do we do it by default' or not 15:31:47 <fungi> but for the most part openstack doesn't really roll its own crypto, and tries to leave that to external dependencies 15:31:49 <gmann> I am also not sure about default but definitely make openstack fips compatible and test with few jobs 15:32:53 <fungi> well, also currently only know how to do fips mode testing on rhel/fedora-derived distros, so debian/ubuntu would probably take a fair amount of work to use for fips mode testing 15:33:35 <fungi> and obviously the majority of our testing happens on whatever the latest ubuntu lts was at the time we started a given cycle 15:34:05 <ade_lee> fungi, thats true - although by the time that is done, most of the fips bugs will have been shaken out. 15:34:28 <dansmith> that seems like both a good reason not to enable by default, but also probably a bad thing if we don't know how to make our own primary test platform compliant :D 15:34:35 <gmann> yeah. if we think on making it default then enabling in ubutnu is required 15:34:52 <ade_lee> much of the work in setting up the fips jobs has been getting them working on rhel/centos instead of ubuntu. 15:35:32 <gmann> we can start with the centos job adding in tempest and other tempest plugins and see 15:35:40 <fungi> worth noting, logistically, fips mode is explicitly a non-default configuration for most linux distros (even the rhel/fedora-derived ones), so to test in fips mode on opendev's standard distro images you need to reboot the test nodes into fips mode 15:36:13 <fungi> you can't effectively enter/exit fips mode without a complete reboot 15:36:17 <gmann> but defining a goal to make it default seems difficult in Yoga 15:36:46 <dansmith> default is different than complete right? 15:36:52 <fungi> so that does extend job runtime a bit to swizzle the kernel parameters and reboot 15:37:01 <dansmith> complete can mean "everyone runs at least one job to ensure compliance" 15:37:53 <gmann> we can go with three steps here 1. run few jobs on few projects 2. complete- have all project at least on job 3. discuss on making it default or not 15:38:02 <dansmith> yeah 15:38:47 <ade_lee> gmann, we're already doing 1 -- I'm hoping for at least 2 15:39:11 <gmann> ade_lee: as you mentioned, you have already divided it into multiple steps/goal. and with our new structure on goal, we can do it in these three steps and see how fast we do it. new structure I mean this #link https://review.opendev.org/c/openstack/governance/+/816387 15:39:16 <jungleboyj> gmann: That sounds like a reasonable plan. 15:39:46 <gmann> ade_lee: and with new structure which is not merged yet, it can be done at any different time within a cycle or in multiple cycle. 15:40:39 <ade_lee> gmann, ack - I can add in the new miestones etc. 15:40:56 <ade_lee> as described in the template you described 15:41:05 <gmann> ade_lee: cool, and we will continue the discussion on gerrit. 15:41:13 <ade_lee> cool 15:41:22 <gmann> ade_lee: you can add depends on the 816387in case to avoid merge conflict or so 15:41:30 <ade_lee> will do 15:41:38 <gmann> ade_lee: thanks for the proposal and explaining here 15:41:57 <ade_lee> thanks all 15:42:05 <gmann> moving next 15:42:11 <gmann> #topic Adjutant need PTLs and maintainers 15:42:22 <gmann> #link http://lists.openstack.org/pipermail/openstack-discuss/2021-October/025555.html 15:43:01 <gmann> I saw fungi reply on email to someone asking on Adjutant plan and reaching out to adrian 15:43:14 <gmann> nut did not find the original email they asked on, may be i missed 15:43:49 <gmann> but I think there is no volunteer to help on this project or may be they are discussion internally ? 15:44:01 <gmann> * help on this project yet 15:44:16 <mnaser> isn't catalyst using this internally? 15:45:02 <gmann> not sure, adrian mentioned they might take this up but not sure 15:46:16 <gmann> but at least they are aware as I see Andrew from catalyst reply on this ML thread 15:46:48 <fungi> i was replying to this: 15:46:54 <gmann> I will send another reminder on ML and not sure how long adrian will be there to help/lead so they might need to take this soon 15:46:58 <fungi> #link http://lists.openstack.org/pipermail/openstack-discuss/2021-November/025713.html 15:47:00 <gmann> yeah 15:47:45 <gmann> so let's wait for more time on this 15:47:50 <gmann> moving next 15:47:53 <gmann> #topic Pain Point targeting 15:48:05 <gmann> #link https://etherpad.opendev.org/p/pain-point-elimination 15:48:35 <gmann> we decided to continue iterating the list and keep discussion on this. 15:49:05 <gmann> we did not much time in last week meeting also and this too 15:49:26 <gmann> I think we can have a voice call to iterate it in adhoc meeting? 15:49:38 <gmann> belmoreira: ricolin_ what you think? 15:50:10 <gmann> like RBAC discussion we are doing 15:50:21 <belmoreira> looks good to me 15:51:12 <gmann> cool, belmoreira or ricolin_ any one of you to schedule it otherwise I can do, sometime for next week or so? 15:51:18 <jungleboyj> I think that makes sense as a next step. 15:51:46 <gmann> yeah, we do not get much time in weekly meeting so doing it in adhoc meeting will be more productive 15:52:20 <belmoreira> it would be better to confirm with ricolin_ first since he started this effort 15:52:47 <jungleboyj> belmoreira: ++ 15:52:51 <gmann> sure, he is not here today but I will ping him in case he miss to see our ping here. 15:53:12 <gmann> #action gmann, ricolin_ to schedule adhoc meeting for pain point discussions 15:53:22 <gmann> #topic Open Reviews 15:53:35 <gmann> #link https://review.opendev.org/q/projects:openstack/governance+is:open 15:53:47 <gmann> lot of open reviews, let check what all are ready to vote 15:54:16 <gmann> this one is needed for goal things #link https://review.opendev.org/c/openstack/governance/+/816387 15:54:37 <gmann> mnaser: jungleboyj rosmaita diablo_rojo spotz ^^ please check 15:55:08 <jungleboyj> mnaser: Got it. 15:55:13 <gmann> this will be quick one as we discussed in last meeting to remvoe the office hours #link https://review.opendev.org/c/openstack/governance/+/817493 15:55:47 <gmann> and this one is important for Yoga testing runtime so that we can start working on new testing part soon #link https://review.opendev.org/c/openstack/governance/+/815851 15:56:09 <gmann> frickler: fungi ^^ you too in case you have not checked the latest version 15:56:35 <gmann> with adding centos9-stream, I have removed the py36 and making py3.8 and py3.9 as voting 15:57:57 <gmann> there are othr open reviews also which are ready to vote, please check and review in this week as much as possible 15:58:02 <fungi> i think we're getting close on stream 9 testing, right now we're trying to work through getting package mirroring in place 15:58:16 <gmann> +1, thanks 15:59:02 <diablo_rojo> I will check that out toda 15:59:14 <gmann> thanks 15:59:16 <gmann> one last thing- 15:59:31 <gmann> is openinfra tv keynotes 1 hr long or 2? on 18th 15:59:46 <gmann> #link https://openinfra.dev/live/ 16:00:12 <gmann> ah but it is at same time out tc meeting 16:00:27 <gmann> we can cancel it for next week on 18th if ok for everyone ? 16:00:31 <fungi> yes, i was just watching this week's episode during the tc meeting 16:00:32 <gmann> cancel TC meeting 16:00:41 <diablo_rojo> yes please 16:01:09 <jungleboyj> That would be good. 16:01:48 <gmann> ok, let's cancel meeting on 18th and we will meet on 25th Nov. I will update on ML too 16:01:59 <gmann> thanks everyone for joining, let's close it for today 16:02:04 <gmann> #endmeeting