15:00:26 <gmann> #startmeeting tc
15:00:26 <opendevmeet> Meeting started Thu Nov 11 15:00:26 2021 UTC and is due to finish in 60 minutes.  The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:26 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:26 <opendevmeet> The meeting name has been set to 'tc'
15:00:31 <gmann> tc-members: meeting time
15:00:36 <gmann> #topic Roll call
15:00:39 <gmann> o/
15:00:58 <mnaser> o/
15:01:12 <ade_lee> o/
15:01:18 <jungleboyj> o/
15:01:34 <gmann> hope everyone adjusted meeting time change with daylight saving things
15:02:32 <jungleboyj> :-)  I was smart enough to put it on my calendar in UTC.
15:02:50 <gmann> yeah, I did same after i missed lot of meeting last time :)
15:03:04 <gmann> less member today, may be holiday in USA, Poland and other place
15:03:09 <gmann> let's start
15:03:18 <gmann> #link https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Agenda_Suggestions
15:03:22 <dansmith> o/
15:03:23 <gmann> today agenda ^^
15:03:25 <belmoreira> o/
15:03:44 <gmann> #topic Follow up on past action items
15:03:45 <jungleboyj> ++
15:03:51 <diablo_rojo> o/
15:04:09 <gmann> none from last meeting #link https://meetings.opendev.org/meetings/tc/2021/tc.2021-11-04-15.02.html
15:04:17 <gmann> #topic Gate health check
15:04:39 <dansmith> I've only had a few patches in the gate in the last week, but I haven't noticed any big problems
15:04:45 <gmann> yeah
15:04:54 <dansmith> I think nova reported some legit failure at some point though, but I didn't look deep
15:04:57 <jungleboyj> I have seen things merging pretty efficiently.
15:05:05 <gmann> only one was devstack removed the keystone admin client creation and it broke few projects like tacker, blazar etc
15:05:06 <dansmith> also I think clarkb noted that nova has something n-v in the gate queue
15:05:45 <gmann> yeah
15:05:47 <jungleboyj> Cinder was hit with a queueing problem earlier but it sounds like that is fixed.
15:06:24 <gmann> on job cleanup, I am removing the opensuse job, please review where ever you can +2 #link https://review.opendev.org/q/topic:%22remove-tempest-full-py3-opensuse15%22+(status:open%20OR%20status:merged)
15:07:04 <gmann> let's move next
15:07:08 <gmann> #topic Updates on community-wide goal
15:07:16 <gmann> Decoupling goal from release cycle
15:07:32 <gmann> we need more review on this #link https://review.opendev.org/c/openstack/governance/+/816387
15:07:59 <gmann> so that we can get this in first to avoid merge conflict/rebase need on proposed/rework on  goals
15:08:33 <jungleboyj> Ok.  I will look.
15:08:42 <gmann> thanks
15:08:50 <gmann> RBAC goal rework
15:09:06 <dansmith> I'm behind on looking at the recent changes to that
15:09:12 <dansmith> will try to do that today
15:09:37 <gmann> we had second call after PTG to continue the discussion and things are much clear now on what to target in Yoga
15:09:39 <gmann> #link https://review.opendev.org/c/openstack/governance/+/815158
15:09:41 <gmann> dansmith: thanks
15:09:47 <gmann> #link https://review.opendev.org/c/openstack/governance/+/815158
15:10:02 <gmann> other also please review.
15:10:29 <jungleboyj> ++
15:10:41 <gmann> and we will continue the discussion on various open things for future cycle in policy popup biweekly meeting.
15:10:55 <gmann> I will send the meeting detail on ML soon.
15:11:19 <rosmaita> gmann: that meeting is scheduled for today according to eavesdrop invite
15:11:55 <gmann> rosmaita: yeah, as we meet yesterday i think  we can skip today and do from next week with biweekly odd 18th Nov, 2nd Dec..
15:12:15 <gmann> rosmaita: I updated here #link https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team#Meeting
15:12:22 <rosmaita> gmann: ty
15:12:41 <gmann> and proposed the ical update also #link https://review.opendev.org/c/opendev/irc-meetings/+/817496
15:12:51 <gmann> once that is merged I will update on ML too
15:13:06 <rosmaita> ok, great
15:13:43 <gmann> anything else on RBAC ?
15:14:31 <gmann> next is new proposed goal - "Proposed community goal for FIPS compatibility and compliance"
15:14:33 <gmann> #link https://review.opendev.org/c/openstack/governance/+/816587
15:14:47 <gmann> ade_lee: hand over to you
15:14:53 <ade_lee> thanks
15:15:21 <ade_lee> I'm not sure if folks have had a chance to review, but there has been a lot of work around fips
15:15:56 <ade_lee> I split this up into two goals here -- fips compatibility and fips compliance
15:16:16 <ade_lee> fips compatibility means - I turn fips on and everything still works
15:16:49 <ade_lee> fips compliance means compatibility + I only use crypto libraries that have been fips certified
15:17:32 <ade_lee> I think that we've made a lot of progress in fips compatibility to the point that we might be able to achieve it in Y
15:18:00 <ade_lee> ie. most of the projects now have ci gate jobs in progress to run with fips enabled.
15:18:25 <jungleboyj> That is good.
15:18:31 <ade_lee> and we've identified and fixed a bunch of places where things would trip up -- ie. md5 , bad ciphers etc.
15:19:10 <ade_lee> what making this a community goal would do would be to get all the remaining projects on board, as well as 3rd party vendors
15:19:32 <ade_lee> maybe even, we could replace all the regular ci jobs with fips enabled versions
15:19:49 <gmann> I saw the tempest changes plan on that but not read the goal completely.
15:19:51 <ade_lee> ie. if it works under fips, it could work otherwise too.
15:21:00 <ade_lee> as a longer term goal, we could do fips compliance - maybe for Z, because that will require changes like - for example, replacing paramiko and other non-certified crypto
15:21:02 <fungi> there are probably some blindspots worth noting when testing with fips mode on
15:21:10 <gmann> I think proposal is to replace paramiko with libssh ?
15:21:23 <ade_lee> and we'd like to do that consistently across openstack ideally
15:21:41 <mnaser> question that might be silly
15:21:42 <fungi> for example support of any cryptographic algorithms not approved by the usa nist can't be exercised
15:21:44 <ade_lee> gmann, that could be the approach - there may be others
15:21:54 <mnaser> is there a benefit in running FIPS only for our gates
15:21:59 <ade_lee> libssh uses certified crypto in the backend
15:22:19 <gmann> k
15:22:20 <mnaser> like is there a downside to making everything FIPS only by standard?
15:22:41 <fungi> for example, you can't ssh with keys using ed25519
15:23:22 <fungi> mnaser: it's an americentric standard pushed by the united states government, so people in other countries, and particularly governments of countries besides the usa, are understandably wary
15:24:29 <fungi> it's great when you want to supply resources under usa government/defense department contracts
15:24:50 <fungi> but maybe not in other cases
15:25:17 <mnaser> ok i see
15:25:20 <gmann> is fips compliance means 'everything FIPS only ' ?
15:25:23 <mnaser> so it's not necessarily a 'good to have by default'
15:25:37 <gmann> yeah
15:26:44 <ade_lee> it's also not just govts though - many financial and regulated industries want fips too - as a requirement for other compliance regimes
15:27:09 <fungi> the global technical community is split on opinion, some expect nist has cryptographic strength as the primary goal, others suspect the nsa has convinced nist not to approve algorithms they don't know how to compromise... i personally expect it's a mix of those two priorities as well as other influences
15:27:46 * jungleboyj feels like he is being watched
15:28:45 <fungi> though supposedly fips 186-5 will add curve25519 as an allowed primitive, so ssh with ed25519 keys will probably eventually work in fips mode
15:29:26 <mnaser> okay that's fair, so it's not overall a 'good thing' for us to aim for fips only to 'increase security'
15:30:01 <fungi> right, it's possible to be "more secure than fips" in ways that are not fips compliant (depending on your definition of "secure" of course), but those are mostly corner cases
15:30:16 <dansmith> even if it doesn't get us better security,
15:30:26 <dansmith> is it bad to run with that as a default just because a lot of people _do_ want it?
15:30:34 <dansmith> like, are we losing coverage if we enable?
15:30:34 <fungi> making sure openstack can be used in fips-compliant environments is 100% a good thing, i think
15:31:22 <fungi> only testing in fips mode may reduce coverage, mainly around any support we might have for cryptographic primitives not (yet) approved by nist
15:31:22 <mnaser> yeah, i am thinking more of 'do we do it by default' or not
15:31:47 <fungi> but for the most part openstack doesn't really roll its own crypto, and tries to leave that to external dependencies
15:31:49 <gmann> I am also not sure about default but definitely  make openstack fips compatible and test with few jobs
15:32:53 <fungi> well, also currently only know how to do fips mode testing on rhel/fedora-derived distros, so debian/ubuntu would probably take a fair amount of work to use for fips mode testing
15:33:35 <fungi> and obviously the majority of our testing happens on whatever the latest ubuntu lts was at the time we started a given cycle
15:34:05 <ade_lee> fungi, thats true - although by the time that is done, most of the fips bugs will have been shaken out.
15:34:28 <dansmith> that seems like both a good reason not to enable by default, but also probably a bad thing if we don't know how to make our own primary test platform compliant :D
15:34:35 <gmann> yeah. if we think on making it default then enabling in ubuntu is required
15:34:52 <ade_lee> much of the work in setting up the fips jobs has been getting them working on rhel/centos instead of ubuntu.
15:35:32 <gmann> we can start with the centos job adding in tempest and other tempest plugins and see
15:35:40 <fungi> worth noting, logistically, fips mode is explicitly a non-default configuration for most linux distros (even the rhel/fedora-derived ones), so to test in fips mode on opendev's standard distro images you need to reboot the test nodes into fips mode
15:36:13 <fungi> you can't effectively enter/exit fips mode without a complete reboot
15:36:17 <gmann> but defining a goal to make it default seems difficult in Yoga
15:36:46 <dansmith> default is different than complete right?
15:36:52 <fungi> so that does extend job runtime a bit to swizzle the kernel parameters and reboot
15:37:01 <dansmith> complete can mean "everyone runs at least one job to ensure compliance"
15:37:53 <gmann> we can go with three steps here 1. run few jobs on few projects 2. complete- have all project at least one job 3. discuss on making it default or not
15:38:02 <dansmith> yeah
15:38:47 <ade_lee> gmann, we're already doing 1 -- I'm hoping for at least 2
15:39:11 <gmann> ade_lee: as you mentioned, you have already divided it into multiple steps/goal. and with our new structure on goal, we can do it in these three steps and see how fast we do it. new structure I mean this #link https://review.opendev.org/c/openstack/governance/+/816387
15:39:16 <jungleboyj> gmann:  That sounds like a reasonable plan.
15:39:46 <gmann> ade_lee: and with new structure which is not merged yet, it can be done at any different time within a cycle or in multiple cycle.
15:40:39 <ade_lee> gmann, ack - I can add in the new milestones etc.
15:40:56 <ade_lee> as described in the template you described
15:41:05 <gmann> ade_lee: cool, and we will continue the discussion on gerrit.
15:41:13 <ade_lee> cool
15:41:22 <gmann> ade_lee: you can add depends on the 816387 in case to avoid merge conflict or so
15:41:30 <ade_lee> will do
15:41:38 <gmann> ade_lee: thanks for the proposal and explaining here
15:41:57 <ade_lee> thanks all
15:42:05 <gmann> moving next
15:42:11 <gmann> #topic Adjutant need PTLs and maintainers
15:42:22 <gmann> #link http://lists.openstack.org/pipermail/openstack-discuss/2021-October/025555.html
15:43:01 <gmann> I saw fungi reply on email to someone asking on Adjutant plan and reaching out to adrian
15:43:14 <gmann> but did not find the original email they asked on, may be i missed
15:43:49 <gmann> but I think there is no volunteer to help on this project or may be they are discussion internally ?
15:44:01 <gmann> * help on this project yet
15:44:16 <mnaser> isn't catalyst using this internally?
15:45:02 <gmann> not sure, adrian mentioned they might take this up but not sure
15:46:16 <gmann> but at least they are aware as I see Andrew  from catalyst reply on this ML thread
15:46:48 <fungi> i was replying to this:
15:46:54 <gmann> I will send another reminder on ML and not sure how long adrian will be there to help/lead so they might need to take this soon
15:46:58 <fungi> #link http://lists.openstack.org/pipermail/openstack-discuss/2021-November/025713.html
15:47:00 <gmann> yeah
15:47:45 <gmann> so let's wait for more time on this
15:47:50 <gmann> moving next
15:47:53 <gmann> #topic Pain Point targeting
15:48:05 <gmann> #link https://etherpad.opendev.org/p/pain-point-elimination
15:48:35 <gmann> we decided to continue iterating the list and keep discussion on this.
15:49:05 <gmann> we did not get much time in last week meeting also and this too
15:49:26 <gmann> I think we can have a voice call to iterate it in adhoc meeting?
15:49:38 <gmann> belmoreira: ricolin_ what you think?
15:50:10 <gmann> like RBAC discussion we are doing
15:50:21 <belmoreira> looks good to me
15:51:12 <gmann> cool, belmoreira or ricolin_ any one of you to schedule it otherwise I can do, sometime for next week or so?
15:51:18 <jungleboyj> I think that makes sense as a next step.
15:51:46 <gmann> yeah, we do not get much time in weekly meeting so doing it in adhoc meeting will be more productive
15:52:20 <belmoreira> it would be better to confirm with ricolin_ first since he started this effort
15:52:47 <jungleboyj> belmoreira:  ++
15:52:51 <gmann> sure, he is not here today but I will ping him in case he miss to see our ping here.
15:53:12 <gmann> #action gmann, ricolin_ to schedule adhoc meeting for pain point discussions
15:53:22 <gmann> #topic Open Reviews
15:53:35 <gmann> #link https://review.opendev.org/q/projects:openstack/governance+is:open
15:53:47 <gmann> lot of open reviews, let's check what all are ready to vote
15:54:16 <gmann> this one is needed for goal things #link https://review.opendev.org/c/openstack/governance/+/816387
15:54:37 <gmann> mnaser: jungleboyj rosmaita diablo_rojo spotz ^^ please check
15:55:08 <jungleboyj> mnaser:  Got it.
15:55:13 <gmann> this will be quick one as we discussed in last meeting to remove the office hours #link https://review.opendev.org/c/openstack/governance/+/817493
15:55:47 <gmann> and this one is important for Yoga testing runtime so that we can start working on new testing part soon #link https://review.opendev.org/c/openstack/governance/+/815851
15:56:09 <gmann> frickler: fungi ^^ you too in case you have not checked the latest version
15:56:35 <gmann> with adding centos9-stream, I have removed the py36 and making py3.8 and py3.9 as voting
15:57:57 <gmann> there are other open reviews also which are ready to vote, please check and review in this week as much as possible
15:58:02 <fungi> i think we're getting close on stream 9 testing, right now we're trying to work through getting package mirroring in place
15:58:16 <gmann> +1, thanks
15:59:02 <diablo_rojo> I will check that out today
15:59:14 <gmann> thanks
15:59:16 <gmann> one last thing-
15:59:31 <gmann> is openinfra tv keynotes 1 hr long or 2? on 18th
15:59:46 <gmann> #link https://openinfra.dev/live/
16:00:12 <gmann> ah but it is at same time as our tc meeting
16:00:27 <gmann> we can cancel it for next week on 18th if ok for everyone ?
16:00:31 <fungi> yes, i was just watching this week's episode during the tc meeting
16:00:32 <gmann> cancel TC meeting
16:00:41 <diablo_rojo> yes please
16:01:09 <jungleboyj> That would be good.
16:01:48 <gmann> ok, let's cancel meeting on 18th and we will meet on 25th Nov. I will update on ML too
16:01:59 <gmann> thanks everyone for joining, let's close it for today
16:02:04 <gmann> #endmeeting