12:03:45 <jaosorior> #startmeeting TripleO Security Squad
12:03:46 <openstack> Meeting started Wed Mar 28 12:03:45 2018 UTC and is due to finish in 60 minutes.  The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:03:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:03:49 <openstack> The meeting name has been set to 'tripleo_security_squad'
12:04:19 <jaosorior> Alright folks, let's start
12:04:34 <jaosorior> #topic Work progress update
12:05:08 <jaosorior> Out of all the topics, the main effort lately has been in two areas: * TLS by default  * Secret Management
12:05:12 <raildo> #link https://etherpad.openstack.org/p/tripleo-security-squad
12:05:19 <jaosorior> thanks raildo
12:05:33 <jaosorior> #topic Public TLS by default
12:05:47 <jaosorior> So, there has been a bunch of progress on this side.
12:06:06 <jaosorior> TLS is now the default in the classic undercloud, and mistral will automatically push the CA certificate to the overcloud nodes.
12:06:25 <jaosorior> I also have put up patches for enabling TLS by default for the containerized undercloud
12:06:37 <jaosorior> namely
12:06:40 <jaosorior> #link https://review.openstack.org/557159
12:06:42 <jaosorior> and
12:06:53 <jaosorior> #link https://review.openstack.org/557160
12:07:20 <jaosorior> And I actually got TLS (public) for the overcloud working.
12:07:44 <jaosorior> But currently I'm facing some package related issues that prevent CI on that job from running properly
12:08:10 <jaosorior> #link https://review.openstack.org/#/c/554926/
12:08:37 <jaosorior> That one ^^ enables TLS by default for the overcloud. But it is currently failing because I introduced a new script to tripleo-common, thus packaging fails.
12:08:53 <jaosorior> #link https://review.openstack.org/#/c/554926/
12:09:14 <jaosorior> that one ^^ is the commit to the spec file in RDO, that would enable that script. But I haven't gotten that commit to work yet
12:09:20 <jaosorior> So any help on that side is welcome
12:09:38 <jaosorior> The rest of the reviews that have been put up are on the etherpad.
12:09:49 <jaosorior> Any questions/feedback?
12:10:14 <ooolpbot> URGENT TRIPLEO TASKS NEED ATTENTION
12:10:14 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1757556
12:10:15 <openstack> Launchpad bug 1757556 in tripleo "timeouts in neutron are causing ssh failures in tempest test instances" [Critical,Triaged]
12:10:23 <bogdando> folks PTAL https://review.openstack.org/#/c/553427/ all green
12:10:53 <raildo> for now, I believe that we just need to go deeper in those patches and have that reviewed soon
12:11:07 <jaosorior> that would be appreciated
12:11:08 <openstackgerrit> Gael Chamoulaud proposed openstack/tripleo-validations stable/queens: Fix overcloud services connectivity validation  https://review.openstack.org/557315
12:11:25 <jaosorior> so please, if you have some time, reviews are always welcome
12:12:43 <jaosorior> Moving on
12:12:48 <jaosorior> #topic Secret Management audit
12:13:29 <jaosorior> alee and I went through a deployment and started listing out the files and places where we have sensitive data
12:13:44 <openstackgerrit> Chandan Kumar proposed openstack/tripleo-quickstart-extras master: Refactored validate-tempest role for undercloud and containers  https://review.openstack.org/551441
12:13:47 <jaosorior> #link https://etherpad.openstack.org/p/tripleo-audit-secrets
12:14:00 <jaosorior> fortunately, it seems that we're well covered in basic unix permissions for those files.
12:14:28 <jaosorior> the goal of that is, once we have identified everything, we'll go through those secrets and come up with strategies on how to secure them
12:14:53 <jaosorior> we're already throwing around ideas on how to do that, but we'll need to meet up again to formalize some of those approaches, and discuss them further.
12:15:20 <jaosorior> So, if folks have time to review the etherpad I posted above, please check it out; if we missed anything feel free to add that there.
12:16:11 <jaosorior> We could probably use the same Etherpad to post some ideas on how to lock those places down
12:16:53 <jaosorior> Any questions/feedback?
12:18:41 <raildo> jaosorior, it's more for curiosity, is there any way to guarantee that we are covering all the secrets in this document?
12:19:27 <raildo> jaosorior, I mean, I'm supposing that you guys listed those secrets based on your previous knowledge of where the secrets are, right?
12:19:48 <jaosorior> raildo: we also did a bunch of grep magic around the nodes :D but of course we might have missed something
12:20:03 <raildo> jaosorior, ok, got it
12:20:05 <jaosorior> raildo: this is why it's important to have more folks review that list, and if someone knows of something we missed, it should be posted there.
12:20:24 <jaosorior> and once we secure it, it'll be a matter of documenting the approach and writing up some best-practices.
12:20:40 <raildo> jaosorior, yeah, makes sense. thanks!
12:21:00 <jaosorior> in k8s, nobody stops you from writing out some passwords in your templates; but of course it's preferred to use k8s secrets instead.
12:21:53 <openstackgerrit> Bogdan Dobrelya proposed openstack/python-tripleoclient master: Hard link http boot contents for Ironic  https://review.openstack.org/556516
12:22:05 <jaosorior> Anyway
12:22:07 <jaosorior> that's all from my side
12:22:13 <jaosorior> #topic Any other business
12:22:35 <jaosorior> Does anyone have something else that they would like to bring up in the meeting?
12:24:12 <holser__> bnemec - Do we really need https://github.com/openstack/instack-undercloud/blob/master/instack_undercloud/undercloud.py#L2362-L2366
12:24:22 <moguimar> nothing here
12:24:29 <jaosorior> Alright
12:24:37 <holser__> I guess it was a special case for the N>M upgrade
12:24:53 <jaosorior> Remember that if you're interested in a topic and would like some help getting started out, you're welcome to reach out to me or lhinds and we'll help you out getting started
12:25:09 <jaosorior> Thanks for attending folks!
12:25:12 <jaosorior> #endmeeting