12:00:47 <jaosorior> #startmeeting TripleO Security Squad
12:00:48 <openstack> Meeting started Wed May 16 12:00:47 2018 UTC and is due to finish in 60 minutes.  The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:49 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:51 <openstack> The meeting name has been set to 'tripleo_security_squad'
12:00:54 <jaosorior> I'll wait a little bit for more folks to log in
12:00:55 <lhinds> hey oz
12:01:03 <jaosorior> hey lhinds! how's it going?
12:01:11 <lhinds> good thanks
12:06:39 <jaosorior> #topic Public TLS work update
12:07:10 <jaosorior> right! so
12:07:46 <jaosorior> public TLS by default merged
12:07:53 <jaosorior> ....and it was reverted :D
12:08:32 <jaosorior> It was reverted here https://review.openstack.org/#/c/568699/
12:08:50 <jaosorior> because of this bug https://bugs.launchpad.net/tripleo/+bug/1771435
12:08:51 <openstack> Launchpad bug 1771435 in tripleo "scenario001/002 failing on autoscaling with urllib3.exceptions.SSLError: [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:579)" [Critical,Fix released] - Assigned to Alex Schultz (alex-schultz)
12:09:27 <jaosorior> it seems that tempest (the telemetry plugin) is poking panko
12:09:38 <jaosorior> and it gets a TLS endpoint with a non-TLS port (for some strange reason)
12:09:42 <jaosorior> I'm still not sure why that happens
12:09:52 <jaosorior> but I'm looking into it
12:10:13 <jaosorior> seems sileht is also looking into it
12:10:15 <ooolpbot> URGENT TRIPLEO TASKS NEED ATTENTION
12:10:15 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1770972
12:10:16 <openstack> Launchpad bug 1770972 in tripleo "CI: Images introspection fails in OVB jobs" [Critical,Triaged] - Assigned to Derek Higgins (derekh)
12:10:16 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1771508
12:10:18 <openstack> Launchpad bug 1771508 in tripleo "Telemetry tests fail in scenario-001 and 002 jobs" [Critical,Triaged] - Assigned to Pradeep Kilambi (pkilambi)
12:10:37 <jaosorior> if someone wants to help with that
12:10:54 <jaosorior> I can provide details about how to reproduce it
12:10:57 <jaosorior> so let me know
12:11:02 <jaosorior> help is very much appreciated
12:11:15 <jaosorior> once that merges, then just docs are missing and we'll have public TLS by default :D
12:11:23 <Tengu> can't help more than what I did for now :/
12:11:38 <Tengu> learning curve is nice :3
12:12:21 <sshnaidm|rover> derekh, weshay I suspect there is different problem with images
12:12:23 <jaosorior> Tengu: you're getting your system tomorrow, right?
12:12:34 <Tengu> the builder? yep.
12:12:41 <sshnaidm|rover> derekh, we update our images in the job: https://logs.rdoproject.org/15/568715/2/openstack-check/gate-tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset001-master/Z5df1951657694a9ebaad63e71362a76a/console.txt.gz#_2018-05-16_04_15_05_346
12:13:33 <sshnaidm|rover> derekh, it's done so: https://github.com/openstack/tripleo-quickstart-extras/blob/69ad943adda9000f79277f0230a5751869de9cb3/roles/modify-image/tasks/manual.yml#L33-L70
12:13:37 <jaosorior> Tengu: let me know and I can help you reproduce the issue
12:13:53 <sshnaidm|rover> derekh, weshay but what we have when running update: https://logs.rdoproject.org/15/568715/2/openstack-check/gate-tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset001-master/Z5df1951657694a9ebaad63e71362a76a/undercloud/home/jenkins/repo_setup.sh.1526444104.log.txt.gz
12:14:04 <sshnaidm|rover> it may be a reason for failures..
12:14:13 <jaosorior> any other questions/feedback on the public TLS stuff?
12:14:21 <Tengu> jaosorior: ok :).
12:14:55 <openstackgerrit> Sagi Shnaidman proposed openstack-infra/tripleo-ci master: DNM: build image in every OVB job  https://review.openstack.org/568258
12:15:23 <weshay> oof
12:16:04 <Tengu> hello weshay :)
12:16:31 <jaosorior> #topic Secret management
12:17:41 <jaosorior> So, I sent out a mail about enabling swift volume encryption by default http://lists.openstack.org/pipermail/openstack-dev/2018-May/130529.html
12:17:50 <jaosorior> mwhahaha: are you around? I saw you reviewed the patch and had some concerns
12:18:35 <mwhahaha> Sorta
12:19:11 <jaosorior> mwhahaha: swift isn't really poked that much anymore
12:19:24 <weshay> matbu, chem https://review.openstack.org/#/c/568680/
12:19:29 <mwhahaha> So the perf thing probably ok
12:19:36 <jaosorior> mwhahaha: just to store the plan and get the plan out
12:19:39 <jaosorior> update the plan from the UI
12:19:41 <jaosorior> that's about it AFAIK
12:19:49 <jaosorior> ooh and get artifacts from the overcloud
12:19:58 <openstackgerrit> Emilien Macchi proposed openstack/tripleo-upgrade master: add container minimal check and gate  https://review.openstack.org/568733
12:20:08 <openstackgerrit> Sagi Shnaidman proposed openstack/tripleo-quickstart-extras master: WIP: Reproduce CI multinode job with libvirt  https://review.openstack.org/543429
12:20:11 <mwhahaha> But more services is kinda a problem, also how secure is a generic barbican
12:20:24 <openstackgerrit> Emilien Macchi proposed openstack/tripleo-upgrade master: add container minimal check and gate  https://review.openstack.org/568733
12:21:03 <mwhahaha> Like would luks be better
12:21:44 <jaosorior> mwhahaha: it isn't great, but from there we can move forward to using the pkcs11 plugin for the more security concerned
12:21:55 <Tengu> mwhahaha: you'd still get the key somewhere, or have to manually enter the encryption password after each reboot
12:22:15 <mwhahaha> Luks solves the data at rest problem better imho
12:22:55 <mwhahaha> And the undercloud is less of a problem for automatic reboots
12:23:25 <mwhahaha> Since we don't assume 100% uptime
12:24:13 <mwhahaha> Having dealt with HSMs before I'd rather we recommend luks for the undercloud
12:24:30 <mwhahaha> That's my take on it
12:24:39 <jaosorior> mwhahaha: some people require hardware security
12:24:45 <jaosorior> some folks even want to tie luks to an hsm
12:24:49 <mwhahaha> Then those people enable it
12:24:54 <mwhahaha> But not by default
12:25:08 <EmilienM> bogdando: thx for https://review.openstack.org/#/c/568818/
12:25:13 <mwhahaha> I don't see upside to it being on by default
12:25:39 <jaosorior> alright, those are valid points; I'll leave the commit up there for a bit and see what other folks think; more feedback is always good :)
12:26:00 <mwhahaha> False sense of security is bad :D
12:27:13 <jaosorior> agreed
12:27:22 <Tengu> small question: is there a way to trigger an rdo third party CI without triggering zuul?
12:27:47 <beagles> are the current containerized undercloud install docs in https://docs.openstack.org/tripleo-docs/latest/install/installation/installing.html correct?
12:27:59 <mwhahaha> Tengu: check-rdo
12:28:05 <Tengu> mwhahaha: thank you!
12:28:24 <jaosorior> #topic Kerberos auth for keystone
12:28:45 <jaosorior> Alright, something else I wanted to bring up was a (relatively) low hanging fruit
12:29:09 <jaosorior> keystone supports kerberos for authentication, and I don't think it would be too hard to do (you can do a TLS everywhere deployment if you need kerberos around)
12:29:12 <beagles> I'm getting what appears to be issues in configuring nova_placement, heat_api, ironic_api, mysql, ironic, mistral, zaqar, nova, keystone...well basically everything I think
12:29:21 <jaosorior> some folks have expressed interest about it, so I thought it would be a good thing to have
12:29:39 <sshnaidm|rover> weshay, well, seems like we can't update images at all, jobs pass only when we build them..
12:29:40 <jaosorior> so, if someone wants to pick up that work, I can provide details on how to do it
12:29:44 <jaosorior> so, let me know :D
12:30:29 <Tengu> jaosorior: is there some open issue for that?
12:30:54 <jaosorior> Tengu: there isn't; didn't think about tracking it with launchpad given it's not a bug but a feature request :D
12:31:13 <Tengu> there are RFEs on launchpad :).
12:31:39 <jaosorior> OK, I can write one then
12:31:51 <jaosorior> #action jaosorior to write an RFE bug about Kerberos authentication
12:32:00 <Tengu> that would be best in order to follow
12:32:19 <jaosorior> I'll provide all the details needed to get that working on that bug
12:33:30 <jaosorior> #topic Any other business
12:33:34 <weshay> sshnaidm|rover, ok.. I like the patch
12:33:36 <jaosorior> Anything else folks want to bring up to the meeting?
12:33:40 <weshay> thanks sshnaidm|rover
12:33:41 <lhinds> jaosorior: yup
12:33:53 <lhinds> #topic limiting heat-admin
12:34:30 <lhinds> so I have my new machine now and have been thinking of taking the following approach to get a list of every sudo call.
12:34:40 <jaosorior> #topic limiting heat-admin
12:34:48 <lhinds> in audit you can track all sudo calls:
12:34:50 <lhinds> https://github.com/openstack/tripleo-heat-templates/blob/master/environments/auditd.yaml#L109
12:35:05 <lhinds> /var/log/audit/*
12:35:47 <lhinds> The puppet service can be used to set this up in the overcloud with an environment file, but seeking advice on how I could do this for the undercloud
12:36:30 <jaosorior> lhinds: well, we're moving towards having a containerized undercloud, which would be deployed with t-h-t as well
12:36:34 <lhinds> I guess I could use guestfs into the image and set it up there. I could also add a grub2.conf option to enable it early in the boot phase.
12:36:44 <jaosorior> lhinds: so you could enable the same functionality for the undercloud that way
12:37:21 <lhinds> jaosorior: ack, see what you mean. So would I be able to pull in an environment file to configure audit within the undercloud
12:37:33 <lhinds> container or vm
12:37:38 <jaosorior> right
12:37:56 <lhinds> it won't be a feature, just a debug method to help me see sudo calls
12:38:21 <jaosorior> understood
12:38:27 <jaosorior> that's a good start for that
12:38:49 <lhinds> I guess I can ping you with this outside the meeting if you can help me jaosorior
12:39:01 <jaosorior> lhinds: sure!
12:39:15 <lhinds> just need to grok the best way to do it, and then I will be on my way to getting it scoped out and a patch submitted
12:39:43 <lhinds> let's do that (will send a DM to you)
12:40:15 <jaosorior> awesome
12:40:19 <lhinds> I can then see a complete list of every user who calls sudo (so validations, nova, keystone etc)
12:40:20 <jaosorior> sounds like a plan to get this started
12:40:37 <lhinds> cool. that's it for me.
12:40:38 <jaosorior> the main concern I guess is heat-admin and validations
12:40:55 <jaosorior> openstack services have their own sudoer rules, which look alright, as far as I've seen
12:41:09 <lhinds> yup, validations is the big one.. so I also need to think about making sure validations makes lots of noise and gets used a lot
12:41:31 <lhinds> jaosorior: there is also rootwrap which nicely limits things
12:43:31 <jaosorior> #topic Any other business
12:43:37 <jaosorior> Anything else folks want to bring up?
12:45:06 <jaosorior> Alright, thanks for joining folks!
12:45:08 <jaosorior> #endmeeting