12:00:28 <jaosorior> #startmeeting TripleO Security Squad
12:00:29 <openstack> Meeting started Wed May 30 12:00:28 2018 UTC and is due to finish in 60 minutes.  The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:30 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:32 <openstack> The meeting name has been set to 'tripleo_security_squad'
12:00:36 <jaosorior> Will wait some minutes for more folks to log in
12:00:44 <moguimar> o/
12:00:53 <jaosorior> hey moguimar, how's it going?
12:01:25 <moguimar> struggling
12:01:32 <raildo> o/
12:01:35 <jaosorior> moguimar: the oslo work?
12:01:42 <openstackgerrit> Marios Andreou proposed openstack/python-tripleoclient master: WIP Remove the --container-registry-file parameter from all clis  https://review.openstack.org/570893
12:01:51 <moguimar> that would be a good struggle
12:01:58 <moguimar> my computer just hates me
12:02:20 <jaosorior> :(
12:02:59 <moguimar> today, for some reason it is forgetting about my user, at some point apps stop responding and `whoami` doesn't know my username
12:03:06 <jaosorior> whaaa
12:03:21 <owalsh> o/
12:04:26 <moguimar> it doesn't even let me turn off or reboot the computer, as my user is unknown
12:04:38 <jaosorior> that is quite strange :/
12:04:51 <jaosorior> Alright, I guess I'll start now
12:04:53 <moguimar> that's what the guys from the SSSD team said
12:04:57 <moguimar> sure
12:05:12 <jaosorior> #link https://etherpad.openstack.org/p/tripleo-security-squad
12:05:23 <jaosorior> As usual, the etherpad link is that one ^^
12:05:31 <jaosorior> #topic Public TLS by default work update
12:06:09 <jaosorior> Last week Tengu and I worked on getting public TLS by default for the overcloud
12:06:16 <jaosorior> two main pieces are missing:
12:06:26 <jaosorior> * tripleo-common patch with the logic to inject the certificate in the plan
12:06:35 <jaosorior> * tripleo-heat-templates patch to make TLS the default
12:07:05 <jaosorior> That main logic had merged at some point, but was reverted since making FQDNs the default broke Octavia (and potentially other components)
12:07:23 <jaosorior> So, now we're looking into not using FQDNs by default, but instead rely on the IP
12:07:32 <jaosorior> This requires us to have predictable public IPs for TripleO
12:07:58 <jaosorior> we initially came up with https://review.openstack.org/#/c/569818/
12:08:22 <jaosorior> but upon more discussion with the community, we'll have to change the approach
12:08:31 <jaosorior> so instead of doing everything in the deployment workflow in mistral
12:08:41 <jaosorior> we'll add this code to the derive_parameters workflow
12:08:52 <jaosorior> currently, that workflow is not run by default, so the first step is to make it so
12:09:19 <jaosorior> jaganathan is helping out in that front. Once he gets that work done, we'll hook up the *FixedIPs parameters logic there, and subsequently the certificates as well
12:09:37 <jaosorior> thanks jaganathan for helping out
12:10:30 <jaganathan> jaosorior, welcome
12:11:17 <jaosorior> any feedback/questions?
12:12:40 <jaosorior> #topic Public TLS refactor
12:12:51 <jaosorior> So, regarding this topic
12:13:11 <jaosorior> public TLS in TripleO has for a long time relied on a custom resource that runs a specific script that injects the certs
12:13:27 <jaosorior> this is kinda tricky as it's separate from the HAProxy service definition (even though that cert is only used by HAProxy)
12:13:43 <openstackgerrit> Marios Andreou proposed openstack/tripleo-common master: WIP Remove container registry param from package_update_plan workflow  https://review.openstack.org/571186
12:13:47 <jaosorior> and it had the limitation that we would only inject the certificate if the role had the tags 'primary' and 'controller'
12:14:24 <jaosorior> now that we have config-download by default, we can instead just use ansible, and finally get rid of this script
12:14:36 <jaosorior> So, Tengu started working on this, and has a WIP patch making this work
12:14:38 <jaosorior> #link https://review.openstack.org/#/c/570627/
12:14:51 <jaosorior> big thanks to Tengu for taking on this work! It's great stuff and quite needed
12:15:06 <jaosorior> so, this removes the tagging limitation, and is a cleaner implementation, since we will only get that cert where HAProxy is deployed
12:15:20 <jaosorior> it also allows us to span HAProxy with TLS in multiple roles, so that's a nice feature too
12:15:50 <jaosorior> So, if folks are interested in that work, please take a look at that patch
12:16:06 <Tengu> :)
12:17:38 <jaosorior> #topic Kerberos auth for keystone update
12:18:26 <jaosorior> I took a shot at this work last week, by deploying keystone with an LDAP backend (FreeIPA being the LDAP server), and getting into the container and adding the needed packages/configuration
12:18:40 <jaosorior> turns out that the keystone kerberos plugin is broken on the client side
12:18:43 <jaosorior> reported the bug here
12:18:49 <jaosorior> #link https://storyboard.openstack.org/#!/story/2002076
12:19:19 <jaosorior> Pre-emptively, I also did some patches to get the needed packages into the keystone container
12:19:23 <jaosorior> #link https://review.openstack.org/569785
12:19:28 <jaosorior> #link https://review.openstack.org/570372
12:19:33 <jaosorior> They have merged in kolla
12:19:39 <jaosorior> so, once we get a promotion of the containers
12:19:42 <jaosorior> this will be easier to test out
12:19:49 <jaosorior> hopefully we can get the bug fixed soon
12:19:56 <jaosorior> doesn't seem to be too much work to get this working though
12:20:16 <jaosorior> So, if anyone wants to take on this work, I can certainly guide on the needed next steps
12:20:45 <jaosorior> any questions/feedback?
12:21:28 <raildo> +2A for kerberos on Keystone :)
12:21:56 <jaosorior> it'll be nice :)
12:21:58 <raildo> that's something that will benefit a bunch of services to be more independent on the authorization side
12:22:18 <raildo> but maybe we will need some keystoners' feedback on it?
12:22:35 <openstackgerrit> Carlos Camacho proposed openstack/instack-undercloud stable/newton: Removing packages when installing Undercloud in Newton  https://review.openstack.org/570897
12:22:56 <raildo> anyway, I'll start reviewing it soon :)
12:23:25 <jaosorior> raildo: well, that's something that has already been done in keystone before. Where we would need keystoners' help is fixing https://storyboard.openstack.org/#!/story/2002076
12:23:43 <jaosorior> raildo: also, if you want to take a look at replicating this, let me know and I can guide you through it
12:24:29 <raildo> jaosorior, that sounds interesting, I'll try to replicate that, we can sync about it after the meeting
12:24:37 <jaosorior> raildo: lets do that
12:24:45 <jaosorior> #topic Any other business
12:24:50 <jaosorior> Anything someone wants to bring up to the meeting?
12:25:23 <Tengu> jaosorior: just digging a bit - (sorry, I'm late): https://ask.openstack.org/en/question/97078/keystone-kerberos-configuration/  might be a path using the apache kerberos mod? probably silly, but...
12:25:45 <jaosorior> Tengu: that is indeed what I was testing out
12:25:56 <Tengu> :]
12:26:11 <jaosorior> Tengu: if you check the links that I posted above, the packages I added to kolla were mod_auth_gssapi (formerly mod_auth_kerb)
12:26:17 <jaosorior> Tengu: and python-requests-kerberos
12:26:33 <jaosorior> so yeah, ultimately httpd is what does all the heavy lifting
12:26:33 <Tengu> yup, just saw that. my bad, should have checked before.
12:26:47 <jaosorior> no biggie :)
12:27:48 <Tengu> also: my patch is once again in zuul, maybe it will succeed, even if I'm not happy with the solution for the gid -.-'
12:27:51 <Tengu> anyway.
12:28:54 <jaosorior> Tengu: it's the way it goes :/
12:28:56 <jaosorior> alright folks!
12:28:58 <jaosorior> thanks for joining
12:29:03 <jaosorior> #endmeeting