12:01:19 #startmeeting TripleO Security Squad
12:01:19 didn't talk to him today
12:01:20 Meeting started Wed Jun 13 12:01:19 2018 UTC and is due to finish in 60 minutes. The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:01:21 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:01:23 let's wait some minutes for some folks to log in
12:01:23 The meeting name has been set to 'tripleo_security_squad'
12:01:34 he was feeling sick yesterday
12:02:37 #link https://etherpad.openstack.org/p/tripleo-security-squad
12:02:40 that's a bummer :/
12:02:51 Sagi Shnaidman proposed openstack/tripleo-common master: DONT REVIEW: used for testing only https://review.openstack.org/447276
12:03:06 Sagi Shnaidman proposed openstack/puppet-tripleo master: DONT REVIEW: testing patch https://review.openstack.org/529077
12:03:49 Sagi Shnaidman proposed openstack/tripleo-quickstart master: DNM: test built-tests with all jobs https://review.openstack.org/575090
12:03:51 quiquell, ^^
12:05:41 sshnaidm: I see, I was just adding one file
12:06:30 Flavio Percoco proposed openstack-infra/tripleo-ci master: Collect /etc/os-*/ to get os-net-config https://review.openstack.org/575088
12:07:10 Alright, I guess we can begin
12:07:15 ok
12:07:24 #topic oslo pluggable secrets backend discussion
12:07:27 mathieu bultel proposed openstack/tripleo-heat-templates stable/queens: Match only haproxy for docker ps and skipp all *-haproxy occurences https://review.openstack.org/574624
12:07:39 I'm currently working on the sample generator
12:07:43 for the ini driver
12:08:01 to be used with oslo-config-generator
12:08:33 we still have two other tasks to the end of phase 0
12:08:52 What are the plans for the ini driver?
12:09:01 is that something that we
12:09:04 we'll take into use?
12:09:11 or was it just a reference driver?
12:09:21 in general, we are adding to oslo.config the ability to fetch extra config from external locations
12:09:42 at first as a reference, but it kinda seems usable
12:10:07 as we can use https
12:10:13 moguimar: any further plans on that front?
12:10:15 URGENT TRIPLEO TASKS NEED ATTENTION
12:10:15 https://bugs.launchpad.net/tripleo/+bug/1776301
12:10:16 Launchpad bug 1776301 in tripleo "[master promotion] Tempest is failing with " KeyError: 'resources' "errors - Connection refused" [Critical,Triaged] - Assigned to chandan kumar (chkumar246)
12:10:16 https://bugs.launchpad.net/tripleo/+bug/1776503
12:10:16 https://bugs.launchpad.net/tripleo/+bug/1776596
12:10:17 Launchpad bug 1776503 in tripleo "rdocloud outage recovery - contention for resources and jobs showing long wait times" [Critical,Triaged]
12:10:18 Launchpad bug 1776596 in tripleo "[QUEENS] Promotion Jobs failing at overcloud deployment with AttributeError: 'IronicNodeState' object has no attribute 'failed_builds'" [Critical,Triaged] - Assigned to yatin (yatinkarel)
12:10:40 the user can specify ca_path, client_cert and client_key
12:11:14 so we can strip sensitive data out of config files and centralize it somewhere else
12:11:31 moguimar: wasn't that the plan but instead to use the castellan driver?
12:11:48 castellan driver is phase 1
12:12:05 phase 0 is a proof of concept with the ini driver
12:12:22 so, phase 0 is the ini driver
12:12:27 phase 1 is the castellan driver
12:12:35 and phase 2 is tripleO integration
12:13:22 we are aiming to land phase 0 on rocky and phase 1 on stein
12:13:40 I see
12:14:12 So, what are the plans regarding TripleO integration at the moment? anything that could be started now?
12:15:03 we are working on a spec
12:15:19 actually phase 2 is not tripleO integration
12:15:27 it is about automation support
12:15:44 when the spec comes out we'll have more details
12:15:45 Ronelle Landy proposed openstack-infra/tripleo-ci master: Streamline variables passed in different environments https://review.openstack.org/573819
12:15:55 #link https://etherpad.openstack.org/p/oslo-config-plaintext-secrets
12:16:21 the link to the spec is here
12:16:24 #link https://review.openstack.org/#/c/474304/
12:16:46 moguimar: right, but that was the oslo spec
12:16:54 for TripleO we would prefer to have a separate one
12:17:17 and from what I can tell, the same is with the oslo folks, they would prefer to remove the TripleO specifics from that spec
12:17:18 so far we only have a placeholder for the tripleO bits
12:17:43 yep, the tripleO parts are to be defined yet in a separate spec
12:18:05 ok
12:18:26 that's all I have for nwo
12:18:28 now*
12:18:39 thanks
12:18:55 if there's anything you want to discuss regarding TripleO integration, this is a good place to bring it up
12:19:07 ok
12:19:17 At some point we do need to discuss what backend will castellan use
12:19:23 and how that deployment will look like
12:19:50 the castellan phase still needs some planning
12:20:05 that's alright
12:20:07 there is time :)
12:20:11 I'll leave a note in the trello card to bring the discussion here
12:20:26 let's come back to this once that's more defined
12:20:31 lhinds, are you around?
12:20:56 yep jaosorior
12:20:59 just in..
12:21:09 #topic Limit TripleO users
12:21:27 lhinds: can you give a brief update on the status of that?
12:21:42 I know you're quite busy, so I really appreciate that you were able to make it
12:21:47 for this one we will need to move the spec into stein, as too late for rocky (which is understandable)
12:22:09 cederic has a spec in review, and mine should be up later today or at least before the end of this week as a latest.
12:22:26 that's it for now
12:23:16 lhinds: did you manage to get some resolution on getting the sudo rules from CI?
12:24:01 I have some ideas, as sudo gives an exit code, but need to chew it over with someone from CI.
12:24:31 If command is specified but not allowed, sudo will exit with a status value of 1
12:24:58 so we could harness this in CI as that would constitute a build failure.
12:25:27 some of this we may need to thrash out in review though
12:25:27 lhinds: wouldn't that be just a deployment failure?
12:25:48 yes, hold on I see what you mean now.
12:25:59 so two phases, the first is to gather the info.
12:26:11 second above, would be to test it on-going
12:27:24 oh, I see
12:28:10 but need to see if that would be agreed, as like you say it breaks a deployment
12:28:35 It's SELinux all over again
12:28:40 x_X
12:29:12 lhinds: thanks for the update
12:30:04 lhinds: let me know if there's something I can help out with regarding that task
12:30:14 will do, thanks jaosorior
12:30:29 * redrobot is still waiting for the coffee to kick in ... 😴
12:30:40 #topic Any other business
12:30:45 Anything else that folks want to bring up to the meeting?
12:31:00 dciabrin_: can you please review https://review.openstack.org/#/c/574873/ when you have time?
12:31:05 redrobot: haha same here, but it's 3pm here :P
12:31:26 dciabrin_: err wrong link nevermind.
12:31:40 EmilienM, :)
12:31:47 dciabrin_: too early :P
12:33:33 Alright folks! thanks for joining!
12:33:35 #endmeeting