12:00:20 #startmeeting TripleO Security Squad 12:00:21 Meeting started Wed Jun 20 12:00:20 2018 UTC and is due to finish in 60 minutes. The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot. 12:00:22 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 12:00:24 The meeting name has been set to 'tripleo_security_squad' 12:00:28 #link https://etherpad.openstack.org/p/tripleo-security-squad 12:00:31 Lets wait some minutes for more folks to log in 12:03:15 Alright, I guess it's fine now 12:03:32 #topic oslo pluggable secrets backend discussion 12:04:11 raildo, moguimar: wanna take it from here? 12:04:32 yeah, I'll try to sync everything here :) 12:05:05 Alex Schultz proposed openstack/instack-undercloud stable/queens: Fall back to puppet-ntp defaults https://review.openstack.org/576450 12:05:43 so we're starting to discuss about the castellan driver, that will probably be supported by Tripleo, in a meaning of having a secure and automated way to handle the secrets on configuration files 12:06:37 so we were discussing about that in yesterday meeting and dhellmann had a good point about understand more the tripleo needs for this feature, so we can guarantee that we're covering those points in that driver 12:07:26 Martin André proposed openstack/tripleo-quickstart master: Install packages from centos-release-openshift-origin39 https://review.openstack.org/576832 12:07:35 right, I would hate for us to design the driver to work in a way that doesn't fit with tripleo 12:07:36 right 12:08:14 So, the way we do things at the moment, is that we write everything to hiera and after that eventually it gets persisted to the configuration files 12:08:30 ccamacho: do you know if that py35 issue is generalized or a recheck will do 12:08:50 It would be possible, however, to, instead of writing sensitive info to hiera, to write it to a secure backend (Vault?) 12:09:12 ccamacho: by the way waiting on the memcached one that ci passes (or should I just merge the backport now ?) 12:09:29 chem: w'ere in the middle of a meeting 12:09:32 *we're 12:09:42 * chem ->[ ] 12:09:59 Having these secrets in the secure backend we could then write "constants" to the config files, that point to the relevant entry in the backend, and a reference on how to get to that backend 12:10:14 URGENT TRIPLEO TASKS NEED ATTENTION 12:10:14 https://bugs.launchpad.net/tripleo/+bug/1777759 12:10:16 https://bugs.launchpad.net/tripleo/+bug/1777762 12:10:16 Launchpad bug 1777759 in tripleo "pike, volume failed to build in error status. list index out of range in cinder" [Critical,Triaged] - Assigned to Quique Llorente (quiquell) 12:10:18 Launchpad bug 1777762 in tripleo "pike: nova scheduler, Failed to update inventory for resource provider" [Critical,Triaged] - Assigned to Quique Llorente (quiquell) 12:10:18 it looks like castellan supports barbican and vault today, but I don't know how complete either of those drivers is 12:10:35 dhellmann: barbican would be the most complete implementation I would say 12:10:47 jaosorior : yeah, for each secret you would need the "id" string that the service gives you, I think 12:10:55 the problem is that we can't use Barbican, because... how would keystone AND barbican would get their own secrets? 12:11:07 so instead of storing the actual secret in the config, you store the id of the secret in a separate file the driver will read 12:11:09 dhellmann: either an ID or just a unique tag 12:11:16 dhellmann, well, we are looking for to use the vault backend, since it wont require keystone auth tokens and also because we will be able to store the keystone and babican secrets as well 12:11:29 raildo : that makes sense 12:11:39 jaosorior : it sounds like you probably know more about this than I do :-) 12:11:59 so... we can't use the barbican backend for castellan 12:12:11 so someone needs to evaluate that vault driver and figure out if it is complete enough 12:12:20 dhellmann, also, the way that the vault backend is implemented, it's just pointing for an external vault server passing vault key, user... 12:12:25 Martin André proposed openstack/tripleo-heat-templates master: Update for openshift 3.9 https://review.openstack.org/574233 12:12:25 Martin André proposed openstack/tripleo-heat-templates master: Add ability to set openshift container images https://review.openstack.org/576441 12:12:26 assuming we don't want to use a completely different backend, of course 12:12:27 we also don't want the overcloud to depends on the undercloud. So ideally it has to be a service that's deployed by TripleO 12:12:57 redrobot has been taking a look at the Vault driver... not sure if he got to any conclusions 12:13:00 * redrobot sneaks into the back of the room 12:13:02 hopefully he'll be online soon 12:13:09 o/ 12:13:11 aaah there you go! Hi! redrobot 12:13:13 nice timing 12:13:17 ++ 12:14:11 haha, sorry guys. Give me a sec to read the scrollback 12:15:04 chem, we are still waiting for the BZ flags 12:15:14 so we can wait for the patch to merge 12:15:54 just for my own clarification, are we at a stage where we need to deep dive into questions like "does the driver work?" or are we still working out higher level issues like what parts of the system are responsible for different actions? 12:16:01 Re: Vault driver. Still evaluating but, yeah I'm concerned about the way the castellan-context is used 12:16:04 or not used rather 12:16:33 context? 12:16:35 the idea was that the castellan-context (which is a terrible name, should have been castellan-auth) would be used to abstract away auth from the backend 12:17:33 does that mean the driver doesn't work? it's not secure? or it's not using the preferred implementation pattern? 12:17:49 and so http://git.openstack.org/cgit/openstack/castellan/tree/castellan/common/utils.py#n95 was supposed to be called to get a castellan-context 12:18:04 but the Vault plugin sidesteps all that and just reads the token from config 12:18:29 also, the whole context naming has people passing oslo contexts into the Castellan API 12:18:29 ah 12:18:31 dhellmann, my concern from a tripleo perspective, if we choose to go with the vault backend, will be how we gonna to ship/build vault to use it on tripleo? or we gonna just ask for an external vault server, something like what castellan did on that driver 12:19:02 raildo : good question 12:19:54 redrobot : changing the name of the public classes and arguments may be a challenge at this point, but fixing up the driver to use them seems like a good idea 12:20:27 I'm not sure why a centralized set of options and a function to access them is needed. It seems like each driver is just going to have 1 auth method, right? 12:20:54 but if that's the preferred way, it seems like the driver can just be fixed to use it 12:21:02 Seems that Vault is the only choice at the moment. We could try to use the Barbican driver, but it would need to be a barbican instance that uses a context-middleware that's not the keystone one, and we would need to write up proper auth and permissions for that one. That just seems like too much work when we could try to fix up the vault driver. 12:21:13 Sagi Shnaidman proposed openstack-infra/tripleo-ci master: WIP: DNM: try to remove things from toci_* scripts https://review.openstack.org/576834 12:21:44 dhellmann, yeah... the more I think about it, the more I think the credential_factory is not needed, and maybe the way the Vault backend gets its credentials may be the better pattern. 12:21:50 so what's involved in getting tripleo to deploy vault in a way that it can be used by the services to access their secrets? 12:22:17 a prod-ready vault needs a HA backend 12:22:22 so etcd or consul 12:22:31 redrobot : I'd be happy to deep-dive into that with you at some point if you want to talk about it separately 12:23:01 are we deploying either of those yet? 12:23:18 * dhellmann knows embarrassingly little about tripleo today 12:23:28 heh, you and me both dhellmann 12:23:43 for a PoC, would we need etcd or consul? 12:23:44 I hear jaosorior is the TripleO expert... 12:24:04 No, a non-prod vault server doesn't really have any dependencies 12:24:21 ok, so maybe we could do it in stages, if we need to 12:24:38 we should start #info-ing these things 12:24:51 or #action-ing 12:25:06 who's going to look at the vault driver? redrobot, is that you? 12:25:29 yep, been deep diving into it, and I think I'm the Vault expert 12:25:43 and by expert I mean I probably read more docs than anyone else, but still don't know much, haha 12:25:52 #action redrobot investigate completeness of the vault driver in castellan and identify any shortcomings that need to be resolved 12:26:29 What's required for an HA Vault deployment? 12:26:38 just etcd or consul? 12:26:45 depends ... 12:26:54 etcd or consul gives your storage HA 12:27:02 but Vault runs in single instance mode 12:27:14 unless you have a boatload of cash to dump on Hashicorp 12:27:30 only the Enterprise version has failover IIRC 12:27:53 uhm... 12:27:57 maybe the next question to answer is which backend we actually want to use 12:28:08 * redrobot needs to revisit the Vault open-source vs Enterprise feature set 12:28:28 Seems to me that without HA, the cluster startup is gonna be quite prone to failure 12:28:43 do we have any info from users about which service they have experience running? 12:28:56 basically, when OpenStack services start, they will pull the secrets from Vault 12:28:58 AT&T has some thing I can never remember the name of 12:29:14 s/has/likes/ maybe 12:29:19 when we're deploying (or updating) a cloud, this means there will be a LOT of traffic coming to Vault at that one point 12:29:38 and then for most of the rest of the cloud's lifetime, there won't be any traffic... 12:29:52 that's an interesting point 12:30:10 most of what we need is for Vault to be HA, but for read operations 12:30:21 write operations can happen quite serialized 12:30:35 Also, open-source Vault does not support HSMs 12:30:41 TripleO can deploy etcd, but it's not enabled by default 12:30:46 yeah, we also need to talk about what we have to do to update a cloud when secrets are changed 12:30:56 AFAICS only the neutron vpp ml2 plugin requires it 12:30:57 and will only happen when we first deploy the cloud and when we update secrets (password rotation for instance)( 12:31:20 shardy: sure, if we want to enable the secure backend we could just deploy etcd for that setup 12:31:39 redrobot: HSMs are not a requirement (yet) 12:34:00 redrobot: so, given that our main concern aren't really write operations... will open-source Vault be alright? or does everything still relly on one node? 12:34:06 * isn't 12:35:26 Vault is a single node, but presumably etcd or consul won't be. Supposedly even though Vault seems like a bottleneck, because it's written in Go it can keep up with large loads and the performance limit is the speed of the backend you're using. 12:35:51 this is all theoretical btw. I need to set up a for realsies Vault and actually put some numbers together 12:36:02 that would be nice 12:36:14 Martin André proposed openstack/tripleo-common master: Use upstream etcd container image for openshift https://review.openstack.org/576497 12:36:15 redrobot: also, for failover, we could potentially write a pacemaker resource agent for Vault 12:36:16 that sounds like a good way to test the castellan driver, too :-) 12:36:19 afaik the backend is the bottleneck, not vault itself 12:36:53 so we need to figure out which backend to use, as well 12:37:10 well, seems etcd is the best bet we have right now, given that tripleo can deploy it 12:37:15 vault only encrypt/decrypt stuff 12:37:23 the IO is done in the backend 12:37:28 Martin André proposed openstack/tripleo-quickstart-extras master: Add openshift etcd image to image prepare params https://review.openstack.org/576837 12:38:03 so it sounds like we need etcd regardless of whether we're worried about HA? 12:38:12 yep 12:38:15 etcd or consul 12:38:30 consul is also from hashicorp 12:38:46 what are the other backend alternatives? 12:38:49 btw, I'm just collecting some of this discussion on: https://etherpad.openstack.org/p/oslo-config-plaintext-secrets so we can come back later, in a future 12:39:25 the in memory vault backend should never be used in production 12:40:03 we can start with it to test the castellan integration then move on to connect vault to a real backend 12:40:44 jaosorior, looks like they have a lot of plugin options for backend: https://www.vaultproject.io/docs/configuration/storage/index.html 12:41:22 Well 12:41:22 Yeah, last time I looked only etcd and Consul were considered "HA" 12:41:27 there is a mysql backend 12:41:32 that we do deploy by default 12:41:32 but that may have changed, it's been a while 12:41:34 why not use that? 12:41:47 > No High Availability 12:41:57 > the MySQL storage backend does not support high availability. 12:42:05 What does that mean? :D 12:42:16 that seems odd 12:43:37 Vault will merely go to either it's local mysql instance, or the VIP (if it's not colocated), replication is handled elsewhere, so it's nothing vault has to worry about 12:43:44 Martin Mágr proposed openstack/puppet-tripleo master: Collectd QDR connection https://review.openstack.org/571152 12:43:44 Martin Mágr proposed openstack/tripleo-heat-templates master: Enable collectd to connect to metrics QDR https://review.openstack.org/576057 12:45:18 I want to say Vault itself has an "HA" option that can't be turned on when configured to use MySQL 12:45:33 but I cant recall off the top of my head what that actually implies 12:45:43 ok, this feels like something that needs more investigation but that we're not going to answer here today 12:45:47 redrobot: can you investigate on that? 12:45:51 yessir 12:45:54 cause that would then be the easiest option 12:47:23 myoung|off I am trying to understand why scenarios 001/004 are failing https://review.openstack.org/#/c/564285/ 12:47:27 note that I'm actually not taking into account Hashicorp's enterprise HA offering... 12:47:51 jaosorior, noted 12:48:28 alright 12:48:51 redrobot: seems it all lies on you now :D 12:48:52 gfidente: o/ good morning. 12:49:20 quiquell|rover, http://logs.openstack.org/85/564285/20/check/tripleo-ci-centos-7-scenario001-multinode-oooq-container/ef7b33c/logs/df.txt.gz 12:49:30 raildo : did we cover the topics you were hoping for? we have a few minutes left... 12:49:42 gfidente: regarding the gate check jobs and scenario 001/004, I haven't sync'd up with realtime yet this morning, weshay|ruck or quiquell|rover should have current status/details 12:49:48 dhellmann, I believe that are good for now, jaosorior, thanks for taking this time today for that discussion :) 12:49:58 thanks for bringing it up! 12:50:03 gfidente, what's up 12:50:12 quite eager to see the result of the Vault research :D 12:50:21 weshay|ruck: see above, he was asking about https://review.openstack.org/#/c/564285, scenario 1/4 fails 12:51:14 myoung, gfidente see the alerts guys 12:51:22 it's scen001/4 12:51:23 #topic Any other business 12:51:28 Anything else that folks want to bring up to the meeting 12:51:30 ? 12:51:45 nothing from me 12:52:14 Arlight 12:52:15 well 12:52:18 thanks for joining everyone! 12:52:18 nothign from me 12:52:23 very interesting stuff! 12:52:27 thanks, jaosorior , redrobot , & raildo 12:52:31 o/ 12:52:31 myoung, gfidente: one of them is RBD reporting 0 GB os disk free space 12:52:36 #endmeeting