12:00:22 <jaosorior> #startmeeting TripleO Security Squad
12:00:23 <openstack> Meeting started Wed Aug 22 12:00:22 2018 UTC and is due to finish in 60 minutes.  The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:24 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:26 <openstack> The meeting name has been set to 'tripleo_security_squad'
12:01:00 <jaosorior> hey lhinds !
12:01:05 <weshay> sshnaidm, it's in the stinkin journal
12:01:29 <weshay> sshnaidm, https://review.openstack.org/#/c/593716/
12:01:33 <jaosorior> raildo, redrobot, are you around?
12:01:39 <lhinds> jaosorior: hey
12:01:40 <raildo> o/
12:02:03 <jaosorior> I'll wait a bit to see if more folks log in
12:02:06 <jaosorior> Tengu: ^^
12:02:30 <Tengu> jaosorior: :)
12:04:07 <moguimar> o/
12:04:11 <jaosorior> o/
12:04:19 <jaosorior> Alright, let's start
12:04:29 <jaosorior> #topic SELinux for containers
12:05:09 <Tengu> EmilienM: -^  might be interesting for you as well :)
12:05:11 <jaosorior> So, Tengu has been involved with work related to moving from docker to podman, and on the way, he started checking out the SELinux integration for containers, a topic which we had in our view
12:05:39 <jaosorior> Tengu: IIRC, you started looking at this by running the containerized undercloud with podman, and SELinux enabled, right?
12:06:04 <Tengu> indeed. Following EmilienM's first steps in order to get an undercloud running on podman instead of docker.
12:06:29 <jaosorior> So, Tengu ran into some SELinux issues, which he tracked down in this trello card https://trello.com/c/hNkI15a7/1-selinux-issues
12:06:46 <jaosorior> and they're not as much issues as I expected :D
12:06:49 <chandankumar> Ruck/Rover https://review.rdoproject.org/r/#/c/15732/ we are updating tempestconf to 2.0.0 in queens if you see any failures related to tempest configuration let us know
12:06:53 <openstackgerrit> Jiri Tomasek proposed openstack/tripleo-ui master: Fix network lines rendering  https://review.openstack.org/594938
12:06:58 <Tengu> indeed, but they are nasty :).
12:07:06 <jaosorior> they are
12:07:35 <jaosorior> So, whoever is interested in working on this, please contact me and Tengu about it, so we can put you up to speed. It's quite interesting work :D
12:07:51 <Tengu> some of the issues are "normal" and require a specific selinux policy.
12:08:04 <Tengu> but most of them exist only because of bad practices :]
12:08:34 <jaosorior> right, we need to divide which of these issues we should rectify ASAP, and which should have an "exception" in the selinux policy (and hopefully get fixed later)
12:09:47 <jaosorior> the first of the issues is the way we use docker/podman with puppet in order to generate the configurations; basically we bind-mount the /etc/puppet directory (which has a selinux label of etc_t) into the container to a temporary directory, and then attempt to copy that into the /etc/puppet directory in the container
12:10:07 <jaosorior> this is not allowed, as containers only have access to reading and executing stuff with etc_t
12:10:17 <ooolpbot> URGENT TRIPLEO TASKS NEED ATTENTION
12:10:19 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1786764
12:10:20 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1787910
12:10:20 <openstack> Launchpad bug 1786764 in tripleo "tripleo-ci-centos-7-scenario000-multinode-oooq-container-updates times out on prepare" [Critical,In progress] - Assigned to Sorin Sbarnea (ssbarnea)
12:10:21 <openstack> Launchpad bug 1787910 in tripleo "OVB overcloud deploy fails on nova placement errors" [Critical,Triaged] - Assigned to Marios Andreou (marios-b)
12:10:21 <jaosorior> creating stuff from it, and writing to it, isn't allowed
12:10:56 <jaosorior> with the hopes of following an approach where we'll have an immutable host, we're going with the approach of having dedicated hieradata for the containers
12:10:58 <Tengu> also, the first thing docker-puppet.sh does is an rm -rf of the /etc/puppet/ssl directory in the container.
12:11:11 <Tengu> second step is to add a file in the /etc/puppet/hieradata directory
12:11:16 <Tengu> both actions are forbidden.
12:11:34 <Tengu> the first one can be avoided by copying only wanted files. the second one is trickier.
12:13:20 <jaosorior> right, though having dedicated hieradata for the containers would solve these issues (I think) since we would then have those files with the needed selinux labels, and copy them as needed, trying to keep docker-puppet.py's functionality
12:13:47 <jaosorior> So, either we copy the hieradata to a temp location on the host, and relabel that, or we straight generate the hieradata on a container volume
12:15:06 <jaosorior> Anyway, this is the stuff that we've been discussing lately, and we'll keep this trello card updated: https://trello.com/c/hNkI15a7/1-selinux-issues
12:15:16 <jaosorior> Any questions/feedback/interest in this topic?
12:16:03 <weshay> sshnaidm, that patch is failing on file not found
12:16:06 <weshay> not sure why
12:17:27 <sshnaidm> weshay, because you use "shell: |" and need to use "shell: >"
12:17:49 <weshay> bah..
12:18:04 <jaosorior> #topic Secret Management update
12:18:04 <openstackgerrit> Sagi Shnaidman proposed openstack/ansible-role-tripleo-modify-image master: log modify image to a log file for humans  https://review.openstack.org/593716
12:18:17 <jaosorior> redrobot, moguimar, raildo: anything you wanna bring up on this topic?
12:18:18 <sshnaidm> weshay, ^^
12:18:20 <moguimar> o/
12:18:27 <moguimar> started working on the castellan drive
12:18:41 <moguimar> found out today that the castellan-vault tests are not working
12:18:46 <moguimar> already diagnosed the cause
12:19:21 <moguimar> from vault 0.10.0 forward there is a change in the API
12:19:22 <raildo> jaosorior, not from my side
12:19:50 <moguimar> so castellan fails to talk to a vault server >= 0.10.0
12:19:51 <jaosorior> moguimar: so, is the castellan driver broken as well?
12:20:04 <moguimar> yep, I filed a bug on launchpad
12:20:08 <jaosorior> crap
12:20:11 <jaosorior> thanks for filing it
12:20:14 <moguimar> #link https://bugs.launchpad.net/castellan/+bug/1788375
12:20:14 <openstack> Launchpad bug 1788375 in castellan "API changes in vault 0.10.0 causes test to fail." [Undecided,New]
12:20:29 <moguimar> but the fix is quite simple
12:20:38 <moguimar> I already have a fix in progress
12:21:00 <moguimar> tests passing and all, just need to make it backward compatible with vault < 0.10.0
12:21:13 <jaosorior> ade_lee: are we supposed to have access to castellan's launchpad?
12:21:37 <jaosorior> moguimar: when you have a fix let me know. thanks for working on this.
12:21:53 <moguimar> I've analyzed the wireshark logs and the vault client itself does an http request to fetch the API version
12:22:23 <jaosorior> moguimar: right, it does discovery. Maybe we can do that upon first interaction and cache the result.
12:22:24 <moguimar> so I'll add the same behaviour in the castellan driver
12:22:32 <moguimar> yep
12:22:39 <jaosorior> awesome
12:22:47 <jaosorior> moguimar: thanks for this work
12:22:54 <moguimar> o/
12:24:49 <jaosorior> #topic Any other business
12:24:55 <jaosorior> Anything else folks want to bring up to the meeting?
12:27:00 <openstackgerrit> John Trowbridge proposed openstack/tripleo-quickstart-extras master: WIP: Update default for THT resource registry  https://review.openstack.org/594944
12:28:26 <jaosorior> Alright folks! thanks for joining!
12:28:31 <moguimar> o/
12:28:36 <electrichead> thanks jaosorior
12:28:37 <jaosorior> Just a reminder, the security squad meeting is now every two weeks
12:28:45 <jaosorior> so, talk to you here in two weeks!
12:28:48 <jaosorior> #endmeeting