12:00:25 <jaosorior> #startmeeting tripleo security squad
12:00:26 <openstack> Meeting started Wed Sep  5 12:00:25 2018 UTC and is due to finish in 60 minutes.  The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:27 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:31 <openstack> The meeting name has been set to 'tripleo_security_squad'
12:00:35 <moguimar> o/
12:00:36 <jaosorior> Hello folks!
12:00:38 <EmilienM> bandini: so https://review.openstack.org/#/c/599480/ will never pass because tripleo-puppet-ci-centos-7-undercloud-oooq
12:00:40 <lhinds> hey
12:00:46 <EmilienM> oops sorry
12:00:50 * EmilienM follows
12:01:06 <jaosorior> lhinds: hey! how's it going?
12:01:12 <jaosorior> long time no talk :D
12:01:25 <lhinds> good thx jaosorior, back from summer hols
12:01:47 <jaosorior> lhinds: how did it go?
12:01:50 <moguimar> welcome back luke o/
12:01:52 <lhinds> good thx
12:02:08 <moguimar> ping raildo
12:02:18 <jaosorior> lhinds: will you have a chance to go to Denver?
12:02:28 <lhinds> jaosorior: I won't be this time, no.
12:02:47 <raildo> in a meeting, so I'll answer late here
12:02:54 <jaosorior> raildo: o/
12:02:56 <lhinds> there will be some guys from the Security SIG though
12:03:11 <raildo> jaosorior, hey dude :)
12:03:50 <jaosorior> Alright, let's start
12:04:00 <jaosorior> #topic Security topics for the PTG
12:04:16 <redrobot> o/
12:04:23 <jaosorior> So, as you might know, the PTG is coming next week, and the topics for TripleO are in the following etherpad:
12:04:32 <jaosorior> #link https://etherpad.openstack.org/p/tripleo-ptg-stein
12:05:56 <jaosorior> lhinds: there is the "privilege escalation" topic there. But neither you nor Tengu will be at the PTG. Would you lhinds, or you Tengu want to join remotely (via bluejeans) to the session to talk about this?
12:07:33 <openstackgerrit> Quique Llorente proposed openstack-infra/tripleo-ci master: DNM: TEST featureset override with unsupported  https://review.openstack.org/600015
12:09:23 <jaosorior> Tengu, lhinds: Anyway, let me know if you would be able to join remotely for this session as soon as you can. Else, we can just dedicate time for it in the next security squad meeting
12:09:27 <lhinds> jaosorior: sorry back now
12:09:31 <lhinds> someone at my door
12:09:40 <lhinds> yes, this would be very useful
12:10:01 <jaosorior> lhinds: OK, so you'll be able to join remotely?
12:10:05 <lhinds> I am not up to speed on Tengu's patch, but my spec really needs some feedback
12:10:08 <Tengu> jaosorior: well, I already have a remote for the validation framework, maybe one with my investigations for podman/selinux.. I can do a third one if you want, although I'd rather limit to the python part.
12:10:17 <ooolpbot> URGENT TRIPLEO TASKS NEED ATTENTION
12:10:18 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1786764
12:10:19 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1787910
12:10:20 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1790489
12:10:20 <openstack> Launchpad bug 1786764 in tripleo "Wrong versions of tripleo-common in container images updated in CI" [Critical,Triaged]
12:10:21 <openstack> Launchpad bug 1787910 in tripleo "OVB overcloud deploy fails on nova placement errors" [Critical,Triaged] - Assigned to Marios Andreou (marios-b)
12:10:22 <openstack> Launchpad bug 1790489 in tripleo "ERROR heat.engine.resource ResourceFailure: Error: resources.ControllerDeployment_Step1.resources[0]: Deployment to server failed: deploy_status_code: Deployment exited with non-zero status code: 6" [Critical,New]
12:10:42 <lhinds> jaosorior: yes to remote (lot of noise above)
12:10:56 <jaosorior> lhinds, Tengu: OK, I'll push the topic near the end, so it's not as early for you guys
12:11:12 <jaosorior> lhinds, Tengu: thanks!
12:11:22 <Tengu> jaosorior: thanks :)
12:11:22 <lhinds> jaosorior: It's Denver this year?
12:11:27 <Tengu> lhinds: yep
12:11:27 <jaosorior> lhinds: yep
12:11:38 <lhinds> so might be better to do it early in your day
12:11:45 <lhinds> unless that's what you mean
12:11:53 <lhinds> Tengu: Europe based?
12:12:02 <Tengu> lhinds: yep
12:12:09 <jaosorior> ah, you're right
12:12:18 <jaosorior> if we want you folks to join, it has to be early in Denver
12:12:32 <lhinds> well I can always try to make an exception
12:12:46 <lhinds> but would be more useful, so thanks!
12:12:56 <jaosorior> let me see what I can figure out.
12:13:59 <jaosorior> lhinds, Tengu: Would having the sessions start at 9am (Denver time) be OK with you?
12:14:22 <openstackgerrit> Giulio Fidente proposed openstack/tripleo-heat-templates stable/queens: Update sample-env-generator files to make it use ceph-ansible  https://review.openstack.org/600017
12:14:30 <lhinds> 3 hours from now
12:14:33 <lhinds> fine by me
12:14:43 <openstackgerrit> John Fulton proposed openstack/tripleo-heat-templates master: Persist ceph-ansible fetch_directory using config-download  https://review.openstack.org/582811
12:14:48 <lhinds> https://time.is/Denver
12:15:13 <Tengu> should be fine for me as well.
12:15:43 <Tengu> jaosorior: care to sync with EmilienM for the BJ session so we can get the google calendar invitation/reminder/magics?
12:18:09 <jaosorior> Tengu: will do.
12:18:24 <jaosorior> alright, changed the schedule
12:18:58 <jaosorior> #topic No meeting next time
12:19:13 <jaosorior> So... next week, a lot of folks that tend to attend this meeting won't be around (me included)
12:19:32 <moguimar> aren't we meeting biweekly?
12:19:44 <jaosorior> right, so, the one in two weeks
12:19:55 <jaosorior> meaning, the next meeting would be in a month
12:19:59 <jaosorior> unless folks really want to sync up
12:20:19 <moguimar> I think during the PTG wouldn't be productive
12:20:20 <jaosorior> if that's the case, then someone else will need to coordinate this meeting in two weeks
12:20:34 <jaosorior> moguimar: correct, but that week we don't have a security meeting anyway
12:21:15 <jaosorior> Then on September 19, which would be the next meeting, I won't be around, and a bunch of folks won't either
12:21:20 <jaosorior> that's why I was suggesting to cancel that meeting
12:21:28 <moguimar> ah, right
12:21:30 <jaosorior> unless moguimar or lhinds want to coordinate it.
12:22:02 <lhinds> might be best to wait for you folks to return
12:22:33 <jaosorior> alright, let's do that
12:23:28 <jaosorior> #topic Any other business
12:23:34 <jaosorior> Anything else folks want to bring up to the meeting?
12:25:55 <lhinds> nothing from me
12:26:41 <Tengu> small note
12:26:59 <Tengu> I could get an almost working deploy of the undercloud using podman, WITH SELinux enabled.
12:27:27 <jaosorior> wooo :D
12:27:36 <Tengu> this means: the podman version would be more secure than the current docker one, because currently docker isn't configured to use selinux.
12:27:40 <openstackgerrit> mathieu bultel proposed openstack/python-tripleoclient master: Keep plan on update and store user env_files into swift  https://review.openstack.org/583145
12:27:56 <jaosorior> that's awesome progress
12:28:05 <Tengu> on the other hand, podman IS configured by default to use selinux separation, and that was a big headache for me - but in the end: I'm on the good track.
12:28:09 <jaosorior> and hopefully we could use the same code in the overcloud as well :D (at least it gets us closer)
12:28:12 <Tengu> the last issue I get for now is NOT related to selinux.
12:28:30 <Tengu> jaosorior: should be OK for the overcloud as well - but we have other issues right now :).
12:28:36 <jaosorior> understood
12:28:53 <Tengu> I'm currently making patches in t-h-t in order to get a nice changeset.
12:29:00 <Tengu> about 4 different patches.
12:29:43 <openstackgerrit> Emilien Macchi proposed openstack/tripleo-quickstart master: Fix regex for python paunch package in repo config  https://review.openstack.org/600023
12:29:44 <EmilienM> ykarel: ^
12:29:52 <ykarel> EmilienM, ack
12:30:04 <jaosorior> Tengu: if you want, add me as a reviewer when they're ready
12:31:01 <openstackgerrit> Emilien Macchi proposed openstack/tripleo-repos master: Fix regex for python paunch package in repo config  https://review.openstack.org/600024
12:31:30 <openstackgerrit> Emilien Macchi proposed openstack/tripleo-heat-templates master: Initial support for Podman in docker-puppet  https://review.openstack.org/588655
12:31:34 <openstackgerrit> Emilien Macchi proposed openstack/tripleo-heat-templates master: Initial support for Podman in docker-puppet  https://review.openstack.org/588655
12:31:48 <jaosorior> Alright
12:31:51 <jaosorior> thanks for joining folks!
12:31:56 <ykarel> EmilienM, is paunch-services package not required?
12:31:57 <jaosorior> #endmeeting