12:00:25 #startmeeting tripleo security squad
12:00:26 Meeting started Wed Sep 5 12:00:25 2018 UTC and is due to finish in 60 minutes. The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:27 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:31 The meeting name has been set to 'tripleo_security_squad'
12:00:35 o/
12:00:36 Hello folks!
12:00:38 bandini: so https://review.openstack.org/#/c/599480/ will never pass because tripleo-puppet-ci-centos-7-undercloud-oooq
12:00:40 hey
12:00:46 oops sorry
12:00:50 * EmilienM follows
12:01:06 lhinds: hey! how's it going?
12:01:12 long time no talk :D
12:01:25 good thx jaosorior, back from summer hols
12:01:47 lhinds: how did it go?
12:01:50 welcome back luke o/
12:01:52 good thx
12:02:08 ping raildo
12:02:18 lhinds: will you have a chance to go to Denver?
12:02:28 jaosorior: I won't be this time, no.
12:02:47 in a meeting, so I'll late answer here
12:02:54 raildo: o/
12:02:56 there will be some guys from the Security SIG though
12:03:11 jaosorior, hey dude :)
12:03:50 Alright, let's start
12:04:00 #topic Security topics for the PTG
12:04:16 o/
12:04:23 So, as you might know, the PTG is coming next week, and the topics for TripleO are in the following etherpad:
12:04:32 #link https://etherpad.openstack.org/p/tripleo-ptg-stein
12:05:56 lhinds: there is the "privilege escalation" topic there. But neither you nor Tengu will be at the PTG. Would you lhinds, or you Tengu want to join remotely (via bluejeans) to the session to talk about this?
12:07:33 Quique Llorente proposed openstack-infra/tripleo-ci master: DNM: TEST featureset override with unsupported https://review.openstack.org/600015
12:09:23 Tengu, lhinds: Anyway, let me know if you would be able to join remotely for this session as soon as you can.
Else, we can just dedicate time for it in the next security squad meeting
12:09:27 jaosorior: sorry back now
12:09:31 someone at my door
12:09:40 yes, this would be very useful
12:10:01 lhinds: OK, so you'll be able to join remotely?
12:10:05 I am not up to speed on Tengu's patch, but my spec really needs some feedback
12:10:08 jaosorior: well, I have already a remote for the validation framework, maybe one with my investigations for podman/selinux.. I can do a third one if you want, although I'd rather limit to the python part.
12:10:17 URGENT TRIPLEO TASKS NEED ATTENTION
12:10:18 https://bugs.launchpad.net/tripleo/+bug/1786764
12:10:19 https://bugs.launchpad.net/tripleo/+bug/1787910
12:10:20 https://bugs.launchpad.net/tripleo/+bug/1790489
12:10:20 Launchpad bug 1786764 in tripleo "Wrong versions of tripleo-common in container images updated in CI" [Critical,Triaged]
12:10:21 Launchpad bug 1787910 in tripleo "OVB overcloud deploy fails on nova placement errors" [Critical,Triaged] - Assigned to Marios Andreou (marios-b)
12:10:22 Launchpad bug 1790489 in tripleo "ERROR heat.engine.resource ResourceFailure: Error: resources.ControllerDeployment_Step1.resources[0]: Deployment to server failed: deploy_status_code: Deployment exited with non-zero status code: 6" [Critical,New]
12:10:42 jaosorior: yes to remote (lot of noise above)
12:10:56 lhinds, Tengu: OK, I'll push the topic near the end, so it's not as early for you guys
12:11:12 lhinds, Tengu: thanks!
12:11:22 jaosorior: thanks :)
12:11:22 jaosorior: It's Denver this year?
12:11:27 lhinds: yep
12:11:27 lhinds: yep
12:11:38 so might be better to do it early in your day
12:11:45 unless that's what you mean
12:11:53 Tengu: Europe based?
12:12:02 lhinds: yep
12:12:09 ah, you're right
12:12:18 if we want you folks to join, it has to be early in Denver
12:12:32 well I can always try to make an exception
12:12:46 but would be more useful, so thanks!
12:12:56 let me see what I can figure out.
12:13:59 lhinds, Tengu: Would having the sessions start at 9am (Denver time) be OK with you?
12:14:22 Giulio Fidente proposed openstack/tripleo-heat-templates stable/queens: Update sample-env-generator files to make it use ceph-ansible https://review.openstack.org/600017
12:14:30 3 hours from now
12:14:33 fine by me
12:14:43 John Fulton proposed openstack/tripleo-heat-templates master: Persist ceph-ansible fetch_directory using config-download https://review.openstack.org/582811
12:14:48 https://time.is/Denver
12:15:13 should be fine for me as well.
12:15:43 jaosorior: care to sync with EmilienM for the BJ session so we can get the google calendar invitation/reminder/magics?
12:18:09 Tengu: will do.
12:18:24 alright, changed the schedule
12:18:58 #topic No meeting next time
12:19:13 So... next week, a lot of folks that tend to attend this meeting won't be around (me included)
12:19:32 aren't we meeting biweekly?
12:19:44 right, so, the one in two weeks
12:19:55 meaning, the next meeting would be in a month
12:19:59 unless folks really want to sync up
12:20:19 I think during the PTG wouldn't be productive
12:20:20 if that's the case, then someone else will need to coordinate this meeting in two weeks
12:20:34 moguimar: correct, but that week we don't have a security meeting anyway
12:21:15 Then in September 19, which would be the next meeting, I won't be around, and a bunch of folks won't either
12:21:20 that's why I was suggesting to cancel that meeting
12:21:28 ah, right
12:21:30 unless moguimar or lhinds want to coordinate it.
12:22:02 might be best to wait for you folks to return
12:22:33 alright, let's do that
12:23:28 #topic Any other business
12:23:34 Anything else folks want to bring up to the meeting?
12:25:55 nothing from me
12:26:41 small note
12:26:59 I could get an almost working deploy of the undercloud using podman, WITH SELinux enabled.
12:27:27 wooo :D
12:27:36 this means: the podman version would be more secure than the current docker one, because currently docker isn't configured to use selinux.
12:27:40 mathieu bultel proposed openstack/python-tripleoclient master: Keep plan on update and store user env_files into swift https://review.openstack.org/583145
12:27:56 that's awesome progress
12:28:05 on the other hand, podman IS configured by default to use selinux separation, and that was a big headache for me - but in the end: I'm on the good track.
12:28:09 and hopefully we could use the same code in the overcloud as well :D (at least it gets us closer)
12:28:12 the last issue I get for now is NOT related to selinux.
12:28:30 jaosorior: should be OK for the overcloud as well - but we have other issues right now :).
12:28:36 understood
12:28:53 I'm currently making patches in t-h-t in order to get a nice changeset.
12:29:00 about 4 different patches.
12:29:43 Emilien Macchi proposed openstack/tripleo-quickstart master: Fix regex for python paunch package in repo config https://review.openstack.org/600023
12:29:44 ykarel: ^
12:29:52 EmilienM, ack
12:30:04 Tengu: if you want, add me as a reviewer when they're ready
12:31:01 Emilien Macchi proposed openstack/tripleo-repos master: Fix regex for python paunch package in repo config https://review.openstack.org/600024
12:31:30 Emilien Macchi proposed openstack/tripleo-heat-templates master: Initial support for Podman in docker-puppet https://review.openstack.org/588655
12:31:34 Emilien Macchi proposed openstack/tripleo-heat-templates master: Initial support for Podman in docker-puppet https://review.openstack.org/588655
12:31:48 Alright
12:31:51 thanks for joining folks!
12:31:56 EmilienM, is paunch-services package not required ?
12:31:57 #endmeeting