12:00:32 <jaosorior> #startmeeting TripleO Security Squad
12:00:33 <openstack> Meeting started Wed Oct 31 12:00:32 2018 UTC and is due to finish in 60 minutes.  The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:34 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:36 <openstack> The meeting name has been set to 'tripleo_security_squad'
12:01:12 <jaosorior> hello folks!
12:01:14 <jaosorior> who's around?
12:01:17 <Tengu> «o/
12:01:41 <EmilienM> mwhahaha, weshay : please see my comment: https://review.openstack.org/#/c/614364/
12:01:43 <jaosorior> raildo, lhinds, owalsh, redrobot,
12:01:48 <raildo> o/
12:02:16 <owalsh> oh, stupid time change o/
12:02:27 <Tengu> owalsh: I'm not alone then :D
12:02:33 <jaosorior> haha yeah, I was confused about it yesterday
12:02:54 * owalsh changes the event in my calendar to UTC
12:03:24 <jaosorior> IIRC, this daylight savings time business will stop in europe
12:03:31 <openstackgerrit> Brent Eagles proposed openstack/tripleo-heat-templates master: Handle LP openvswitch meta-package on upgrade  https://review.openstack.org/605200
12:03:50 <openstackgerrit> Sagi Shnaidman proposed openstack/tripleo-quickstart master: Make quickstack.sh avoid needing sudo on missing virtualenv  https://review.openstack.org/613797
12:04:08 <Tengu> jaosorior: yeah, maybe, should be decided next year I think. We might stick to Summer time (which is stupid as hell, but, at least, we won't change it twice a year)
12:04:20 <EmilienM> (sorry folks)
12:04:23 <jaosorior> Tengu: Finland did decide to stick with winter time.
12:04:28 <jaosorior> Anyway:
12:04:29 <owalsh> jaosorior: maybe not here... it's only a recommendation AFAIK
12:04:32 <EmilienM> mwhahaha, weshay : https://bugs.launchpad.net/tripleo/+bug/1800737 I renamed the bug. this is the actual problem
12:04:33 <openstack> Launchpad bug 1800737 in tripleo "relabel failed /var/lib/config-data: no such file or directory" [Critical,Triaged]
12:04:47 <jaosorior> #topic Secret Management Update
12:04:50 <jaosorior> raildo: ^^
12:05:46 <weshay> EmilienM, sounds good
12:05:52 <raildo> Hey folks, just a quick update on where we are about the secrets management stuff, more specifically regarding the Castellan driver for oslo.config
12:06:41 <weshay> EmilienM, the gate is foooked http://dashboard-ci.tripleo.org/d/cEEjGFFmz/cockpit?orgId=1
12:06:43 <Tengu> weshay: will comment that LP. have an idea, need some info/feedbacks for solution.
12:06:46 <raildo> so, at this point we wrote the castellan driver https://review.openstack.org/#/c/599589/ but we're pending to write some unit tests for it
12:06:57 <weshay> just fyi.. we're down to 72.5% that is really bad
12:07:51 <raildo> unfortunately, Moises who wrote the driver, is on PTO for a while, and we didn't have so much progress on those tests, until he comes back, so I'll sync with him to have this done in the next couple weeks
12:07:59 <jaosorior> raildo: so, the driver is scheduled to land in Stein, right? Are we also aiming to get some tripleo usage of this in Stein? or is that for the next release?
12:08:44 <Tengu> weshay: https://bugs.launchpad.net/tripleo/+bug/1800737/comments/3
12:08:44 <openstack> Launchpad bug 1800737 in tripleo "relabel failed /var/lib/config-data: no such file or directory" [Critical,Triaged]
12:09:05 <raildo> so, the driver will land on Stein, the idea is to implement some gate jobs over Castellan testing those scenarios, but I'm not expecting to have time to have some of this work on TripleO, it'll have to wait for the next release
12:09:33 <jaosorior> got it
12:09:51 <raildo> but would be great for TripleO start understanding/reviewing what we are doing in the Castellan/oslo side, since we'll probably be discussing about it more deeply in the next PTG
12:09:57 <openstackgerrit> Sagi Shnaidman proposed openstack/tripleo-quickstart master: Make quickstack.sh avoid needing sudo on missing virtualenv  https://review.openstack.org/613797
12:10:17 <ooolpbot> URGENT TRIPLEO TASKS NEED ATTENTION
12:10:19 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1798195
12:10:19 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1799895
12:10:20 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1800737
12:10:21 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1800742
12:10:21 <openstack> Launchpad bug 1798195 in tripleo "rdo-cloud yum repos unavailable during container updates and failing the undercloud install " [Critical,Triaged]
12:10:22 <openstack> Launchpad bug 1799895 in tripleo "CI: undercloud takes long time which causes job fail with timeout" [Critical,Triaged]
12:10:23 <openstack> Launchpad bug 1800737 in tripleo "relabel failed /var/lib/config-data: no such file or directory" [Critical,Triaged]
12:10:24 <openstack> Launchpad bug 1800742 in tripleo "tempest.lib.exceptions.IdentityError: Got identity error, undercloud-containers" [Critical,Triaged]
12:10:39 <raildo> that's all that I have for now
12:10:50 <jaosorior> raildo: thanks for the update!
12:10:58 <raildo> sure, no problem!
12:11:05 <jaosorior> #topic SELinux for containers update
12:11:09 <jaosorior> Tengu: ^^
12:11:22 <Tengu> hey, that's me :)
12:11:54 <Tengu> so, basically, it's "mostly working" at least for:  undercloud deploy with podman, overcloud deploy with podman and NON-HA (1 controller + 1 compute tested so far)
12:12:18 <jaosorior> cool!!
12:12:20 <Tengu> we have some non-selinux issues with the HA, so for now I can't say how will keepalived/pcmk/friends work with podman + selinux
12:12:34 <Tengu> ah, and when I say "with selinux"; it's the full thing, meaning: enforcing + separation
12:12:35 <jaosorior> what are the non-selinux issues?
12:12:49 <Tengu> ah well, pcmk not supporting podman, that kind of things.
12:12:53 <jaosorior> oh
12:12:55 <jaosorior> :(
12:12:58 <jaosorior> got it
12:12:59 <Tengu> we need a specific package, already in the pipe.
12:13:18 <Tengu> so yeah. for non-HA I get something working, still hitting some random issues with neutron though
12:13:35 <Tengu> this bunch of containers do create issues, as they have high privileges and the like.
12:13:49 <Tengu> speaking of privileges: we're currently unable to drop the "--privileged".
12:14:11 <Tengu> this is mainly due to the fact we must support both docker and podman for a while, and apparently docker doesn't work well with the cap-add.
12:14:35 <Tengu> so we stick with a bunch of "privileged" containers for now.
12:14:42 <jaosorior> Tengu: do you have any more details related to that?
12:15:09 <jaosorior> as far as I had understood, adding custom capabilities has for long been the recommended approach to locking down your docker deployment.
12:15:14 <Tengu> also, some containers deactivate the labelling, dropping the selinux separation. This isn't great, but I don't have alternative for now.
12:15:29 <jaosorior> and even docker were the ones that originally came up with the set of minimum "secure" defaults
12:15:40 <Tengu> jaosorior: I didn't work on the cap-add part - bogdando did some tests with that and apparently it wasn't that great.
12:15:45 <jaosorior> Tengu: that was to be expected, openshift does the same for their openvswitch container
12:15:57 <jaosorior> bogdando: are you around?
12:15:59 <Tengu> imho we should stick with the --privileged *for now*, as a first iteration.
12:16:29 <jaosorior> Tengu: sure, it's not a blocker; and just having SELinux labeling enabled for most containers already reduces a lot the attack surface
12:17:19 <jaosorior> I guess bogdando is not online right now, I'll ping him off this meeting just to understand things better.
12:17:21 <jaosorior> Tengu: thanks!
12:17:33 <Tengu> np :)
12:17:50 <jaosorior> #topic TLS everywhere in CI
12:18:02 <jaosorior> So, we did some work on this on the PTG
12:18:17 <jaosorior> and agreed with the CI team that it was appropriate to keep this in OVB
12:18:33 <jaosorior> sshnaidm|ruck: was mainly working on this, but the last I knew about it was that there were some issues with DNS
12:18:55 <jaosorior> sshnaidm|ruck: is this still the case? or was there another issue that prevented this work from continuing?
12:19:54 <openstackgerrit> Sagi Shnaidman proposed openstack/tripleo-quickstart master: Make quickstack.sh avoid needing sudo on missing virtualenv  https://review.openstack.org/613797
12:20:47 <sshnaidm|ruck> jaosorior, it's still the issue and rdo cloud breakages prevented me from proceeding with this unfortunately..
12:21:04 <jaosorior> sshnaidm|ruck: got it
12:21:39 <jaosorior> sshnaidm|ruck: do you think (assuming RDO cloud would work in the near future), that we could get around these DNS issues?
12:21:59 <openstackgerrit> Sorin Sbarnea proposed openstack/tripleo-quickstart master: Fix quickstart.sh --install-deps on fedora26  https://review.openstack.org/613797
12:22:25 <sshnaidm|ruck> jaosorior, yeah, the main problem is that you can't run it to test, not dns issue itself
12:22:42 <jaosorior> sshnaidm|ruck: what do you mean?
12:23:14 <sshnaidm|ruck> jaosorior, I mean that it can run only on private tenant of rdo cloud currently, and if it's broken - you can't run it to test
12:24:08 <jaosorior> sshnaidm|ruck: right, so that's still related to the RDO cloud issues, right?
12:26:12 <weshay> jaosorior, morning..  we leaving the gate as is w/ mirror and podman issues?
12:26:13 <jaosorior> We were discussing with my team the possibility of adding the necessary things in the workflow to support the TLS everywhere setup without relying on FreeIPA discovery through DNS (so no DNS needed from FreeIPA).
12:26:42 <jaosorior> sshnaidm|ruck: would that be helpful? or all the issue falls down due to the RDO cloud issues?
12:27:17 <sshnaidm|ruck> jaosorior, I think it might be helpful
12:27:25 <sshnaidm|ruck> jaosorior, as it's currently a blocker
12:27:35 <jaosorior> sshnaidm|ruck: got it. I'll report back to my team to try to prioritize that.
12:27:41 <sshnaidm|ruck> jaosorior, cool, thanks
12:27:52 <jaosorior> sshnaidm|ruck: thanks for all the help man
12:28:03 <weshay> jaosorior,  can you comment on this epic with your thoughts or a looks good if it's ok atm https://tree.taiga.io/project/tripleo-ci-board/epic/298
12:28:25 <jaosorior> weshay: will do after this meeting
12:28:41 <weshay> sorry
12:28:51 <jaosorior> #topic Read Only policy files
12:29:53 <jaosorior> So... it's not uncommon that folks modify the policy files for their deployments. However, there are some policy modifications that are done time and time again
12:30:23 <jaosorior> fixing these issues in the default policy files of OpenStack is work in progress (but it'll take several releases)
12:30:44 <jaosorior> so some folks have suggested maintaining policy references (best practices) in a repo
12:30:53 <jaosorior> these policies could be directly taken into use in deployments
12:31:03 <jaosorior> so I was given the suggestion of including them under the TripleO umbrella
12:31:10 <jaosorior> #link https://pagure.io/openstack-access-policy
12:31:36 <jaosorior> That would be the work that's been done so far ^^
12:31:50 <jaosorior> the main change in those policy files is the inclusion of a read-only role
12:32:06 <jaosorior> which allows folks not to require admin privileges to do operations like listing users and projects
12:32:08 <jaosorior> which is nice :D
12:32:40 <jaosorior> now, including it as part of TripleO would require us to test these files somehow (although this all becomes a bit easier with the standalone jobs)
12:32:49 <jaosorior> Do people have thoughts about this?
12:33:15 <jaosorior> For reference, these are the supported services for this kind of custom policy:
12:33:17 <jaosorior> #link https://pagure.io/openstack-access-policy/blob/master/f/etc
12:35:08 <openstackgerrit> Sagi Shnaidman proposed openstack/tripleo-quickstart master: Make quickstack.sh avoid needing sudo on missing virtualenv  https://review.openstack.org/613797
12:36:19 <jaosorior> If there are no opinions about this on the security squad, I'll bring it up anyway to the weekly meeting next week.
12:37:08 <jaosorior> #topic Any Other business
12:37:24 <jaosorior> Does anybody have something else to bring up to the security squad?
12:38:44 <openstackgerrit> wes hayutin proposed openstack-infra/tripleo-ci master: ovb: reduce the number of workers on the undercloud  https://review.openstack.org/613640
12:39:13 <jaosorior> Alright! thanks for joining everyone!
12:39:16 <jaosorior> #endmeeting