18:01:26 #startmeeting OpenStack Security Group
18:01:27 Meeting started Thu Jun 6 18:01:26 2013 UTC. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:28 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:30 The meeting name has been set to 'openstack_security_group'
18:01:42 time for some security talk
18:01:49 Bryan Payne from Nebula here
18:01:54 who else do we have today?
18:02:21 Nate from APL here
18:02:33 Randy Perryman from Dell here (finally)
18:02:34 hi Nate
18:02:41 ah, welcome Randy
18:03:18 any items that you guys would like to discuss today?
18:03:37 None from me
18:03:54 none from me
18:04:04 well that's easy then :-)
18:04:16 I have a few things, of course
18:04:50 first a quick update on the upcoming doc sprint… we now have someone from APL joining in with the effort
18:05:29 Yes, I was glad to hear that
18:05:44 that rounds out the team, which also has people on it from Nebula, HP, RedHat, Intel, Paypal, Nicira, Rackspace, Cloudscaling, and Cloudpassage
18:06:10 so, should be a really good group
18:06:21 Good mix of talent
18:06:54 We say that the security impact tag on commits is working
18:07:02 Thanks to the volume encryption commits from APL
18:07:14 You're welcome
18:07:25 rellerreller You guys getting the feedback you need with those patches?
18:07:48 We are getting some. I'm getting back up to speed as I was out for 3 weeks.
18:07:59 got it
18:08:00 I need to check on that later today.
18:08:05 ok
18:08:08 I did review the code
18:08:14 Thanks!
18:08:32 It looked fine to me, but I didn't mark +1 b/c I'm not as familiar with those pieces of the system
18:08:53 ok
18:08:59 If you'd like me to be more vocal on it at some point, just let me know
18:09:10 Will do
18:09:43 Switching gear here...
18:09:57 Rob couldn't join today, but asked that we discuss OSSNs
18:10:02 these are the openstack security notes
18:10:30 we have published a few… basically general guidance on best practices for security deployment
18:10:56 Rob was interested in brainstorming some areas that we could discuss in future OSSNs
18:11:09 any thoughts?
18:11:31 For example, what are some common OS security misconfigurations that we could help steer people away from?
18:12:20 for reference https://launchpad.net/ossn
18:12:27 How is this different than the hardening guide?
18:12:35 clearly related
18:13:06 these will be more timely
18:13:12 easier to push out quick advice as needed
18:13:19 My question would be how basic
18:13:25 whereas the hardening guide will cover more long living issues
18:13:53 ie... ensuring the network configuration is correct, password security, etc...
18:14:07 yeah, even the most simple things are probably useful
18:14:26 esp if the best practices for cloud setup deviate from what you would do for a basic linux setup
18:14:53 right
18:14:56 what network configurations would you guys typically suggest?
18:15:37 * bdpayne probes for information that might also be useful in the book :-)
18:15:54 presuming that one shared network is bad
18:15:56 I was just thinking about on the OpenStack admin guide "stories from the cr**t" - the one about the nova.conf having a misconfigured vlan
18:16:20 ah, yeah
18:16:37 very basic
18:16:44 so, right, I'm guessing that most people use vlans here
18:16:56 right
18:17:09 physical separate networks could work too, but incurs more h/w cost
18:17:19 and is ultimately less flexible
18:17:34 but then vlan termination becomes something that matters
18:17:50 anyway, I imagine that we'll touch on these things in the book
18:18:41 for the OSSNs, if you are aware of deployment decisions that people are making that are wrong, but perhaps just easier
18:18:50 …that could potentially be useful topics
18:18:56 Okay
18:19:12 we also try to address things like configuring around security issues, if reasonable to do so
18:19:40 for example, we had one on restricting header sizes for https requests
18:19:57 good point
18:20:22 well, I'll leave it as an action item for us to be brainstorming such things
18:20:29 #action Think about future OSSN topics
18:20:59 ok… any other topics for discussion today?
18:21:26 Any idea how the rpc encryption is going?
18:21:41 hi malini1 :-)
18:21:46 :-)
18:21:59 I have not been tracking those discussions, unfortunately
18:22:07 anyone else aware of the rpc work?
18:22:29 @ewindisch you around?
18:23:04 hello
18:23:09 hi!
18:23:17 we were just curious where the rpc security work has landed
18:23:24 still moving forward or ??
18:24:01 bdpayne: good question...
18:24:55 I https://review.openstack.org/#/c/28154/
18:25:03 one review from Simo
18:25:32 I've been otherwise occupied since the overall community support seems to be around Simo - and I'm plenty busy enough as is.
18:25:52 ok, I hadn't been following it that much
18:25:59 so community took Simo's path?
18:26:02 :-) Ah! I was wondering, because at the summit you presented and had not heard more from you on the mailing list
18:26:03 looks like the PR is up there
18:26:05 but I should really work on a formal proposal for a CMS based solution
18:26:38 yeah, that'd be nice
18:26:50 I'll check out that review for Simo's work too
18:26:53 Simo at one point was talking to the key manager folks and did not want to introduce yet another service into the path
18:26:57 bdpayne: I'd rather not log all my thoughts into meetingbot… :)
18:27:09 thanks ewindisch
18:27:29 ewindisch happy to chat in PM sometime if you'd like
18:27:46 sure - and we can chat when I see you later this month
18:27:52 indeed
18:27:56 i too would like to learn more about your CMS
18:28:06 great
18:28:15 ok, anything else for today?
18:28:32 i shall be out for two weeks, take care and fun summer
18:28:46 have a nice trip malini1
18:28:49 not really. I have a patch outstanding to do safe_log for ZeroMQ - passwords and tokens are leaking into logs at present
18:29:08 fun
18:29:32 I'm going to send a message to dev, but you should put "securityimpact" in the commit message for such things
18:29:41 keystone introduced a decorator to silence all things password with a fixed number of *
18:29:47 that will help keep the security community engaged with reviewing such things
18:30:03 bdpayne: will do. It is linked to a bug which is pretty clear in the impact
18:30:25 yeah, but that tag will send an email to the security list :-)
18:30:48 :-) that tag is powerful, wakes folks up
18:30:54 ha
18:31:03 ok, thanks everyone… have a great week
18:31:08 #endmeeting