17:02:35 <hyakuhei> #startmeeting openstack security group
17:02:36 <openstack> Meeting started Thu Oct  9 17:02:35 2014 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:37 <tkelsey> hello
17:02:38 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:40 <openstack> The meeting name has been set to 'openstack_security_group'
17:02:48 <nkinder> hi all
17:02:51 <hyakuhei> Let's have a rollcall :)
17:02:57 <nkinder> o/
17:03:02 <chair6> ello
17:03:07 <tkelsey> here
17:03:16 <bdpayne> o/
17:04:03 <dstanek> o/
17:04:20 <hyakuhei> cool, so let's work out the agenda :)
17:04:51 <hyakuhei> OSSN, Bandit, Elections, Summit
17:04:53 <hyakuhei> What else?
17:05:03 <bdpayne> that sounds about right
17:05:21 <hyakuhei> cool
17:05:25 <hyakuhei> nkinder: OSSNs ?
17:05:28 <hyakuhei> #topic OSSN
17:05:30 <tkelsey> hyakuhei: I have that SecImpact script as well
17:05:45 <hyakuhei> Thanks Tim, we'll talk that after OSSN
17:05:54 <nkinder> hyakuhei: The main update with OSSNs is that Rob found a number of older ones that were never published on the wiki
17:06:10 <hyakuhei> #link https://review.openstack.org/#/c/126203
17:06:16 <nkinder> I reformatted them and posted up a review for them, which Rob has been updating
17:06:20 <hyakuhei> I've done some work to bring them up to current standards
17:06:37 <bdpayne> ah, good catch
17:06:38 <nkinder> hyakuhei: your last patch is the first to get blocked by a gate failure too! ;)
17:06:45 <hyakuhei> woot!
17:06:49 <tkelsey> hehe, good work
17:06:50 <nkinder> So our new gate jobs are working
17:06:50 <hyakuhei> Valid test I think :P
17:06:59 <hyakuhei> Completely on purpose.
17:07:03 <nkinder> of course hyakuhei was just trying to test the gate tests... :)
17:07:16 <tkelsey> +1 I'll buy that :P
17:07:27 <hyakuhei> lol
17:07:39 <nkinder> So I think there are a few things that need to be adjusted to get those merged, then I'll publish them on the wiki
17:07:46 <hyakuhei> That's great work nkinder, I'll try to find time to improve them tomorrow
17:07:48 <nkinder> I think there is no need to re-publish them on the mailing list
17:07:56 <hyakuhei> +1
17:08:03 <nkinder> hyakuhei: If I get a chance this afternoon, I'll update them.
17:08:19 <hyakuhei> cool, don't worry too much though, I'm happy to do it tomorrow
17:08:26 <hyakuhei> Anything else OSSN related?
17:08:32 <nkinder> Aside from that, 0025 needs some reviews
17:08:33 <nkinder> https://review.openstack.org/#/c/117928/
17:08:41 <tkelsey> looking
17:08:59 <nkinder> I'll give this latest version a read-through today
17:09:03 * bdpayne plans to do a round of security-doc reviews later today
17:09:20 <hyakuhei> good plan, it'd be nice to see 0025 done
17:09:32 <nkinder> I saw that one of the other outstanding OSSN bugs was picked up this week
17:09:51 <nkinder> as always, the queue is here...
17:09:52 <nkinder> #link https://bugs.launchpad.net/ossn/
17:10:09 <sweston> bdpayne: please let me know if i can help with anything Neutron related
17:10:40 <bdpayne> ok
17:10:41 <nkinder> I don't believe LP#1341816 is truly in progress, so I'll switch it back to NEW so it's free for people to pick up
17:11:02 <nkinder> I'll probably grab it myself since it's in an area I'm familiar with
17:11:09 <hyakuhei> I think tkelsey was going to pick something up - did that happen ?
17:11:32 <tkelsey> hyakuhei: not yet sorry, though I will pick up one asap
17:11:32 <nkinder> hyakuhei: yes, I believe so
17:11:40 <nkinder> oh, someone else picked one up then...
17:11:47 <tkelsey> yeah wasn't me, sorry
17:11:59 <nkinder> h, Doug picked up https://bugs.launchpad.net/ossn/+bug/1163569
17:12:02 <uvirtbot> Launchpad bug 1163569 in ossn "security groups don't work with vip and ovs plugin" [High,In progress]
17:12:40 <hyakuhei> Ah cool, good stuff
17:12:47 <hyakuhei> Ok, let's talk about Bandit
17:12:50 <hyakuhei> #topic Bandit
17:13:11 <tkelsey> so I added a new test for HTTPSConnection, extracted from OSSN-0033
17:13:12 <sweston> awesome, I'll work with him on that (I am pushing the code for that)
17:13:13 <hyakuhei> tkelsey has been added to core, which is cool
17:13:19 <rlpple> apologies for being late.
17:13:27 <hyakuhei> you're fired rlpple
17:13:34 <rlpple> YEA!!!
17:13:44 <hyakuhei> :) Anyway - Bandit, what's next guys?
17:13:54 <chair6> wiki page is at https://wiki.openstack.org/wiki/Security/Projects/Bandit
17:14:06 <chair6> i'm going to send another update to the mailing list
17:14:27 <hyakuhei> There's a "other project" suggestion in for Bandit at the summit too
17:14:34 <tkelsey> I have started roughing out some ideas here https://etherpad.openstack.org/p/kilo-crossproject-summit-topics
17:14:43 <hyakuhei> and I think Travis is presenting on it.
17:14:50 <chair6> we'll keep working on improving the framework, but really it's a case of adding tests, using the tool, and starting to make it more widely known across openstack
17:14:51 <nkinder> well, figuring out gate integration is next I think
17:15:03 <nkinder> hyakuhei: Is Travis going to be attending the summit?
17:15:22 <chair6> travis's presentation didn't make the cut, iirc
17:15:29 <hyakuhei> Oh maybe he isn't presenting, maybe he just submitted- lots going on in my head atm
17:15:32 <hyakuhei> Yeah that's true
17:15:39 <hyakuhei> Ok well I'll push bandit in my talks anyway :P
17:15:50 <tkelsey> +1 :) Bandit is awesome
17:16:15 <hyakuhei> but that makes the design session even more critical so please take a look at the writeup tkelsey did for a session and edit/improve as required
17:16:51 <chair6> sounds good .. where is the write-up at, tkelsey?
17:17:19 <hyakuhei> #link https://etherpad.openstack.org/p/kilo-crossproject-summit-topics
17:17:19 <bdpayne> this would be the etherpad linked above?
17:17:20 <tkelsey> chair6: some notes here: https://etherpad.openstack.org/p/kilo-crossproject-summit-topics
17:17:41 <nkinder> I wonder if the OSSG gate one should just be merged with Bandit
17:17:52 <hyakuhei> Yeah probably
17:18:06 <nkinder> discussions about testing SSL in the gate are already under way, so there might not be a lot to hash out there once the summit comes around
17:18:56 <bdpayne> that would be a good thing :-)
17:19:06 <hyakuhei> +1
17:19:11 <rlpple> +1
17:19:19 <nkinder> bdpayne: yes, though there is push back to add SSL enabled devstack as an additional job
17:19:20 <hyakuhei> Ok anything else re: Bandit?
17:19:35 <nkinder> likely due to the increased test time and slowing the gate
17:19:48 <hyakuhei> This has already crossed over into Summit talk but I'll tag it anyway
17:19:52 <hyakuhei> #topic Summit
17:19:53 <nkinder> It might make more sense to switch the current jobs to enable SSL for everything
17:20:05 <hyakuhei> I think so
17:20:34 <bdpayne> if we are only going to test one, perhaps ssl is the better choice
17:20:38 <bdpayne> but that's just me
17:20:41 <nkinder> So rcrit has been running through tempest with SSL enabled the last few days to see if there are any issues to be fixed up first
17:20:46 <nkinder> bdpayne: +1
17:20:53 <nkinder> that's what rcrit and I were thinking too
17:21:41 <nkinder> There were a few glance client bugs with SSL that are now being addressed.  One merged yesterday, and the other is out for review.
17:22:10 <nkinder> I'm not sure if any other failures have popped up in the tempest testing, but once we have a clean baseline we can push for enabling SSL in the gate
17:22:29 <hyakuhei> there's been a couple of "Doesn't use certificates properly" bugs in the last few days
17:22:33 <hyakuhei> mainly cinder
17:22:46 <hyakuhei> VMT has been downgrading them and I've been pushing back
17:23:28 <nkinder> rcrit should be coming over here to give an update on his SSL testing
17:23:40 <hyakuhei> oh hai rcrit !
17:23:51 <rcrit> hiya
17:23:52 <bdpayne> this raises another potential summit topic... bug scoring for VMT
17:24:04 <nkinder> rcrit: hey, was just talking about your tempest testing with SSL to prepare for enabling SSL in the gate tests
17:24:15 <bdpayne> in fact, perhaps we should have a series of OSSG topics and run our own informal track one day
17:24:23 <bdpayne> just find a corner and run with it
17:24:51 <nkinder> bdpayne: yeah, we can ask for a "pod" like the other project teams get
17:25:00 <bdpayne> another thing I'd be interested in exploring is ways to provide frameworks for richer input validation across all the projects
17:25:19 <nkinder> rcrit: have you found anything horribly broken in tempest with SSL (other than the glance stuff we know about)?
17:25:23 <hyakuhei> good ideas
17:25:38 <bdpayne> regex is useful, but has its limitations
17:25:57 <rcrit> well, tempest filled up my disk last night so I haven't yet figured out what passed and what failed
17:26:01 <bdpayne> nkinder a pod would be great, if that's an option for us
17:26:20 <nkinder> bdpayne: I'll ask ttx
17:26:33 <rcrit> from a devstack-gate perspective it looks to be fairly easy to configure SSL. The TLS proxy stuff is configured in devstack as an additional service, so I think that if that is added the rest should just work (tm)
17:27:40 <rcrit> I need to understand better how devstack is used in the gate and whether the same VM/install is used for all tests or if a different one is used for each
17:27:50 <nkinder> rcrit: so the question will come up about which SSL scenario the gate should test: native SSL or proxy
17:28:02 <rcrit> if SSL and non-SSL tests are mixed in the same run it could mean using 2 different VMs
17:28:14 <rcrit> I've been assuming proxy
17:28:18 <nkinder> I think proxy is more real-world, but won't catch bugs in the service side SSL implementations
17:28:51 <rcrit> It will. Even in tls proxy mode the services talk to themselves over SSL. There is no clear back channel
17:29:11 <nkinder> proxy will flush out client-side issues in the server code for sure
17:29:29 <nkinder> just not code around listening on SSL/processing SSL requests, right?
17:29:48 <rcrit> that's true
17:30:18 <rcrit> from what I saw, and it's typical in most servers, it's mostly just setup around the socket code. Once the request is received the same code paths are used
17:30:38 <nkinder> ok, so maybe there's very little to fail there.
17:30:41 <rcrit> there is no reason both couldn't be tested
17:30:45 <rcrit> except time and resources
17:30:55 <nkinder> except that it bloats the gate jobs
17:31:02 <nkinder> I think we'll have to choose one
17:31:44 <rcrit> well, proxy +1 for me anyway
17:31:48 <nkinder> anyone else have an opinion on native SSL vs proxy for gate jobs?
17:31:55 <nkinder> rcrit: yeah, I'm leaning towards proxy too
17:32:07 <bdpayne> proxy
17:32:22 <bdpayne> I suspect that more closely mirrors real world deployments
17:33:59 <nkinder> ok, well we'll see what rcrit finds in his tests and can hopefully propose enabling SSL in the gate soon
17:34:14 <hyakuhei> Interesting stuff, could probably do with a short summary of what's going on maybe as a blog post or mail to openstack-security some time?
17:34:26 <rcrit> sure
17:34:59 <hyakuhei> awesome!
17:35:37 <hyakuhei> Ok so summit wise we are trying to get more time for the OSSG. I like the idea of trying to get a pod / our own space. The midcycle meetup demonstrated how much we can get done in those sorts of setups
17:35:59 <hyakuhei> Also we should do something social again, probably inviting the VMT too which seemed to work previously
17:37:00 <bdpayne> yeah, I like both of those ideas
17:37:04 <hyakuhei> ok Anything else re: summit?
17:37:08 <bdpayne> I know there's lots going on at the summit
17:37:19 <hyakuhei> Yeah busy time.
17:37:19 <bdpayne> but I like the idea of OSSG spending time hanging out together and getting stuff done
17:37:25 <hyakuhei> +1
17:37:29 <rlpple> +1
17:37:30 <bdpayne> we should perhaps come in with a loose agenda / set of goals
17:37:37 <hyakuhei> Agreed
17:37:44 <hyakuhei> Etherpad?
17:38:00 <bdpayne> sure
17:38:00 <hyakuhei> #link https://etherpad.openstack.org/p/ossg-juno-summit
17:38:10 <hyakuhei> lol. kilo maybe.
17:38:19 <bdpayne> heh
17:38:41 <nkinder> ...they grow up so quick...
17:38:47 <tkelsey> lol
17:39:04 <hyakuhei> #link https://etherpad.openstack.org/p/ossg-kilo-summit
17:39:41 <hyakuhei> ok, that should work, care to throw some things into it?
17:40:06 <hyakuhei> #topic Elections
17:40:29 <hyakuhei> bdpayne has graciously agreed to officiate once again
17:40:39 <hyakuhei> https://wiki.openstack.org/wiki/Security/OSSG_Lead_Election_Fall_2014
17:40:55 <bdpayne> yeah
17:40:58 <hyakuhei> Window for candidates closes on the 19th
17:41:00 <bdpayne> so what we need now are candidates
17:41:11 <bdpayne> right now we have none
17:41:12 <hyakuhei> bdpayne: I added some content to the "officials" bit
17:41:18 <bdpayne> thanks
17:41:30 <hyakuhei> bdpayne: I'll stand but I don't want to ruin the drama by doing it too early :P
17:41:37 <bdpayne> So, if you'd like to be considered for leading OSSG for the next cycle, please put your name forward!
17:42:09 <bdpayne> Just a quick email to the list expressing your background and why you want to run would be sufficient
17:42:15 <bdpayne> I'll confirm that you are eligible
17:42:23 <bdpayne> And I'll add you to the wiki page referenced above
17:42:45 <bdpayne> In the background, I'll be working with Abu on figuring out who is allowed to vote this time around
17:42:56 <hyakuhei> Yeah, the criteria are listed
17:43:04 <bdpayne> So that we can kick off elections later this month
17:43:20 <bdpayne> Yeah, the criteria are listed... so it's just a matter of doing the leg work to see who meets those requirements
17:43:23 <hyakuhei> TBH I think it's highly unlikely we'll get ineligible votes, as being aware of the vote probably puts you in the electorate :)
17:43:35 <hyakuhei> but process is important
17:43:35 <bdpayne> I need to know who to send the ballot to though
17:43:47 <hyakuhei> Yup
17:43:56 <bdpayne> For that we need a list of email addresses... not a mailing list
17:43:59 <bdpayne> that's just how the system works
17:44:05 <hyakuhei> Yeah
17:44:11 <hyakuhei> #topic Any other business
17:44:19 <bdpayne> Anyway... current step is to let us know if you'd like to run
17:44:23 <hyakuhei> tkelsey: want to talk about that code you were working on today?
17:44:25 <bdpayne> And that is all :-)
17:44:28 <hyakuhei> :)
17:44:32 <tkelsey> hyakuhei: sure :)
17:45:05 <tkelsey> so hyakuhei asked about making a quick script to check if a member of the OSSG had reviewed a change marked as SecImpact
17:45:20 <tkelsey> I have knocked up something quick n dirty
17:45:24 <nkinder> tkelsey: ah, cool
17:45:48 <bdpayne> groovy
17:45:52 <nkinder> tkelsey: we need to be diligent about adding our -1/+1 then to make sure that it's accurate
17:45:53 <tkelsey> question is how best to communicate the results, could turn it into an IRC bot or something
17:46:01 <bdpayne> is now when we get embarrassing graphs? :-)
17:46:05 <tkelsey> nkinder: +1 yes for sure
17:46:21 <nkinder> something like "47 DAYS SINCE LAST ACCIDENT"
17:46:28 <tkelsey> LOL
17:46:44 <bdpayne> tkelsey I'd vote for a monthly summary or something like that
17:46:50 <bdpayne> reported here at the meetings
17:46:54 <nkinder> "47 SECURITY ISSUES WAITING TO HAPPEN" maybe
17:46:55 <bdpayne> at least as a first step
17:46:58 <tkelsey> bdpayne: yes that can work :)
17:47:01 <nkinder> yeah, weekly is probably good
17:47:04 <bdpayne> it would be nice to be able to track how well we are doing with that
17:47:07 <hyakuhei> It's a good start, hopefully we'll end up with a nice way of driving more contributions :)
17:47:10 <bdpayne> and this data will be valuable
17:47:29 <nkinder> I think the inverse is really useful (knowing how many we are dropping)
17:47:33 <bdpayne> we could always have a silly award for the highest contributors
17:47:39 <bdpayne> awarded at each summit
17:47:47 <hyakuhei> Yeah why not :)
17:47:55 <hyakuhei> Better check tkelsey's input though
17:47:55 <tkelsey> +1
17:48:17 <tkelsey> however we want to use the data is going to be better than nothing :) so it all sounds good to me
17:48:30 <bdpayne> like hyakuhei buys the top contributor a $100 bottle of scotch
17:48:31 <tkelsey> I can get us the data in whatever way is seen as being best
17:48:46 <tkelsey> +1 for scotch!
17:48:48 <tkelsey> :-P
17:49:29 <hyakuhei> bdpayne: It must be Nebula's turn to buy the whisky by now?
17:49:31 <rlpple> +2
17:49:46 <bdpayne> heh, perhaps
17:49:53 <hyakuhei> Cool. Any other business guys?
17:50:03 <bdpayne> not from this end
17:50:21 <nkinder> nothing here
17:50:32 <tkelsey> so we don't have much marked with SecImpact it seems https://review.openstack.org/query?q=message:SecImpact
17:50:46 <hyakuhei> SecurityImpact ?
17:51:01 <tkelsey> yeah, I have configured the script to search on a bunch of tags
17:51:09 <hyakuhei> Good plan
17:51:25 <hyakuhei> SecurityImpact seems to result in at least some amount of input
17:51:28 <tkelsey> Yeah SecurityImpact turns up plenty :)
17:52:40 <hyakuhei> Awesome
17:52:46 <hyakuhei> Right, anything more to add guys?
17:53:20 <tkelsey> nothing from me
17:53:42 <hyakuhei> ok that's a wrap! Thank you everyone!
17:53:47 <nkinder> thanks!
17:53:52 <sweston> thanks :-)
17:53:53 <tkelsey> thanks all
17:53:53 <rlpple> thank you
17:53:58 <hyakuhei> #endmeeting