17:00:46 #startmeeting openstack security group
17:00:47 Meeting started Thu Oct 23 17:00:46 2014 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:48 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:51 The meeting name has been set to 'openstack_security_group'
17:01:04 roll call peeps!
17:01:07 Afternoon/Morning/Evening all
17:01:08 hi
17:01:10 HOLA
17:01:18 hi
17:01:27 o/
17:01:28 Hi!!
17:01:29 hello
17:01:36 hi, i'm mainly listening but i have a question for open discussion time =)
17:01:37 hello all
17:01:40 hi all
17:01:47 'ello
17:01:59 Hey, so, the summit is less than two weeks away!
17:02:09 What should we discuss today?
17:02:52 well I'm sure we'll get OSSN status
17:03:09 book?
17:03:36 yeah, OSSNs will be pretty quick
17:03:42 ok let's start there
17:03:46 #topic ossn
17:04:04 So a number of issues were cleared out last week and published.
17:04:19 So there's just one in progress that's out for review (OSSN-0038)
17:04:33 #link https://review.openstack.org/#/c/128636/3
17:04:41 that's mine i think, input welcome :)
17:05:01 Thanks tkelsey
17:05:13 I think there are still a few in the queue
17:05:17 you're welcome hyakuhei
17:05:26 there are a handful free for others to pick up - https://bugs.launchpad.net/ossn/
17:06:25 Doug has one that he picked up, but there's not a patch proposed yet - https://bugs.launchpad.net/ossn/+bug/1163569
17:06:26 Launchpad bug 1163569 in ossn "security groups don't work with vip and ovs plugin" [High,In progress]
17:07:06 yeah, I'm supposed to be helping with that one, not had much time yet
17:07:13 Yeah that one was tricky iirc
17:07:21 We could discuss options for that now?
17:07:43 Sure. So what's the tricky part of that one?
17:08:27 first of all it's hard to test I think
17:08:39 I think there is some missing or confusing info, is Doug about, he would know more
17:08:59 I'll ping him on skype see if he can join us
17:09:02 it seems to need a lot of setup and domain knowledge
17:09:20 yeah tmcpeak
17:10:02 Pinged dg, no reply, assume he's not joining
17:10:44 shame, his input would have been good. I guess I'll try and look at it tomorrow
17:11:05 Yeah, so I think it's as tmcpeak said, if you don't work with it much this is confusing
17:11:20 sure
17:11:33 ok, so perhaps tapping a developer from the area would be best here
17:11:43 +1
17:11:46 Know any friendly ones ? :P
17:11:47 +1
17:12:41 probably worth just having Doug join the neutron weekly meeting to bring it up
17:12:54 or reach out to the current PTL
17:12:56 Depending on what timezone they run that in, sure.
17:13:07 Ok, I'll chat with dg about it tomorrow :)
17:13:08 I can bring it up to Kyle
17:13:26 sweston: thanks!
17:14:06 Yeah, that'll be really helpful
17:14:07 I don't think there's much more on OSSNs
17:14:11 nkinder: sure, if you still want to ping Doug, feel free to bring me in ... I'll be here all day!!
17:14:21 ...aside from mentioning that we're almost up to 40 notes now!
17:14:27 :-)
17:14:30 good work all :)
17:14:38 It's come a long way
17:14:38 +1
17:15:01 yeah, we've more than doubled in a few months
17:15:59 and there are lots of authors now too
17:16:21 Who hoo ... on that "note", I'll take https://bugs.launchpad.net/ossn/+bug/1329214
17:16:22 Launchpad bug 1329214 in cinder "tgtadm iscsi chap does not work" [Critical,Fix released]
17:16:51 nice sweston
17:16:59 unless somebody else wants it :-)
17:17:02 sweston: great! Any help you need, just ask.
17:17:05 I think it's all yours :P
17:17:30 hehe, sure .. I'll ask for help if I need to, thanks!!
17:18:00 sweston: you get bonus points for the pun :-P
17:18:26 ok, any other OSSN stuff?
17:18:34 tkelsey: :-D
17:19:00 Nope. That's it.
17:19:13 ok, next up on the agenda, elmiko - what did you want to discuss?
17:19:45 well, i'm chairing a session for Sahara on security
17:20:12 i have a few topics prepared, but i wanted to reach out and see if anyone might be able to help me find topics that we might be missing currently
17:20:14 Coolio, how can we help
17:20:40 I'm not very familiar with Sahara today - anyone got anything to contribute?
17:20:41 we have a few areas that we improved during juno, but i'm curious how much more can we find
17:20:43 elmiko: do you have a list?
17:21:17 tmcpeak: so far, we will talk about a new security group feature, and the new domain proxy feature. i'm still assembling more topics
17:21:24 elmiko: I know we discussed some things about keystone trusts quite a while back
17:21:34 what i'm really curious about are more general threats that a sahara user/operator should be aware of
17:21:46 elmiko: ok, are you looking for features, hardening your existing code, both?
17:21:53 nkinder: yes! and it helped us implement a new feature based around that
17:22:00 tmcpeak: both ideally
17:22:15 elmiko: maybe an email to the security mailing list would be useful too?
17:22:41 hyakuhei: awesome idea, is that the openstack-dev list with an [ossg] on it?
17:22:52 elmiko: ok, so I wonder if starting with a security audit page for sahara would be a good start too.
17:23:03 elmiko openstack-security mailing list
17:23:12 nkinder: +1
17:23:12 nkinder: that would be great
17:23:30 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
17:23:37 elmiko: ^
17:23:56 elmiko: https://wiki.openstack.org/wiki/Security/Juno
17:23:56 hyakuhei: tnx
17:23:58 Although -dev with [ossg] _should_ work
17:24:09 I suppose it's time I create a Kilo page
17:24:19 Oooh!
17:24:39 nkinder: is there anything i can do to help get the audit under way?
17:25:12 Audits are _really_ time intensive
17:25:20 elmiko: yeah, let me create a placeholder page after the meeting and you can look at the existing one for Keystone to get an idea of the info to collect.
17:25:29 nkinder: awesome
17:25:34 hyakuhei: not bad if you have experience with the project/code though
17:25:35 best bet right now is to find one or two devs who are interested and set up a meet in Paris to lay the groundwork
17:25:41 I think we should have discussions on -dev rather than the security list
17:25:43 hyakuhei: i'm willing to put some time in on it, if it's something that i can tackle
17:25:56 nkinder: +1 going in cold is the worst
17:26:28 elmiko: It's so much easier with someone who knows the code
17:26:38 #action nkinder to create kilo 'security info' page and a sahara template
17:26:45 hyakuhei: for sure, and i'm interested in being part of the process
17:26:46 And if we want more extensive, we can do some high level Threat analysis on Sahara
17:27:20 shohel02: i think that's something that would be useful for the devs and our end-users
17:27:46 on a more general level, i am looking to gain an insight into the type of issues we should be looking for as an openstack project
17:27:57 these are the types of things i'd like to talk about at summit with our devs
17:28:03 heh, that's a long list
17:28:08 i'll bet ;)
17:28:11 Something we can help with though :)
17:28:38 +1 elmiko hyakuhei
17:28:41 Sorry can't help too much today need to leave for 'nother meeting
17:28:55 i'm trying to avoid covering topics that might be better addressed in other areas, for example should we talk about general networking configurations that might be out of scope for sahara?
17:28:58 elmiko: you'll be at the Summit then?
17:29:04 nkinder: yes
17:29:43 for those who haven't explored sahara, we are providing a data processing solution for openstack
17:29:52 so we are building clusters with hadoop, spark, and the like
17:29:58 oh hai dg__
17:30:07 interesting stuff elmiko
17:30:16 talking about security within our clusters is one thing, but talking about threats to the stack i feel is a bigger issue
17:30:40 hyakuhei hi, think i need to kill my outlook calendar
17:30:54 for example, should we be worried about an attacker being able to infiltrate a project and thus gain access to the cluster and swift instances, or is that a more general openstack security concern?
17:31:27 There's a point where attack vectors become shared
17:31:37 but that can be influenced in many ways
17:31:47 We need a whiteboard and pretty pictures ;)
17:31:50 yea, i'm really trying to be that with regards to the topics we should discuss
17:32:03 *to be sensitive to that
17:32:20 Makes sense
17:32:48 but it sounds like we've generated some good topics. we can certainly talk about getting ready for an audit, and the possibility of doing higher level threat analysis
17:33:56 I'd love to do some threat analysis on Sahara
17:34:05 i might have missed it, was there a link to page about audits?
17:34:08 hyakuhei: cool!
17:35:09 hyakuhei: yeah, threat analysis sounds good
17:35:40 security audit... this one https://wiki.openstack.org/wiki/Security/Juno
17:35:47 nkinder posted earlier
17:36:01 shohel02: ahh, thanks. got that one, thought i missed one
17:36:14 elmiko: here's a skeleton - https://wiki.openstack.org/wiki/Security/Kilo/Sahara
17:36:27 nkinder: awesome, thanks
17:36:47 elmiko: look at the Juno keystone one for an idea. I'll create the Kilo one for Keystone today
17:36:57 cool
17:37:32 thanks everybody, this is great. i'll have a few more issues we should be talking about within Sahara, and expect me to haunt the OOSG sessions looking to talk more =)
17:37:41 *OSSG
17:37:47 elmiko: sounds good
17:38:08 cool, any other agenda items?
17:38:12 elmiko: good stuff.
17:38:19 so i have some SecImpact numbers
17:38:32 I'd like to talk about a couple of things
17:38:44 tkelsey is welcome to go first :-)
17:38:54 ok, thanks bdpayne_
17:39:25 so I ran a hacky script against gerrit looking for SecImpact changes, I have some numbers
17:39:37 I'll put them into a pastebin I guess
17:39:40 #topic Security Impact
17:40:24 http://pastebin.com/TuDfph6U
17:41:01 the main take away is that 29 changes got merged that had SecImpact but no OSSG input
17:41:01 So what's good/bad mean?
17:41:12 but 25 did have input ?
17:41:18 yes
17:41:21 That's better than I thought tbh
17:41:29 bad == no OSSG, or -1 from OSSG
17:41:41 Can you do stats on who contributed from OSSG
17:41:43 good = +1 or 0 from OSSG
17:41:52 yes i can get names
17:41:57 hmm, so I think -1 from OSSG is still 'good' in this context?
17:42:01 tkelsey: I'm interested in knowing if OSSG looked at it at all
17:42:08 ...regardless of score
17:42:10 yeah
17:42:13 OSSG looked at something - yay
17:42:27 sure, ok :-) not hard to change things for that metric
17:42:35 this is great to have the data... and something that we should track regularly
17:42:36 even so, takeaway from this is we're likely responding to over 50% of requests
17:42:39 perhaps each month or each quarter
17:42:45 Yup
17:42:49 Thanks for this tkelsey
17:42:55 indeed, thanks
17:42:56 +1
17:42:59 bdpayne_: sure, I can handle doing this at intervals
17:43:37 tkelsey if you can provide the raw numbers, I could figure out a nice visualization to track this over time
17:43:51 just ping me to remind me that I said this ;-)
17:43:52 sure thing bdpayne_
17:44:01 haha no problem
17:44:05 Something Stackalytics-esque?
17:44:13 yeah
17:44:18 * bdpayne_ likes visualizations
17:44:19 that would be very nice
17:44:52 Great stuff, thanks Tim!
17:45:03 well that's all I had, just wanted to put the data out there. I'll clean things up and give bdpayne_ the info
17:45:13 Right bdpayne_ you had something you wanted to discuss ?
17:45:14 hyakuhei: thanks
17:45:17 yeah
17:45:21 a couple of things
17:45:25 but I can be briefish
17:45:29 1) Elections!
17:45:32 #topic Elections
17:45:39 We have an election going on this week
17:45:46 woo!
17:45:48 Polls will close on Monday morning (pacific time)
17:45:51 Scary stuff.
17:45:57 currently 41/91 people have voted
17:46:04 would love to see more votes
17:46:07 vote early, vote often!
17:46:09 +1
17:46:23 so please go ahead and vote if you haven't already
17:46:28 That's a pretty decent sized electorate
17:46:47 also... just a placeholder here, but I think post-election we should have a discussion about electorate qualification going forward
17:47:06 but, regardless, we have 91 people in the electorate and 41 that have voted already
17:47:14 so that's a reasonable sized group
17:47:16 OSSG is growing
17:47:22 and by that I mean that active community
17:47:28 nice work everyone :-)
17:47:35 any questions on the elections?
17:47:36 wooohoo
17:48:03 It's always good to review these things
17:48:06 ok, let's move on to my next topic
17:48:12 2) OSSG track at the summit
17:48:17 #topic OSSG track
17:48:27 we have talked about setting up a space for OSSG people to chat at the summit
17:48:34 Tuesday was looking good for that, not 100% sure ?
17:48:43 I would like to see us pick a day or 1/2 day to have a semi-formal track
17:48:50 at least, planned topics in time slots
17:48:53 bdpayne_: +1
17:48:58 do we have an etherpad to track topics?
17:49:09 We _did_
17:49:15 hrm
17:49:16 but I confess I didn't make a note of it.
17:49:24 anyone know the link?
17:49:29 I'll circulate an email with it after the meeting, once I've updated the mnutes
17:49:32 *minutes
17:49:50 ok, sounds good
17:49:57 I'd like to have a book discussion in one of the slots
17:50:07 and I will probably have some other ideas too :-)
17:50:25 ok, I think that's all I have for today
17:50:28 bdpayne_: +1 for books
17:50:47 #topic any other business
17:50:49 Thanks bdpayne_
17:51:07 re: other topics
17:51:30 have we talked about mentorship for folks wanting to jump in to ossg stuffs but unsure where to start?
17:51:49 e-vad: the channel is a good place to find help
17:51:55 we have talked a bit about this in the past, but it would be good to do more here
17:52:04 normally at least somebody is around to point you in the right direction
17:52:14 but people need to know to go into the channel
17:52:22 ahh, solid point
17:52:23 we need a super nice easy intro doc
17:52:28 Yeah, there's occasionally people reaching out on the ML too
17:52:30 and that needs to be easy to find
17:52:30 some of that could be as easy as update our wiki page some
17:52:37 perhaps an email sent to people that join the launchpad group
17:52:50 and an updated wiki page, yeah
17:53:29 both good points
17:53:31 and probably with some example ... e.g., start with filing bugs in book, or writing OSSN
17:53:49 so there is a wiki with this goal in mind
17:53:55 but it could use some updating
17:54:11 We do have some 'how to contribute' text already that bdpayne_ wrote iirc
17:54:20 https://wiki.openstack.org/wiki/Security/How_To_Contribute
17:54:33 and some intro text on https://wiki.openstack.org/wiki/Security
17:54:43 those are good places to improve
17:55:24 yup
17:55:48 the docbook bits could use a link out to one of anne gentle's preso's on working with docbooks and contributing to openstack docs
17:56:00 it's not the most straightforward thing to do
17:56:28 i guess then, i'll volunteer to take a look over said wiki and see what can be poked
17:56:43 cool, thanks
17:57:12 as part of the ossg track at the summit we should do a thing as well
17:57:24 bdpayne_: Etherpad for the summit
17:57:32 #link https://etherpad.openstack.org/p/ossg-kilo-summit
17:57:37 ahh
17:57:38 thanks
17:57:42 Np.
17:57:50 help folks get signed up, involved, maybe dissect an ossn
17:59:02 It's definitely time we looked at that stuff again, made the ossg a bit more welcoming
17:59:42 fwiw, my experiences with OSSG have been really positive so far. kudos to you all
17:59:49 +1
18:00:03 That's a great note to wrap on guys!
18:00:04 thanks elmiko :-)
18:00:04 Thank you all!
18:00:10 #endmeeting