#openstack-meeting log

21:03:10 <ttx> #startmeeting project
21:03:11 <openstack> Meeting started Tue Apr  8 21:03:10 2014 UTC and is due to finish in 60 minutes.  The chair is ttx. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:03:12 * russellb sheds a tear
21:03:13 * dhellmann sniffs
21:03:13 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
21:03:15 <openstack> The meeting name has been set to 'project'
21:03:18 * markwash couldn't get past the first chapter of Beloved
21:03:21 <ttx> #link http://wiki.openstack.org/Meetings/ProjectMeeting
21:03:31 <dhellmann> markwash: LOL
21:03:38 <ttx> #topic Current RC status
21:03:42 <hub_cap> markwash: i couldnt get past the title
21:03:48 <ttx> #info RC1 done, no RC2 expected at this point: Swift, Trove
21:03:57 <ttx> #info RC2 done, no RC3 expected at this point: Keystone, Cinder, Ceilometer, Horizon
21:04:04 <ttx> #info RC2 in progress: Glance, Nova, Neutron, Heat
21:04:20 <annegentle> markmc: ghosts
21:04:23 <stevebaker> \o
21:04:25 <ttx> We hope to have Nova and Neutron tomorrow, heat and Glance Thursday
21:04:39 <annegentle> er markwash :)
21:04:51 <ttx> It shall take a pretty significant regression or unforeseen fuckup to do a RC3
21:04:57 <ttx> but then, there always was
21:04:58 <annegentle> ttx: snort
21:05:36 * ttx puts $1 in the swear box
21:05:52 <ttx> Questions on the RC process ?
21:06:21 <ttx> FWIW the icehouse PTLs are not disappearing on Friday with election results
21:06:31 <russellb> go until final icehouse release yes?
21:06:33 * hub_cap suspects ttx's swear box is quite full
21:06:36 <ttx> They are the icehouse cycle PTLs, so they finish the work :P
21:06:42 <annegentle> ttx: is every project open for juno?
21:06:48 <ttx> annegentle: yes
21:07:23 <dolphm> and new PTL's effectively take over on master?
21:07:31 <dolphm> (Friday)
21:07:34 <ttx> dolphm: in theory yes
21:07:41 <dolphm> or at least, free to transition
21:07:44 <annegentle> #info Didn't really see many doc catchups in the feature freeze period
21:08:02 <annegentle> Seems like release notes are being worked
21:08:28 <hub_cap> ttx can u re-link the release notes page?
21:08:35 * hub_cap needs to get started w em
21:08:40 <ttx> #link https://wiki.openstack.org/wiki/ReleaseNotes/Icehouse
21:08:56 <markmcclain> annegentle: did you see the email I sent you?
21:09:11 <ttx> yes release notes seem to come up nicely
21:09:21 <ttx> anything else on that topic ?
21:10:02 <ttx> guess not
21:10:03 <hub_cap> thx ttx
21:10:07 <ttx> #topic Security audit of projects/releases
21:10:12 <ttx> nkinder: o/
21:10:19 <nkinder> Hi all.
21:10:27 * markwash looks nervous
21:10:36 <ttx> today of all days
21:10:41 <russellb> ttx: ha
21:10:54 <nkinder> I'm trying to get an effort going around gathering security related info for each project/release
21:10:55 <russellb> here to disclose openstackbleed?
21:11:11 <annegentle> markmcclain: sorry I need more context? I don't see one
21:11:28 <nkinder> this provides some background for later reading - http://lists.openstack.org/pipermail/openstack-dev/2014-April/032046.html
21:11:31 <ttx> #link Security audit of projects/releases
21:11:33 <ttx> arh
21:11:40 <ttx> #link http://lists.openstack.org/pipermail/openstack-dev/2014-April/032046.html
21:12:00 <nkinder> Basically, I'd like to capture commonly asked security info such as what crypto algorithms are used, what crypto implementations, and how sensitive data is handled.
21:12:11 <russellb> sounds like a good idea
21:12:19 <nkinder> Here is an example I put together for Keystone - https://wiki.openstack.org/wiki/Security/Icehouse/Keystone
21:12:30 <ttx> nkinder: so the challenge is to keep it current, I think
21:12:43 <nkinder> The idea is that each project dev team would be responsible for keeping it up to date.
21:12:51 <ttx> gathering it shall not be too hard, keeping up to date.. ;hmm
21:12:56 <nkinder> maintenance is definitely the big concern
21:12:56 <dolphm> ttx: ++ i'd love to have this in-tree, and kept up to date with the code
21:12:58 <devananda> nkinder: is there substantial interest in having this also for incubated projects (eg ironic)?
21:13:15 <nkinder> dolphm and I discussed it on the keystone meeting today, and there were some good ideas
21:13:17 <markwash> nkinder: not sure if this is actually on topic, but how can we promote better code / review practices for common security issues? I know as a reviewer I've missed some pretty obvious security problems just because I wasn't thinking like a security guy
21:13:24 <ttx> nkinder: if you have it in tree at least you can make sure one is not updated without the other
21:13:33 <ttx> could be some standard file
21:13:38 <annegentle> nkinder: so I did a brief analysis on the current ossn base, and always more than one project is affected due to the actual use cases
21:13:38 <dolphm> devananda: i think it will be expected of every project once a few have it
21:13:39 <nkinder> We're thinking keeping it in-tree would allow it to be kept up to date along with code changes
21:13:43 <hub_cap> markwash: s/like a security guy// ?
21:13:51 <dolphm> devananda: (expected by deployers, etc)
21:13:57 <russellb> markwash: if you tag a commit message with SecurityImpact, a message will go to the security list for the patch ... if you realize it has potential security impact, though
21:14:04 <devananda> dolphm: seems like a fair assumption, yea
21:14:12 <hub_cap> russellb: thx for the tip, i didnt know that
21:14:19 <markwash> hub_cap: sure
21:14:21 <annegentle> nkinder: so I'm not sure in-tree would work well from a deployer standpoint
21:14:41 <nkinder> annegentle: no, it would only work best for developers in-tree.
21:14:44 <ttx> in-tree would help, but it's no magic bullet. The issue is that oftentimes people touch things they don't know has security implications
21:14:56 <ttx> and sometimes it flies through review
21:14:57 <russellb> this sounds like docs that we should just start encouraging, and eventually expecting from every project
21:14:59 <annegentle> nkinder: right but I don't think we should serve devs easy livin' :)
21:15:05 <nkinder> It would need to be transformed and published somewhere for deployers.
21:15:18 <comstud> markwash: solution: always think like a 'security guy'
21:15:25 <ttx> years of looking at CVE patches make me a little pessimistic about human nature
21:15:27 <annegentle> nkinder: sure, but again, individual projects need to think more cross-project
21:15:32 <nkinder> ttx: that is definitely a concern as well, and diligence by core members would be needed
21:15:35 <annegentle> nkinder: and in-tree doesn't encourage that
21:15:50 <markwash> comstud: lol I suppose I'm trying?
21:15:53 <russellb> a wiki page seems like the most reasonable place to doucment this stuff ... Nova/SecurityInfo, and expect it to be updated like we have Nova/HypervisorSupportMatrix
21:15:56 <comstud> try harder!
21:15:59 <dhellmann> annegentle: +1 to thinking cross-project :-)
21:16:42 <nkinder> annegentle: agreed.  At least for the used crypto sorts of items, they are isolated to individual projects.  It's the interaction between projects around sensitive data that requires more cross-project thinking.
21:17:19 <notmyname> nkinder: indeed
21:17:21 <ttx> nkinder: I think wiki + project resposnsibility to keep up to date + external audits pointing out gaps, could work
21:17:25 <nkinder> Part of doing this at an individual project level is also to identify overlap and inconsistencies between projects, which can be used to push towards further cross-project coordination.
21:18:07 <annegentle> nkinder: yes we haven't really considered the crypto case til now but then would barbican be the responsible party (similar to keystone's commonality)? Or maybe I'm thinking wrongly?
21:18:09 <dolphm> would we want to have one page for all of Openstack then?
21:18:17 <markmcclain> ttx: was thinking that we might consider making this part of PTL duties to ensure that doc is updated for each milestone
21:18:34 <nkinder> annegentle: documenting crypto for barbican will absolutely be important (and I want to reach out to them early)
21:18:35 <dhellmann> dolphm: one page per release would make sense
21:18:49 <nkinder> markmcclain: that was my hope too
21:18:50 <ttx> markmcclain: yes, those slackers could use a bit more responsibilities :)
21:18:51 <russellb> ttx: +1
21:18:55 <dolphm> dhellmann: this *should* be mostly static
21:19:00 <russellb> to the earlier comment, not slackers comment
21:19:02 <dolphm> dhellmann: it shouldn't change dramatically per release
21:19:14 <dhellmann> dolphm: you've seen all the new projects, right? :-)
21:19:14 <dolphm> it just needs to be maintained regularly
21:19:14 <nkinder> russellb: easy for you to say, you're stepping down! :P
21:19:24 <annegentle> heh
21:19:31 <russellb> i say it with the understanding of PTL responsibilities
21:19:35 <russellb> and what i think is reasonable
21:19:41 <russellb> for Nova, it wouldn't get done alone
21:19:43 <russellb> it's "ensure it gets done"
21:19:54 <dhellmann> delegate
21:19:55 <ttx> nkinder: so i would engage with projects to encourage them to provide that info based on the model you provided, and ask them to keep current. the OSSG should run regular audits to check that the info is maintained up to date
21:20:32 <nkinder> ttx: Great, that is my plan.  I wanted to float it by the PTLs here to gauge interest first.  It seems that the interest is there, so now it's working out the details.
21:20:42 <russellb> +1!
21:20:47 <russellb> nkinder: totally see the value in this
21:20:51 <dhellmann> +1
21:20:59 <ttx> nkinder: and thx a lot for all the work you've been doing on this and the OSSNs
21:21:02 <nkinder> I'd like to start with a few projects.  Keystone is already started, so maybe 2-3 more to pilot this?
21:21:16 <annegentle> nkinder: yes thanks for the efforts!
21:21:25 <nkinder> Sure.  Happy to help!
21:21:32 <markmcclain> nkinder: I'd be happy to pilot
21:21:53 <nkinder> markmcclain: ok, great!  Any others?
21:22:13 <russellb> ask next week with new PTLs here :)
21:22:22 <ttx> yeah, should be easier
21:22:39 <nkinder> good point
21:22:55 <ttx> ok, next topic
21:22:59 <ttx> #topic Red Flags
21:23:25 <ttx> Anything that will ruin the release next week that I should know about ?
21:23:47 <russellb> if only we knew now
21:24:13 <ttx> well, last week we uncovered the DB upgrades & the translations fail
21:24:22 <ttx> So I'm going fishing again
21:24:36 * dhellmann was picturing ttx with a crystal ball
21:24:40 <russellb> i think ubuntu broke qemu
21:24:49 <russellb> but that's not really an openstack problem, exactly
21:25:09 <ttx> hmm :)
21:25:17 <russellb> ttx: the bug targeted against nova's rc2 turned out to be qemu in ubuntu
21:25:30 <ttx> russellb: will they fix it ?
21:25:39 <annegentle> ttx: do you want some packaging problems install testing uncovered?
21:25:40 <russellb> dunno, but i believe maintainer was emailed directly about it
21:26:10 <ttx> annegentle: hmm... maybe ? define packaging problems install testing
21:26:13 <annegentle> ttx: https://bugs.launchpad.net/openstack-manuals/+bug/1297140
21:26:15 <uvirtbot> Launchpad bug 1297140 in heat "Ubuntu 12.04 (LTS)  - icehouse - heat packaging issues" [Undecided,Confirmed]
21:26:30 <ttx> oh, packaging issues
21:26:33 <ttx> well, no
21:26:41 <ttx> previous job. Done with that
21:26:49 <annegentle> ttx: heh ok, that one's on its way to fixed anyway
21:27:00 <annegentle> ttx: we are uncovering config naming hiccups
21:27:01 <russellb> looks fixed already, nice ... https://bugs.launchpad.net/nova/+bug/1304107
21:27:04 <uvirtbot> Launchpad bug 1304107 in qemu "Libvirt error launching instance - Device 'virtio-net-pci' could not be initialized" [High,Fix released]
21:27:06 <annegentle> securitygroups
21:27:30 <annegentle> er security_group v. securitygroup
21:27:34 <dolphm> this might only impact keystone because we removed keystone.openstack.common.rpc after switching to oslo.notifications but we realized today that rpc_backend options otherwise lose backwards compat when migrating from havana to icehouse http://www.mail-archive.com/openstack-dev@lists.openstack.org/msg21326.html
21:28:50 <ttx> dolphm: sounds like something to document in release notes ?
21:29:05 <annegentle> and we're all bracing for the onslaught of utf-8 questions
21:29:10 <dolphm> ttx: at least for keystone, that's what i'm thinking (an uggrade note or known issue)
21:29:26 <ttx> annegentle: security_group v. securitygroup : release notes material ?
21:29:39 <dolphm> (given that we emitted notifications for the first time in havana, but didn't have any consumers)
21:29:51 <ttx> OK, all in all, we don't seem to be in too bad of a shape
21:30:09 <ttx> we shall be mostly frozen EOD Thursday
21:30:37 <ttx> and become conservative in what we consider release-critical
21:30:45 <annegentle> ttx: this bug fix helped with security_group v. securitygroup https://bugs.launchpad.net/neutron/+bug/1304105
21:30:46 <ttx> anything else on that topic ?
21:30:47 <uvirtbot> Launchpad bug 1304105 in neutron "Section name [security_group] is wrong in sample config files" [Critical,Fix released]
21:31:04 <ttx> ok, RC2 soon
21:31:25 <ttx> #topic Incubated projects
21:31:34 <SergeyLukjanov> ttx, o/
21:31:38 <ttx> devananda, SergeyLukjanov, kgriffs|afk o/
21:31:54 <annegentle> related to Incubated projects, I recommend that each write their own release notes on the wiki using Key New Features, Significant bugs fixed, Known Issues, Upgrade Notes sections
21:32:09 <devananda> ttx: o/
21:32:14 <ttx> SergeyLukjanov: https://launchpad.net/sahara/+milestone/icehouse-rc2
21:32:19 <SergeyLukjanov> ttx, sahara rc2 is planned to Thu
21:32:19 <annegentle> page pattern like: http://wiki.openstack.org/wiki/<projectname>/ReleaseNotes/Icehouse
21:32:26 <SergeyLukjanov> annegentle, will do
21:32:33 <devananda> annegentle: ack, will do this week
21:32:35 <annegentle> SergeyLukjanov: thanks
21:32:41 <annegentle> thanks devananda for asking
21:33:07 <ttx> SergeyLukjanov: I'm surprised you don't have more FixReleased in that list, since you've been backporting stuff
21:33:29 * ttx investigates
21:33:40 <SergeyLukjanov> ttx, looks like my bad
21:34:02 <SergeyLukjanov> ttx, I've moved some from fix released to fix committed due to the rc2 is not released
21:34:11 <SergeyLukjanov> ttx, is it incorrect?
21:34:16 <ttx> Hah! it is
21:34:20 <ttx> So.
21:34:28 <ttx> FixCommitted means "fixed in master"
21:34:39 <ttx> FixReleased means "fixed in milestone-proposed"
21:34:47 <ttx> taht's our only way to track that in LP
21:34:57 <dolphm> this was confusing to me too ^
21:34:59 <ttx> so here is how we play
21:35:10 <dolphm> surprising, anyway
21:35:12 <devananda> hmm, yea, that's not what i expected
21:35:23 <SergeyLukjanov> ttx, oh...,
21:35:24 <ttx> You only approve the backport to RC2 for stuff that is targeted to RC2 AND fixed in master (FixCommitted)
21:35:25 <devananda> ttx: fwiw, we have two bugs identified as backport potential
21:35:44 <ttx> that way you make sure your fix is in both branches
21:35:46 <SergeyLukjanov> ttx, so, I'm moving all of them to Fix Release :)
21:35:51 <ttx> probably
21:36:00 <SergeyLukjanov> ttx, yup, all of them merged to master first
21:36:00 <ttx> SergeyLukjanov: and always have a bug for each backport
21:36:19 <devananda> ttx: though the proposed fix for one of them is a) non-trivial plumbing change and b) only a partial backport of the much larger change proposed for juno
21:36:27 <ttx> SergeyLukjanov: LP will automatically set "FixReleased" if the bug merges to milestone-proposed
21:36:58 <ttx> SergeyLukjanov: is it clear now or do you ned more explanation ? I know it's confusing
21:37:13 <ttx> so the process is:
21:37:15 <SergeyLukjanov> ttx, ok, so, I'll update them to Fix Released and ensure that all backported changes have an issue or backing blueprint
21:37:18 <ttx> - target to RC2
21:37:23 <ttx> - get the bug fixed in master
21:37:30 <ttx> (it moves to FixCommitted)
21:37:36 <ttx> - backport it to milestone-proposed
21:37:44 <ttx> (it moves to FixReleased)
21:37:53 <SergeyLukjanov> ttx, the only unclear thing for me was "Fix Released", thanks for detailed explanation
21:38:01 <ttx> then you use the milestone page to track progress to RC
21:38:14 <ttx> SergeyLukjanov: i'll let you fix status so that it matches reality
21:38:20 <ttx> devananda: o/
21:38:54 <devananda> ttx: hi!
21:38:59 <ttx> devananda: you're in full control of what ends up in icehouse release for ironic :)
21:39:15 <ttx> whatever you feel comfortable with, you can push to release branch
21:39:29 <ttx> by design, it can't wreck the other projects since you're not integrated yet
21:39:45 <devananda> ttx: ok. i've been avoiding large changes late in the cycle, in part because there are folks tracking us
21:40:00 <devananda> ttx: and in part to get us used to the process / cadence
21:40:02 <ttx> devananda: yes, that's not really a license to kill either
21:40:07 <devananda> right :)
21:40:17 <devananda> so my question here, w.r.t. backports, is
21:40:33 <ttx> devananda: but I just don't have the bandwidth to look into the incubated changes to check their risk/benefit ratio
21:40:41 <devananda> fair enough
21:40:53 <ttx> but i can give you advice if you need it
21:40:55 <devananda> but any guidance on that is helpful :)
21:40:58 <SergeyLukjanov> ttx, statuses fixed
21:40:58 <ttx> ok
21:41:26 * ttx likes how LP redirects transparently savanna to sahara
21:41:45 <SergeyLukjanov> ttx, yup, it works smoothly
21:41:53 <SergeyLukjanov> we need such feature in storyboard too :)
21:42:04 <ttx> SergeyLukjanov: so 1302130 needs to be backported, and 1302755 1304100 first need to be fixed in master. Is that correct ?
21:42:28 <SergeyLukjanov> ttx, yup
21:42:31 <ttx> devananda: if you have a specific doubt I can help address, just point me to it
21:42:43 * devananda gets the link
21:43:28 <devananda> ttx: https://bugs.launchpad.net/ironic/+bug/1297925
21:43:29 <uvirtbot> Launchpad bug 1297925 in ironic "Disk partitioning is broken if swap >= 1024mb" [Critical,In progress]
21:43:46 <ttx> that happens. swap >= 1024mb
21:44:26 <devananda> ttx: the proposed quick-fix is to s/sfdisk/parted/
21:44:53 <devananda> but as we've been testing with one, not the other, it's hard for me to quantify the impact of that change this late
21:45:45 <ttx> devananda: ok -- so let's imagine hat was integrated
21:45:53 <ttx> +t
21:46:12 <ttx> that fix wouldn't be possible post-releasesince it fails stable patch acceptance to change behavior/deps/etc
21:46:34 <ttx> does it impact doc or is it completely under the hood ?
21:47:12 <devananda> under the hood
21:47:31 <devananda> both sfdisk and parted are present on current ubuntu dists, and afaik, same goes for RH
21:47:37 <ttx> devananda: ok... so you have two options: document the limitation in release notes, or just do all the testing you can and push the change to users asap
21:47:40 <ttx> (rc2)
21:47:58 <devananda> right -- i'd prefer option 2
21:47:59 <ttx> all depends how acceptable the "limitation" is
21:48:17 <ttx> if ironic is useless without it, well option 2 it is
21:48:49 <devananda> not useless -- but hamstrung for deploying on large bare metal systems
21:48:55 <devananda> where swap ~ RAM is expected
21:49:11 <ttx> frankly, given your state, it's a nobrainer, do it
21:49:18 <devananda> ack
21:49:20 <ttx> you want something usable and you can accept the risk
21:49:34 <devananda> great, will push it today
21:49:37 <devananda> thanks!
21:50:00 <devananda> I really appreciate the walk through the process :)
21:50:49 <ttx> devananda: not that in theory you'll need the fix to go in master first
21:51:07 <ttx> devananda: before you backport (part of) it
21:51:11 <devananda> does the backport need to be nearly the same code?
21:51:12 <devananda> right
21:51:18 <ttx> not necessarily
21:51:20 <devananda> so there's a much larger feature proposed to fix it in master
21:51:24 <devananda> and a small one as a backport
21:51:27 <ttx> it's the safeguard to make sure we don't regress from MP to master
21:51:33 <devananda> k
21:52:13 <ttx> you could push the simple patch to master and then the refactor can overwrite it
21:52:16 <SergeyLukjanov> ttx, I like this idea of safeguarding
21:52:54 <ttx> the two rules of milestone-proposed are: bug must be fixed (or not exist) in master
21:53:09 <ttx> and bug must be targeted to the relevant RC milestone
21:53:27 <SergeyLukjanov> ttx, btw, I've created m-p branches for the rest sahara repos as we agreed to release them like I do it before (with 2014.1 tag)
21:53:36 <ttx> ok
21:53:59 <ttx> devananda: want me to add the rc2 milestone for you ?
21:54:12 <devananda> ttx: I just created it, thx
21:54:39 <ttx> devananda: ok, just send me an email (or ping on IRC) when you need the tag pushed / tarball uploaded
21:55:32 <devananda> ttx: ack. thanks
21:56:04 <ttx> devananda: if the "much larger feature proposed to fix it in master" gets delayed I would advise you push a simple version of it first so that the backport can be safely pushed to mp
21:57:52 <ttx> #topic Open discussion
21:57:56 <ttx> Anything, anyone ?
21:57:58 <ttx> #endmeeting