17:00:28 <tmcpeak> #startmeeting security
17:00:28 <openstack> Meeting started Thu Mar 24 17:00:28 2016 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:29 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:32 <openstack> The meeting name has been set to 'security'
17:00:33 <tmcpeak> #chair hyakuhei
17:00:34 <openstack> Warning: Nick not in channel: hyakuhei
17:00:35 <openstack> Current chairs: hyakuhei tmcpeak
17:00:40 <singlethink> o/
17:00:40 <tmcpeak> whatup whatup
17:00:43 <bknudson> hi
17:00:44 <cjschaef> hi
17:00:50 <ccneill> o/
17:01:05 <hyakuhei> Sup y’all
17:01:15 <mdong> o/
17:01:27 <elmiko> yo hyakuhei
17:01:44 <tkelsey> o/
17:02:11 <browne> o/
17:02:19 <tmcpeak> #link https://etherpad.openstack.org/p/security-20160324-agenda
17:02:24 <shelleea007> o/
17:02:25 <tmcpeak> ^ da agenda
17:02:42 <hyakuhei> wootles
17:03:07 <michaelxin> hi
17:03:07 <tmcpeak> allright, let's get started
17:03:18 <tmcpeak> #topic Anchor
17:03:30 <tmcpeak> saw 0.4.0 is out, eh?
17:03:37 <tmcpeak> tkelsey, hyakuhei
17:03:50 <hyakuhei> Yeah there was an announcement and everything!
17:04:19 <tkelsey> hyakuhei: oh nice on getting the announcement out :)
17:04:23 <hyakuhei> It’s pretty stable now, don’t expect much more to happen
17:04:28 <tmcpeak> sick
17:04:31 <hyakuhei> Yeah it’s 97% Stan’s work :D
17:04:35 <hyakuhei> (viraptor
17:04:36 <tmcpeak> well what about 1.0 then?
17:04:50 <hyakuhei> Needs 3% more work from Stan :P
17:04:57 <tkelsey> lol
17:05:06 <tmcpeak> Mr. Raptor is a beast
17:05:26 <tmcpeak> what else do you guys need to get it 1.0 status?
17:05:37 <tmcpeak> just bug fixes or new features?
17:05:38 <browne> stan the man
17:05:39 <hyakuhei> TBH I’m not 100% sure. Not much though.
17:05:56 <michaelxin> +1
17:06:01 <tmcpeak> I feel like Stan should be coming to these meetings, it's only like 2AM there, right?
17:06:16 <hyakuhei> I know right!
17:06:21 <elmiko> heh
17:06:23 <michaelxin> where is Stan?
17:06:28 <tmcpeak> Australia somewhere
17:06:29 <hyakuhei> Aus
17:06:41 <hyakuhei> Somewhere it’s both warm and snowy. I don’t understand how that works.
17:06:46 <michaelxin> Got it. Thanks.
17:07:03 <tmcpeak> allright cool, maybe we can put a roadmap for 1.0 at some point
17:07:09 <tmcpeak> would be nice to declare a victory :)
17:07:36 <tmcpeak> http://apjjf.org/data/bush_mission_accomplished.png
17:07:48 <elmiko> there is also the question of openstack-iness of anchor, imo
17:07:52 <tmcpeak> security is fixed, you can all go home
17:08:00 <tmcpeak> elmiko: let's discuss
17:08:04 <elmiko> maybe on the roadmap for 2.0
17:08:35 <tmcpeak> elmiko: what you have in mind?
17:08:38 <elmiko> well, from my initial browsing of the code for anchor i felt there was room to bring its apis more in alignment with the openstack community
17:08:48 <tmcpeak> ahh cool
17:08:55 <elmiko> and i think there were a few other minor details
17:08:57 <elmiko> but,
17:09:04 <michaelxin> elmiko: +1
17:09:16 <elmiko> when i brought this up before we kinda descended into a discussion of how "openstacky" anchor should e
17:09:19 <elmiko> *be
17:09:20 <tmcpeak> elmiko: would you mind filing these concerns in launchpad so we can track them?
17:09:34 <tmcpeak> regardless it should at least be on the table for discussion
17:09:38 <tkelsey> elmiko: interesting, perhaps put up a blueprint for it ?
17:09:46 <tmcpeak> +1 yeah that ^
17:09:52 <elmiko> i can, but i think it would be appropriate to talk with the anchor team first to make sure they are cool with that direction
17:09:54 <hyakuhei> Yup yup
17:10:05 <elmiko> ok, if you guys want to debate it over a bp i'm down with that
17:10:17 <tmcpeak> yeah it's been a while since we had a nice bikeshed party
17:10:20 <tkelsey> elmiko: its simpler to use async comms with TZs
17:10:22 <elmiko> hehe
17:10:29 <elmiko> tkelsey: ack
17:10:42 <tmcpeak> cool, anything else for Anchor?
17:10:52 <tmcpeak> #TODO elmiko to file grievances in BP form
17:10:56 <elmiko> i have a feeling my suggestions might be quite disruptive though, just a warning
17:10:59 <elmiko> LOL
17:11:00 <hyakuhei> rofl
17:11:03 <tmcpeak> that's what we love about you
17:11:12 <elmiko> ;)
17:11:23 <tmcpeak> #topic Bandit
17:11:24 <hyakuhei> That’s fine.
17:11:30 <tmcpeak> tkelsey: you've been doing most of the work, what's up here?
17:11:34 <tkelsey> ok, so 1.0 is so very close now :)
17:11:36 <hyakuhei> OpenStack isn’t the _only_ target for Anchor though ;)
17:11:53 <tkelsey> I had a quick poll of the cores and I think everyone was happy with the features now
17:11:59 <tmcpeak> yep yep
17:12:19 <elmiko> hyakuhei: right, which is why i kinda backed off before
17:12:24 <tkelsey> so its just bug hunting and fixing, we need a single patch to oslo.messaging to land so browne can get the integration tests green then we are good to go
17:12:29 <hyakuhei> It’s good to have the discussion :)
17:12:44 <tmcpeak> hrmm, I probably changed topic too quick ;)
17:12:47 <elmiko> cool
17:12:51 <tmcpeak> I'm caffeinated and twitchy
17:12:54 <elmiko> nah, no worries
17:13:05 <tkelsey> I have a few people (internal and external) asking about bugs in 0.17.3 that are fixed in master
17:13:12 <tmcpeak> cool, browne: what's the status with your infra patch?
17:13:14 <tkelsey> so I really want to get the release rolled ASAP
17:13:21 <michaelxin> rahulunair: welcome
17:13:22 <tmcpeak> yeah
17:13:39 <tmcpeak> so what do you guys think about doing a 0.99 with all this stuff and then fix bugs to 1.0?
17:13:49 <tkelsey> I would sooner go full 1.0
17:13:59 <tmcpeak> I just want 1.0 to be really well tested
17:14:06 <michaelxin> 1.0 sounds better
17:14:10 <tmcpeak> since this will be the first time many have seen Bandit I want to make sure it's damn good
17:14:26 <tmcpeak> at least a week of real hammering
17:14:42 <tmcpeak> but like you said tkelsey there are bugs in 0.17.3 that have been fixed
17:14:53 <tmcpeak> and our new config-less option is ready to go, so would be good for people to start using it
17:15:01 <browne> tmcpeak: waiting on https://review.openstack.org/#/c/286506/
17:15:01 <browne> alternatively we could update infra to remove oslo.messaging from the integration for now
17:15:36 <tkelsey> browne: yeah, it may come to that. I think I may have to push something monday
17:15:43 <tmcpeak> that seems ok, this one looks bogged down
17:15:55 <browne> i think the most likely problems we'll have with the 1.0 release is some obscure project using the very initial bandit.yaml which doesn't properly work anymore
17:16:06 <elmiko> o/
17:16:11 <elmiko> ;P
17:16:12 <tmcpeak> that's not our problem though, we've always said this is development status
17:16:31 <tmcpeak> that's the big difference between 1.0 and prior to 1.0 IMO
17:16:37 <tkelsey> browne: yeah, though I think I have that covered (i'll confirm by grabbing the first config from git and using it)
17:16:38 <browne> yeah
17:17:18 <tmcpeak> ok so what timeframe you guys thinking for 1.0?
17:17:19 <browne> tkelsey: might be worthwhile to put that in a unit test
17:17:32 <tkelsey> browne: yeah thats not a bad idea
17:17:48 <tmcpeak> 1) remove oslo from integration tests   2) merge in flight stuff    3) test for a week    4) profit?
17:18:01 <tkelsey> 3 test for 4 days :P
17:18:21 <tmcpeak> I have to insist on at least 4.62 days tkelsey, final offer
17:18:32 <michaelxin> haha
17:18:40 <tkelsey> is that working days? and can we shift for timezones
17:18:48 <tmcpeak> allright cool, well we'll keep going with this strategy
17:18:53 <tmcpeak> seems like we're well on track for summit release
17:19:07 <tmcpeak> anything else on Bandit?
17:19:18 <tkelsey> yeah that wont be a problem, its only the bugs in 0.17 that are pushing things a little ahead of schedule
17:19:27 <tmcpeak> yep yep
17:19:38 <tkelsey> once 1.0 is out then it should be back to release early, release often
17:19:45 <tmcpeak> cool
17:20:00 <tmcpeak> #topic Sec Guide
17:20:06 <tmcpeak> elmiko: sicarie
17:20:11 <sicarie> pretty much the same
17:20:15 <sicarie> a few bugfixes
17:20:29 <tmcpeak> sweet
17:20:29 <sicarie> We had a good merge on glance image validation I’m going to do a blog write-up for
17:20:35 <tmcpeak> you guys doing anything for it at the summit?
17:20:39 <sicarie> we had input on that yesterday, will probably get more contributions
17:20:44 <sicarie> No, but that’s a good idea
17:20:51 <sicarie> elmiko: Barcelona?
17:20:52 <sicarie> :D
17:21:18 <elmiko> hehe
17:21:20 <elmiko> could be
17:21:23 <tmcpeak> if you do I'm going to attempt to barrel my way into sec guide participation
17:21:43 <elmiko> tmcpeak: please do, we could use more bodies =)
17:21:51 <sicarie> +1
17:21:57 <sicarie> that’s all I have on the sec-guide
17:22:02 <tmcpeak> #topic Syntribos
17:22:08 <elmiko> and i don't think we signed up for a sec-guide session, i suppose we could piggyback on doc team
17:22:11 <tmcpeak> michaelxin: ccneill etc
17:22:22 <michaelxin> before we start
17:22:43 <michaelxin> we have a new intel team member join us today
17:22:48 <tmcpeak> sick
17:22:49 <tmcpeak> who?
17:22:55 <michaelxin> rahulunair: Would you please introduce yourself?
17:23:14 <rahulunair> Hi all, I am rahul, just joined the team a day back.
17:23:14 <michaelxin> Now, we have two rackers and one Intel team member working on this.
17:23:21 <michaelxin> full time
17:23:22 <tmcpeak> awesome!
17:23:39 <michaelxin> now, it is ccneill, mdong and rahulunair's turn
17:23:46 <tmcpeak> good stuff
17:23:51 <tkelsey> :)
17:23:53 <ccneill> welcome, rahulunair!
17:23:59 <sicarie> +1 welcome!
17:24:03 <mdong> yep, welcome to the team, rahulnair!
17:24:18 <bknudson> welcome!
17:24:20 <elmiko> welcome aboard rahulunair =)
17:24:43 <mdong> as Michael said, as part of Rackspace’s OSIC initiative, we now have three people dedicated full time to work on Syntribos
17:24:46 <rahulunair> thanks all, i am excited to be here.
17:24:58 <hyakuhei> OSIC?
17:25:05 <hyakuhei> Welcome rahulunair :)
17:25:07 <mdong> Rackspace and Intel
17:25:09 <tmcpeak> that's awesome, I'm excited to see Syntribos grow
17:25:14 <hyakuhei> Ah yeah, exciting times!
17:25:16 <ccneill> hyakuhei: http://osic.org
17:25:31 <mdong> sorry, can’t have that sort of omission!
17:25:45 <elmiko> ccneill: neat
17:26:19 <hyakuhei> very
17:26:23 <mdong> so we have been using Syntribos to test Solum for the past two weeks, which has been pretty valuable as a test run to see how it performs in a real world environment
17:27:22 <hyakuhei> How did it do?
17:27:33 <mdong> we’ve got a lot of work to do, but with 3 people now dedicated to this project, we’re going to have some real movement towards our goal of providing test coverage across Openstack products
17:28:01 <hyakuhei> That’s awesome
17:28:11 <mdong> one of the things it’s taught us is that the tests we’ve written for it need to be more robust
17:28:25 <hyakuhei> Very sensible
17:28:33 <ccneill> we're starting to track our weekly meetings on the OpenStack etherpad
17:28:35 <ccneill> #link https://etherpad.openstack.org/p/syntribos-planning
17:28:38 <tmcpeak> +1, very cool
17:28:41 <elmiko> nice
17:28:51 <michaelxin> +2
17:29:04 <mdong> there’s a whole bunch of blueprints
17:29:12 <ccneill> we typically do them on our internal video conferencing software, but if there are others who want to join, I imagine we can figure something out for more folks to join us
17:29:15 <mdong> https://blueprints.launchpad.net/syntribos/
17:29:34 <mdong> we’ll be cleaning this up and prioritizing the blueprints in the very near future
17:30:12 <tmcpeak> this is impressive, looks like you're all tooling up to make something cool :)
17:30:26 <ccneill> we've also started tracking potential small roadmap items here
17:30:27 <mdong> anyway I don’t have anything else on Syntribos, but I’m definitely excited for the potential of this project
17:30:28 <ccneill> #link https://etherpad.openstack.org/p/syntribos-glitches
17:30:52 <ccneill> these will probably get filtered into BPs eventually
17:30:54 <tmcpeak> cool, I'm excited to see how it goes
17:30:56 <ccneill> BPs/CRs
17:31:18 <ccneill> if anyone is an expert in sphinx + OpenStack docs, ping me after the meeting
17:31:25 <elmiko> very encouraging to see this level of progress
17:31:26 <tmcpeak> browne is :P
17:31:30 <ccneill> trying to figure out how to document the code, not just have a long README
17:32:01 <tmcpeak> cool..
17:32:05 <tmcpeak> #topic Summit Planning
17:32:05 <michaelxin> nice
17:32:05 <elmiko> i think we have enough knowledge around here that we could easily make a patch to syntribos to add a doc structure
17:32:16 <michaelxin> elmiko: +1
17:32:18 <tmcpeak> who wants to do what
17:32:19 <ccneill> elmiko: that would be awesome :)
17:32:25 <tmcpeak> we have fishbowls, something, something
17:32:34 <elmiko> ccneill: i'll take a look at the code this afternoon
17:32:47 <redrobot> any fishbowls for BYOK?  Or any news of adding it to the cross-project track?
17:33:05 <tmcpeak> I will be at summit now so I'll work with browne, bknudson, and redrobot to promote Bandit
17:33:15 <bknudson> great!
17:33:27 <ccneill> elmiko: awesome. thank you!
17:33:39 <hyakuhei> redrobot: Good question. I’m not sure. A feys ago the Design summit wiki/etherpad wasn’t up
17:33:40 <tmcpeak> hyakuhei: poke, BYOK
17:33:49 <michaelxin> tmcpeak: +1
17:33:58 <hyakuhei> ^^
17:34:02 <tmcpeak> :P
17:34:17 <hyakuhei> I’d like to have more to choose from here guys: https://etherpad.openstack.org/p/security-newton-summit-brainstorm
17:34:21 <elmiko> i also noticed there is a cross project session on the instance user issue, i think it would be worthwhile if a few ossp folks could attend that
17:34:27 <elmiko> (i'm going to try)
17:34:35 <tmcpeak> how big is a fishbowl?
17:34:39 <tmcpeak> what's the biggest room we have?
17:34:45 <michaelxin> Will everyone be in the summit?
17:34:55 <tmcpeak> certainly not :)
17:35:09 <redrobot> fishbowl=large room, also listed on the schedule for wide audience participation
17:35:23 * ccneill won't be :(
17:35:28 <hyakuhei> Yup
17:35:34 <hyakuhei> elmiko: linky?
17:35:41 <singlethink> I won't be either :-(
17:35:42 <michaelxin> how many design sessions will we have?
17:36:15 <elmiko> #link https://etherpad.openstack.org/p/newton-cross-project-sessions
17:36:40 <hyakuhei> Dank
17:36:42 <hyakuhei> *e
17:38:01 <hyakuhei> #action hyakuhei to add some cross project proposals for BYOK, Anchor, Threat Analysis
17:38:05 <redrobot> in case anyone is interested
17:38:06 <redrobot> #link https://etherpad.openstack.org/p/newton-barbican-design-sessions
17:38:06 <tmcpeak> I wonder if we should do Bandit here in the cross project
17:38:13 <tmcpeak> Bandit overview
17:38:16 <hyakuhei> All can be done using Security time/space too if required
17:38:50 <elmiko> tmcpeak: it seemed to me that the intention of the cross-project stuff was to address issues and questions, not necessarily as intro/tutorial type sessions
17:39:04 <tmcpeak> elmiko: ah, gotcha
17:39:05 <elmiko> more design related
17:39:24 <tmcpeak> not a good opportunity to pimp Bandit gates?
17:39:46 <elmiko> could be, but address it like "should all projects have bandit gates?"
17:39:51 <tmcpeak> gotcha
17:39:54 <elmiko> or "we propose ..."
17:39:56 <hyakuhei> +1
17:40:04 <michaelxin> +1
17:40:10 <tmcpeak> well if we're going to do one of those my vote lies with TA
17:40:16 <elmiko> speaking of that, i'm putting up a change to have sahara's bandit gate go voting =D
17:40:38 <hyakuhei> woohoo
17:40:41 <tmcpeak> elmiko: sweet!
17:40:50 <tmcpeak> wait, are you guys passing?
17:40:51 <michaelxin> +100
17:40:52 <tmcpeak> :P
17:40:59 <ccneill> niice
17:41:01 <elmiko> tmcpeak: yup, went through all the issues and we are green now
17:41:02 <tmcpeak> or are you using baseline?
17:41:06 <tmcpeak> sweet!
17:41:30 <elmiko> took awhile because we use too much pickle
17:41:31 <tmcpeak> allright
17:41:55 <tmcpeak> pickle dependence is a hard habit to break ;)
17:42:06 <elmiko> heh, yeah
17:42:07 <bknudson> yay!
17:42:23 <tmcpeak> #topic OSSN
17:42:26 <bknudson> what did you replace pickle with?
17:42:58 <tmcpeak> yeah good question
17:43:46 <tmcpeak> elmiko: ^
17:43:47 <elmiko> well, we haven't replaced it yet. but i went through and ensured that our usage will not introduce security issues, that was the time consuming part.
17:44:05 <tmcpeak> ahh, would be good to add something to sec guidance based on whatever you find
17:44:11 <elmiko> we have a TODO to evaluate options in how we handle our ssh transactions (which are the majority of our pickle usages)
17:44:27 <bknudson> great
17:44:41 <bknudson> it makes me feel much better that it's ssh related.
17:44:50 <tmcpeak> elmiko: you have a code example you can point me to?
17:44:55 <elmiko> i really didn't want to just mark everything as nosec, so i did a deep dive on every warning/error produced
17:45:04 <tmcpeak> +1
17:45:09 <elmiko> tmcpeak: sure, give me a few
17:45:17 <tmcpeak> coool
17:45:26 <tmcpeak> so this is the part of the meeting we try to bum note writers
17:45:31 <tmcpeak> we've got a couple interesting looking issues
17:45:36 <tmcpeak> #link https://bugs.launchpad.net/ossn
17:45:49 <tmcpeak> #link https://bugs.launchpad.net/ossn/+bug/1507841
17:45:49 <openstack> Launchpad bug 1507841 in OpenStack Security Notes "mongodb guest instance allows any user to connect" [Undecided,New]
17:46:01 <tmcpeak> this looks fun for anybody that wants to write a note and hasn't written one or hasn't written one in a while
17:46:42 <tmcpeak> anyways, please sign up for a bug if you're so inclined and have the bandwidth
17:46:49 <hyakuhei> I still need to go after one.
17:47:04 <elmiko> that sounds kinda bad
17:47:12 <tmcpeak> yeah
17:47:29 <tmcpeak> #topic AOB
17:47:35 <elmiko> tmcpeak: probably our most prominent example of pickle, https://github.com/openstack/sahara/blob/master/sahara/utils/procutils.py#L46
17:47:36 <tmcpeak> hyakuhei: have you been elected fearless leader again yet?
17:47:50 <elmiko> it's used deep in sahara for deploying some specific commands to the cluster nodes
17:47:52 <hyakuhei> By default I think
17:48:07 <gmurphy> #link https://review.openstack.org/#/c/293147/
17:48:12 <gmurphy> can i get a review of this please?
17:48:19 <elmiko> but, the commands that are generated by the pickle are isolated to sahara's usage only and won't accept outside input. so i felt ok adding a nosec
17:48:35 <tmcpeak> gmurphy: sure
17:48:37 <gmurphy> (changes to security guidelines)
17:48:43 <gmurphy> guidance
17:48:45 <gmurphy> or whatever its called
17:48:55 <tmcpeak> elmiko: thanks for the reference, I'll do some reads after the meeting :)
17:49:11 <elmiko> gmurphy: ack, i'll take a look
17:49:40 <tmcpeak> elmiko: wait, so what are you guys doing here?
17:49:51 <tmcpeak> why not use paramiko with parameterized input?
17:50:44 <elmiko> tmcpeak: i'd need to look into paramiko further, but that might be a possible solution
17:50:56 <tmcpeak> ok, yeah seems like a more direct way of doing what you're trying to do :)
17:51:01 <tmcpeak> maybe I'm missing context though
17:51:13 <elmiko> essentially there are some bits of python that we encapsulate and send to the cluster nodes
17:51:23 <tmcpeak> just make sure you wrap all calls with parameterization because paramiko runs on a shell
17:51:49 <singlethink> On the (off-)topic of summits, is anyone attending the Linux Collaboration Summit?
17:51:50 <elmiko> right, hence my todo. this needs a much deeper inspection to replace, its at the of some sahara functionality
17:52:01 <elmiko> *the core
17:52:03 <tmcpeak> cool, let me know if you'd like a second set of eyes
17:52:12 <elmiko> tmcpeak: definitely, thanks!
17:52:26 <elmiko> singlethink: sadly, not me =(
17:52:43 <tmcpeak> ooh Squaw
17:52:58 <tmcpeak> I'm actually going to squaw the following weekend
17:53:10 <tmcpeak> maybe I should build some business case to go a little early :P
17:53:17 <hyakuhei> =
17:53:32 <hyakuhei> Sorry ^^ cat
17:53:40 <singlethink> (I won't be able to make the OpenStack Summit but I thought it might be a chance to meet up if anyone's going...)
17:54:42 <hyakuhei> I think it would be interesting to talk about how we’re doing security for OpenStack at other open source-y conferences.
17:54:48 <tmcpeak> looks like some good security stuff here
17:55:01 <tmcpeak> hyakuhei: +1
17:55:07 <singlethink> hyakuhei: I think that would be useful
17:55:52 <tmcpeak> allright anything else or shall we wrap?
17:56:04 <hyakuhei> Wrap it up :)
17:56:10 <tmcpeak> allright, thanks everybody
17:56:11 <tmcpeak> #endmeeting