17:03:52 #startmeeting Security 17:03:53 Meeting started Thu Mar 9 17:03:52 2017 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:03:54 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:03:56 Whoopsy 17:03:56 The meeting name has been set to 'security' 17:03:58 o/ 17:04:01 o/ 17:04:14 o/ 17:04:17 o/ 17:04:18 o/ 17:04:21 I'm very sorry for being late guys 17:04:25 It's been a crazy few days 17:04:43 no problem hyakuhei :) 17:04:47 i was wondering if DST has started :D 17:04:55 I wouldn't even know 17:05:02 Totally heads down at the moemnt 17:05:03 o/ 17:05:07 o/ 17:05:10 oh hai capnoday 17:05:16 sup mate 17:05:28 so we know DST is not in affect guys! 17:05:30 Crazy 17:05:41 lol no, just a hyakuhei DoS I'm afraid 17:05:46 Very poor latency atm 17:05:51 zero bandwidth 17:05:52 etc 17:06:07 lol 17:06:09 aasthad yep we are still on UTC/GMT atm 17:06:11 :D 17:06:16 Could we get an update on the docs bugs to start with as we've got lots of OSIC ninjas here 17:06:17 #topic Security Guide 17:06:28 gotya capnoday 17:06:34 so , we have pushed 2 patches for 2 sec bugs 17:06:52 One on neutron and the other one with cinder 17:07:14 I am not able to get the link from top of my head 17:07:30 I am working on https://bugs.launchpad.net/neutron/+bug/1274034 this one 17:07:30 Launchpad bug 1274034 in neutron "Neutron firewall anti-spoofing does not prevent ARP poisoning" [High,Fix released] - Assigned to Kevin Benton (kevinbenton) 17:07:41 #chair capnoday 17:07:41 Current chairs: capnoday hyakuhei 17:07:47 it seems to be something of the past, that we just need to close.. 17:07:53 unrahul excellent! 17:07:54 anyone has any comments on that bug? 17:08:11 i am working on https://bugs.launchpad.net/ossp-security-documentation/+bug/1619502 17:08:11 Launchpad bug 1619502 in OpenStack Security Guide Documentation "Information Validation - Federated keystone in Security Guide" [Medium,Confirmed] - Assigned to Khanak Nangia (knangia) 17:08:39 thanks hyakuhei :), the other teams have been helping us with figuring out if these bugs are still valid 17:09:01 You guys are doing great! 17:09:34 Anyone has any comments on this one https://bugs.launchpad.net/neutron/+bug/1274034 ? 17:09:34 Launchpad bug 1274034 in neutron "Neutron firewall anti-spoofing does not prevent ARP poisoning" [High,Fix released] - Assigned to Kevin Benton (kevinbenton) 17:09:49 * hyakuhei looks 17:09:49 hyakuhei: capnoday ^ 17:09:52 And I've been working on this bug https://bugs.launchpad.net/ossp-security-documentation/+bug/1619485 after assigning it to myself from capnoday 17:09:52 Launchpad bug 1619485 in OpenStack Security Guide Documentation "Annual Cipher Validation - Introduction to TLS and SSL in Security Guide" [Medium,Confirmed] - Assigned to Vinay Potluri (vinay-potluri) 17:10:15 thanks vinaypotluri - how's it looking now? 17:10:35 unrahul that's a massive thread, what's the TL:DR ? 17:12:05 Well, as the bug suggests, we had to write in the sec guide about flat networking not really isolating tenants, but with patches for OVS and linux bridge it seems we can isolate the traffic by correct configuration. This is already mentioned in the sec guide.. here https://docs.openstack.org/security-guide/networking/services-security-best-practices.html 17:12:12 so should we just close it? 17:13:13 o/ tkelsey 17:13:39 #chair kangia unrahul vinaypotluri tkelsey aasthad 17:13:40 Warning: Nick not in channel: kangia 17:13:41 Current chairs: aasthad capnoday hyakuhei kangia tkelsey unrahul vinaypotluri 17:13:54 hyakuhei: knangia 17:13:56 o/ hyakuhei sorry im running late 17:13:58 I'll BRB, you guys keep going :) 17:14:01 #chair knangia 17:14:02 Current chairs: aasthad capnoday hyakuhei kangia knangia tkelsey unrahul vinaypotluri 17:14:16 you could have done that vinaypotluri ;) 17:14:17 capnoday can you keep it moving along please? 17:14:26 np 17:14:32 :) 17:14:43 sure hyakuhei we will take the lead 17:14:56 f:) 17:15:10 capnoday: tkelsey so what do you think about the sec guide bug , the information is already present in the guide, should we just close it. 17:15:10 * :) 17:15:28 Im inclined to just close it 17:15:45 seems like it has been superseeded now 17:16:28 yes.. it is, I dont think there is any need to continue it.. and if anyone wants it in more detail, I feel they should raise a new bug as a wish list 17:16:37 +1 17:16:42 +1 17:16:43 thanks guys 17:16:45 agreed unrahul 17:16:52 right done, thanks vinay rahul 17:16:57 for this https://bugs.launchpad.net/ossp-security-documentation/+bug/1619502 : talking to keystone team, some information needs to be refreshed, setting up the environment...for now according to the keystone team, the information on the federated keystone seems correct.... 17:16:57 Launchpad bug 1619502 in OpenStack Security Guide Documentation "Information Validation - Federated keystone in Security Guide" [Medium,Confirmed] - Assigned to Khanak Nangia (knangia) 17:16:59 so one bug sec guide close yay! 17:17:22 great, any other security guide stuff you want to discuss? 17:17:32 I am working on this bug : https://bugs.launchpad.net/ossp-security-documentation/+bug/1446756 17:17:32 Launchpad bug 1446756 in OpenStack Security Guide Documentation "Integrity life-cycle in OpenStack Security Guide - current" [Medium,Confirmed] - Assigned to Aastha Dixit (aastha-dixit) 17:17:34 yup 17:17:35 one more 17:17:38 :) 17:17:40 ahhh, completely lost track of time..sorry all 17:17:43 Its about dm-verity’s use with openstack. have you guys ever worked with this before 17:17:48 :D 17:18:03 tkelsey sicarie? 17:18:23 welcome lhinds :) 17:18:34 thanks knangia 17:18:50 I can give an OSSN update whenever you folks like. 17:18:56 ok ive never touched dm-verity (or heard of it before now) 17:19:14 :) 17:19:33 but if you want to propose a patch talking about its use aasthad please do so 17:19:48 #link https://source.android.com/security/verifiedboot/ 17:19:49 I have heard its use on android b4, but thats it 17:20:05 yup.. and they are asking how it can be used in openstack 17:20:16 and I am not really sure.. in what way dmverity helps openstack 17:20:41 hyakuhei: lhinds capnoday any comments? 17:20:41 so I will post a patch on what I know about it is true. and lets see how it goes 17:20:46 hmm, would need a port first to main kernel 17:20:47 I will push a patch soon 17:20:59 yes true 17:21:02 I don't think openstack would be the first place to look at implemtation 17:21:10 It's more of a BM concern really 17:21:34 not sure how to make changes at kernel level 17:21:43 or if that is even needed :D 17:21:47 whats BM concern hyakuhei 17:21:57 Sorry, bare metal 17:22:01 I think the OS devs or deployers of binaries to concern about it 17:22:43 oh yeah true. would need to ask for a server ! so what do you guys think do we actually need this or we can close it somehow? 17:24:03 i mean if its actually in the scope of our documentation? 17:24:34 wish list if not closing 17:24:40 lhinds +1 17:24:50 +1 lhinds 17:25:06 it is in kernel branch, but not sure how decent it is: https://github.com/torvalds/linux/blob/5924bbecd0267d87c24110cbe2041b5075173a25/drivers/md/dm-verity.h 17:25:58 or robust rather 17:25:58 netflix project originally 17:28:16 timecheck: 2 minutes 17:28:17 *minutes 17:28:23 ok, lets go wishlist and shelve that for the moment 17:28:44 okay capnoday 17:28:48 quick one: last OSSN for reviews: https://review.openstack.org/#/c/443587/ 17:28:52 unrahul thanks for your email on keystone vuln analysis, i will get back to you shortly 17:29:03 thanks capnoday 17:29:06 thankyou lhinds capnoday 17:29:12 Great 17:29:18 lhinds thanks for the ossn, will review 17:29:21 np aasthad 17:29:24 AOB? 17:29:39 I have asked them to talk to us here in the security channel if there is any help needed from our end 17:30:05 ok 17:30:30 cool 17:31:07 shall we end the meeting 17:31:17 i guess yed 17:31:19 #endmeeting