12:02:30 <jaosorior> #startmeeting TripleO Security Squad
12:02:31 <openstack> Meeting started Wed Apr 11 12:02:30 2018 UTC and is due to finish in 60 minutes.  The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:02:32 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:02:34 <openstack> The meeting name has been set to 'tripleo_security_squad'
12:02:39 <jaosorior> Gonna wait a couple of minutes for more folks to log in.
12:03:31 <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/tripleo-quickstart master: Revert "Revert "Deploy container-multinode (fs010) with a containerized undercloud""  https://review.openstack.org/560264
12:05:22 <jaosorior> Alright
12:05:28 <jaosorior> #topic Work progress update
12:05:48 <jaosorior> Same as every week, this is just a placeholder to have folks know how the work is going for the different topics.
12:05:57 <jaosorior> #topic Public TLS by default
12:06:11 <jaosorior> This is the one I've been the most active in.
12:06:24 <raildo> o/
12:06:24 <jaosorior> I've got some working patches, and most of the stuff in the chain has already merged
12:06:36 <jaosorior> I still need to write proper documentation about that
12:06:48 <jaosorior> since that change does introduce some changes to our defaults (besides the fact that it uses TLS)
12:07:07 <jistr> gfidente: looking at the ceph issue now
12:07:09 <jaosorior> for one, the default will be to use FQDNs instead of IPs for the public endpoints.
12:07:55 <jaosorior> So, the user/deployer will need to add those to DNS or /etc/hosts after the deployment
12:08:00 <jaosorior> gotta see if we can automate that though
12:08:03 <jaosorior> at least the /etc/hosts part
12:08:08 <jaosorior> shouldn't be too hard.
12:08:23 <jaosorior> Again, reviews are very much welcome, and the patches are in the etherpad
12:08:27 <jaosorior> #link https://etherpad.openstack.org/p/tripleo-security-squad
12:08:47 <jaosorior> I've also been using the same topic for the patches
12:08:49 <jaosorior> #link https://review.openstack.org/#/q/topic:public-tls-default+(status:open+OR+status:merged)
12:09:38 <jaosorior> Any questions/feedback?
12:10:09 <bogdando> jaosorior, shardy: can I debug network data in hiera somehow? I still keep getting the same frontend and backend IPs for haproxy config, and my admin/public VIPs seem ignored
12:10:31 <bogdando> sorry, it's a meeting here...
12:10:50 <jaosorior> bogdando: no worries. I can check that out after the meeting
12:10:53 <jaosorior> #topic Secret Management for TripleO
12:11:12 <jaosorior> So, we started taking the first steps on this task
12:11:30 <jaosorior> We have identified all the potentially sensitive data in this etherpad:
12:11:31 <jaosorior> #link https://etherpad.openstack.org/p/tripleo-audit-secrets
12:11:46 <jaosorior> so, if you are curious about what we identified and how we plan to address it, that's the place to look :)
12:12:06 <jaosorior> among the first stuff to cover is the undercloud's swift
12:12:23 <jaosorior> we plan to use Swift encryption (at rest) and hopefully enable it as a default
12:12:36 <jaosorior> there are several ways of doing that though.
12:13:03 <jaosorior> One is to have a pre-shared key (or encryption root secret) in the swift configuration
12:13:08 <openstackgerrit> Marios Andreou proposed openstack/tripleo-heat-templates master: Update environment files for Q upgrade and ffwd upgrade  https://review.openstack.org/559061
12:13:13 <jaosorior> that will then be used to encrypt the swift containers
12:13:21 <jaosorior> The other, is to use something else (such as barbican)
12:13:50 <jaosorior> And apparently we already have support for the former one in t-h-t; so that could be a good fit for a feature for the containerized undercloud.
12:14:12 <openstackgerrit> Lukas Bezdicka proposed openstack/tripleo-common master: Unite default parameter_resource name  https://review.openstack.org/560110
12:14:15 <jaosorior> of course, ideally the best would be that the default configuration wouldn't need to use barbican. We gotta see what's best to implement
12:14:28 <jaosorior> If folks want to join that effort, help is very appreciated.
12:15:18 <moguimar> watching the project update of swift yesterday
12:15:20 <moguimar> https://www.youtube.com/watch?v=rnAtnnE0sQM&feature=youtu.be
12:15:38 <moguimar> they mentioned that swift can run stand alone
12:16:23 <jaosorior> moguimar: yeah, that's a feature they have. Although we don't really need it as we do have a proper openstack installation on the undercloud.
12:17:01 <moguimar> trying to get a default option aligned to that would be more popular
12:17:04 <jaosorior> moguimar: did you have something in mind regarding the standalone feature?
12:17:11 <moguimar> not yet
12:17:54 <jaosorior> moguimar: so, we already deploy and use swift by default. We use it to store the overcloud deployment "plan". The plan is merely the set of rendered heat templates, parameters and options to deploy the overcloud.
12:18:24 <jaosorior> so, the plan would contain passwords and SSL keys in the form of heat parameters that would be used to deploy the overcloud.
12:18:26 <jaosorior> *overcloud
12:19:04 <jaosorior> moguimar: the plan would be to add the encryption option as a default for the swift deployment in the undercloud that we already do.
12:19:11 <jistr> gfidente: hmm interesting indeed, it looks like it fails in step 1 of docker-puppet.py but i'm having trouble to spot any indication of root cause in the logs
12:19:12 <jistr> http://logs.openstack.org/66/546966/28/check/tripleo-ci-centos-7-scenario004-multinode-oooq-container/130db82/logs/undercloud/home/zuul/overcloud_deploy.log.txt.gz
12:20:01 <jaosorior> Now, the tricky things are updates/upgrades.
12:20:03 <anilvenkata> EmilienM, thanks Emilien
12:20:28 <jaosorior> The encryption docs say that only new swift containers would be encrypted. Which would require the deployer to download the plan, delete it, and upload it again.
12:20:45 <jaosorior> But I think that's a reasonable expectation if folks need that feature.
12:21:06 <openstackgerrit> Lukas Bezdicka proposed openstack/tripleo-common master: Unite default parameter_resource name  https://review.openstack.org/560110
12:21:23 <jaosorior> Anyway, that's all the update from my side. There is still a bunch of research and a POC to do.
12:21:25 <jaosorior> any questions/feedback?
12:21:30 <jaosorior> questions/feedback
12:21:42 <openstackgerrit> Mike Fedosin proposed openstack/tripleo-common master: UpdatePlanEnvironmentAction enable overwrite or merge  https://review.openstack.org/560312
12:22:30 <moguimar> I got through the oslo.config docs
12:23:09 <moguimar> now I'm watching the project updates in the openstack website to get familiarized with all the projects I heard so far in our discussions
12:23:35 <jaosorior> moguimar: if you have questions about any project, reach out, we're always glad to help
12:23:43 <moguimar> sure
12:24:32 <jaosorior> Alright
12:24:36 <jaosorior> that's all for the work updates
12:24:40 <jaosorior> #topic Migration to Storyboard
12:25:08 <jaosorior> So... Kendall and EmilienM reached out recently proposing that the Security Squad try out using Storyboard
12:25:23 <jaosorior> For anybody interested
12:25:26 <jaosorior> here's the link
12:25:29 <jaosorior> #link https://storyboard.openstack.org/
12:26:02 <jaosorior> So, we could track the work progress and user stories there, as well as bugs and other work done by the squad
12:26:07 <EmilienM> ++
12:26:12 <jaosorior> which would effectively replace our etherpad which is getting quite filled up
12:26:18 <moguimar> +1
12:26:19 <jaosorior> I for one, am quite keen on giving it a try
12:26:31 <alee> jaosorior, we don't actually have any launchpad items so there is no migration
12:26:35 <EmilienM> feel free to reach her on #storyboard, she's diablo_rojo
12:26:37 <jaosorior> alee: exactly
12:26:37 <moguimar> scrum feelings
12:26:46 <alee> it's just a matter of using it
12:26:58 <raildo> I'm fine with storyboard as well :)
12:27:03 <jaosorior> Does someone have any reservations or comments against it?
12:27:06 <alee> and if everyone else is doing so, why not?
12:27:19 <alee> I plan to migrate barbican to it next week
12:27:26 <jaosorior> alee: nice!
12:27:28 <jaosorior> alright
12:27:51 <jaosorior> #action TripleO Security Squad will start tracking the projects we're working on in Storyboard
12:28:05 <jaosorior> I still need to give it a better read to know more features that it has, but it seems quite promising
12:28:21 <alee> jaosorior, has the rest of tripleo migrated too?
12:28:27 <jaosorior> EmilienM: ^^
12:28:30 <alee> does it matter?
12:28:41 <jaosorior> alee: I don't think it matters :)
12:29:10 <jaosorior> and I don't know if any other squad from tripleo has migrated
12:29:18 <alee> jaosorior, fair enough -- it just may get tricky if we have references to launchpad issues
12:29:31 <jaosorior> we do have some
12:29:36 <jaosorior> so, we'll need to figure out how that works
12:29:38 <alee> for work that we depend on that is outside of the security squad
12:29:48 <EmilienM> only UI and validations
12:29:51 <EmilienM> have migrated
12:30:42 <alee> ok - so there is precedent then -- no objections from me
12:30:47 <jaosorior> alright
12:30:53 <jaosorior> let's migrate then! :D
12:30:57 <EmilienM> jtomasek, jrist, honza, florianf, jpich (and others): if you have anything to share on storyboard migration so far
12:33:16 <jaosorior> well, hopefully they'll reach out when they have time. And now we know who to poke if we have some questions regarding how to link Storyboard to our existing TripleO bugs.
12:35:06 <jaosorior> #topic Any other business
12:35:25 <jaosorior> Does anybody have something to bring up to the group?
12:35:43 <openstackgerrit> Sagi Shnaidman proposed openstack/tripleo-quickstart-extras master: Install additional roles for quickstart  https://review.openstack.org/558786
12:35:55 <honza> EmilienM: not at the moment
12:38:16 <jaosorior> Alright folks
12:38:18 <jaosorior> thanks for joining
12:38:20 <jaosorior> #endmeeting