12:00:47 #startmeeting TripleO Security Squad
12:00:48 Meeting started Wed May 16 12:00:47 2018 UTC and is due to finish in 60 minutes. The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:49 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:51 The meeting name has been set to 'tripleo_security_squad'
12:00:54 I'll wait a little bit for more folks to log in
12:00:55 hey oz
12:01:03 hey lhinds! how's it going?
12:01:11 good thanks
12:06:39 #topic Public TLS work update
12:07:10 right! so
12:07:46 public TLS by default merged
12:07:53 ....and it was reverted :D
12:08:32 It was reverted here https://review.openstack.org/#/c/568699/
12:08:50 because of this bug https://bugs.launchpad.net/tripleo/+bug/1771435
12:08:51 Launchpad bug 1771435 in tripleo "scenario001/002 failing on autoscaling with urllib3.exceptions.SSLError: [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:579)" [Critical,Fix released] - Assigned to Alex Schultz (alex-schultz)
12:09:27 it seems that tempest (the telemetry plugin) is poking panko
12:09:38 and it gets a TLS endpoint with a non-TLS port (for some strange reason)
12:09:42 I'm still not sure why that happens
12:09:52 but I'm looking into it
12:10:13 seems sileht is also looking into it
12:10:15 URGENT TRIPLEO TASKS NEED ATTENTION
12:10:15 https://bugs.launchpad.net/tripleo/+bug/1770972
12:10:16 Launchpad bug 1770972 in tripleo "CI: Images introspection fails in OVB jobs" [Critical,Triaged] - Assigned to Derek Higgins (derekh)
12:10:16 https://bugs.launchpad.net/tripleo/+bug/1771508
12:10:18 Launchpad bug 1771508 in tripleo "Telemetry tests fail in scenario-001 and 002 jobs" [Critical,Triaged] - Assigned to Pradeep Kilambi (pkilambi)
12:10:37 if someone wants to help with that
12:10:54 I can provide details about how to reproduce it
12:10:57 so let me know
12:11:02 help is very much appreciated
12:11:15 once that merges, then just docs are missing and we'll have public TLS by default :D
12:11:23 can't help more than what I did for now :/
12:11:38 learning curve is nice :3
12:12:21 derekh, weshay I suspect there is a different problem with images
12:12:23 Tengu: you're getting your system tomorrow, right?
12:12:34 the builder? yep.
12:12:41 derekh, we update our images in the job: https://logs.rdoproject.org/15/568715/2/openstack-check/gate-tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset001-master/Z5df1951657694a9ebaad63e71362a76a/console.txt.gz#_2018-05-16_04_15_05_346
12:13:33 derekh, it's done so: https://github.com/openstack/tripleo-quickstart-extras/blob/69ad943adda9000f79277f0230a5751869de9cb3/roles/modify-image/tasks/manual.yml#L33-L70
12:13:37 Tengu: let me know and I can help you reproduce the issue
12:13:53 derekh, weshay but what we have when running update: https://logs.rdoproject.org/15/568715/2/openstack-check/gate-tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset001-master/Z5df1951657694a9ebaad63e71362a76a/undercloud/home/jenkins/repo_setup.sh.1526444104.log.txt.gz
12:14:04 it may be a reason for failures..
12:14:13 any other questions/feedback on the public TLS stuff?
12:14:21 jaosorior: ok :).
12:14:55 Sagi Shnaidman proposed openstack-infra/tripleo-ci master: DNM: build image in every OVB job https://review.openstack.org/568258
12:15:23 oof
12:16:04 hello weshay :)
12:16:31 #topic Secret management
12:17:41 So, I sent out a mail about enabling swift volume encryption by default http://lists.openstack.org/pipermail/openstack-dev/2018-May/130529.html
12:17:50 mwhahaha: are you around? I saw you reviewed the patch and had some concerns
12:18:35 Sorta
12:19:11 mwhahaha: swift isn't really poked that much anymore
12:19:24 matbu, chem https://review.openstack.org/#/c/568680/
12:19:29 So the perf thing probably ok
12:19:36 mwhahaha: just to store the plan and get the plan out
12:19:39 update the plan from the UI
12:19:41 that's about it AFAIK
12:19:49 ooh and get artifacts from the overcloud
12:19:58 Emilien Macchi proposed openstack/tripleo-upgrade master: add container minimal check and gate https://review.openstack.org/568733
12:20:08 Sagi Shnaidman proposed openstack/tripleo-quickstart-extras master: WIP: Reproduce CI multinode job with libvirt https://review.openstack.org/543429
12:20:11 But more services is kinda a problem, also how secure is a generic barbican
12:20:24 Emilien Macchi proposed openstack/tripleo-upgrade master: add container minimal check and gate https://review.openstack.org/568733
12:21:03 Like would luks be better
12:21:44 mwhahaha: it isn't great, but from there we can move forward to using the pkcs11 plugin for the more security concerned
12:21:55 mwhahaha: you'd still get the key somewhere, or have to manually enter the encryption password after each reboot
12:22:15 Luks solves the data at rest problem better imho
12:22:55 And the undercloud is less of a problem for automatic reboots
12:23:25 Since we don't assume 100% uptime
12:24:13 Having dealt with HSMs before I'd rather we recommend luks for the undercloud
12:24:30 That's my take on it
12:24:39 mwhahaha: some people require hardware security
12:24:45 some folks even want to tie luks to an hsm
12:24:49 Then those people enable it
12:24:54 But not by default
12:25:08 bogdando: thx for https://review.openstack.org/#/c/568818/
12:25:13 I don't see upside to it being on by default
12:25:39 alright, those are valid points; I'll leave the commit up there for a bit and see what other folks think; more feedback is always good :)
12:26:00 False sense of security is bad :D
12:27:13 agreed
12:27:22 small question: is there a way to trigger an rdo third party CI without triggering zuul?
12:27:47 are the current containerized undercloud install docs in https://docs.openstack.org/tripleo-docs/latest/install/installation/installing.html correct?
12:27:59 Tengu: check-rdo
12:28:05 mwhahaha: thank you!
12:28:24 #topic Kerberos auth for keystone
12:28:45 Alright, something else I wanted to bring up was a (relatively) low hanging fruit
12:29:09 keystone supports kerberos for authentication, and I don't think it would be too hard to do (you can do a TLS everywhere deployment if you need kerberos around)
12:29:12 I'm getting what appears to be issues in configuring nova_placement, heat_api, ironic_api, mysql, ironic, mistral, zaqar, nova, keystone...well basically everything I think
12:29:21 some folks have expressed interest about it, so I thought it would be a good thing to have
12:29:39 weshay, well, seems like we can't update images at all, jobs pass only when we build them..
12:29:40 so, if someone wants to pick up that work, I can provide details on how to do it
12:29:44 so, let me know :D
12:30:29 jaosorior: is there some open issue for that?
12:30:54 Tengu: there isn't; didn't think about tracking it with launchpad given it's not a bug but a feature request :D
12:31:13 there are RFEs on launchpad :).
12:31:39 OK, I can write one then
12:31:51 #action jaosorior to write an RFE bug about Kerberos authentication
12:32:00 that would be best in order to follow
12:32:19 I'll provide all the details needed to get that working on that bug
12:33:30 #topic Any other business
12:33:34 sshnaidm|rover, ok.. I like the patch
12:33:36 Anything else folks want to bring up to the meeting?
12:33:40 thanks sshnaidm|rover
12:33:41 jaosorior: yup
12:33:53 #topic limiting heat-admin
12:34:30 so I have my new machine now and have been thinking of taking the following approach to get a list of every sudo call.
12:34:40 #topic limiting heat-admin
12:34:48 in audit you can track all sudo calls:
12:34:50 https://github.com/openstack/tripleo-heat-templates/blob/master/environments/auditd.yaml#L109
12:35:05 /var/log/audit/*
12:35:47 The puppet service can be used to set this up in the overcloud with an environment file, but seeking advice on how I could do this for the undercloud
12:36:30 lhinds: well, we're moving towards having a containerized undercloud, which would be deployed with t-h-t as well
12:36:34 I guess I could use guestfs into the image and set it up there. I could also add a grub2.conf option to enable it early in the boot phase.
12:36:44 lhinds: so you could enable the same functionality for the undercloud that way
12:37:21 jaosorior: ack, see what you mean. So would I be able to pull in an environment file to configure audit within the undercloud
12:37:33 container or vm
12:37:38 right
12:37:56 it won't be a feature, just a debug method to help me see sudo calls
12:38:21 understood
12:38:27 that's a good start for that
12:38:49 I guess I can ping you with this outside the meeting if you can help me jaosorior
12:39:01 lhinds: sure!
12:39:15 just need to grok the best way to do it, and then I will be on my way to getting it scoped out and a patch submitted
12:39:43 let's do that (will send a DM to you)
12:40:15 awesome
12:40:19 I can then see a complete list of every user who calls sudo (so validations, nova, keystone etc)
12:40:20 sounds like a plan to get this started
12:40:37 cool. that's it for me.
12:40:38 the main concern I guess is heat-admin and validations
12:40:55 openstack services have their own sudoer rules, which look alright, as far as I've seen
12:41:09 yup, validations is the big one..so I also need to think about making sure validations makes lots of noise and gets used a lot
12:41:31 jaosorior: there is also rootwrap which nicely limits things
12:43:31 #topic Any other business
12:43:37 Anything else folks want to bring up?
12:45:06 Alright, thanks for joining folks!
12:45:08 #endmeeting