12:01:19 <jaosorior> #startmeeting TripleO Security Squad
12:01:19 <moguimar> didn't talk to him today
12:01:20 <openstack> Meeting started Wed Jun 13 12:01:19 2018 UTC and is due to finish in 60 minutes.  The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:01:21 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:01:23 <jaosorior> let's wait some minutes for some folks to log in
12:01:23 <openstack> The meeting name has been set to 'tripleo_security_squad'
12:01:34 <moguimar> he was feeling sick yesterday
12:02:37 <moguimar> #link https://etherpad.openstack.org/p/tripleo-security-squad
12:02:40 <jaosorior> that's a bummer :/
12:02:51 <openstackgerrit> Sagi Shnaidman proposed openstack/tripleo-common master: DONT REVIEW: used for testing only  https://review.openstack.org/447276
12:03:06 <openstackgerrit> Sagi Shnaidman proposed openstack/puppet-tripleo master: DONT REVIEW: testing patch  https://review.openstack.org/529077
12:03:49 <openstackgerrit> Sagi Shnaidman proposed openstack/tripleo-quickstart master: DNM: test built-tests with all jobs  https://review.openstack.org/575090
12:03:51 <sshnaidm> quiquell, ^^
12:05:41 <quiquell> sshnaidm: I see, I was just adding one file
12:06:30 <openstackgerrit> Flavio Percoco proposed openstack-infra/tripleo-ci master: Collect /etc/os-*/ to get os-net-config  https://review.openstack.org/575088
12:07:10 <jaosorior> Alright, I guess we can begin
12:07:15 <moguimar> ok
12:07:24 <jaosorior> #topic oslo pluggable secrets backend discussion
12:07:27 <openstackgerrit> mathieu bultel proposed openstack/tripleo-heat-templates stable/queens: Match only haproxy for docker ps and skipp all *-haproxy occurences  https://review.openstack.org/574624
12:07:39 <moguimar> I'm currently working on the sample generator
12:07:43 <moguimar> for the ini driver
12:08:01 <moguimar> to be used with oslo-config-generator
12:08:33 <moguimar> we still have two other tasks to the end of phase 0
12:08:52 <jaosorior> What are the plans for the ini driver?
12:09:01 <jaosorior> is that something that we
12:09:04 <jaosorior> we'll take into use?
12:09:11 <jaosorior> or was it just a reference driver?
12:09:21 <moguimar> in general, we are adding to oslo.config the ability to fetch extra config from external locations
12:09:42 <moguimar> at first as a reference, but it kinda seems usable
12:10:07 <moguimar> as we can use https
12:10:13 <jaosorior> moguimar: any further plans on that front?
12:10:15 <ooolpbot> URGENT TRIPLEO TASKS NEED ATTENTION
12:10:15 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1776301
12:10:16 <openstack> Launchpad bug 1776301 in tripleo "[master promotion] Tempest is failing with " KeyError: 'resources' "errors - Connection refused" [Critical,Triaged] - Assigned to chandan kumar (chkumar246)
12:10:16 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1776503
12:10:16 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1776596
12:10:17 <openstack> Launchpad bug 1776503 in tripleo "rdocloud outage recovery - contention for resources and jobs showing long wait times" [Critical,Triaged]
12:10:18 <openstack> Launchpad bug 1776596 in tripleo "[QUEENS] Promotion Jobs failing at overcloud deployment with AttributeError: 'IronicNodeState' object has no attribute 'failed_builds'" [Critical,Triaged] - Assigned to yatin (yatinkarel)
12:10:40 <moguimar> the user can specify ca_path, client_cert and client_key
12:11:14 <moguimar> so we can strip sensitive data out of config files and centralize it somewhere else
12:11:31 <jaosorior> moguimar: wasn't that the plan but instead to use the castellan driver?
12:11:48 <moguimar> castellan driver is phase 1
12:12:05 <moguimar> phase 0 is a proof of concept with the ini driver
12:12:22 <moguimar> so, phase 0 is the ini driver
12:12:27 <moguimar> phase 1 is the castellan driver
12:12:35 <moguimar> and phase 2 is TripleO integration
12:13:22 <moguimar> we are aiming to land phase 0 on rocky and phase 1 on stein
12:13:40 <jaosorior> I see
12:14:12 <jaosorior> So, what are the plans regarding TripleO integration at the moment? anything that could be started now?
12:15:03 <moguimar> we are working on a spec
12:15:19 <moguimar> actually phase 2 is not tripleO integration
12:15:27 <moguimar> it is about automation support
12:15:44 <moguimar> when the spec comes out we'll have more details
12:15:45 <openstackgerrit> Ronelle Landy proposed openstack-infra/tripleo-ci master: Streamline variables passed in different environments  https://review.openstack.org/573819
12:15:55 <moguimar> #link https://etherpad.openstack.org/p/oslo-config-plaintext-secrets
12:16:21 <moguimar> the link to the spec is here
12:16:24 <moguimar> #link https://review.openstack.org/#/c/474304/
12:16:46 <jaosorior> moguimar: right, but that was the oslo spec
12:16:54 <jaosorior> for TripleO we would prefer to have a separate one
12:17:17 <jaosorior> and from what I can tell, the same is with the oslo folks, they would prefer to remove the TripleO specifics from that spec
12:17:18 <moguimar> so far we only have a placeholder for the tripleO bits
12:17:43 <moguimar> yep, the tripleO parts are to be defined yet in a separate spec
12:18:05 <jaosorior> ok
12:18:26 <moguimar> that's all I have for nwo
12:18:28 <moguimar> now*
12:18:39 <jaosorior> thanks
12:18:55 <jaosorior> if there's anything you want to discuss regarding TripleO integration, this is a good place to bring it up
12:19:07 <moguimar> ok
12:19:17 <jaosorior> At some point we do need to discuss what backend will castellan use
12:19:23 <jaosorior> and how that deployment will look like
12:19:50 <moguimar> the castellan phase still needs some planning
12:20:05 <jaosorior> that's alright
12:20:07 <jaosorior> there is time :)
12:20:11 <moguimar> I'll leave a note in the trello card to bring the discussion here
12:20:26 <jaosorior> let's come back to this once that's more defined
12:20:31 <jaosorior> lhinds, are you around?
12:20:56 <lhinds> yep jaosorior
12:20:59 <lhinds> just in..
12:21:09 <jaosorior> #topic Limit TripleO users
12:21:27 <jaosorior> lhinds: can you give a brief update on the status of that?
12:21:42 <jaosorior> I know you're quite busy, so I really appreciate that you were able to make it
12:21:47 <lhinds> for this one we will need to move the spec into stein, as too late for rocky (which is understandable)
12:22:09 <lhinds> cederic has a spec in review, and mine should be up later today or at least before the end of this week at the latest.
12:22:26 <lhinds> that's it for now
12:23:16 <jaosorior> lhinds: did you manage to get some resolution on getting the sudo rules from CI?
12:24:01 <lhinds> I have some ideas, as sudo gives an exit code, but need to chew it over with someone from CI.
12:24:31 <lhinds> If command is specified but not allowed, sudo will exit with a status value of 1
12:24:58 <lhinds> so we could harness this in CI as that would constitute a build failure.
12:25:27 <lhinds> some of this we may need to thrash out in review though
12:25:27 <jaosorior> lhinds: wouldn't that be just a deployment failure?
12:25:48 <lhinds> yes, hold on I see what you mean now.
12:25:59 <lhinds> so two phases, the first is to gather the info.
12:26:11 <lhinds> second above, would be to test it on-going
12:27:24 <jaosorior> oh, I see
12:28:10 <lhinds> but need to see if that would be agreed, as like you say it breaks a deployment
12:28:35 <lhinds> It's SELinux all over again
12:28:40 <jaosorior> x_X
12:29:12 <jaosorior> lhinds: thanks for the update
12:30:04 <jaosorior> lhinds: let me know if there's something I can help out with regarding that task
12:30:14 <lhinds> will do, thanks jaosorior
12:30:29 * redrobot is still waiting for the coffee to kick in ... 😴
12:30:40 <jaosorior> #topic Any other business
12:30:45 <jaosorior> Anything else that folks want to bring up to the meeting?
12:31:00 <EmilienM> dciabrin_: can you please review https://review.openstack.org/#/c/574873/ when you have time?
12:31:05 <jaosorior> redrobot: haha same here, but it's 3pm here :P
12:31:26 <EmilienM> dciabrin_: err wrong link nevermind.
12:31:40 <dciabrin_> EmilienM, :)
12:31:47 <EmilienM> dciabrin_: too early :P
12:33:33 <jaosorior> Alright folks! thanks for joining!
12:33:35 <jaosorior> #endmeeting