At the Ocata summit we held a design summit session covering several
security-related specs from Dane Fichter and Peter Hamilton. The full
etherpad is here:
https://etherpad.openstack.org/p/ocata-nova-summit-security
Dane was present and the majority of the discussion was on the cert
validation spec:
https://review.openstack.org/#/c/357151/
Daniel Berrange has done the most review on the spec and was present to
discuss some of the issues with the proposal. Ultimately there was
agreement to have an incremental step forward and allow passing a list
of certificate uuids when creating a server which would be used for
signed image verification. The spec lays out several alternatives and
options for improving on this later, but they are out of scope right now
so we're starting small to address the main problem defined in the spec.
I missed some of the discussion in the room and there aren't many
details in the etherpad, so if Dane or Daniel want to update the
etherpad or expand on this thread that would be helpful.
I have reviewed the cert validation spec and added several questions and
concerns around things like, how do we handle evacuate and migration
when we don't persist the list of trusted cert IDs used to create the
server? Discussion on that will continue in the spec.
----
The other thing we talked about during this session was the need for a
CI job that can test a lot of the security-related features we already
support, like signed image verification and using a real key manager
like Barbican. The idea being before we add more features in this space
we really need to start doing integration testing of the code we already
have.
Dane Fichter has started working on some of this already. We shouldn't
require any changes to Tempest as there are no API changes, but we need
some work in devstack to configure it for signed images and using a real
key manager. And then we need a new CI job defined which uses the
Barbican devstack plugin to deploy Barbican and configure the other
services like Nova and Glance to use it. I've volunteered to help work
on pulling those CI job pieces together.
--
Thanks,
Matt Riedemann
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
