[openstack-dev] [nova][barbican] ocata summit security specs and testing session recap

Matt Riedemann mriedem at linux.vnet.ibm.com
Sat Nov 12 18:40:55 UTC 2016 

At the Ocata summit we held a design summit session covering several 
security-related specs from Dane Fichter and Peter Hamilton. The full 
etherpad is here:

https://etherpad.openstack.org/p/ocata-nova-summit-security

Dane was present and the majority of the discussion was on the cert 
validation spec:

https://review.openstack.org/#/c/357151/

Daniel Berrange has done the most review on the spec and was present to 
discuss some of the issues with the proposal. Ultimately there was 
agreement to have an incremental step forward and allow passing a list 
of certificate uuids when creating a server which would be used for 
signed image verification. The spec lays out several alternatives and 
options for improving on this later, but they are out of scope right now 
so we're starting small to address the main problem defined in the spec.

I missed some of the discussion in the room and there aren't many 
details in the etherpad, so if Dane or Daniel want to update the 
etherpad or expand on this thread that would be helpful.

I have reviewed the cert validation spec and added several questions and 
concerns around things like, how do we handle evacuate and migration 
when we don't persist the list of trusted cert IDs used to create the 
server? Discussion on that will continue in the spec.

----

The other thing we talked about during this session was the need for a 
CI job that can test a lot of the security-related features we already 
support, like signed image verification and using a real key manager 
like Barbican. The idea being before we add more features in this space 
we really need to start doing integration testing of the code we already 
have.

Dane Fichter has started working on some of this already. We shouldn't 
require any changes to Tempest as there are no API changes, but we need 
some work in devstack to configure it for signed images and using a real 
key manager. And then we need a new CI job defined which uses the 
Barbican devstack plugin to deploy Barbican and configure the other 
services like Nova and Glance to use it. I've volunteered to help work 
on pulling those CI job pieces together.

-- 

Thanks,

Matt Riedemann

More information about the OpenStack-dev mailing list