[opnfv-tech-discuss] API mismatch between Open-O and Compass

2016-12-19 Thread huangxiangyu
Hi Yingjun

Currently, OpenStack Newton deployed by Compass uses keystone API V3
instead of V2. I assume there may be an API mismatch when Open-O talks to
OpenStack. Please check with the Open-O developers whether Open-O only supports keystone
V2. If so, a modification should be made in Open-O in order to integrate with
Compass. BTW, does this issue also exist in JuJu? Maybe Victor can answer this
question?

Regards
Harry Huang
___
opnfv-tech-discuss mailing list
opnfv-tech-discuss@lists.opnfv.org
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss


[opnfv-tech-discuss] [VSPERF] VSPERF usages and gaps

2016-12-19 Thread Cooper, Trevor
Hello VSPERF people

In the last weekly call we agreed to try and document the different usages of 
VSPERF today as well as what are perceived as the major gaps. This was motivated by our 
efforts to prioritize upcoming work but also to decide to what extent 
integration with Yardstick makes sense. The story for this is here, please add 
comments and any relevant information https://jira.opnfv.org/browse/VSPERF-434

/Trevor


[opnfv-tech-discuss] Intel Labs

2016-12-19 Thread Jack Morgan
All,

The OPNFV Intel lab will be offline and unavailable for 2+ weeks while
we migrate systems between two locations. I will be contacting
individual POD users as I'm working on the transition. All current VPN
access will be removed and new ones created.

Please back up any data you feel is critical (just in case). Please let me
know if you have any questions.


Thanks,

-- 
Jack Morgan
OPNFV Pharos Intel Lab



Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Beierl, Mark
Here is such an example from StorPerf [1].  When the docker image is built, I 
do a git clone of a specific version of FIO, one which contains a bug fix to 
metrics.  This version is then compiled and used at runtime for executing disk 
IO.

[1] https://github.com/opnfv/storperf/blob/master/docker/Dockerfile#L78

Regards,
Mark

Mark Beierl
Advisory Solutions Architect
Dell EMC | Office of the CTO
mobile +1 613 314 8106
mark.bei...@dell.com

On Dec 19, 2016, at 12:07, Tapio Tallgren 
> wrote:

On 12/19/2016 04:49 PM, Luke Hinds wrote:


On Mon, Dec 19, 2016 at 2:30 PM, Tapio Tallgren 
> wrote:
Luke,

Since you are checking for binary files (point 2), will you also check all 
checkouts from version control systems (like git)? I would like all of these to 
pull in explicit versions (as opposed to main), since otherwise you will have 
no idea what you are building.

Is this a case of opnfv code / scripts  that clone in an external repo? If you 
could give me an example case to help understand..

I meant this code:

#!/usr/bin/env bash
# Clones whatever the default branch points at today; nothing pins a tag or
# commit, so the result can change between two runs of the same script.
git clone https://github.com/tapiot/innocent_code.git
cd innocent_code || exit 1
make
sudo make install

The innocent_code is totally harmless and you can inspect it. However, one day 
I may make a mistake in my code repository.

-Tapio




We also have a similar problem with external repositories: if you install Linux 
packages from an external repository, you again have a risk that there are 
random changes to what is installed. This is fortunately mostly relevant for 
installers.

 Understood, there is not much I believe we can do here in respect of this work 
item.


-Tapio




On 12/19/2016 03:28 PM, Luke Hinds wrote:
Hi Yujun,

I would need Fatih to comment as I am not that up to speed on CI. The following 
is an albeit incomplete example of how we will wire this in:

https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml

Regards,

Luke

On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang 
> wrote:
Luke,

I remember that Fatih once mentioned that there are no gates in OPNFV CI yet. 
So you are talking about some additional verification jobs enforced on each 
commit. Or it is something like the current daily/weekly job.

Could you help to clarify it?

On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds 
> wrote:
Hi,

Myself and Ash with help from Fatih are currently prototyping some new gates we 
plan to phase in over time.

The idea is that each commit made to an OPNFV repo will perform some checks.

1. Search for any strings containing passwords, ssh / tls certs and other stuff 
we don't want sitting around in repos to then be scooped up for a release.

2. Search out any binaries. We need to be very strict over what compiled 
binaries are packaged in release (if any at all), as a binary could be 
compromised (without the knowledge of the project itself).

3. Security lint checks. Code will be searched for patterns such as shell 
executions, xss flaws etc and reports linked within the gate.

The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide for 
projects, with the support of the security group, if needed.

For both 1,2 we will maintain a waiver / exception list. This means that if no 
threat is shown to be present, an ignore entry can be made for a single 
project. The gate will then allow the said string, file etc to pass with no 
vote.

Initially we are working with a sandbox project, so expect no interruptions at 
all. From there we will start to bring projects over, so they will be aware 
ahead of any changes implemented that will affect them.

Cheers,

Luke
___
opnfv-security mailing list
opnfv-secur...@lists.opnfv.org
https://lists.opnfv.org/mailman/listinfo/opnfv-security



--
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 
77 45 63 98 84 | t: +44 12 52 36 2483






Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Tapio Tallgren

On 12/19/2016 04:49 PM, Luke Hinds wrote:



On Mon, Dec 19, 2016 at 2:30 PM, Tapio Tallgren 
> wrote:


Luke,

Since you are checking for binary files (point 2), will you also
check all checkouts from version control systems (like git)? I
would like all of these to pull in explicit versions (as opposed
to main), since otherwise you will have no idea what you are building.


Is this a case of opnfv code / scripts  that clone in an external 
repo? If you could give me an example case to help understand..


I meant this code:

#!/usr/bin/env bash
# Clones whatever the default branch points at today; nothing pins a tag or
# commit, so the result can change between two runs of the same script.
git clone https://github.com/tapiot/innocent_code.git
cd innocent_code || exit 1
make
sudo make install

The innocent_code is totally harmless and you can inspect it. However, 
one day I may make a mistake in my code repository.


-Tapio





We also have a similar problem with external repositories: if you
install Linux packages from an external repository, you again have
a risk that there are random changes to what is installed. This is
fortunately mostly relevant for installers.


 Understood, there is not much I believe we can do here in respect of 
this work item.



-Tapio




On 12/19/2016 03:28 PM, Luke Hinds wrote:

Hi Yujun,

I would need Fatih to comment as I am not that up to speed on CI.
The following is an albeit incomplete example of how we will wire
this in:


https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml



Regards,

Luke

On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang
> wrote:

Luke,

I remember that Fatih once mentioned that there are no gates
in OPNFV CI yet. So you are talking about some additional
verification jobs enforced on each commit. Or it is something
like the current daily/weekly job.

Could you help to clarify it?

On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds > wrote:

Hi,

Myself and Ash with help from Fatih are currently
prototyping some new gates we plan to phase in over time.

The idea is that each commit made to an OPNFV repo will
perform some checks.

1. Search for any strings containing passwords, ssh / tls
certs and other stuff we don't want sitting around in
repos to then be scooped up for a release.

2. Search out any binaries. We need to be very strict
over what compiled binaries are packaged in release (if
any at all), as a binary could be compromised (without
the knowledge of the project itself).

3. Security lint checks. Code will be searched for
patterns such as shell executions, xss flaws etc and
reports linked within the gate.

The plan is to have 1,2 as voting (-1 / +1) and 3
initially as a guide for projects, with the support of
the security group, if needed.

For both 1,2 we will maintain a waiver / exception list.
This means that if no threat is shown to be present, an
ignore entry can be made for a single project. The gate
will then allow the said string, file etc to pass with no
vote.

Initially we are working with a sandbox project, so
expect no interruptions at all. From there we will start
to bring projects over, so they will be aware ahead of
any changes implemented that will affect them.

Cheers,

Luke





-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat

e: lhi...@redhat.com  | irc: lhinds
@freenode | m: +44 77 45 63 98 84 | t: +44 12 52 36 2483







Re: [opnfv-tech-discuss] Models Weekly Meeting A

2016-12-19 Thread Vul, Alex
Hi,

Is the meeting happening today?

Thanks,

Alex


-Original Appointment-
From: SULLIVAN, BRYAN L [mailto:bs3...@att.com]
Sent: Friday, November 4, 2016 6:16 AM
To: SULLIVAN, BRYAN L; 'opnfv-tech-discuss@lists.opnfv.org'
Cc: 'Dan Westerberg'; 'Tal Barenboim'; Vul, Alex; 'Henry Fourie'; 'Andrew 
Veitch'; 'a...@gigaspaces.com'; GUPTA, ALOK; 'Ola Liljedahl'; MORTON JR., AL; 
'Ulas Kozat'; 'David Suarez Fuentes'; 'Mario Torrecillas Rodriguez'; Ramia, 
Kannan Babu; 'Sen, Prodip'; 'Kuppuswamy, Prabu'; DRUTA, DAN; 'Gabor Halász'; 
Seiler, Glenn (Wind River); S, Deepak; 'Lawrence Lamers'; 
'ramki_krish...@dell.com'; Vandris, Steve; yaohelan
Subject: Models Weekly Meeting A
When: Monday, December 19, 2016 4:00 PM-5:00 PM (UTC) Coordinated Universal 
Time.
Where: https://global.gotomeeting.com/join/865421325


Updating this invite to be UTC-based as intended on the wiki, so we limit 
confusion during the seasonal change.

https://wiki.opnfv.org/display/models/Models+Meetings
IRC: #opnfv-models, e.g.  
https://www.irccloud.com/#!/ircs://irc.freenode.net:6697/%23opnfv-models





Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
On Mon, Dec 19, 2016 at 3:00 PM, Serg Melikyan 
wrote:

> Hi Luke,
>
> there are several kinds of projects in the Open NFV space, and I am happy
> that your proposal covers not only python projects. Having security
> job templates which can be re-used in gates with an extensive
> description of how to use them is very important and helpful. My only
> ask would be to pay attention to how exceptions will be specified for
> each gate check - security, as well as lint checks, have a very high
> number of false-positive results.
>
> Once this initiative is ready for beta-testing I will be glad to
> help you do this beta-testing on Fuel.
>
> P.S. there is an interesting project in the OpenStack community, called
> Bandit [1], which allows running a security lint for Python source code,
> utilizing the ast module from the Python standard library. It seems
> interesting to have these checks on some of the projects.
>
> References:
> [1] https://wiki.openstack.org/wiki/Security/Projects/Bandit



Hi Serg,

So we have developed a wrapper around bandit, rats and PMD for security
linting (with those three we have full language coverage), and with the
lint checks, we plan on having it non-voting (for the same reason you
outline of false positives). So for example, a project developed in python
will have a link to bandit report, whereas something in c or ruby would be
a rats html report. These reports will be 'fyi' only.

The only checks planned with a -1 voting ability are for binaries found and
secrets (private keys etc) - the key thing is though, we have an exception
list, so we can waiver / whitelist false positives.

Great to hear you have an interest in getting involved, be glad to work
with you when we can bring it in for projects.

Luke



>
>
> On Mon, Dec 19, 2016 at 6:49 AM, Luke Hinds  wrote:
> >
> >
> > On Mon, Dec 19, 2016 at 2:30 PM, Tapio Tallgren <
> tapio.tallg...@nokia.com>
> > wrote:
> >>
> >> Luke,
> >>
> >> Since you are checking for binary files (point 2), will you also check
> all
> >> checkouts from version control systems (like git)? I would like all of
> these
> >> to pull in explicit versions (as opposed to main), since otherwise you
> will
> >> have no idea what you are building.
> >
> >
> > Is this a case of opnfv code / scripts  that clone in an external repo?
> If
> > you could give me an example case to help understand..
> >
> >>
> >>
> >> We also have a similar problem with external repositories: if you
> install
> >> Linux packages from an external repository, you again have a risk that
> there
> >> are random changes to what is installed. This is fortunately mostly
> relevant
> >> for installers.
> >
> >
> >  Understood, there is not much I believe we can do here in respect of
> this
> > work item.
> >
> >>
> >> -Tapio
> >>
> >>
> >>
> >>
> >> On 12/19/2016 03:28 PM, Luke Hinds wrote:
> >>
> >> Hi Yujun,
> >>
> >> I would need Fatih to comment as I am not that up to speed on CI. The
> >> following is an albeit incomplete example of how we will wire this in:
> >>
> >>
> >> https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=
> refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%
> 2Fopnfv-security-scan.yml
> >>
> >> Regards,
> >>
> >> Luke
> >>
> >> On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang 
> >> wrote:
> >>>
> >>> Luke,
> >>>
> >>> I remember that Fatih once mentioned that there are no gates in OPNFV
> CI
> >>> yet. So you are talking about some additional verification jobs
> enforced on
> >>> each commit. Or it is something like the current daily/weekly job.
> >>>
> >>> Could you help to clarify it?
> >>>
> >>> On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds  wrote:
> 
>  Hi,
> 
>  Myself and Ash with help from Fatih are currently prototyping some new
>  gates we plan to phase in over time.
> 
>  The idea is that each commit made to an OPNFV repo will perform some
>  checks.
> 
>  1. Search for any strings containing passwords, ssh / tls certs and
>  other stuff we don't want sitting around in repos to then be scooped
> up for
>  a release.
> 
>  2. Search out any binaries. We need to be very strict over what
> compiled
>  binaries are packaged in release (if any at all), as a binary could be
>  compromised (without the knowledge of the project itself).
> 
>  3. Security lint checks. Code will be searched for patterns such as
>  shell executions, xss flaws etc and reports linked within the gate.
> 
>  The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide
>  for projects, with the support of the security group, if needed.
> 
>  For both 1,2 we will maintain a waiver / exception list. This means
> that
>  if no threat is shown to be present, an ignore entry can be made for a
>  single project. The gate will then allow the said string, file etc to
> pass
>  with no vote.
> 
> 
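The two voting checks Luke describes above (secrets and binaries, with a per-project waiver list that clears a reviewed finding but does not clear the vote for anything else) as an added example in Python. This is not the OPNFV releng job or the security group's scanner; the secret patterns, the binary heuristic, the (path, rule) waiver format and the sample checkout it scans are all assumptions made for the example.

```python
"""Added example: pre-merge check for committed secrets and binaries with a
waiver list. Not the OPNFV releng job; patterns and layout are assumptions."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterator

# Material that must never sit in a repo: PEM private keys, hard-coded
# credentials and AWS-style access key ids (assumed rule set).
SECRET_PATTERNS = {
    "private-key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password-assignment": re.compile(
        rb"(?i)(?:password|passwd|secret|token)\s*[:=]\s*[\"'][^\"']{6,}[\"']"),
    "aws-access-key": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the repo root, '/' separated
    rule: str
    line: int    # 0 for whole-file findings such as binaries
    waived: bool


def is_binary(data: bytes) -> bool:
    """ELF or PE header, or a NUL byte in the first 8 KiB, counts as binary."""
    head = data[:8192]
    return head.startswith(b"\x7fELF") or head.startswith(b"MZ") or b"\x00" in head


def scan_bytes(data: bytes) -> Iterator[tuple[str, int]]:
    """Yield (rule, line) pairs; a binary yields one finding and no line scan."""
    if is_binary(data):
        yield ("binary-file", 0)
        return
    for lineno, line in enumerate(data.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                yield (rule, lineno)


def scan_tree(root: str, waivers: set[tuple[str, str]]) -> list[Finding]:
    """Walk a checkout; waivers is the project's approved (path, rule) list."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            for rule, lineno in scan_bytes(data):
                findings.append(Finding(rel, rule, lineno, (rel, rule) in waivers))
    return sorted(findings, key=lambda f: (f.path, f.line))


def vote(findings: list[Finding]) -> int:
    """Gerrit-style verdict: any un-waived finding is a -1, otherwise +1."""
    return -1 if any(not f.waived for f in findings) else 1


def build_sample_tree(root: str) -> None:
    """Constructed sample checkout: a leaked key, a hard-coded password and a
    vendored ELF blob (placeholder bytes, not a real binary)."""
    files = {
        "README.rst": b"Sample project\n",
        "scripts/deploy.sh": b'#!/bin/bash\nADMIN_PASSWORD="hunter2secret"\nexport ADMIN_PASSWORD\n',
        "keys/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
        "vendor/fio-sample.bin": b"\x7fELF\x02\x01\x01" + b"\x00" * 32,
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo() -> tuple[list[Finding], list[Finding]]:
    """Scan once with no waivers, once with the blob waived by the security group."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        strict = scan_tree(root, waivers=set())
        waived = scan_tree(root, waivers={("vendor/fio-sample.bin", "binary-file")})
    return strict, waived


if __name__ == "__main__":
    strict, waived = demo()
    for f in waived:
        print(f"{f.path}:{f.line} {f.rule}{' (waived)' if f.waived else ''}")
    print("vote:", vote(waived))
```

The waiver only covers the vendored blob: the private key and the password in deploy.sh are still un-waived, so the verdict stays -1 until they are removed, which is the behaviour a waiver list should have.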

Re: [opnfv-tech-discuss] [release][colorado] Colorado download page updated to include workaround for Fuel

2016-12-19 Thread Serg Melikyan
Thank you, David. I expect that by the end of this week this workaround
will be obsolete and the issue will be fixed in the updates repository;
right now the Mirantis Downstream Team is working on acceptance testing
for the fix.

On Fri, Dec 16, 2016 at 12:28 PM, David McBride
 wrote:
> At the release meeting this week, we discussed an issue with Fuel (x86) on
> Colorado.  The team agreed to publish a workaround for the issue.  That
> workaround is now available on the download page.  Please let me know if you
> have any comments.
>
> Many thanks to Serg Melikyan for developing, verifying, and documenting the
> workaround.
>
> David
>
> --
> David McBride
> Release Manager, OPNFV
> Mobile: +1.805.276.8018
> Email/Google Talk: dmcbr...@linuxfoundation.org
> Skype: davidjmcbride1
> IRC: dmcbride



-- 
Serg Melikyan, Development Manager at Mirantis, Inc.
http://mirantis.com | smelik...@mirantis.com | +1 (650) 440-8979


Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Serg Melikyan
Hi Luke,

there are several kinds of projects in the Open NFV space, and I am happy
that your proposal covers not only python projects. Having security
job templates which can be re-used in gates with an extensive
description of how to use them is very important and helpful. My only
ask would be to pay attention to how exceptions will be specified for
each gate check - security, as well as lint checks, have a very high
number of false-positive results.

Once this initiative is ready for beta-testing I will be glad to
help you do this beta-testing on Fuel.

P.S. there is an interesting project in the OpenStack community, called
Bandit [1], which allows running a security lint for Python source code,
utilizing the ast module from the Python standard library. It seems
interesting to have these checks on some of the projects.

References:
[1] https://wiki.openstack.org/wiki/Security/Projects/Bandit

On Mon, Dec 19, 2016 at 6:49 AM, Luke Hinds  wrote:
>
>
> On Mon, Dec 19, 2016 at 2:30 PM, Tapio Tallgren 
> wrote:
>>
>> Luke,
>>
>> Since you are checking for binary files (point 2), will you also check all
>> checkouts from version control systems (like git)? I would like all of these
>> to pull in explicit versions (as opposed to main), since otherwise you will
>> have no idea what you are building.
>
>
> Is this a case of opnfv code / scripts  that clone in an external repo? If
> you could give me an example case to help understand..
>
>>
>>
>> We also have a similar problem with external repositories: if you install
>> Linux packages from an external repository, you again have a risk that there
>> are random changes to what is installed. This is fortunately mostly relevant
>> for installers.
>
>
>  Understood, there is not much I believe we can do here in respect of this
> work item.
>
>>
>> -Tapio
>>
>>
>>
>>
>> On 12/19/2016 03:28 PM, Luke Hinds wrote:
>>
>> Hi Yujun,
>>
>> I would need Fatih to comment as I am not that up to speed on CI. The
>> following is an albeit incomplete example of how we will wire this in:
>>
>>
>> https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml
>>
>> Regards,
>>
>> Luke
>>
>> On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang 
>> wrote:
>>>
>>> Luke,
>>>
>>> I remember that Fatih once mentioned that there are no gates in OPNFV CI
>>> yet. So you are talking about some additional verification jobs enforced on
>>> each commit. Or it is something like the current daily/weekly job.
>>>
>>> Could you help to clarify it?
>>>
>>> On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds  wrote:

 Hi,

 Myself and Ash with help from Fatih are currently prototyping some new
 gates we plan to phase in over time.

 The idea is that each commit made to an OPNFV repo will perform some
 checks.

 1. Search for any strings containing passwords, ssh / tls certs and
 other stuff we don't want sitting around in repos to then be scooped up for
 a release.

 2. Search out any binaries. We need to be very strict over what compiled
 binaries are packaged in release (if any at all), as a binary could be
 compromised (without the knowledge of the project itself).

 3. Security lint checks. Code will be searched for patterns such as
 shell executions, xss flaws etc and reports linked within the gate.

 The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide
 for projects, with the support of the security group, if needed.

 For both 1,2 we will maintain a waiver / exception list. This means that
 if no threat is shown to be present, an ignore entry can be made for a
 single project. The gate will then allow the said string, file etc to pass
 with no vote.

 Initially we are working with a sandbox project, so expect no
 interruptions at all. From there we will start to bring projects over, so
 they will be aware ahead of any changes implemented that will affect them.

 Cheers,

 Luke
>>
>>
>>
>>
>> --
>> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
>> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t:
>> +44 12 52 36 2483
>>
>>
>>
>
>
>
> --
> Luke Hinds | NFV Partner Engineering | Office of Technology | 
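An added example of the approach Serg points at: a small visitor built on the standard-library ast module, in the style of Bandit, that reports the shell-execution and dynamic-code patterns a non-voting lint would link in its report. It is not Bandit and not the OPNFV wrapper; the rule names and the sample module it scans are constructed for this example, and it only recognises calls made through the `os.` and `subprocess.` module names (a `from subprocess import run` alias would need a symbol table, which is left out here).

```python
"""Added example: a Bandit-style AST security lint. Not Bandit and not the
OPNFV wrapper; the rule names and the sample module are constructed here."""
from __future__ import annotations

import ast
from dataclasses import dataclass

SUBPROCESS_FUNCS = {"call", "check_call", "check_output", "run", "Popen"}


@dataclass(frozen=True)
class LintHit:
    line: int
    rule: str
    message: str


def _dotted_name(node: ast.AST) -> str:
    """'os.system' for attribute chains, 'eval' for bare names, '' otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


class SecurityVisitor(ast.NodeVisitor):
    """Walks every Call node and records the patterns a gate would report."""

    def __init__(self) -> None:
        self.hits: list[LintHit] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node.func)
        if name in ("eval", "exec"):
            self.hits.append(LintHit(node.lineno, "dynamic-code",
                                     f"{name}() executes data as code"))
        elif name in ("os.system", "os.popen"):
            self.hits.append(LintHit(node.lineno, "os-shell",
                                     f"{name}() runs through the shell"))
        elif name.startswith("subprocess.") and name.split(".", 1)[1] in SUBPROCESS_FUNCS:
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.hits.append(LintHit(node.lineno, "subprocess-shell",
                                             f"{name}(shell=True) enables injection"))
        self.generic_visit(node)   # keep descending: calls nest inside calls


def lint_source(source: str, filename: str = "<sample>") -> list[LintHit]:
    """Parse source with the stdlib ast module and return hits ordered by line."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source, filename))
    return sorted(visitor.hits, key=lambda h: h.line)


# Constructed sample module: three reportable calls and one safe equivalent.
SAMPLE_MODULE = '''\
import os, subprocess

def run_fio(job_file):
    # string concatenation plus shell=True: job_file can inject commands
    return subprocess.check_output("fio " + job_file, shell=True)

def ping(host):
    os.system("ping -c1 " + host)

def run_fio_safely(job_file):
    return subprocess.check_output(["fio", job_file])  # argv list, no shell

def load(cfg):
    return eval(cfg)
'''


if __name__ == "__main__":
    for hit in lint_source(SAMPLE_MODULE):
        print(f"line {hit.line}: [{hit.rule}] {hit.message}")
```

`run_fio_safely` passes an argv list with no shell, so it is not reported; that is the fix the report should steer a project towards, and it is also why such a check is better kept informational until its false-positive rate on a project is known.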

Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
On Mon, Dec 19, 2016 at 2:30 PM, Tapio Tallgren 
wrote:

> Luke,
>
> Since you are checking for binary files (point 2), will you also check all
> checkouts from version control systems (like git)? I would like all of
> these to pull in explicit versions (as opposed to main), since otherwise
> you will have no idea what you are building.
>

Is this a case of opnfv code / scripts  that clone in an external repo? If
you could give me an example case to help understand..


>
> We also have a similar problem with external repositories: if you install
> Linux packages from an external repository, you again have a risk that
> there are random changes to what is installed. This is fortunately mostly
> relevant for installers.
>

 Understood, there is not much I believe we can do here in respect of this
work item.


> -Tapio
>
>
>
>
> On 12/19/2016 03:28 PM, Luke Hinds wrote:
>
> Hi Yujun,
>
> I would need Fatih to comment as I am not that up to speed on CI. The
> following is an albeit incomplete example of how we will wire this in:
>
> https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%
> 2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv
> -security-scan.yml
>
> Regards,
>
> Luke
>
> On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang 
> wrote:
>
>> Luke,
>>
>> I remember that Fatih once mentioned that there are no gates in OPNFV CI
>> yet. So you are talking about some additional verification jobs enforced on
>> each commit. Or it is something like the current daily/weekly job.
>>
>> Could you help to clarify it?
>>
>> On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds  wrote:
>>
>>> Hi,
>>>
>>> Myself and Ash with help from Fatih are currently prototyping some new
>>> gates we plan to phase in over time.
>>>
>>> The idea is that each commit made to an OPNFV repo will perform some
>>> checks.
>>>
>>> 1. Search for any strings containing passwords, ssh / tls certs and
>>> other stuff we don't want sitting around in repos to then be scooped up for
>>> a release.
>>>
>>> 2. Search out any binaries. We need to be very strict over what compiled
>>> binaries are packaged in release (if any at all), as a binary could be
>>> compromised (without the knowledge of the project itself).
>>>
>>> 3. Security lint checks. Code will be searched for patterns such as
>>> shell executions, xss flaws etc and reports linked within the gate.
>>>
>>> The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide
>>> for projects, with the support of the security group, if needed.
>>>
>>> For both 1,2 we will maintain a waiver / exception list. This means that
>>> if no threat is shown to be present, an ignore entry can be made for a
>>> single project. The gate will then allow the said string, file etc to pass
>>> with no vote.
>>>
>>> Initially we are working with a sandbox project, so expect no
>>> interruptions at all. From there we will start to bring projects over, so
>>> they will be aware ahead of any changes implemented that will affect them.
>>>
>>> Cheers,
>>>
>>> Luke
>>>
>>
>
>
> --
> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
> 12 52 36 2483
>
>
>
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [Apex] opnfv util script?

2016-12-19 Thread Tim Rozet
Hi Mark,
You should be able to use:

[root@nfvsdn-05 apex]# ci/util.sh -h
Usage:
ci/util.sh subcommand [ arguments ]

Arguments:

   undercloud [ user [ command ] ]   Connect to Undercloud VM as user and optionally execute a command
       user      Optional: Defaults to 'stack'
       command   Optional: Defaults to none

   opendaylight                      Connect to OpenDaylight Karaf console

   overcloud  [ node [ command ] ]   Connect to an Overcloud node and optionally execute a command
       node      Required: in format controller|compute.  Example: controller0
       command   Optional: Defaults to none

   debug-stack                       Print parsed deployment failures to stdout

   mock-detached on | off            Add firewall rules to the jump host to mock a detached deployment


Tim Rozet
Red Hat SDN Team

- Original Message -
From: "Mark Beierl" 
To: opnfv-tech-discuss@lists.opnfv.org
Sent: Friday, December 16, 2016 5:01:03 PM
Subject: [opnfv-tech-discuss] [Apex] opnfv util script?

Hello, 

When doing a development deployment of Apex, how do I get access to the opnfv 
helper script that is present in a full deployment? I'd like to ssh to the 
compute and control nodes, or at least find out their IP addresses. 

Regards, 
Mark 

Mark Beierl 
Advisory Solutions Architect 
Dell EMC | Office of the CTO 
mobile +1 613 314 8106 
mark.bei...@dell.com 




Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
Yujun,

I said gate, but I meant check (so every time a commit happens, not a
workflow +1)

Luke

On Mon, Dec 19, 2016 at 1:28 PM, Luke Hinds  wrote:

> Hi Yujun,
>
> I would need Fatih to comment as I am not that up to speed on CI. The
> following is an albeit incomplete example of how we will wire this in:
>
> https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=
> refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%
> 2Fopnfv-security-scan.yml
>
> Regards,
>
> Luke
>
> On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang 
> wrote:
>
>> Luke,
>>
>> I remember that Fatih once mentioned that there are no gates in OPNFV CI
>> yet. So you are talking about some additional verification jobs enforced on
>> each commit. Or it is something like the current daily/weekly job.
>>
>> Could you help to clarify it?
>>
>> On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds  wrote:
>>
>>> Hi,
>>>
>>> Myself and Ash with help from Fatih are currently prototyping some new
>>> gates we plan to phase in over time.
>>>
>>> The idea is that each commit made to an OPNFV repo will perform some
>>> checks.
>>>
>>> 1. Search for any strings containing passwords, ssh / tls certs and
>>> other stuff we don't want sitting around in repos to then be scooped up for
>>> a release.
>>>
>>> 2. Search out any binaries. We need to be very strict over what compiled
>>> binaries are packaged in release (if any at all), as a binary could be
>>> compromised (without the knowledge of the project itself).
>>>
>>> 3. Security lint checks. Code will be searched for patterns such as
>>> shell executions, xss flaws etc and reports linked within the gate.
>>>
>>> The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide
>>> for projects, with the support of the security group, if needed.
>>>
>>> For both 1,2 we will maintain a waiver / exception list. This means that
>>> if no threat is shown to be present, an ignore entry can be made for a
>>> single project. The gate will then allow the said string, file etc to pass
>>> with no vote.
>>>
>>> Initially we are working with a sandbox project, so expect no
>>> interruptions at all. From there we will start to bring projects over, so
>>> they will be aware ahead of any changes implemented that will affect them.
>>>
>>> Cheers,
>>>
>>> Luke
>>>
>>
>
>
> --
> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
> 12 52 36 2483
>



-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Tapio Tallgren

Luke,

Since you are checking for binary files (point 2), will you also check 
all checkouts from version control systems (like git)? I would like all 
of these to pull in explicit versions (as opposed to main), since 
otherwise you will have no idea what you are building.


We also have a similar problem with external repositories: if you 
install Linux packages from an external repository, you again have a 
risk that there are random changes to what is installed. This is 
fortunately mostly relevant for installers.


-Tapio



On 12/19/2016 03:28 PM, Luke Hinds wrote:

Hi Yujun,

I would need Fatih to comment as I am not that up to speed on CI. The 
following is an albeit incomplete example of how we will wire this in:


https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml

Regards,

Luke

On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang > wrote:


Luke,

I remember that Fatih once mentioned that there are no gates in
OPNFV CI yet. So you are talking about some additional
verification jobs enforced on each commit. Or it is something like
the current daily/weekly job.

Could you help to clarify it?

On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds wrote:

Hi,

Myself and Ash with help from Fatih are currently prototyping
some new gates we plan to phase in over time.

The idea is that each commit made to an OPNFV repo will
perform some checks.

1. Search for any strings containing passwords, ssh / tls
certs and other stuff we don't want sitting around in repos to
then be scooped up for a release.

2. Search out any binaries. We need to be very strict over
what compiled binaries are packaged in release (if any at
all), as a binary could be compromised (without the knowledge
of the project itself).

3. Security lint checks. Code will be searched for patterns
such as shell executions, xss flaws etc and reports linked
within the gate.

The plan is to have 1,2 as voting (-1 / +1) and 3 initially as
a guide for projects, with the support of the security group,
if needed.

For both 1,2 we will maintain a waiver / exception list. This
means that if no threat is shown to be present, an ignore
entry can be made for a single project. The gate will then
allow the said string, file etc to pass with no vote.

Initially we are working with a sandbox project, so expect no
interruptions at all. From there we will start to bring
projects over, so they will be aware ahead of any changes
implemented that will affect them.

Cheers,

Luke
___
opnfv-security mailing list
opnfv-secur...@lists.opnfv.org

https://lists.opnfv.org/mailman/listinfo/opnfv-security





--
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44 12 52 36 2483




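The pinning concern Tapio raises above (git checkouts of a moving branch, packages pulled from external repositories without a version) can itself be turned into a gate check. The following is an added example, not OPNFV releng code and not part of the Gerrit change linked in the thread: a small Python lint that flags `git clone`/`git checkout`, `pip install git+...` and `apt-get install` lines that name no explicit version. The regexes are a heuristic, the sample script is constructed, and as a design choice only a full 40-hex commit SHA counts as a pinned git ref, since branch names and tags can both be moved to point at different content.

```python
"""Added example: lint for unpinned fetches and installs in a deploy
script. Not OPNFV code; regexes are a heuristic and SAMPLE_SCRIPT is
constructed. Only a full commit SHA is treated as a pinned git ref."""
import re

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
GIT_CLONE = re.compile(r"\bgit\s+clone\b(?P<args>.*)")
GIT_CHECKOUT = re.compile(r"\bgit\s+checkout\s+(?!-)(?P<ref>\S+)")
BRANCH_OPT = re.compile(r"(?:-b|--branch)[\s=]+(?P<ref>\S+)")
# pip VCS URL: git+https://host/repo.git[@ref][#egg=name]
PIP_GIT = re.compile(r"git\+https?://\S+?(?:@(?P<ref>[^#\s]+))?(?:#\S*)?(?=\s|$)")
# apt/apt-get install with optional flags before "install"; apt pins as pkg=version
APT_INSTALL = re.compile(r"\b(?:apt-get|apt)(?:\s+-\S+)*\s+install\s+(?P<pkgs>.*)")


def is_pinned(ref: str) -> bool:
    return bool(COMMIT_SHA.match(ref))


def pinned_checkout_lines(lines: list) -> set:
    """Line numbers that run 'git checkout <full sha>'."""
    out = set()
    for no, line in enumerate(lines, 1):
        m = GIT_CHECKOUT.search(line)
        if m and is_pinned(m["ref"]):
            out.add(no)
    return out


def check_pins(script: str) -> list:
    """Return (line_no, reason) for every fetch or install without a pin."""
    lines = script.splitlines()
    pinned = pinned_checkout_lines(lines)
    findings = []
    for no, line in enumerate(lines, 1):
        m = GIT_CLONE.search(line)
        if m:
            b = BRANCH_OPT.search(m["args"])
            if b:
                findings.append((no, f"git clone -b {b['ref']!r} names a branch or tag, not a commit"))
            # A plain clone is acceptable only if a SHA checkout follows it
            # later in the same script (heuristic: later line number).
            elif not any(j > no for j in pinned):
                findings.append((no, "git clone of the default branch with no pinned checkout afterwards"))
        else:
            m = GIT_CHECKOUT.search(line)
            if m and not is_pinned(m["ref"]):
                findings.append((no, f"git checkout {m['ref']!r} is not a full commit SHA"))
        for m in PIP_GIT.finditer(line):
            if not (m["ref"] and is_pinned(m["ref"])):
                findings.append((no, f"pip VCS install without a commit SHA: {m.group(0)}"))
        m = APT_INSTALL.search(line)
        if m:
            for pkg in m["pkgs"].split():
                if not pkg.startswith("-") and "=" not in pkg:
                    findings.append((no, f"package {pkg!r} installed without a version pin"))
    return findings


# Constructed sample: hosts and repos are placeholders, not real projects.
SAMPLE_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_SCRIPT = f"""\
#!/bin/bash
git clone https://example.invalid/foo.git
cd foo && git checkout {SAMPLE_SHA}
git clone -b master https://example.invalid/bar.git
pip install git+https://example.invalid/baz.git@main
pip install git+https://example.invalid/qux.git@{SAMPLE_SHA}#egg=qux
apt-get install -y libssl-dev=1.1.0g-2ubuntu4
apt-get install -y jq curl=7.58.0-2ubuntu3
"""

if __name__ == "__main__":
    for no, reason in check_pins(SAMPLE_SCRIPT):
        print(f"line {no}: {reason}")
```

Run against the sample script, lines 4, 5 and 8 are reported (branch clone, pip install of `main`, unpinned `jq`); the clone on line 2 passes because line 3 checks out a full SHA.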

Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
Hi Yujun,

I would need Fatih to comment as I am not that up to speed on CI. The
following is an albeit incomplete example of how we will wire this in:

https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml

Regards,

Luke

On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang 
wrote:

> Luke,
>
> I remember that Fatih once mentioned that there are no gates in OPNFV CI
> yet. So you are talking about some additional verification jobs enforced on
> each commit. Or it is something like the current daily/weekly job.
>
> Could you help to clarify it?
>
> On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds  wrote:
>
>> Hi,
>>
>> Myself and Ash with help from Fatih are currently prototyping some new
>> gates we plan to phase in over time.
>>
>> The idea is that each commit made to an OPNFV repo will perform some
>> checks.
>>
>> 1. Search for any strings containing passwords, ssh / tls certs and other
>> stuff we don't want sitting around in repos to then be scooped up for a
>> release.
>>
>> 2. Search out any binaries. We need to be very strict over what compiled
>> binaries are packaged in release (if any at all), as a binary could be
>> compromised (without the knowledge of the project itself).
>>
>> 3. Security lint checks. Code will be searched for patterns such as shell
>> executions, xss flaws etc and reports linked within the gate.
>>
>> The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide
>> for projects, with the support of the security group, if needed.
>>
>> For both 1,2 we will maintain a waiver / exception list. This means that
>> if no threat is shown to be present, an ignore entry can be made for a
>> single project. The gate will then allow the said string, file etc to pass
>> with no vote.
>>
>> Initially we are working with a sandbox project, so expect no
>> interruptions at all. From there we will start to bring projects over, so
>> they will be aware ahead of any changes implemented that will affect them.
>>
>> Cheers,
>>
>> Luke
>> ___
>> opnfv-security mailing list
>> opnfv-secur...@lists.opnfv.org
>> https://lists.opnfv.org/mailman/listinfo/opnfv-security
>>
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Yujun Zhang
Luke,

I remember that Fatih once mentioned that there are no gates in OPNFV CI
yet. So you are talking about some additional verification jobs enforced on
each commit. Or it is something like the current daily/weekly job.

Could you help to clarify it?

On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds  wrote:

> Hi,
>
> Myself and Ash with help from Fatih are currently prototyping some new
> gates we plan to phase in over time.
>
> The idea is that each commit made to an OPNFV repo will perform some
> checks.
>
> 1. Search for any strings containing passwords, ssh / tls certs and other
> stuff we don't want sitting around in repos to then be scooped up for a
> release.
>
> 2. Search out any binaries. We need to be very strict over what compiled
> binaries are packaged in release (if any at all), as a binary could be
> compromised (without the knowledge of the project itself).
>
> 3. Security lint checks. Code will be searched for patterns such as shell
> executions, xss flaws etc and reports linked within the gate.
>
> The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide for
> projects, with the support of the security group, if needed.
>
> For both 1,2 we will maintain a waiver / exception list. This means that
> if no threat is shown to be present, an ignore entry can be made for a
> single project. The gate will then allow the said string, file etc to pass
> with no vote.
>
> Initially we are working with a sandbox project, so expect no
> interruptions at all. From there we will start to bring projects over, so
> they will be aware ahead of any changes implemented that will affect them.
>
> Cheers,
>
> Luke
> ___
> opnfv-security mailing list
> opnfv-secur...@lists.opnfv.org
> https://lists.opnfv.org/mailman/listinfo/opnfv-security
>


[opnfv-tech-discuss] Security checks at Gate

2016-12-19 Thread Luke Hinds
Hi,

Myself and Ash with help from Fatih are currently prototyping some new
gates we plan to phase in over time.

The idea is that each commit made to an OPNFV repo will perform some
checks.

1. Search for any strings containing passwords, ssh / tls certs and other
stuff we don't want sitting around in repos to then be scooped up for a
release.

2. Search out any binaries. We need to be very strict over what compiled
binaries are packaged in release (if any at all), as a binary could be
compromised (without the knowledge of the project itself).

3. Security lint checks. Code will be searched for patterns such as shell
executions, xss flaws etc and reports linked within the gate.

The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide for
projects, with the support of the security group, if needed.

For both 1,2 we will maintain a waiver / exception list. This means that if
no threat is shown to be present, an ignore entry can be made for a single
project. The gate will then allow the said string, file etc to pass with no
vote.

Initially we are working with a sandbox project, so expect no interruptions
at all. From there we will start to bring projects over, so they will be
aware ahead of any changes implemented that will affect them.

Cheers,

Luke
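As an added illustration of checks 1 and 2 and the waiver list described in the post above (example code written for this page, not the OPNFV releng job or anything from the security group's prototype): a minimal Python gate that scans a checkout for secret-looking strings and compiled binaries, subtracts findings waived for the project, and returns a Gerrit-style -1/+1 vote. The secret patterns are a small illustrative set, the binary heuristic is magic-number-or-NUL-byte, and the sample tree, project name and waiver entries are all constructed.

```python
"""Added example: a minimal pre-merge gate for checks 1 and 2 from the
thread (secret strings, compiled binaries) with a per-project waiver
list. Not OPNFV releng code; patterns, file names and the sample tree
below are constructed for the demo."""
import re
import tempfile
from pathlib import Path

# Check 1: material that must not sit in a repo. A small illustrative
# set, not an exhaustive secret-detection ruleset.
SECRET_PATTERNS = {
    "private-key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password-literal": re.compile(
        rb"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"]?[^\s'\"]{4,}"),
}

# Check 2: treat a file as binary if it starts with a known magic number
# (ELF, gzip, zip, Mach-O) or has a NUL byte in its first 8 KiB.
BINARY_MAGICS = (b"\x7fELF", b"\x1f\x8b", b"PK\x03\x04", b"\xcf\xfa\xed\xfe")


def is_binary(data: bytes) -> bool:
    head = data[:8192]
    return head.startswith(BINARY_MAGICS) or b"\x00" in head


def scan_file(path: Path, root: Path) -> list:
    """Return (check, relative-path) findings for one file."""
    rel = path.relative_to(root).as_posix()
    data = path.read_bytes()
    if is_binary(data):
        return [("binary", rel)]  # no point regex-scanning a binary
    return [(name, rel) for name, pat in SECRET_PATTERNS.items() if pat.search(data)]


def scan_tree(root: Path) -> list:
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and ".git" not in path.relative_to(root).parts:
            findings.extend(scan_file(path, root))
    return findings


def gate(root: Path, project: str, waivers: dict):
    """Return (vote, blocking, waived). A waiver is a (check, path) pair
    recorded for one project after review found no real threat; a waived
    finding passes without affecting the vote, as the post describes."""
    allowed = waivers.get(project, set())
    findings = scan_tree(root)
    blocking = [f for f in findings if f not in allowed]
    waived = [f for f in findings if f in allowed]
    return (-1 if blocking else +1), blocking, waived


# Constructed sample tree: two secrets, one stray ELF, one waived fixture.
SAMPLE_FILES = {
    "ci/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
    "deploy/config.yml": b"db_user: opnfv\ndb_password: \"hunter2\"\n",
    "docs/README.md": b"# Sandbox project\nNo secrets here.\n",
    "tests/fixtures/sample.tar.gz": b"\x1f\x8b\x08\x00" + b"\x00" * 12,
    "tools/helper": b"\x7fELF\x02\x01\x01" + b"\x00" * 16,
}
SAMPLE_WAIVERS = {"sandbox": {("binary", "tests/fixtures/sample.tar.gz")}}


def demo():
    """Write the sample tree to a temp dir and run the gate on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return gate(root, "sandbox", SAMPLE_WAIVERS)


if __name__ == "__main__":
    vote, blocking, waived = demo()
    print("vote:", vote)
    print("blocking:", blocking)
    print("waived:", waived)
```

On the sample tree the gate votes -1 with three blocking findings (the private key, the password literal and the unexplained ELF) while the gzip fixture is reported as waived and does not affect the vote. In a real job the waiver list would live under version control with the review that justified each entry, so an "ignore" is itself auditable.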