<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><h1 data-mce-style="text-align: left;" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 36px; widows: 1;" class=""><font size="4" class=""><a href="https://www.eventbrite.com/e/openstack-summit-october-2015-tokyo-tickets-17356780598" data-mce-href="https://www.eventbrite.com/e/openstack-summit-october-2015-tokyo-tickets-17356780598" class="">Register for OpenStack Summit Tokyo 2015</a></font></h1><h1 data-mce-style="text-align: left;" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 36px; widows: 1;" class=""><span style="font-size: 13px; font-weight: normal; line-height: 18px;" class="">Full access registration prices increase on</span><span style="font-size: 13px; font-weight: normal; line-height: 18px;" class=""> </span><strong style="font-size: 13px; line-height: 18px;" class="">9/29 at 11:59pm PT</strong></h1><h1 data-mce-style="text-align: left;" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 36px; widows: 1;" class=""><a href="http://superuser.openstack.org/articles/this-trove-of-user-stories-highlights-what-people-want-in-openstack" data-mce-href="http://superuser.openstack.org/articles/this-trove-of-user-stories-highlights-what-people-want-in-openstack" class=""><font size="4" class="">This trove of user stories highlights what people want in OpenStack</font></a></h1><h1 data-mce-style="text-align: left;" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 36px; widows: 1;" class=""><span style="font-size: 12px; font-weight: normal; line-height: 18px; background-color: rgb(255, 255, 255);" class="">The Product Working Group recently launched a Git repository to collect requirements ranging 
from encrypted storage to rolling upgrades.</span></h1><h1 data-mce-style="text-align: left;" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 36px; widows: 1;" class=""><a href="http://superuser.openstack.org/articles/how-storage-works-in-containers" data-mce-href="http://superuser.openstack.org/articles/how-storage-works-in-containers" class=""><font size="4" class="">How storage works in containers</font></a></h1><h1 data-mce-style="text-align: left;" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 36px; widows: 1;" class=""><span style="font-size: 12px; font-weight: normal; line-height: 18px; background-color: rgb(255, 255, 255);" class="">Nick Gerasimatos, senior director of cloud services engineering at FICO, dives into the lack of persistent storage with containers and how Docker volumes and data containers provide a fix.</span></h1><h3 class="" style="background-color: rgb(255, 255, 255);"><font class=""><div class=""><span class=""><font size="4" class="">The Road to Tokyo </font></span></div></font></h3><ul class="" style="background-color: rgb(255, 255, 255);"><li class="li5"><span class="s4"><span class="s5"><a href="http://superuser.openstack.org/articles/get-your-openstack-summit-tokyo-visa-in-five-steps" data-mce-href="http://superuser.openstack.org/articles/get-your-openstack-summit-tokyo-visa-in-five-steps" class="">Get your OpenStack Summit Tokyo visa in five steps: Deadline for Visa invitation requests is <strong class="">10/1</strong></a></span></span></li><li class="li5"><a href="https://www.openstack.org/summit/tokyo-2015/schedule/" data-mce-href="https://www.openstack.org/summit/tokyo-2015/schedule/" class="">The schedule and mobile app for the OpenStack Summit in Tokyo are now available</a></li></ul><div class=""><h1 data-mce-style="text-align: left;" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 36px; 
widows: 1;" class=""><font size="4" class="">Community feedback</font></h1><h1 data-mce-style="text-align: left;" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 36px; widows: 1;" class=""><span style="font-weight: normal; font-size: 12px;" class=""><span style="line-height: 18px;" class="">OpenStack is always interested in feedback and community contributions, if you would like to see a new section in the OpenStack Weekly Community Newsletter or have ideas on how to present content please get in touch: </span><span class="s1" style="line-height: 18px;"><a href="mailto:community@openstack.org" data-mce-href="mailto:community@openstack.org" class="">community@openstack.org</a>.</span></span></h1></div><h2 class="" style="background-color: rgb(255, 255, 255);">Reports from Previous Events </h2><ul class="" style="background-color: rgb(255, 255, 255);"><li class="li5"><h4 class="" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 18px;"><a href="https://developer.ibm.com/opentech/2015/09/20/openstack-heats-up-silicon-valley/" data-mce-href="https://developer.ibm.com/opentech/2015/09/20/openstack-heats-up-silicon-valley/" class="" style="font-weight: normal;">OpenStack Heats Up Silicon Valley</a></h4></li><li class="li5"><h4 class="" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 18px;"><a href="http://superuser.openstack.org/articles/openstack-day-benelux-2015" data-mce-href="http://superuser.openstack.org/articles/openstack-day-benelux-2015" class="" style="font-weight: normal;">OpenStack Day Benelux 2015</a></h4></li></ul><h2 class="" style="background-color: rgb(255, 255, 255);">Deadlines and Contributors Notifications </h2><ul class="" style="background-color: rgb(255, 255, 255);"><li class="li5" style="box-sizing: border-box;"><a href="https://wiki.openstack.org/wiki/Liberty_Release_Schedule" class="" style="box-sizing: border-box; 
text-decoration: none; background-color: transparent;"><font color="#0061ff" class="">Liberty Release Oct. 15, 2015</font></a></li></ul><h2 class="" style="background-color: rgb(255, 255, 255);">Security Advisories and Notices </h2><ul class="" style="background-color: rgb(255, 255, 255);"><li class="li5"><a href="http://lists.openstack.org/pipermail/openstack-announce/2015-September/000655.html" target="_blank" data-mce-href="http://lists.openstack.org/pipermail/openstack-announce/2015-September/000655.html" class="">[openstack-announce] [OSSA 2015-019] Glance image status manipulation (CVE-2015-5251)</a></li></ul><h2 class="" style="background-color: rgb(255, 255, 255);">Tips ‘n Tricks </h2><ul class="" style="background-color: rgb(255, 255, 255);"><li class="li5">By <a href="http://blog.coolsvap.net/" target="_blank" data-mce-href="http://blog.coolsvap.net/" class="">Swapnil Kulkarni</a>: <a href="http://blog.coolsvap.net/2015/09/24/openstackrdo-test-day-liberty/" target="_blank" data-mce-href="http://blog.coolsvap.net/2015/09/24/openstackrdo-test-day-liberty/" class="">[OpenStack][RDO] Liberty Test-Day</a></li></ul><h2 class="" style="background-color: rgb(255, 255, 255);"><a href="https://www.openstack.org/community/events" data-mce-href="https://www.openstack.org/community/events" class="">Upcoming Events</a> </h2><ul class="" style="background-color: rgb(255, 255, 255);"><li class=""><a href="https://us.pycon.org/2016/speaking/" data-mce-href="https://us.pycon.org/2016/speaking/" class="">Sep 28, 2015 – Jan 3, 2016 Presenting At PyCon (call for papers) Portland, OR, US </a></li><li class=""><a href="https://groups.openstack.org/groups/frederick-md/cloud-storage-openstack" data-mce-href="https://groups.openstack.org/groups/frederick-md/cloud-storage-openstack" class="">Sep 29 – 30, 2015 Cloud Storage in OpenStack</a></li><li class=""><a href="http://www.meetup.com/OpenStackRomania/events/222910344/" 
data-mce-href="http://www.meetup.com/OpenStackRomania/events/222910344/" class="">Oct 01, 2015 OpenStack Meetup Cluj Cluj-Napoc, Cluj, RO</a></li><li class=""><a href="http://www.meetup.com/openstack/events/221806052/" data-mce-href="http://www.meetup.com/openstack/events/221806052/" class="">Oct 01, 2015 South Bay OpenStack Meetup, Beginner track San Francisco, CA, US</a></li><li class=""><a href="http://www.meetup.com/meetup-group-NjZdcegA/events/225081881/" data-mce-href="http://www.meetup.com/meetup-group-NjZdcegA/events/225081881/" class="">Oct 01 – 02, 2015 October OpenStack Meetup – SDN and Containers Chicago, IL, US</a></li><li class=""><a href="http://www.gartner.com/events/na/orlando-symposium" data-mce-href="http://www.gartner.com/events/na/orlando-symposium" class="">Oct 04 – 08, 2015 Gartner SymposiumITxpo Orlando, FL, US</a></li><li class=""><a href="http://www.meetup.com/Australian-OpenStack-User-Group/events/220202327/" data-mce-href="http://www.meetup.com/Australian-OpenStack-User-Group/events/220202327/" class="">Oct 06, 2015 October Sydney Meetup</a></li><li class=""><a href="http://www.meetup.com/openstackhoustonmeetup/events/224870393/?eventId=224870393&action=detail" data-mce-href="http://www.meetup.com/openstackhoustonmeetup/events/224870393/?eventId=224870393&action=detail" class="">Oct 07, 2015 Houston OpenStack Meetup Houston, TX, US</a></li><li class=""><a href="http://www.meetup.com/OpenStack-DFW/events/225014699/" data-mce-href="http://www.meetup.com/OpenStack-DFW/events/225014699/" class="">Oct 07 – 08, 2015 OpenStack Liberty Release Richardson, TX, US</a></li><li class=""><a href="http://www.meetup.com/openstackhoustonmeetup/events/224870393/" data-mce-href="http://www.meetup.com/openstackhoustonmeetup/events/224870393/" class="">Oct 07 – 08, 2015 OpenStack 101 Houston, TX, US</a></li></ul><font size="4" class=""><b class="">What you need to know from the developer’s list</b></font><div class=""><div class="" style="widows: 1;"><span 
class="" style="color: inherit; font-family: inherit; line-height: inherit; white-space: pre-wrap;"></span></div><div class="" style="widows: 1;"><h3 data-mce-style="text-align: left;" class="" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 27px;"><span data-mce-style="font-weight: 400;" class="" style="font-weight: 400;"><a href="http://lists.openstack.org/pipermail/openstack-dev/2015-September/075227.html" target="_blank" data-mce-href="http://lists.openstack.org/pipermail/openstack-dev/2015-September/075227.html" class="">Handling Projects with no PTL candidates</a></span></h3><ul data-mce-style="text-align: left;" class="" style="color: rgb(51, 51, 51); line-height: 24px;"><li class=""><span data-mce-style="font-weight: 400;" class="">The technical committee will appoint a PTL [1] if there is no identified eligible candidate.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Appointed PTLs:</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Robert Clark nominated security PTL</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Serg Melikyan nominated Murano PTL</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Douglas Mendizabal nominated Barbican PTL</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Election for Magnum PTL between Adrian Otto and Hongbin Lu</span></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">With MagnetoDB being abandoned, no PTL was chosen. 
Instead, it will be fast tracked for removal [2] from the official list of OpenStack projects.</span></li></ul><h3 data-mce-style="text-align: left;" class="" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 27px;"><span data-mce-style="font-weight: 400;" class="" style="font-weight: 400;"><a href="http://lists.openstack.org/pipermail/openstack-dev/2015-September/075075.html" target="_blank" data-mce-href="http://lists.openstack.org/pipermail/openstack-dev/2015-September/075075.html" class="">Release help needed - we are incompatible with ourselves</a></span></h3><ul data-mce-style="text-align: left;" class="" style="color: rgb(51, 51, 51); line-height: 24px;"><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Robert Collins raises that while the constraints system in place for how we recognize incompatible components in our release is working, the release team needs help from the community to fix the incompatibility that exists so we can cut the full Liberty release.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Issues that exist:</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">OpenStack client not able to create an image.</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Fix is merged [3].</span></li></ul></li></ul></li></ul><h3 data-mce-style="text-align: left;" class="" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 27px;"><span data-mce-style="font-weight: 400;" class="" style="font-weight: 400;"><a href="http://lists.openstack.org/pipermail/openstack-dev/2015-September/075107.html" target="_blank" data-mce-href="http://lists.openstack.org/pipermail/openstack-dev/2015-September/075107.html" class="">Semver and dependency 
changes</a></span></h3><ul data-mce-style="text-align: left;" class="" style="color: rgb(51, 51, 51); line-height: 24px;"><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Robert Collins says we currently don’t provide guidance on what happens when the only changes in a project are dependency changes and a release is made.</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Today the release team treats dependency changes as a “feature” rather than a bug fix (e.g. if the previous release is 1.2.3 and a requirements sync happens, the next version is 1.3.0).</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">The reasons behind this are complex; some guidance is needed to answer the questions:</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Is this requirements change an API break?</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Is this requirements change feature work?</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Is this requirements change a bug fix?</span></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">All of these questions can be true. Some examples:</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Library X exposes library Y as part of its API, and X’s dependency on Y changes from Y>=1 to Y>=2. X does this because it needs a feature from Y==2.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Library Y is not exposed in library X’s API; however, a change in X’s dependency on Y will impact users who independently use Y. 
(ignoring intricacies surrounding pip here.)</span></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Proposal:</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">nothing -> a requirement -> major version change</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">1.x.y -> 2.0.0 -> major version change</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">1.2.y -> 1.3.0 -> minor version change</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">1.2.3 -> 1.2.4 -> patch version change</span></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Thierry Carrez is OK with the last two proposals. Defaulting to a major version bump sounds like a bit of overkill.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Doug Hellmann reminds us that we can’t assume the dependency is using semver itself. We would need something other than the version number to determine from the outside whether the API is in fact breaking.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Due to this problem being so complicated, Doug would rather over-simplify the analysis of requirements updates until we’re better at identifying our own API breaking changes and differentiating between features and bug fixes. 
This will allow us to be consistent, if not 100% correct.</span></li></ul></li></ul><h3 data-mce-style="text-align: left;" class="" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 27px;"><span data-mce-style="font-weight: 400;" class="" style="font-weight: 400;"><a href="http://lists.openstack.org/pipermail/openstack-dev/2015-September/073435.html" target="_blank" data-mce-href="http://lists.openstack.org/pipermail/openstack-dev/2015-September/073435.html" class="">Criteria for applying vulnerability:managed tag</a></span></h3><ul data-mce-style="text-align: left;" class="" style="color: rgb(51, 51, 51); line-height: 24px;"><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">The vulnerability management processes were brought to the big tent a couple of months ago [4].</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Initially we listed which repos the Vulnerability Management Team (VMT) tracks for vulnerabilities.</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">TC decided to change this from repos to deliverables as per-repo tags were decided against.</span></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Jeremy Stanley provides transparency for how deliverables can qualify for this tag:</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">All repos in a given deliverable must qualify. 
If one repo doesn’t, none of the repos in that deliverable do.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Points of contact:</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Deliverable must have a dedicated point of contact.</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">The VMT will engage with this contact to triage reports.</span></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">A group of core reviewers should be part of the &lt;project&gt;-coresec team and will:</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Confirm whether a bug is accurate/applicable.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Provide pre-approval of patches attached to reports.</span></li></ul></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">The PTLs for the deliverable should agree to act as (or delegate) a vulnerability management liaison to escalate for the VMT.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">The bug tracker for the repos within a deliverable should be configured to initially provide access to privately reported vulnerabilities to the VMT.</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">The VMT will determine if the vulnerability is reported against the correct deliverable and redirect when possible.</span></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">The deliverable repos should undergo a third-party 
review/audit looking for obvious signs of insecure design or risky implementation.</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">This aims to keep the VMT’s workload down.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">It has not been identified who will perform this review. Maybe the OpenStack Security project team?</span></li></ul></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Review of this proposal is posted [5].</span></li></ul><h3 data-mce-style="text-align: left;" class="" style="margin: 0px; color: rgb(51, 51, 51); text-rendering: optimizelegibility; line-height: 27px;"><span data-mce-style="font-weight: 400;" class="" style="font-weight: 400;"><a href="http://lists.openstack.org/pipermail/openstack-dev/2015-September/074871.html" target="_blank" data-mce-href="http://lists.openstack.org/pipermail/openstack-dev/2015-September/074871.html" class="">Consistent support for SSL termination proxies across all APIs</a></span></h3><ul data-mce-style="text-align: left;" class="" style="color: rgb(51, 51, 51); line-height: 24px;"><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">While a bug [6] was being debugged, an issue was identified where an API sitting behind a proxy performing SSL termination would not generate the right redirection (http instead of https).</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">A review [7] has been posted to add a config option ‘secure_proxy_ssl_header’, which allows the API service to detect SSL termination based on the X-Forwarded-Proto header.</span></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Another bug with the same issue was opened back in 2014 
[8].</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Several projects applied patches to fix this issue, but are inconsistent:</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Glance added public_endpoint config</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Cinder added public_endpoint config</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Heat added secure_proxy_ssl_header config (through heat.api.openstack:sslmiddleware_filter)</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Nova added secure_proxy_ssl_header config</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Manila added secure_proxy_ssl_header config (through oslo_middleware.ssl:SSLMiddleware.factory)</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Ironic added public_endpoint config</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Keystone added secure_proxy_ssl_header config</span></li></ul></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Ben Nemec comments that solving this at the service level is the wrong place, due to this requiring changes in a bunch of different API services. Instead it should be fixed in the proxy that’s converting the traffic to http.</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Sean Dague notes that this should be done in the service catalog. Service discovery is a base thing that all services should use in talking to each other. 
There’s an OpenStack spec [9] that attempts to get a handle on this.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Mathieu Gagné notes that this won’t work. There is a “split view” in the service catalog where internal management nodes have a specific catalog and public nodes (for users) have a different one.</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Suggestion to use oslo middleware SSL for supporting the ‘secure_proxy_ssl_header’ config to fix the problem with little code.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Sean agrees the split view needs to be considered; however, another layer of work shouldn’t decide if the service catalog is a good way to keep track of what our service URLs are. We shouldn’t push a model where Keystone is optional.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Sean notes that while the ‘secure_proxy_ssl_header’ config solution supports the cases where there is 1 HA Proxy with SSL termination to 1 API service, it may not work in the cases where there is 1 API service to N HA Proxies for:</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Clients needing to understand the “Location:” headers correctly.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Libraries like request/phantomjs can follow the links provided in REST documents, and they’re correct.</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">The minority of services that “operate without keystone” as an option are able to function.</span></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 
400;" class="">ZZelle mentions this solution does not work in the cases when the service itself acts as a proxy (e.g. nova image-list).</span></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Would this solution work in the HA Proxy case where there is one terminating address for multiple backend servers?</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Yes, by honoring the headers X-Forwarded-Host and X-Forwarded-Port which are set by HTTP proxies, making WSGI applications unaware of the fact that there is a request in front of them.</span></li></ul></li></ul></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Jamie Lennox says this same topic came up as a blocker in a Devstack patch to get TLS testing in the gate with HA Proxy.</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Longer-term solution: transition services to use relative links.</span><ul class=""><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">This is a pretty serious change. We’ve been returning absolute URLs forever, so assuming that all client code out there would work with relative links is a big assumption. That’s a major version for sure.</span></li></ul></li></ul></li><li data-mce-style="font-weight: 400;" class=""><span data-mce-style="font-weight: 400;" class="">Sean agrees that we have enough pieces to get something better with proxy headers for Mitaka. 
We can do the remaining edge cases if we clean up the service catalog use.</span></li></ul><p data-mce-style="text-align: left;" class="" style="margin: 0px 0px 9px; line-height: 18px; color: rgb(51, 51, 51);"><span data-mce-style="font-weight: 400;" class="">[1] - </span><a href="http://governance.openstack.org/resolutions/20141128-elections-process-for-leaderless-programs.html" data-mce-href="http://governance.openstack.org/resolutions/20141128-elections-process-for-leaderless-programs.html" class=""><span data-mce-style="font-weight: 400;" class="">http://governance.openstack.org/resolutions/20141128-elections-process-for-leaderless-programs.html</span></a></p><p data-mce-style="text-align: left;" class="" style="margin: 0px 0px 9px; line-height: 18px; color: rgb(51, 51, 51);"><span data-mce-style="font-weight: 400;" class="">[2] - <a href="https://review.openstack.org/#/c/224743/" target="_blank" data-mce-href="https://review.openstack.org/#/c/224743/" class="">https://review.openstack.org/#/c/224743/</a></span></p><p data-mce-style="text-align: left;" class="" style="margin: 0px 0px 9px; line-height: 18px; color: rgb(51, 51, 51);"><span data-mce-style="font-weight: 400;" class="">[3] - </span><a href="https://review.openstack.org/#/c/225443/" data-mce-href="https://review.openstack.org/#/c/225443/" class=""><span data-mce-style="font-weight: 400;" class="">https://review.openstack.org/#/c/225443/</span></a></p><p data-mce-style="text-align: left;" class="" style="margin: 0px 0px 9px; line-height: 18px; color: rgb(51, 51, 51);"><span data-mce-style="font-weight: 400;" class="">[4] - </span><a href="http://governance.openstack.org/reference/tags/vulnerability_managed.html" data-mce-href="http://governance.openstack.org/reference/tags/vulnerability_managed.html" class=""><span data-mce-style="font-weight: 400;" class="">http://governance.openstack.org/reference/tags/vulnerability_managed.html</span></a></p><p data-mce-style="text-align: left;" class="" 
style="margin: 0px 0px 9px; line-height: 18px; color: rgb(51, 51, 51);"><span data-mce-style="font-weight: 400;" class="">[5] - </span><a href="https://review.openstack.org/#/c/226869/" data-mce-href="https://review.openstack.org/#/c/226869/" class=""><span data-mce-style="font-weight: 400;" class="">https://review.openstack.org/#/c/226869/</span></a></p><p data-mce-style="text-align: left;" class="" style="margin: 0px 0px 9px; line-height: 18px; color: rgb(51, 51, 51);"><span data-mce-style="font-weight: 400;" class="">[6] - <a href="https://bugs.launchpad.net/python-novaclient/+bug/1491579" target="_blank" data-mce-href="https://bugs.launchpad.net/python-novaclient/+bug/1491579" class="">https://bugs.launchpad.net/python-novaclient/+bug/1491579</a></span></p><p data-mce-style="text-align: left;" class="" style="margin: 0px 0px 9px; line-height: 18px; color: rgb(51, 51, 51);"><span data-mce-style="font-weight: 400;" class="">[7] - </span><a href="https://review.openstack.org/#/c/206479/" data-mce-href="https://review.openstack.org/#/c/206479/" class=""><span data-mce-style="font-weight: 400;" class="">https://review.openstack.org/#/c/206479/</span></a></p><p data-mce-style="text-align: left;" class="" style="margin: 0px 0px 9px; line-height: 18px; color: rgb(51, 51, 51);"><span data-mce-style="font-weight: 400;" class="">[8] - </span><a href="https://bugs.launchpad.net/glance/+bug/1384379" data-mce-href="https://bugs.launchpad.net/glance/+bug/1384379" class=""><span data-mce-style="font-weight: 400;" class="">https://bugs.launchpad.net/glance/+bug/1384379</span></a></p><p data-mce-style="text-align: left;" class="" style="margin: 0px 0px 9px; line-height: 18px; color: rgb(51, 51, 51);"><span data-mce-style="font-weight: 400;" class="">[9] - <a href="https://review.openstack.org/#/c/181393/" target="_blank" data-mce-href="https://review.openstack.org/#/c/181393/" class="">https://review.openstack.org/#/c/181393/</a></span></p></div><div class="" style="box-sizing: 
border-box; counter-increment: snippet 1; position: relative; margin-left: 40px; color: rgb(85, 84, 89); font-family: monospace; line-height: 14px;"></div></div><em class="" style="background-color: rgb(255, 255, 255);">The weekly newsletter is a way for the community to learn about all the various activities in the OpenStack world.</em></body></html>