<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 18, 2015 at 12:52 PM, Eric Harney <span dir="ltr"><<a href="mailto:eharney@redhat.com" target="_blank">eharney@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 09/18/2015 01:01 PM, John Griffith wrote:<br>
> On Fri, Sep 18, 2015 at 9:06 AM, Chris Friesen <<a href="mailto:chris.friesen@windriver.com">chris.friesen@windriver.com</a>><br>
> wrote:<br>
><br>
>> On 09/18/2015 06:57 AM, Eric Harney wrote:<br>
>><br>
>>> On 09/17/2015 06:06 PM, John Griffith wrote:<br>
>>><br>
>><br>
>> Having the "global conf" settings intermixed with the backend sections<br>
>>>> caused a number of issues when we first started working on this. That's<br>
>>>> part of why we require the "self.configuration" usage all over in the<br>
>>>> drivers. Each driver instantiation is it's own independent entity.<br>
>>>><br>
>>>><br>
>>> Yes, each driver instantiation is independent, but that would still be<br>
>>> the case if these settings inherited values set in [DEFAULT] when they<br>
>>> aren't set in the backend section.<br>
>>><br>
>><br>
>> Agreed. If I explicitly set something in the [DEFAULT] section, that<br>
>> should carry through and apply to all the backends unless overridden in the<br>
>> backend-specific section.<br>
>><br>
>> Chris<br>
>><br>
>><br>
</span><span class="">> Meh I don't know about the "have to modify the code", the config file works<br>
> you just need to add that line to your driver section and configure the<br>
> backend correctly.<br>
><br>
<br>
</span>My point is that there doesn't seem to be a justification for "you just<br>
need to add that line to your driver section", which seems to counter<br>
what most people's expectation would be.<br></blockquote><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline">There certainly is, I don't want to force the same options against all backends. Perfect example is the issues with some distros in the past that DID use global settings and stomp over any driver; which in turn broke those that weren't compatible with that conf setting even though in the driver section they overrode it.</div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
People can and do fail to do that, because they assume that [DEFAULT]<br>
settings are treated as defaults.<br></blockquote><div><br></div><div class="gmail_default" style="font-family:monospace,monospace">Bad assumption, we should probably document this until we fix it (making a very large assumption that we'll ever agree on how to fix it).</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
To help people who make that assumption, yes, you have to modify the<br>
code, because the code supplies a default value that you cannot supply<br>
in the same way via config files.<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline">Or you could just fill out the config file properly:</div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline"> [lvm-1]</div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline"> iscsi_helper = lioadm</div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline"><br></div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline">I didn't have to modify any code.</div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline"></div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
> Regardless, I see your point (but I still certainly don't agree that it's<br>
> "blatantly wrong").<br>
><br>
<br>
</span>You can substitute "very confusing" for "blatantly wrong" but I think<br>
those are about the same thing when talking about usability issues with<br>
how to configure a service.<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline">Fair enough. Call it whatever you like.</div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Look at options like:<br>
- strict_ssh_host_key_policy<br>
- sio_verify_server_certificate<br>
- driver_ssl_cert_verify </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
All of these default to False, and if turned on, enable protections<br>
against MITM attacks. All of them also fail to turn on for the relevant<br>
drivers if set in [DEFAULT]. These should, if set in DEFAULT when using<br>
multi-backend, issue a warning so the admin knows that they are not<br>
getting the intended security guarantees. Instead, nothing happens and<br>
Cinder and the storage works. Confusion is dangerous.<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline">Yeah, so is crappy documentation lack of understanding.</div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
> Bottom line "yes", ideally in the case of drivers we would check<br>
> global/default setting, and then override it if something was provided in<br>
> the driver specific setting, or if the driver itself set a different<br>
> default. That seems like the right way to be doing it anyway. I've looked<br>
> at that a bit this morning, the issue is that currently we don't even pass<br>
> any of those higher level conf settings in to the drivers init methods<br>
> anywhere. Need to figure out how to change that, then it should be a<br>
> relatively simple fix.<br>
><br>
<br>
</span>What I was getting at earlier though, is that I'm not really sure there<br>
is a simple fix. It may be simple to change the behavior to more<br>
predictable behavior, but doing that in a way that doesn't introduce<br>
upgrade problems for deployments relying on the current defaults seems<br>
difficult to me.<br></blockquote><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline">Agreed, but honestly I'd like to at least try. Especially when people use terms like "blatantly wrong" and "dangerous", kinda prompts one to think </div> <div class="gmail_default" style="font-family:monospace,monospace;display:inline">that perhaps it should be looked at. If nothing else, we shouldn't have driver settings in the DEFAULT section, we should just create a driver section, but we still need to figure out how to deal with things outside of the "general" section vs the backend stanza.</div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline"><br></div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline">Also, I'd argue that the behavior your arguing for is MORE dangerous and troublesome. The LIO being in the global CONF was a perfect example where it broke third party devices on a specific distro because it assumed that EVERYTHING on the system was using the lio methods and in that case you really couldn't do anything but modify code.</div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline"><br></div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline">I've pinged you a number of times on IRC, maybe we can chat there a bit real-time and see if we can work together on a solution?</div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline"><br></div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline">Thanks,</div></div><div><div class="gmail_default" style="font-family:monospace,monospace;display:inline">John</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5"><br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br></div></div>