On 8/19/14, 2:48 PM, "Ihar Hrachyshka" <ihrachys@redhat.com> wrote:
On 19/08/14 11:35, Thierry Carrez wrote:
Gary Kotton wrote:
I think that only in exceptional cases should we allow changing of default configuration variables. This may break existing setups. I am not in favor of this back port.
I tend to agree with Gary here.
IIUC this is an old bug -- if people encountered it they probably have switched that configuration option to True a long time ago. It's also very easy for downstream consumers to carry the difference if they care (they ship customized config files anyway).
And if they haven't encountered the issue yet, and don't know that default value is failing hard, then we leave our users with DoS unfixed, waiting for their users to break the cloud and then debug the issue, finally discovering that we have defaults that are broken and not even documented as such anywhere.
Where is a DOS attack here? Is this a few extra RPC messages being sent? The bug that this fixes also does not even have the 'importance' assigned. I was under the impression that we only back port Critical and High bugs. I understand that there is an issue, which we all agree can be solved by the user changing a configuration setting. Can anyone point to a customer defining a gateway not on the subnet? I think that is the anomaly here.
Contrast that with breaking existing setups that may rely on that feature... We trade a known evil for a new, unknown one.
Those setups are beyond our control, we don't even know whether they actually exist. So we trade a known evil for a tiny chance of a new, less evil one (those limitations will be caught by consumers in their testbed, with clear message in the log; and if it's really needed, it's a matter of one line changed in conffile).
We also don't mark a config option deprecated in the middle of a stable branch. It's either deprecated at release time, or at the next release time. We can't retroactively deprecate.
We don't deprecate it in Havana. The patch proposes to change the default value only. If you're concerned about specific description of the setting, we may trim it not to mention the part about its deprecation in later releases.
Some aspects of that patch may still be acceptable though (neutron/db/db_base_plugin_v2.py) and we could document that we recommend people turn that option to True in the next point release releasenotes.
If we don't merge the patch, it's the least we can do for our users. Distributions may also set it in their distro-specific config file (neutron-dist.conf).
/Ihar
_______________________________________________
Openstack-stable-maint mailing list
Openstack-stable-maint@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint