Icehouse stable freeze exception for Neutron security fix
Hi, I would like to request a FFE for a neutron patch [0] It is a security bug fix [1] and the corresponding OSSN was issued two weeks ago. The patch in the master landed a few days ago. I believe it is a nice fix in the next stable update. As far as I checked it satiifes the criteria of a stable backport and it looks good to go. [0] https://review.openstack.org/#/c/124375/ [1] https://bugs.launchpad.net/neutron/+bug/1334926 Thanks, Akihiro
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Akihiro, I'm a bit concerned that this patch introduces user-visible change in behaviour. Though we may claim that dropping active connections right after floating-ip is unuassigned is the right thing to do, users of stable branches may think otherwise. That said, formally there is nothing in wiki [1] that forbids changes in behaviour. So I'm kinda agnostic about the request. [1]: https://wiki.openstack.org/wiki/StableBranch#Appropriate_Fixes /Ihar On 29/09/14 08:41, Akihiro Motoki wrote:
Hi,
I would like to request a FFE for a neutron patch [0]
It is a security bug fix [1] and the corresponding OSSN was issued two weeks ago. The patch in the master landed a few days ago. I believe it is a nice fix in the next stable update.
As far as I checked it satiifes the criteria of a stable backport and it looks good to go.
[0] https://review.openstack.org/#/c/124375/ [1] https://bugs.launchpad.net/neutron/+bug/1334926
Thanks, Akihiro _______________________________________________ Openstack-stable-maint mailing list Openstack-stable-maint@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint
-----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) iQEcBAEBCgAGBQJUKSdQAAoJEC5aWaUY1u57nggH/jE2CI0M93LgwiswqQIIEDwe LW9AptPz9fdWguXERWmGm5yeUiCEfjAfiwU4eG89aFc/muW7vFIZX/cSeeG4YasQ ZSeotHGSotn9JUp7oT0+HyXMHpcw3YnoLjZwOmlZAUqE0ag5Dn+idpVPE1yQMUDA aVrFjMaItRA6N+JY9Mbrt6KTbsjIW86oOdzOQ37DOrj3+Qu0LidBJSLwByu6sFzI aCS8cAFyROUmz7kGxES4coBoB0rUt4+fkPS6wvTtrVKrO9lMTBKZm6UzF4AgcC7K bNrpDbhj4GDnj3/pEcFU105Lvbio/XsuixIAP8Rb93vGl0TmrXzccRysiLd6Wbg= =xPXQ -----END PGP SIGNATURE-----
Hi Ihar, Although this patch changes the behavior of floating IP, I believe the previous behavior is a bug as discussed in OSSN-0020 [1]. If a project admin disassociates a floating IP, the project admin expects connections related to the floating IP are not able to be reachable any more in most cases. OSSN-0020 suggests to terminate all connections to an instance associated with the floating IP but it is not easy to do so. The new behavior is desirable and the expected behavior when designed. In addition, it is the behavior of nova-network. IMO this kind of bug behaviors can be fixed in the stable release to make the Neutron behavior less confusing. I hope this FFE is granted but I can't say any more. [1] https://wiki.openstack.org/wiki/OSSN/OSSN-0020 Thanks, Akihiro On Mon, Sep 29, 2014 at 6:33 PM, Ihar Hrachyshka <ihrachys@redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi Akihiro,
I'm a bit concerned that this patch introduces user-visible change in behaviour. Though we may claim that dropping active connections right after floating-ip is unuassigned is the right thing to do, users of stable branches may think otherwise.
That said, formally there is nothing in wiki [1] that forbids changes in behaviour.
So I'm kinda agnostic about the request.
[1]: https://wiki.openstack.org/wiki/StableBranch#Appropriate_Fixes
/Ihar
On 29/09/14 08:41, Akihiro Motoki wrote:
Hi,
I would like to request a FFE for a neutron patch [0]
It is a security bug fix [1] and the corresponding OSSN was issued two weeks ago. The patch in the master landed a few days ago. I believe it is a nice fix in the next stable update.
As far as I checked it satiifes the criteria of a stable backport and it looks good to go.
[0] https://review.openstack.org/#/c/124375/ [1] https://bugs.launchpad.net/neutron/+bug/1334926
Thanks, Akihiro _______________________________________________ Openstack-stable-maint mailing list Openstack-stable-maint@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint
-----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
iQEcBAEBCgAGBQJUKSdQAAoJEC5aWaUY1u57nggH/jE2CI0M93LgwiswqQIIEDwe LW9AptPz9fdWguXERWmGm5yeUiCEfjAfiwU4eG89aFc/muW7vFIZX/cSeeG4YasQ ZSeotHGSotn9JUp7oT0+HyXMHpcw3YnoLjZwOmlZAUqE0ag5Dn+idpVPE1yQMUDA aVrFjMaItRA6N+JY9Mbrt6KTbsjIW86oOdzOQ37DOrj3+Qu0LidBJSLwByu6sFzI aCS8cAFyROUmz7kGxES4coBoB0rUt4+fkPS6wvTtrVKrO9lMTBKZm6UzF4AgcC7K bNrpDbhj4GDnj3/pEcFU105Lvbio/XsuixIAP8Rb93vGl0TmrXzccRysiLd6Wbg= =xPXQ -----END PGP SIGNATURE-----
_______________________________________________ Openstack-stable-maint mailing list Openstack-stable-maint@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint
-- Akihiro Motoki <amotoki@gmail.com>
Looks like this deserves a ffe to me. On Sep 29, 2014 8:58 AM, "Akihiro Motoki" <amotoki@gmail.com> wrote:
Hi Ihar,
Although this patch changes the behavior of floating IP, I believe the previous behavior is a bug as discussed in OSSN-0020 [1]. If a project admin disassociates a floating IP, the project admin expects connections related to the floating IP are not able to be reachable any more in most cases. OSSN-0020 suggests to terminate all connections to an instance associated with the floating IP but it is not easy to do so. The new behavior is desirable and the expected behavior when designed. In addition, it is the behavior of nova-network. IMO this kind of bug behaviors can be fixed in the stable release to make the Neutron behavior less confusing.
I hope this FFE is granted but I can't say any more.
[1] https://wiki.openstack.org/wiki/OSSN/OSSN-0020
Thanks, Akihiro
On Mon, Sep 29, 2014 at 6:33 PM, Ihar Hrachyshka <ihrachys@redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi Akihiro,
I'm a bit concerned that this patch introduces user-visible change in behaviour. Though we may claim that dropping active connections right after floating-ip is unuassigned is the right thing to do, users of stable branches may think otherwise.
That said, formally there is nothing in wiki [1] that forbids changes in behaviour.
So I'm kinda agnostic about the request.
[1]: https://wiki.openstack.org/wiki/StableBranch#Appropriate_Fixes
/Ihar
On 29/09/14 08:41, Akihiro Motoki wrote:
Hi,
I would like to request a FFE for a neutron patch [0]
It is a security bug fix [1] and the corresponding OSSN was issued two weeks ago. The patch in the master landed a few days ago. I believe it is a nice fix in the next stable update.
As far as I checked it satiifes the criteria of a stable backport and it looks good to go.
[0] https://review.openstack.org/#/c/124375/ [1] https://bugs.launchpad.net/neutron/+bug/1334926
Thanks, Akihiro _______________________________________________ Openstack-stable-maint mailing list Openstack-stable-maint@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint
-----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
iQEcBAEBCgAGBQJUKSdQAAoJEC5aWaUY1u57nggH/jE2CI0M93LgwiswqQIIEDwe LW9AptPz9fdWguXERWmGm5yeUiCEfjAfiwU4eG89aFc/muW7vFIZX/cSeeG4YasQ ZSeotHGSotn9JUp7oT0+HyXMHpcw3YnoLjZwOmlZAUqE0ag5Dn+idpVPE1yQMUDA aVrFjMaItRA6N+JY9Mbrt6KTbsjIW86oOdzOQ37DOrj3+Qu0LidBJSLwByu6sFzI aCS8cAFyROUmz7kGxES4coBoB0rUt4+fkPS6wvTtrVKrO9lMTBKZm6UzF4AgcC7K bNrpDbhj4GDnj3/pEcFU105Lvbio/XsuixIAP8Rb93vGl0TmrXzccRysiLd6Wbg= =xPXQ -----END PGP SIGNATURE-----
_______________________________________________ Openstack-stable-maint mailing list Openstack-stable-maint@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint
-- Akihiro Motoki <amotoki@gmail.com>
_______________________________________________ Openstack-stable-maint mailing list Openstack-stable-maint@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint
+1 to merge this as an exception
+1 here, too. I'll remove my freeze -2, replace it with a +1 and wait for a +2 from someone else as an ack for the FFE. Thanks Adam On Sun, Sep 28, 2014 at 11:41 PM, Akihiro Motoki <motoki@da.jp.nec.com> wrote:
Hi,
I would like to request a FFE for a neutron patch [0]
It is a security bug fix [1] and the corresponding OSSN was issued two weeks ago. The patch in the master landed a few days ago. I believe it is a nice fix in the next stable update.
As far as I checked it satiifes the criteria of a stable backport and it looks good to go.
[0] https://review.openstack.org/#/c/124375/ [1] https://bugs.launchpad.net/neutron/+bug/1334926
Thanks, Akihiro _______________________________________________ Openstack-stable-maint mailing list Openstack-stable-maint@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint
participants (6)
-
Adam Gandelman
-
Akihiro Motoki
-
Akihiro Motoki
-
Alan Pevec
-
Ihar Hrachyshka
-
Vishvananda Ishaya