All-
I’d like to propose that we grant an exception for new configuration options for these backports to stable/icehouse
https://review.openstack.org/#/c/88437/
https://review.openstack.org/#/c/90626/
mark
Mark McClain wrote:
> I’d like to propose that we grant an exception for new configuration options for these backports to stable/icehouse
> https://review.openstack.org/#/c/88437/
> https://review.openstack.org/#/c/90626/

Hi!
So far we excluded the addition of new configuration options in stable release patches, because a "release" is defined by a stable feature set, which is documented and communicated in various books and articles. As soon as we add new features, we introduce confusion regarding what "Icehouse" is, how it behaves and how it is configured. Some downstream distributions will adopt the new feature, some won't...
I'm therefore very opposed to the idea of backporting features. New configuration options are generally new features, so they generally fall in that category... But then we can grant exceptions, provided that all the stable branch stakeholders like the proposed patch.
Looking at the proposed exception, it adds a nova_api_insecure option (default to False) and a nova_ca_certificates_file option (default to None) that are then passed to the novaclient constructor. Default behavior is preserved. So it boils down to the bugs we are actually solving by adding those parameters:
https://bugs.launchpad.net/neutron/+bug/1306822
https://bugs.launchpad.net/neutron/+bug/1309694
Those bugs describe the missing options, but do not do a great job of describing the impact of not having them. My guess is that without those parameters, you have to rely on system certificates (as you can't provide your own and you can't disable the check). Is that a correct assumption? Who is impacted by these bugs?
If my interpretation is correct, then this falls a bit in a grey area: it is a "feature" to allow your own certificate to be provided, but it could be seen as a bug (feature gap) if Neutron was the only project in Icehouse not having that feature (and people would generally expect those parameters to be present). Is Neutron the only project that misses those parameters?
> https://bugs.launchpad.net/neutron/+bug/1306822
> https://bugs.launchpad.net/neutron/+bug/1309694
> Those bugs describe the missing options, but do not do a great job of describing the impact of not having them. My guess is that without those parameters, you have to rely on system certificates (as you can't provide your own and you can't disable the check). Is that a correct assumption? Who is impacted by these bugs?

I think you're right that 1309694 can be worked around by using system cert store. Disabling cert check bug 1306822 is definitely not needed - why would you use certs if you don't check them? So unless more justification is provided in the bugs (importance of both is Undecided) I don't think we have the case for granting the exception.
Distributions are of course free to take those patches, if it suits their policies. BTW having such backports proposed is fine even if denied for stable merge, we can use stable reviews as a means to share patches among distros.
> If my interpretation is correct, then this falls a bit in a grey area: it is a "feature" to allow your own certificate to be provided, but it could be seen as a bug (feature gap) if Neutron was the only project in Icehouse not having that feature (and people would generally expect those parameters to be present). Is Neutron the only project that misses those parameters?

Currently yes, only Neutron has a new feature in Icehouse to send port events to Nova but Cinder will need to do the same to properly fix the race with volumes during VM setup.
Cheers, Alan
participants (3)
- Alan Pevec
- Mark McClain
- Thierry Carrez