neutron: a new runtime dependency sneaked in via rootwrap filter
Hi all,
it seems that we've missed a new runtime dependency being backported recently into Icehouse. The patch is [1], and it introduced conntrack-tools dependency for L3 agent. This turned out to be a problem for existing distributions, specifically RHOSP5 [2], which is built for both RHEL6 and RHEL7. In case of RHEL7, conntrack-tools is available neither in base OS repos nor in RHOSP5 specific ones. So Red Hat will need to import the package into RHOSP5 repos. That's not convenient but doable. The problem starts when you consider importing the package for RHEL6 too. It may turn out that some support from kernel may be missing (we're going to check that in the very near future).
If RHEL6 conntrack-tools won't play nice, we'll be forced to patch the fix out for the platform. I wonder whether we'll consider reverting the patch in upstream if that's the case?
So my general point is that we should pay more attention to those kinds of runtime dependencies sneaking into stable branches, because it may result in huge problems in downstream.
Also, consider this email as a heads-up for other distributions. Should we update release notes for the latest release to include that info?
[1]: https://review.openstack.org/#/c/124375/
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1158871
/Ihar
On Thu, Oct 30, 2014 at 8:15 AM, Ihar Hrachyshka <ihrachys@redhat.com> wrote:
> If RHEL6 conntrack-tools won't play nice, we'll be forced to patch the fix out for the platform. I wonder whether we'll consider reverting the patch in upstream if that's the case?
It seems to me that this should be reverted based on the information you've provided. This shouldn't have been merged given it pulls in this new runtime dependency, which may also pull in new kernel dependencies. I don't see any other way around this other than to revert the change.
+1 for revert.
Hi
Generally speaking I agree to revert it from stable maintenance perspective. One special case with this backport is that it is a security impact fix and OSSN was issued [1]. The fix was already shipped, so when we revert the patch we also need to consider operators who already apply this fix and we need another solution for them.
What do you think about disabling the fix if conntrack is not available. Thoughts?
[1] https://wiki.openstack.org/wiki/OSSN/OSSN-0020
-- Akihiro Motoki <amotoki@gmail.com>
> One special case with this backport is that it is a security impact fix and OSSN was issued [1]. The fix was already shipped, so when we revert the patch we also need to consider operators who already apply this fix and we need another solution for them.
OSSN-0020 doesn't mention this backport, it has other proposed solutions.
> What do you think about disabling the fix if conntrack is not available.
This should be done in master first. But what would it do when tool is not available?
Cheers, Alan
On 30/10/14 17:07, Alan Pevec wrote:
> This should be done in master first. But what would it do when tool is not available?
Yeah, leaving operators with *illusion* of safety ("the patch is there, I read about it in release notes!") while not really dropping connections is not nice.
OK, I went forward and requested a revert for the patch [1].
Also, I've updated release notes for 2014.1.3 [2] that is the first and only released Icehouse version that included the patch with the following text:
"* A new runtime dependency on conntrack-tools in L3 agent sneaked in the release. This is an issue for at least one of target distributions for Icehouse (specifically, RHEL6/RHEL7), so a revert for the patch that introduced the dependency was requested: https://review.openstack.org/#/c/132052/ Packagers of 2014.1.3 release are left with dilemma: either they also revert the patch in their downstream packages, or they introduce a new runtime conntrack-tools dependency for Neutron L3 agent."
I think that's all we can do to mitigate the problem.
[1]: https://review.openstack.org/#/c/132052/
[2]: https://wiki.openstack.org/wiki/ReleaseNotes/2014.1.3
/Ihar
> It seems to me that this should be reverted based on the information you've provided. This shouldn't have been merged given it pulls in this new runtime dependency, which may also pull in new kernel dependencies. I don't see any other way around this other than to revert the change.
+1
Too bad we don't seem to be tracking such non-pypi runtime deps explicitly, how about adding runtime-requirements.txt (or better name) ?
Cheers, Alan
On 30/10/14 16:48, Alan Pevec wrote:
> Too bad we don't seem to be tracking such non-pypi runtime deps explicitly, how about adding runtime-requirements.txt (or better name) ?
I totally agree we need to track it in some centralized manner. BTW I've raised the point once (among other things) at [1] though haven't received much traction on this part of the email. Maybe I should go further and start a thread on this specific point?.. Comments.
I also believe that for Neutron, we should track all python dependencies for all plugins included in the tree, and I've raised that point before [2]. Though again, the idea was not received with great passion. Probably I'm bad at communicating stuff. ;)
[1]: http://lists.openstack.org/pipermail/openstack-dev/2014-October/047847.html
[2]: http://lists.openstack.org/pipermail/openstack-dev/2014-August/043057.html
/Ihar
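
An added example, not part of the thread and not Neutron or oslo.rootwrap code, of the tracking discussed above: it reads rootwrap filter definitions, extracts the executable each filter authorizes, and reports any that a declared manifest does not list. The filter entries and manifest contents are constructed samples; the one-name-per-line manifest format is an assumption, and filter classes other than KillFilter and EnvFilter are assumed to name the executable first.

```python
import configparser
import os
import sys

# Constructed sample in the rootwrap filter INI format
# ("name: FilterClass, arg, ..."); not copied from the Neutron tree.
L3_FILTERS = """
[Filters]
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
conntrack: CommandFilter, conntrack, root
kill_radvd: KillFilter, root, /usr/sbin/radvd, -9, -HUP
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
"""

# Constructed manifest; "runtime-requirements.txt" is the name floated in the
# thread, the one-executable-per-line layout is an assumption.
RUNTIME_REQUIREMENTS = """
# non-PyPI executables the agents may invoke
ip
radvd
dnsmasq
"""

def filter_executables(filters_text):
    """Map each [Filters] entry to the basename of the executable it allows."""
    cp = configparser.RawConfigParser()
    cp.read_string(filters_text)
    found = {}
    for name, value in cp.items("Filters"):
        fields = [f.strip() for f in value.split(",")]
        cls, args = fields[0], fields[1:]
        if cls == "KillFilter":
            exe = args[1]            # layout: user, target command, signals
        elif cls == "EnvFilter":
            # layout: env, user, VAR=, ..., real command
            exe = next(a for a in args[2:] if "=" not in a)
        else:
            exe = args[0]            # executable is the first argument
        found[name] = os.path.basename(exe)
    return found

def declared(manifest_text):
    """Executable names listed in the manifest, ignoring blanks and comments."""
    lines = (ln.strip() for ln in manifest_text.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("#")}

def undeclared(filters_text, manifest_text):
    """Sorted (filter name, executable) pairs missing from the manifest."""
    known = declared(manifest_text)
    execs = filter_executables(filters_text)
    return sorted((n, e) for n, e in execs.items() if e not in known)

if __name__ == "__main__":
    missing = undeclared(L3_FILTERS, RUNTIME_REQUIREMENTS)
    for name, exe in missing:
        print(f"filter '{name}' needs undeclared executable '{exe}'")
    sys.exit(1 if missing else 0)
```

Run as a gate on stable-branch reviews, a non-zero exit flags a backport whose filter change requires a binary that packagers have not been told about.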
participants (5)
- Akihiro Motoki
- Alan Pevec
- Ihar Hrachyshka
- Kyle Mestery
- Miguel Angel Ajo Pelayo