Sent this to the wrong list the first time, my bad. See below.
Paul Ward/Rochester/IBM wrote on 05/28/2014 02:12:10 PM:
From: Paul Ward/Rochester/IBM To: openstack-dev@lists.openstack.org, Date: 05/28/2014 02:12 PM Subject: [Openstack-stable-maint] Stable exception
I'll start by saying that we don't need this ported to icehouse as we've included it in our distro, as Alan suggested.
However, I would like to explain why we needed it. We do generate cert files for the controller node. However, for cases where the
different
services are all running on the controller node, we use 127.0.0.1 as the address they communicate on. Since the cert was based on hostname, this will fail unless we have the api_insecure flag set. And since we're communicating on 127.0.0.1, it's ok to ignore ssl errors.
Since this is in Juno, and we've patched it in Icehouse for our distro,
we
have no pressing need to backport this one. Thanks for keeping an eye on it!
Alan Pevec wrote:
https://bugs.launchpad.net/neutron/+bug/1306822 https://bugs.launchpad.net/neutron/+bug/1309694
Those bugs describe the missing options, but do not do a great job of describing the impact of not having them. My guess is that without
those
parameters, you have to rely on system certificates (as you can't provide your own and you can't disable the check). Is that a correct assumption ? Who is impacted by these bugs ?
I think you're right that 1309694 can be worked around by using system cert store. Disabling cert check bug 1306822 is definitely not needed - why would you use certs if you don't check them? So unless more justification is provided in the bugs (importance of both is Undecided) I don't think we have the case for granting the exception.
Distributions are of course free to take those patches, if it suits their policies. BTW having such backports proposed is fine even if denied for stable merge, we can use stable reviews as a mean to share patches among distros.
If my interpretation is correct, then this falls a bit in a grey area: it is a "feature" to allow your own certificate to be provided, but it could be seen as a bug (feature gap) if Neutron was the only project in Icehouse not having that feature (and people would generally expect those parameters to be present). Is Neutron the only project that
misses
those parameters ?
Currently yes, only Neutron has a new feature in Icehouse to send port events to Nova but Cinder will need to same to properly fix the race with volumes during VM setup.
Cheers, Alan
participants (1)
-
Paul Ward