[Openstack-stable-maint] Controversial backport

Gary Kotton gkotton at vmware.com
Tue Aug 19 12:25:41 UTC 2014



On 8/19/14, 2:48 PM, "Ihar Hrachyshka" <ihrachys at redhat.com> wrote:

>On 19/08/14 11:35, Thierry Carrez wrote:
>> Gary Kotton wrote:
>>> I think that only in exceptional cases should we allow changing
>>> of default configuration variables. This may break existing
>>> setups. I am not in favor of this back port.
>> 
>> I tend to agree with Gary here.
>> 
>> IIUC this is an old bug -- if people encountered it they probably
>> have switched that configuration option to True a long time ago.
>> It's also very easy for downstream consumers to carry the
>> difference if they care (they ship customized config files
>> anyway).
>
>And if they haven't encountered the issue yet, and don't know that
>default value is failing hard, then we leave our users with DoS
>unfixed, waiting for their users to break the cloud and then debug the
>issue, finally discovering that we have defaults that are broken and
>not even documented as such anywhere.

Where is a DOS attack here? Is this a few extra RPC messages being sent?

The bug that this fixes also does not even have the 'importance' assigned.
I was under the impression that we only back port Critical and High bugs.

I understand that there is an issue, which we all agree can be solved by
the user changing a configuration setting.

Can anyone point to a customer defining a gateway not on the subnet? I
think that is the anomaly here.

>
>> 
>> Contrast that with breaking existing setups that may rely on that
>> feature... We trade a known evil for a new, unknown one.
>
>Those setups are beyond our control, we don't even know whether they
>actually exist. So we trade a known evil for a tiny chance of a new,
>less evil one (those limitations will be caught by consumers in their
>testbed, with clear message in the log; and if it's really needed,
>it's a matter of one line changed in conffile).
>
>> 
>> We also don't mark a config option deprecated in the middle of a
>> stable branch. It's either deprecated at release time, or at the
>> next release time. We can't retroactively deprecate.
>
>We don't deprecate it in Havana. The patch proposes to change the
>default value only. If you're concerned about specific description of
>the setting, we may trim it not to mention the part about its
>deprecation in later releases.
>
>> 
>> Some aspects of that patch may still be acceptable though
>> (neutron/db/db_base_plugin_v2.py) and we could document that we
>> recommend people turn that option to True in the next point
>> release releasenotes.
>> 
>
>If we don't merge the patch, it's the least we can do for our users.
>Distributions may also set it in their distro-specific config file
>(neutron-dist.conf).
>
>/Ihar



