[Openstack-stable-maint] neutron: a new runtime dependency sneaked in via rootwrap filter

Akihiro Motoki amotoki at gmail.com
Thu Oct 30 15:49:26 UTC 2014


Hi

Generally speaking, I agree with reverting it from a stable maintenance perspective.
One special case with this backport is that it is a security-impact
fix and an OSSN was issued [1].
The fix was already shipped, so when we revert the patch we also need
to consider operators who
have already applied this fix, and we need another solution for them.
What do you think about disabling the fix if conntrack is not available?

Thoughts?

[1] https://wiki.openstack.org/wiki/OSSN/OSSN-0020

On Fri, Oct 31, 2014 at 12:32 AM, Miguel Angel Ajo Pelayo
<mangelajo at redhat.com> wrote:
> +1 for revert.
>
> ----- Original Message -----
>> On Thu, Oct 30, 2014 at 8:15 AM, Ihar Hrachyshka <ihrachys at redhat.com> wrote:
>> >
>> > Hi all,
>> >
>> > it seems that we've missed a new runtime dependency being backported
>> > recently into Icehouse. The patch is [1], and it introduced
>> > conntrack-tools dependency for L3 agent. This turned out to be a problem
>> > for existing distributions, specifically RHOSP5 [2] which is built for
>> > both RHEL6 and RHEL7. In case of RHEL7, conntrack-tools is
>> > available neither in base OS repos nor in RHOSP5-specific ones. So Red
>> > Hat will need to import the package into RHOSP5 repos. That's not
>> > convenient but doable. The problem starts when you consider importing
>> > the package for RHEL6 too. It may turn out that some support from
>> > kernel may be missing (we're going to check that in the very near future).
>> >
>> > If RHEL6 conntrack-tools won't play nice, we'll be forced to patch the
>> > fix out for the platform. I wonder whether we'll consider reverting
>> > the patch in upstream if that's the case?
>> >
>> It seems to me that this should be reverted based on the information
>> you've provided. This shouldn't have been merged given it pulls in
>> this new runtime dependency, which may also pull in new kernel
>> dependencies. I don't see any other way around this other than to
>> revert the change.
>>
>> > So my general point is that we should pay more attention to those kinds
>> > of runtime dependencies sneaking into stable branches, because it may
>> > result in huge problems in downstream.
>> >
>> > Also, consider this email as a heads-up for other distributions.
>> > Should we update release notes for the latest release to include that
>> > info?
>> >
>> > [1]: https://review.openstack.org/#/c/124375/
>> > [2]: https://bugzilla.redhat.com/show_bug.cgi?id=1158871
>> >
>> > /Ihar
>> >
>> > _______________________________________________
>> > Openstack-stable-maint mailing list
>> > Openstack-stable-maint at lists.openstack.org
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint
>>



-- 
Akihiro Motoki <amotoki at gmail.com>


