Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-22 Thread Alan Pevec
2016-09-22 15:58 GMT+02:00 Matt Riedemann:
> 1. We don't bump minimums just because a new thing comes out in a given
> release, we only bump minimums when something that uses that dependency
> needs a higher minimum version.
>
> 2. Looking at this:
>
>

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-22 Thread Kashyap Chamarthy
On Tue, Sep 20, 2016 at 12:48:49PM +0200, Kashyap Chamarthy wrote:
> The said patch in question fixes a CVE[x] in stable/liberty.
>
> We currently have two options, both of them have caused an impasse with
> the Nova upstream / stable maintainers. We've had two-ish months to
> mull over this.

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-22 Thread Matt Riedemann
On 9/22/2016 8:05 AM, Alan Pevec wrote:
>> We have:
>> * global-requirements.txt:
>> origin/stable/liberty : oslo.concurrency>=2.3.0 # Apache-2.0
> But wasn't that wrong from the start? First Liberty release of oslo.concurrency was 2.6.0 why was that not bumped in g-r ?
> Cheers, Alan

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-22 Thread Alan Pevec
> We have:
> * global-requirements.txt:
> origin/stable/liberty : oslo.concurrency>=2.3.0 # Apache-2.0
But wasn't that wrong from the start? First Liberty release of oslo.concurrency was 2.6.0 why was that not bumped in g-r ?
Cheers, Alan

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-22 Thread Kashyap Chamarthy
On Thu, Sep 22, 2016 at 04:25:00PM +1000, Tony Breeds wrote:
> On Wed, Sep 21, 2016 at 02:05:51PM -0400, Sean Dague wrote:
>
> > Well, the risk profile of what has to be changed for stable/liberty
> > (given that all the actual code is buried in libraries which have tons
> > of other changes).

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-22 Thread Tony Breeds
On Wed, Sep 21, 2016 at 02:05:51PM -0400, Sean Dague wrote:
> Well, the risk profile of what has to be changed for stable/liberty
> (given that all the actual code is buried in libraries which have tons
> of other changes). Special cherry-picked library versions would be
> needed to fix this

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-21 Thread Jeremy Stanley
On 2016-09-21 14:05:51 -0400 (-0400), Sean Dague wrote:
[...]
> Well, the risk profile of what has to be changed for stable/liberty
> (given that all the actual code is buried in libraries which have tons
> of other changes). Special cherry-picked library versions would be
> needed to fix this

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-21 Thread Sean Dague
On 09/21/2016 02:03 PM, Jeremy Stanley wrote:
> On 2016-09-21 15:41:11 +1000 (+1000), Tony Breeds wrote:
>> On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
> [...]
>>> (3) Do nothing, leave the bug unfixed in stable/liberty
>>>
>>> While this is a security bug, it is one that

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-21 Thread Jeremy Stanley
On 2016-09-21 15:41:11 +1000 (+1000), Tony Breeds wrote:
> On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
[...]
> > (3) Do nothing, leave the bug unfixed in stable/liberty
> >
> > While this is a security bug, it is one that has existed in every single
> > openstack release

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-20 Thread Tony Breeds
On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
> On Tue, Sep 20, 2016 at 12:48:49PM +0200, Kashyap Chamarthy wrote:
> > The said patch in question fixes a CVE[x] in stable/liberty.
> >
> > We currently have two options, both of them have caused an impasse with
> > the Nova

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-20 Thread Matt Riedemann
On 9/20/2016 4:17 PM, Matt Riedemann wrote:
> On 9/20/2016 7:38 AM, Alan Pevec wrote:
>> 2016-09-20 13:27 GMT+02:00 Kashyap Chamarthy:
>>>> (3) Do nothing, leave the bug unfixed in stable/liberty
>>> That was the unspoken third option, thanks for spelling it out. :-)
>> Yes, let's

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-20 Thread Matt Riedemann
On 9/20/2016 7:38 AM, Alan Pevec wrote:
> 2016-09-20 13:27 GMT+02:00 Kashyap Chamarthy:
>>> (3) Do nothing, leave the bug unfixed in stable/liberty
>>
>> That was the unspoken third option, thanks for spelling it out. :-)
> Yes, let's abandon both reviews.
> Cheers, Alan

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-20 Thread Alan Pevec
2016-09-20 13:27 GMT+02:00 Kashyap Chamarthy:
>> (3) Do nothing, leave the bug unfixed in stable/liberty
>
> That was the unspoken third option, thanks for spelling it out. :-)
Yes, let's abandon both reviews.
Cheers, Alan

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-20 Thread Kashyap Chamarthy
On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
> On Tue, Sep 20, 2016 at 12:48:49PM +0200, Kashyap Chamarthy wrote:
[...]
> > The two options at hand:
> >
> > (1) Nova backport from master (that also adds a check for the presence
> > of 'ProcessLimits' attribute which

Re: [openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-20 Thread Daniel P. Berrange
On Tue, Sep 20, 2016 at 12:48:49PM +0200, Kashyap Chamarthy wrote:
> The said patch in question fixes a CVE[x] in stable/liberty.
>
> We currently have two options, both of them have caused an impasse with
> the Nova upstream / stable maintainers. We've had two-ish months to
> mull over this.

[openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

2016-09-20 Thread Kashyap Chamarthy
The said patch in question fixes a CVE[x] in stable/liberty. We currently have two options, both of them have caused an impasse with the Nova upstream / stable maintainers. We've had two-ish months to mull over this. I'd prefer to get this out of a limbo, & bring this to a logical conclusion.