I'll start by saying that we don't need this ported to Icehouse as we've
included it in our distro, as Alan suggested.

However, I would like to explain why we needed it.  We do generate
cert files for the controller node.  However, for cases where the different
services are all running on the controller node, we use 127.0.0.1 as the
address they communicate on.  Since the cert was based on hostname,
this will fail unless we have the api_insecure flag set.  And since we're
communicating on 127.0.0.1, it's ok to ignore ssl errors.

Since this is in Juno, and we've patched it in Icehouse for our distro, we
have no pressing need to backport this one.  Thanks for keeping an
eye on it!

Alan Pevec wrote:
> https://bugs.launchpad.net/neutron/+bug/1306822
> https://bugs.launchpad.net/neutron/+bug/1309694
>
> Those bugs describe the missing options, but do not do a great job of
> describing the impact of not having them. My guess is that without those
> parameters, you have to rely on system certificates (as you can't
> provide your own and you can't disable the check). Is that a correct
> assumption? Who is impacted by these bugs?

I think you're right that 1309694 can be worked around by using system
cert store.
Disabling cert check bug 1306822 is definitely not needed - why would
you use certs if you don't check them?
So unless more justification is provided in the bugs (importance of
both is Undecided) I don't think we have the case for granting the
exception.

Distributions are of course free to take those patches, if it suits
their policies.
BTW having such backports proposed is fine even if denied for stable
merge, we can use stable reviews as a means to share patches among
distros.

> If my interpretation is correct, then this falls a bit in a grey area:
> it is a "feature" to allow your own certificate to be provided, but it
> could be seen as a bug (feature gap) if Neutron was the only project in
> Icehouse not having that feature (and people would generally expect
> those parameters to be present). Is Neutron the only project that misses
> those parameters?

Currently yes, only Neutron has a new feature in Icehouse to send port
events to Nova but Cinder will need to do the same to properly fix the race
with volumes during VM setup.

Cheers,
Alan