-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[3.5] Bump grpc-go to1.47 (and fix the connection-string format) #16625
[3.5] Bump grpc-go to1.47 (and fix the connection-string format) #16625
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Is there any security issue we are trying to fix by backporting? 3 people complaining about dependency issue doesn't seem like a sensible reason for backport. #15877 (comment) cc @liggitt |
Just spending 2 minutes to search "CVE" or "security" in grpc-go/releases. You will get the "YES" answer.
Why not? It's prevent some applications from integrating with etcd! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
thx @chaochn47
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any security issue we are trying to fix by backporting?
Just spending 2 minutes to search "CVE" or "security" in grpc-go/releases. You will get the "YES" answer.
Spent 10 seconds, didn't find anything worth backporting. Those "security" or "cve" are not related to grpc are unrelated to etcd security posture. For example a feature adding min/max TLS, or bump grpc dependency to address CVE 2022-32149.
3 people complaining about dependency issue doesn't seem like a sensible reason for backport. #15877 (comment)
Why not? It's prevent some applications from integrating with etcd!
What's a weak reason, you are comparing 3 applications vs all the remaining applications.
It is not about 3 applications. It's about all applications which depend on both a newer grpc version (e.g. 1.52+) and etcd client 3.5 SDK. |
from #16591 (comment)
is it a goal to take new grpc features back to etcd release branches? propagating this many grpc updates to all etcd clients on patch updates is surprising to me |
when is etcd 1.6.0 targeted? major bumps in grpc lib versions that pull in breaking changes like package renames seem better to push to consumers in a minor release |
Yes, that hit the point. Usually it isn't recommended to add any feature to a stable release (etcd 3.5 in this case), and users are supposed to integrate with etcd 3.6 to resolve such grpc incompatible issue. But unfortunately, based on the 3.6 roadmap, I don't think we will release 3.6.0 in near future (e.g. at least > 0.5 year). |
Agree that it will be hard to release v3.6 in near future, however we should avoid the vicious cycle of backport anything because next release will not come. |
The goal is to resolve users' pain points that any applications depending on a new grpc version are not able to integrate with etcd 3.5 sdk. gRPC is a very basic lib, so I imagine it will impact lots of applications which depend on etcd SDK as well.
See my comment above. We should handle it from pragmatic propective and case by case. |
cc @dfawley |
No, etcd clients does not use this gRPC feature while consumer of etcd client could use this experimental feature on demand. |
@liggitt the goal is not to introduce new features, it's to maintain interoperability support for the latest stable branch (3.5) To be clear, the proposed changes should not be breaking, and the goal is not to add new features, simply to maintain the 3.5 branch which is the latest branch currently stable in ETCD, which is currently causing trouble to anyone who integrates with ETCD client and have other updated dependencies which don't use an old version of GRPC. |
Hi all, we're actively looking for this fix to be merged for the google/trillian project. We use dependabot to ensure our dependencies are kept up to date. Until a tagged version of etcd is released that uses a newer version of grpc, many of our dependency updates are blocked. We're not looking for any of the newer features in grpc that this backport may introduce. Trillian's dependency graph will continue to become increasingly out of date until this PR is merged or the 3.6 version of etcd is released. This is a cost for us as maintainers to manage dependabot (which is normal running is a very automatic process), and more importantly, it means that our project and any projects that depend on it (e.g. Certificate Transparency, Sigstore) will be stuck on old/obsolete/vulnerable versions of a growing number of libraries. |
@rsafonseca @mhutchinson Please feel free to bring the topic to tonight's etcd community meeting [I will not be able to join the meeting :(]. You need to subscribe etcd-dev@googlegroups.com (https://groups.google.com/g/etcd-dev) to gain permission to add topic to the google doc, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On balance, I support this pull request merging, thanks @chaochn47 for raising.
As mentioned in our dependency management guidelines we generally don't bump dependencies for stable releases unless there is a security driver.
With that said, given how far away 3.6.0
is, and the input from the community on how not proceeding with the backport will negatively affect projects that depend on etcd stable releases (and how this will get worse over time). Then on the understanding that this backport is non breaking / transparent to clients my vote would be that we proceed.
Part of #16740 |
@chaochn47 please rebase this PR. |
@chaochn47 can you please also bump grpc for 3.4? |
Security is the top priority, I will work on this today. Thanks for the heads up! @ahrtr |
Just a reminder that this PR alone won't solve the dependency issues, it's just the first bump in a series that needs to happen to get to a version with the problem fixed (1.55+) |
We are well aware of it, we will bump grpc-go step by step. FYI. #16740 |
51bfc2f
to
92c4df7
Compare
…he connection-string format) Signed-off-by: Chao Chen <chaochn@amazon.com>
568c9d6
to
db16069
Compare
Looks much better now. Should be ready to go. ping @serathius |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks @chaochn47 for the quick response.
I am on it. 3.4 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM on new change
Agree the security issue is super important for all, us included. But also want to be extra cautious given this is a stable version. I took a quick look at the diff between grpc-go, there are quite a bit of new features, API changes, behavior changes and stuff. @chaochn47 would you please kindly check the diff between grpc-go 1.41 and 1.47, and make sure there won't be any breaking changes? Let's just try to be extra careful, so many people are waiting for this patch, let's not break anyone. |
Sure. After reviewing change log of v1.42.0 and grpc/grpc-go@v1.41.0...v1.42.0, there are potentially three behavior changes.
In conclusion: we should be good upgrading to |
Behavior Changes
|
Done all the auditing.. No outstanding breaking changes to etcd AFAIK. |
thx @chaochn47 for the investigation. It aligns with my understanding. There is no obvious differences between 3.5 and 3.6 in term of grpc usage. If a grpc version works for 3.6, there is no reason that it doesn't work for 3.5. But 3.4 is another story. see #16740 (comment). We can have more discussion in your following PR of bumping grpc for 3.4. |
Thanks @chaochn47 !
Do we need to change #15940 accordingly? Have we changed #12469 since main branch already updated grpc-go? If so, could you please open an issue for tracking, to the next 3.5 cut is blocked by it?
This looks like a breaking change? @chaochn47 could you please make sure this is reflected in the CHANGELOG?
Could you open a ticket as 3.5 release blocking issue for tracking? cc @jmhbnz @serathius @ahrtr @fuweid could you please help to check if there is anything missing? |
|
No, etcd 3.5 never supports unix socket domain in the I just moved the discussion to the right place #15940 (comment).
#16762 is drafted since
Deprecated does not mean removed. 3.5 release is not blocked by this issue. Tracked in #15145 (comment) though. |
Hi @wenjiaswe, @serathius, is it in a good shape to be merged and unblock the CVE fix? |
Looks like everyone approved. I will go ahead and merge. |
…gRPC-go-updates ETCD-495: UPSTREAM <carry>: [3.5] Bump grpc-go to1.47 (and fix the connection-string format)
…gRPC-go-updates OCPBUGS-21221: UPSTREAM <carry>: [3.5] Bump grpc-go to1.47 (and fix the connection-string format)
…gRPC-go-updates [3.5] Bump grpc-go to1.47 (and fix the connection-string format)
…gRPC-go-updates [3.5] Bump grpc-go to1.47 (and fix the connection-string format)
…gRPC-go-updates [3.5] Bump grpc-go to1.47 (and fix the connection-string format)
…gRPC-go-updates [3.5] Bump grpc-go to1.47 (and fix the connection-string format)
…gRPC-go-updates [3.5] Bump grpc-go to1.47 (and fix the connection-string format)
…gRPC-go-updates [3.5] Bump grpc-go to1.47 (and fix the connection-string format)
Split gRPC-go dependency update in release-3.5 into multiple PRs based on #16591 (comment).
Backport #14125
Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.