Ceph's custom apache: ok to drop?

Ceph's custom apache: ok to drop?

[Ken Dreyer]

Hi folks,

The Apache fork that we ship on Ceph.com
(https://github.com/ceph/apache2) is several versions behind upstream
and has a couple CVEs by now.

I've heard from the developers (I don't remember if it was Dan, Yehuda,
or someone else) refer on IRC to the idea that the changes in our Ceph
Apache fork were cosmetic, and it's ok to simply use upstream Apache.

I wanted to confirm this with a wider audience: it's ok to stop
maintaining and shipping our custom Apache?

In other words, we would remove references to our custom Apache from
Teuthology, and our docs, and eventually from our repositories?


-----

Diving into our changes, there are two patches that we have on top of
Apache 2.2.22:

1. "rgw: don't unset Content-Length header on HEAD response (this was
being done when content length was 0)"
https://github.com/ceph/apache2/commit/5ae1b4a081b05fcacf55e7114eec87d9b2a0a5da
. (See also the original patch submission at
http://tracker.ceph.com/issues/897)

2. "don't complain on badly formatted expectations"
https://github.com/ceph/apache2/commit/0d9948f1e483386adef0841896484db8422127b2

Both of these were submitted to Apache upstream in December 2013 (thread
on apache-dev "Ceph patches for httpd") and merged in
http://svn.apache.org/r1554303 .

So his will be controllable via new directives in httpd 2.5:
"HttpContentLengthHeadZero" (defaults to off, ie, continue to squelch
the zero-length header) and HttpExpectStrict (defaults to off, ie,
continue to log the error).

So for httpd 2.5 we have something that gives us what we need.

Re: Ceph's custom apache: ok to drop?

[Yehuda Sadeh]

On Fri, Dec 12, 2014 at 9:12 AM, Ken Dreyer <kdreyer@redhat.com> wrote:
> Hi folks,
>
> The Apache fork that we ship on Ceph.com
> (https://github.com/ceph/apache2) is several versions behind upstream
> and has a couple CVEs by now.
>
> I've heard from the developers (I don't remember if it was Dan, Yehuda,
> or someone else) refer on IRC to the idea that the changes in our Ceph
> Apache fork were cosmetic, and it's ok to simply use upstream Apache.
>
> I wanted to confirm this with a wider audience: it's ok to stop
> maintaining and shipping our custom Apache?
>
> In other words, we would remove references to our custom Apache from
> Teuthology, and our docs, and eventually from our repositories?
>
>
> -----
>
> Diving into our changes, there are two patches that we have on top of
> Apache 2.2.22:
>
> 1. "rgw: don't unset Content-Length header on HEAD response (this was
> being done when content length was 0)"
> https://github.com/ceph/apache2/commit/5ae1b4a081b05fcacf55e7114eec87d9b2a0a5da
> . (See also the original patch submission at
> http://tracker.ceph.com/issues/897)
>
> 2. "don't complain on badly formatted expectations"
> https://github.com/ceph/apache2/commit/0d9948f1e483386adef0841896484db8422127b2
>
> Both of these were submitted to Apache upstream in December 2013 (thread
> on apache-dev "Ceph patches for httpd") and merged in
> http://svn.apache.org/r1554303 .

Oh, awesome!

>
> So his will be controllable via new directives in httpd 2.5:
> "HttpContentLengthHeadZero" (defaults to off, ie, continue to squelch
> the zero-length header) and HttpExpectStrict (defaults to off, ie,
> continue to log the error).
>
> So for httpd 2.5 we have something that gives us what we need.

I don't think we really need either of these changes. One was really
only triggered in a very synthetic use case (the Expect header), and
the other one only happened with a very old version of boto, and we've
managed to send an upstream fix for it 3-4 years ago. I'm all for
dropping it.


Yehuda