[openstack-dev] [cinder][nova]Move encryptors to os-brick

Coffman, Joel M. Joel.Coffman at jhuapl.edu
Mon Nov 30 14:04:00 UTC 2015



On 11/25/15, 11:33 AM, "Ben Swartzlander" <ben at swartzlander.org> wrote:

> On 11/24/2015 03:27 PM, Nathan Reller wrote:
>>> the cinder admin and the nova admin are ALWAYS the same people
>>
>> There is interest in hybrid clouds where the Nova and Cinder services
>> are managed by different providers. The customer would place higher
>> trust in Nova because you must trust the compute service, and the
>> customer would place less trust in Cinder. One way to achieve this
>> would be to have all encryption done by Nova. Cinder would simply see
>> encrypted data and provide a good cheap storage solution for data.
>>
>> Consider a company with sensitive data. They can run the compute nodes
>> themselves and offload Cinder service to some third-party service.
>> This way they are the only ones who can manage the machines that see
>> the plaintext.
>
> If you have that level of paranoia, I suggest running LUKS inside the
> guest VM and not relying on OpenStack to handle your encryption. Then
> you don't have to worry about whether nova is sharing your keys with
> cinder because even nova won't have them.

That approach isn't actually more secure — anyone with root access to the compute host can dump the VM's memory to extract the encryption keys.

> Trying to design a system where we expect nova to do data encryption but
> not cinder will not work in the long run. The eventual result will be
> that nova will have to take on most of the functionality of cinder and
> we'll be back to the nova-volume days.

Could you explain further what you mean by "nova will have to take on most of the functionality of cinder"? In the current design, Nova is still passing data blocks to Cinder for storage – they're just encrypted instead of plaintext. That doesn't seem to subvert the functionality of Cinder or reimplement it.

> Also in case it's not obvious, if you use different providers for
> compute and storage, your performance is going to be absolutely terrible.

The general idea is probably separation of duties, which contradicts the original statement that "the cinder admin and the nova admin are ALWAYS the same people." Is there an operational reason that these admins must be the same person, or is that just typical?

Joel
