[nova][tripleo][rpm-packaging][kolla][puppet][debian][osa] Nova enforces that no DB credentials are allowed for the nova-compute service

Tobias Urdin tobias.urdin at binero.com
Mon Nov 23 23:10:59 UTC 2020


Sorry,

It was not supposed to be a reply to you specifically but to the thread as a whole.


Best regards

________________________________
From: Thomas Goirand <zigo at debian.org>
Sent: Monday, November 23, 2020 11:18:25 AM
To: openstack maillist
Subject: Re: [nova][tripleo][rpm-packaging][kolla][puppet][debian][osa] Nova enforces that no DB credentials are allowed for the nova-compute service

On 11/23/20 9:30 AM, Tobias Urdin wrote:
> Hello,
>
>
> Just to clarify that this is already possible when using
> puppet-nova, it's up to the deployment to
> make sure the database parameters for the classes are set.
>
>
> We've been running without database credentials in nova.conf on our
> compute nodes for years.
>
>
> Best regards
>
> Tobias

Hi Tobias,

That's not what I'm suggesting.

I'm suggesting that nova-compute code from upstream simply ignores
completely anything related to db connection, so we're done with the
topic. That is, if nova-compute process having access to the db is the
issue we're trying to fix.

Or is it that the security problem is having the db credentials written
in a file on the compute node? If so, isn't having hacked root (or nova)
access to a compute node already game-over?

What are we trying to secure here? If that's what I'm thinking (ie: some
VM code to escape from guest, and potentially the hacker can gain access
to the db), then IMO that's not the way to enforce things. It's not the
role of upstream Nova to do this apart from sufficiently well-written
documentation.

Cheers,

Thomas Goirand (zigo)
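The deployment-side check both posters describe (a compute node's nova.conf carrying no database connection settings) can be verified independently of whatever upstream Nova ends up enforcing. The script below is an added example, not code from Nova, puppet-nova or any participant in this thread. It parses a nova.conf, reports any `connection` or `slave_connection` option under `[database]` or `[api_database]` (the sections Nova's oslo.db configuration uses), and redacts the password before printing so the report itself does not leak the credential. The sample configurations embedded at the bottom are constructed for the example.

```python
"""Report database connection settings found in a nova.conf.

Example code for checking compute nodes; not part of Nova or puppet-nova.
"""
import sys
import configparser
from urllib.parse import urlsplit, urlunsplit

# Nova reads its SQL connection strings from these sections and options
# (oslo.db naming). A nova-compute host should have none of them set.
DB_SECTIONS = ("database", "api_database")
DB_OPTIONS = ("connection", "slave_connection")


def redact(url):
    """Return the connection URL with its password replaced by '***'."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_db_credentials(conf_text):
    """Return a list of (section, option, redacted_value) for every DB
    connection option that is set in the given nova.conf text."""
    # interpolation=None: connection URLs may contain '%' escapes.
    # strict=False: oslo.config allows repeated keys in a section.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in DB_SECTIONS:
        if not parser.has_section(section):
            continue
        for option in DB_OPTIONS:
            value = parser.get(section, option, fallback="").strip()
            if value:
                findings.append((section, option, redact(value)))
    return findings


# Constructed sample configs (hostnames and password are placeholders).
SAMPLE_COMPUTE_WITH_DB = """
[DEFAULT]
compute_driver = libvirt.LibvirtDriver

[database]
connection = mysql+pymysql://nova:s3cret@db.example.internal/nova
"""

SAMPLE_COMPUTE_CLEAN = """
[DEFAULT]
compute_driver = libvirt.LibvirtDriver

[database]
# connection intentionally left unset on compute nodes
"""


def main(argv):
    path = argv[1] if len(argv) > 1 else "/etc/nova/nova.conf"
    with open(path, encoding="utf-8") as fh:
        findings = find_db_credentials(fh.read())
    if not findings:
        print(f"{path}: no database connection options set")
        return 0
    for section, option, value in findings:
        print(f"{path}: [{section}] {option} = {value}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on a compute node as `python3 check_nova_db.py /etc/nova/nova.conf`; a non-zero exit status means a connection string is present, which is what the puppet-nova-based deployments mentioned above avoid by never setting those parameters on compute hosts.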
