<div dir="ltr">Dear Amrith,<div><br></div><div><div><br></div><div>Thank you for responding this thread.</div><div><br></div><div>I don't know if we have a "vector" here but the deal is this: We are offering a Public Cloud and for us in unacceptable that users can have access to any password of any of the component of any service.</div><div><br></div><div>Now, in this case, the user can take a snapshot of the instance running the trove guest-agent, create a volume, attach the volume to another VM and capture the rabbitMQ password.</div><div><br></div><div>I'm not expert on RabbitMQ and I don't know if with this a user can create a python script to continuously take the messages and send them to /dev/null or something like this. Because I'm not expert on RabbitMQ, I'm not interest on having to worry about things like this. The idea of a user having access to any password is just unacceptable ([1]).</div><div><br></div><div>About tmpfs, we setup the fstab of the guest image with this:</div><div><br></div><div>tmpfs<span class="Apple-tab-span" style="white-space:pre"> </span>/etc/trove/conf.d/<span class="Apple-tab-span" style="white-space:pre"> </span>tmpfs<span class="Apple-tab-span" style="white-space:pre"> </span>defaults,size=1m<span class="Apple-tab-span" style="white-space:pre"> </span>0 0</div><div>tmpfs<span class="Apple-tab-span" style="white-space:pre"> </span>/var/lib/cloud/<span class="Apple-tab-span" style="white-space:pre"> </span>tmpfs<span class="Apple-tab-span" style="white-space:pre"> </span>defaults,size=1m<span class="Apple-tab-span" style="white-space:pre"> </span>0 0</div><div><br></div><div>Now if a user take a snapshot of the instance, they will not have access to any configuration file, because this paths will be writen on RAM. We are still doing some test but until now is working fine.</div></div><div><br></div><div>Cheers.</div><div><br></div><div>[1]: <a href="https://www.youtube.com/watch?v=07So_lJQyqw">https://www.youtube.com/watch?v=07So_lJQyqw</a></div></div><br><div class="gmail_quote"><div dir="ltr">El lun., 6 feb. 2017 a las 20:29, Amrith Kumar (<<a href="mailto:amrith.kumar@gmail.com">amrith.kumar@gmail.com</a>>) escribió:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Sergio,<br class="gmail_msg">
<br class="gmail_msg">
Sounds like I may have been replying only to you, not the list.<br class="gmail_msg">
<br class="gmail_msg">
A couple of things to recap from the emails I’d sent you.<br class="gmail_msg">
<br class="gmail_msg">
1. From the description of what you are doing, I’m not sure that single tenant remote (or shadow tenant) would be my first choice.<br class="gmail_msg">
<br class="gmail_msg">
2. If you go the route of tmpfs, I suspect that some things in Trove won’t work. At the very least, I think resize instance is one of those things. I don’t follow the logic behind the tmpfs choice but would love to understand more about that. I see a reference in the mail thread below that it may address some attack vector but I'm not certain what that vector is.<br class="gmail_msg">
<br class="gmail_msg">
3. The single tenant remote code broke recently and the focus was on getting the main code paths fixed (this is in the past week or so), fixing single tenant remote is on my list of things to do. I think you found Matt Reidmann's bug on this as well (I've duped that to the bug you entered).<br class="gmail_msg">
<br class="gmail_msg">
Documentation of single-tenant-remote and shadow tenant can certainly do with some improvement, seems like a good thing to do once the code gets fixed up.<br class="gmail_msg">
<br class="gmail_msg">
-amrith<br class="gmail_msg">
<br class="gmail_msg">
---<br class="gmail_msg">
<br class="gmail_msg">
From: Sergio Morales Acuña [mailto:<a href="mailto:semoac@gmail.com" class="gmail_msg" target="_blank">semoac@gmail.com</a>]<br class="gmail_msg">
Sent: Tuesday, February 7, 2017 1:43 AM<br class="gmail_msg">
To: Sam Morrison <<a href="mailto:sorrison@gmail.com" class="gmail_msg" target="_blank">sorrison@gmail.com</a>><br class="gmail_msg">
Cc: <a href="mailto:openstack-operators@lists.openstack.org" class="gmail_msg" target="_blank">openstack-operators@lists.openstack.org</a><br class="gmail_msg">
Subject: Re: [Openstack-operators] Trove Shadow Tenant<br class="gmail_msg">
<br class="gmail_msg">
I'm going to use tmpfs.<br class="gmail_msg">
<br class="gmail_msg">
I found many errors when using this feature (<a href="https://bugs.launchpad.net/trove/+bug/1662300" rel="noreferrer" class="gmail_msg" target="_blank">https://bugs.launchpad.net/trove/+bug/1662300</a>).<br class="gmail_msg">
<br class="gmail_msg">
Thank you all for your time.<br class="gmail_msg">
<br class="gmail_msg">
El dom., 5 feb. 2017 a las 23:50, Sam Morrison (<mailto:<a href="mailto:sorrison@gmail.com" class="gmail_msg" target="_blank">sorrison@gmail.com</a>>) escribió:<br class="gmail_msg">
Hi Sergio,<br class="gmail_msg">
<br class="gmail_msg">
I’m very interested in this feature too, it might be worth asking in the openstack-trove IRC channel or on the openstack-dev mailing list (adding a [trove] in the subject should get their attention) to get some answers to this question.<br class="gmail_msg">
<br class="gmail_msg">
Cheers,<br class="gmail_msg">
Sam<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
> On 4 Feb 2017, at 1:34 am, Sergio Morales Acuña <mailto:<a href="mailto:semoac@gmail.com" class="gmail_msg" target="_blank">semoac@gmail.com</a>> wrote:<br class="gmail_msg">
><br class="gmail_msg">
> Hi.<br class="gmail_msg">
><br class="gmail_msg">
> I'm looking for information about the "Trove Shadow Tenant" feature.<br class="gmail_msg">
><br class="gmail_msg">
> There some blogs talking about this but I can't find any information about the configuration.<br class="gmail_msg">
><br class="gmail_msg">
> I have a working implementation of Trove but the instance is created in the same project as the user requesting the database. This is a problem for me because the user can create a snapshot of the instance and capture the RabbitMQ password.<br class="gmail_msg">
><br class="gmail_msg">
> Cheers.<br class="gmail_msg">
> _______________________________________________<br class="gmail_msg">
> OpenStack-operators mailing list<br class="gmail_msg">
> mailto:<a href="mailto:OpenStack-operators@lists.openstack.org" class="gmail_msg" target="_blank">OpenStack-operators@lists.openstack.org</a><br class="gmail_msg">
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" class="gmail_msg" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br class="gmail_msg">
</blockquote></div>