[Openstack-security] [Bug 1355509] Related fix merged to fuel-library (master)

OpenStack Infra 1355509 at bugs.launchpad.net
Fri Oct 2 12:06:17 UTC 2015


Reviewed:  https://review.openstack.org/229310
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=7c1694dc2f573f8714f1845cf446bdcec5d01420
Submitter: Jenkins
Branch:    master

commit 7c1694dc2f573f8714f1845cf446bdcec5d01420
Author: Matthew Mosesohn <mmosesohn at mirantis.com>
Date:   Wed Sep 30 12:05:01 2015 +0300

    Remove database_connection from compute
    
    Compute uses nova-conductor for communication
    and not a direct database connection. The
    current database connection is unused and
    should be removed.
    
    Change-Id: Ied0e04d16779abaebd821f0d65b65ddfbf71316f
    Related-Bug: #1355509

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1355509

Title:
  Better conductor deployment

Status in Fuel for OpenStack:
  Confirmed
Status in Fuel for OpenStack 6.0.x series:
  Won't Fix
Status in Fuel for OpenStack 7.0.x series:
  Won't Fix
Status in Fuel for OpenStack 8.0.x series:
  Confirmed

Bug description:
  Here are several issues with how MOS deploys conductor.

  1 By default all deployment variants assume deployments with conductor enabled. But this requires removing the sql_connection option from nova.conf on compute nodes. MOS does not do this. It keeps the sql_connection option in nova.conf on compute nodes while all compute services are configured to use conductor.
  One of the reasons for creating the conductor service was to provide a security level for nova.

  2 By default it is not possible to disable conductor using MOS tools.
  Customers who prefer performance over security should have this
  option. Conductor can introduce significant delay in all actions
  requiring database access.

  
  These two enhancements are tied together.

  The following actions are required to disable usage of conductor.

  On all compute nodes:

  1 make sure the mysql port is accessible from compute nodes and all necessary grants are present.
  2 add into nova.conf 
  [DEFAULT]
  sql_connection = mysql://nova:password@mysqlhost/nova_db

  [conductor]
  use_local=true

   3 service openstack-nova-compute restart

  4 optionally stop conductor process on controllers

  Monitoring tuning may be required.

To manage notifications about this bug go to:
https://bugs.launchpad.net/fuel/+bug/1355509/+subscriptions
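
Added example (not part of the original notification and not fuel-library code): a check a deployer could run over a compute node's nova.conf to confirm the condition described in the bug is gone. It flags the [DEFAULT] sql_connection and [conductor] use_local settings named in the report and, going beyond the report, [database] connection, the later name of the same option; the function names and both sample configs are constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Options that give a compute node direct database access.
# [DEFAULT] sql_connection is the option named in the bug report;
# [database] connection is the later name of the same option (added here).
DB_OPTIONS = [("DEFAULT", "sql_connection"), ("database", "connection")]
TRUE_VALUES = ("true", "1", "yes", "on")

def redact(url):
    """Return the connection URL with any password replaced by '***'."""
    password = urlsplit(url).password
    if password is None:
        return url
    return url.replace(":" + password + "@", ":***@", 1)

def audit_compute_conf(text):
    """Return (section, option, value) findings for a compute nova.conf."""
    # Treat [DEFAULT] as an ordinary section so its values are not
    # inherited by every other section; no interpolation of '%'.
    cfg = configparser.RawConfigParser(default_section="__unused__", strict=False)
    cfg.read_string(text)
    findings = []
    for section, option in DB_OPTIONS:
        if cfg.has_option(section, option):
            value = cfg.get(section, option).strip()
            if value:
                findings.append((section, option, redact(value)))
    # use_local=true makes nova-compute bypass conductor and talk to the DB.
    if cfg.has_option("conductor", "use_local"):
        if cfg.get("conductor", "use_local").strip().lower() in TRUE_VALUES:
            findings.append(("conductor", "use_local", "true"))
    return findings

# Constructed sample inputs (not taken from a real deployment).
CONF_WITH_DB = """[DEFAULT]
sql_connection = mysql://nova:password@mysqlhost/nova_db

[conductor]
use_local=true
"""
CONF_CONDUCTOR_ONLY = """[DEFAULT]
my_ip = 192.0.2.10
"""

if __name__ == "__main__":
    for name, text in (("with db", CONF_WITH_DB), ("conductor only", CONF_CONDUCTOR_ONLY)):
        print(name, audit_compute_conf(text))
```

An empty result means the file carries no database credentials and does not bypass conductor; the password is redacted so findings can be logged safely.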



