[Openstack-security] [Bug 1355509] Re: Better conductor deployment
Alexey Shtokolov
ashtokolov at mirantis.com
Tue Oct 6 13:54:00 UTC 2015
** Changed in: fuel
Status: Confirmed => Triaged
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1355509
Title:
Better conductor deployment
Status in Fuel for OpenStack:
Triaged
Status in Fuel for OpenStack 6.0.x series:
Won't Fix
Status in Fuel for OpenStack 7.0.x series:
Won't Fix
Status in Fuel for OpenStack 8.0.x series:
Won't Fix
Bug description:
Here is several issues with how MOS deploys conductor.
1 By default all deployment variants assume deployments with conductor enabled. But this requires to remove sql_connection option in nova.conf on compute nodes. MOS does not do this. it keeps sql_connection option in nova.conf on compute nodes while all compute services are configured to use conductor.
One of the reason for creating conductor service was to provide security level for nova.
2 by default it not possible to disable conductor using MOS tools.
Customers who prefer performance over security should have this
options. Conductor can introduce significant delay in all actions
required database access.
This two enchantments are tied together.
The following actions are required to disable usage of conductor.
On all compute nodes:
1 make use mysql port is accessible from compute nodes and all necessary grange are present.
2 add into nova.conf
[DEFAULT]
sql_connection = mysql://nova:password@mysqlhost/nova_db
[conductor]
use_local=true
3 service openstack-nova-compute restart
4 optionally stop conductor process on controllers
Monitoring tuning may be required..
To manage notifications about this bug go to:
https://bugs.launchpad.net/fuel/+bug/1355509/+subscriptions
More information about the Openstack-security
mailing list