It sounds like they might be – but the complaint is perhaps that once kolla-ansible generates the config, that config has the passwords in plain text (i.e. if you SSH into the machine, docker exec into the container, the /etc/nova/nova.conf has the keys built from the ansible-vault password.yml)

 

I do not think there is a way around this, nor do I think there needs to be – if the passwords are only in “plain text” in the config on the container only accessibly by root, then privilege escalation to root is the vulnerability you should be protecting against anyway – even if you somehow worked out a way to have secrets separate in a way that wasn’t just a big house of cards, if there’s a privilege-escalation to root on your host nodes, you’re going to have massive problems, and some configuration passwords are going to be the least of them.

 

@elnazcloud@gmail.com can you confirm you’re using the ansible-vault password encryption for your passwords.yml?

Kolla-ansible has supported it for like 8 years: https://opendev.org/openstack/kolla-ansible/commit/684194ff9dbd442a93278bec2cef95a21fa62811

Here is the link to the ansible documentation: https://docs.ansible.com/ansible/latest/vault_guide/vault_encrypting_content.html

 

Let us know if you need more information.

 

Kind Regards,

 

Joel McLean – Micron21 Pty Ltd