On Mon, Sep 26, 2016 at 3:03 PM, Christian Berendt < berendt at betacloud-solutions.de> wrote: > > On 26 Sep 2016, at 16:43, Sam Yaple <samuel at yaple.net> wrote: > > > > So this actually makes it _less_ secure. The 0600 permissions were > chosen for a reason. The nova.conf file has passwords to the DB and > rabbitmq. If the configuration files are world readable then those > passwords could leak to an unprivileged user on the host. > > Confirmed. Please do not make configuration files world readable. > > We use volumes for the configuration file directories. Why do we not > simply use read only volumes? This way we do not have to touch the current > implementation (files are owned by the service user with 0600 permissions) > and can make the configuration files read only. > This is already done. When I first setup the config bind mounting we did make sure it was read only. See [1]. The way configs work in Kolla is the files from that readonly bind mount are copied into the appropriate directory in the container on container startup. [1] https://github.com/openstack/kolla/blob/b1f986c3492faa2d5386fc7baabbd6d8e370554a/ansible/roles/nova/tasks/start_compute.yml#L11 > > Christian. > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160926/3a94c41a/attachment.html>