[nova][tripleo][rpm-packaging][kolla][puppet][debian][osa] Nova enforces that no DB credentials are allowed for the nova-compute service

Balázs Gibizer balazs.gibizer at est.tech
Wed Nov 11 16:35:56 UTC 2020

Dear packagers and deployment engine developers,

Since Icehouse, the nova-compute service has not needed any database 
configuration, as it uses the message bus to access data in the database 
via the conductor service. Also, the nova configuration guide states 
that the nova-compute service should not have the 
[api_database]connection config set. Having any DB credentials 
configured for nova-compute is a security risk as well, since that 
service runs close to the hypervisor. Since Rocky[1], the nova-compute 
service fails if you configure API DB credentials and set the upgrade_level 
config to 'auto'.

Now we are proposing a patch[2] that makes nova-compute fail at startup 
if [database]connection or [api_database]connection is 
configured. We know that this breaks at least the rpm packaging, debian 
packaging, and puppet-nova. The problem there is that in an all-in-one 
deployment scenario the nova.conf file generated by these tools is 
shared between all the nova services and therefore nova-compute sees DB 
credentials. As a counter-example, devstack generates a separate 
nova-cpu.conf and passes that to the nova-compute service even in an 
all-in-one setup.

The nova team would like to merge [2] during Wallaby, but we are OK with 
delaying the patch until Wallaby Milestone 2 so that the packagers and 
deployment tools can catch up. Please let us know if you are impacted 
and provide a way to track when you are ready with the modification 
that allows [2] to be merged.

There was a long discussion on #openstack-nova today[3] around this 
topic. So you can find more detailed reasoning there[3].


[2] https://review.opendev.org/#/c/762176
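The following is an added illustration, not part of the message above and not nova's own code. It shows, in the spirit of the proposed startup guard, a stand-alone check that refuses a config carrying [database]connection or [api_database]connection, and a helper that derives a compute-only file (a devstack-style nova-cpu.conf) from a shared all-in-one nova.conf by dropping exactly those options. The two config texts, the hostnames and the passwords in them are constructed for the example; the function names are the example's own.

```python
"""Refuse DB credentials in a nova-compute config, and strip them out.

Added example, not nova code. The config texts below are constructed
samples; hostnames and credentials in them are placeholders.
"""
import configparser
import io

# Options nova-compute must never see: it reaches the database only
# through the conductor over the message bus.
FORBIDDEN = (("database", "connection"), ("api_database", "connection"))

# Constructed sample: an all-in-one nova.conf shared by every nova service.
SHARED_NOVA_CONF = """\
[DEFAULT]
transport_url = rabbit://nova:secret@controller:5672/
[database]
connection = mysql+pymysql://nova:dbpass@controller/nova
[api_database]
connection = mysql+pymysql://nova:dbpass@controller/nova_api
"""

# Constructed sample: a devstack-style nova-cpu.conf handed only to nova-compute.
COMPUTE_ONLY_CONF = """\
[DEFAULT]
transport_url = rabbit://nova:secret@controller:5672/
[database]
# connection intentionally left unset
"""


def _parse(conf_text):
    # interpolation=None: DB URLs may legitimately contain '%' escapes.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser


def find_db_credentials(conf_text):
    """Return the (section, option) pairs from FORBIDDEN that are set to a
    non-empty value in conf_text; an empty list means the file is clean."""
    parser = _parse(conf_text)
    return [
        (section, option)
        for section, option in FORBIDDEN
        if parser.has_option(section, option)
        and parser.get(section, option).strip()
    ]


def check_compute_config(conf_text):
    """Startup-style guard: raise ValueError if the config given to
    nova-compute carries DB credentials, otherwise return True."""
    found = find_db_credentials(conf_text)
    if found:
        names = ", ".join("[%s]%s" % pair for pair in found)
        raise ValueError(
            "nova-compute must not be configured with DB credentials: " + names
        )
    return True


def strip_db_credentials(conf_text):
    """Derive a compute-only config text from a shared nova.conf by removing
    the forbidden options while keeping everything else intact."""
    parser = _parse(conf_text)
    for section, option in FORBIDDEN:
        if parser.has_option(section, option):
            parser.remove_option(section, option)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    try:
        check_compute_config(SHARED_NOVA_CONF)
    except ValueError as exc:
        print("shared nova.conf rejected:", exc)
    print("compute-only config accepted:", check_compute_config(COMPUTE_ONLY_CONF))
    print("derived nova-cpu.conf accepted:",
          check_compute_config(strip_db_credentials(SHARED_NOVA_CONF)))
```

A packaging or deployment tool that keeps generating a single shared nova.conf could apply strip_db_credentials to produce the file it passes to nova-compute; the guard then rejects the shared file and accepts the derived one, which is the behaviour the proposed patch enforces at service startup.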
