[nova][tripleo][rpm-packaging][kolla][puppet][debian][osa] Nova enforces that no DB credentials are allowed for the nova-compute service
radoslaw.piliszek at gmail.com
Wed Nov 11 17:37:15 UTC 2020
Thank you for the heads up.
I write to confirm that Kolla has, for some time, not provided
database credentials to nova-compute.
On Wed, Nov 11, 2020 at 5:36 PM Balázs Gibizer <balazs.gibizer at est.tech> wrote:
> Dear packagers and deployment engine developers,
> Since Icehouse the nova-compute service does not need any database
> configuration as it uses the message bus to access data in the database
> via the conductor service. Also, the nova configuration guide states
> that the nova-compute service should not have the
> [api_database]connection config set. Having any DB credentials
> configured for the nova-compute is a security risk as well since that
> service runs close to the hypervisor. Since Rocky the nova-compute
> service fails if you configure API DB credentials and set the upgrade_level
> config to 'auto'.
> Now we are proposing a patch that makes nova-compute fail at startup
> if the [database]connection or the [api_database]connection is
> configured. We know that this breaks at least the rpm packaging, debian
> packaging, and puppet-nova. The problem there is that in an all-in-one
> deployment scenario the nova.conf file generated by these tools is
> shared between all the nova services and therefore nova-compute sees DB
> credentials. As a counter-example, devstack generates a separate
> nova-cpu.conf and passes that to the nova-compute service even in an
> all-in-one setup.
> The nova team would like to merge  during Wallaby but we are OK to
> delay the patch until Wallaby Milestone 2 so that the packagers and
> deployment tools can catch up. Please let us know if you are impacted
> and provide a way to track when you are ready with the modification
> that allows  to be merged.
> There was a long discussion on #openstack-nova today around this
> topic. So you can find more detailed reasoning there.
>  https://review.opendev.org/#/c/762176
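The check discussed in the quoted mail, as an added example that is not nova's own code nor part of this thread: a small linter that models the proposed nova-compute startup failure (refuse to run if [database]connection or [api_database]connection is set) and the devstack-style remedy of deriving a compute-only config from a shared all-in-one nova.conf. The sample nova.conf, its hostnames and its passwords are constructed for the example; the function names are this example's own, not nova's.

```python
"""Lint a nova.conf for DB credentials that nova-compute must not see.

Added example (not nova's own startup check). It models the proposed
behaviour from the thread: nova-compute refuses to start if
[database]connection or [api_database]connection is configured. It also
shows the devstack-style remedy: derive a separate compute-only config
(nova-cpu.conf) from the shared nova.conf with the DB settings stripped.
"""
import configparser
import io

# Options that must not be configured for the nova-compute service.
FORBIDDEN = (("database", "connection"), ("api_database", "connection"))

# Constructed sample of an all-in-one nova.conf shared by every nova
# service (hostnames and passwords are made up for this example).
SHARED_NOVA_CONF = """\
[DEFAULT]
transport_url = rabbit://nova:secret@controller:5672/
compute_driver = libvirt.LibvirtDriver

[database]
connection = mysql+pymysql://nova:dbpass@controller/nova

[api_database]
connection = mysql+pymysql://nova:dbpass@controller/nova_api

[upgrade_levels]
compute = auto
"""


def parse_conf(text):
    """Parse oslo.config INI text.

    interpolation=None so '%' inside passwords/URLs is not treated as a
    template; default_section is set to an unused name so [DEFAULT] is a
    plain section and its values do not leak into every other section.
    """
    parser = configparser.ConfigParser(
        allow_no_value=True, interpolation=None, default_section="__unused__")
    parser.read_string(text)
    return parser


def db_credentials_present(text):
    """Return the list of (section, option) DB settings found in `text`."""
    parser = parse_conf(text)
    return [(s, o) for s, o in FORBIDDEN if parser.has_option(s, o)]


def check_compute_conf(text):
    """Model the proposed nova-compute startup check: raise if DB creds are set."""
    found = db_credentials_present(text)
    if found:
        raise RuntimeError(
            "nova-compute must not have DB credentials configured: "
            + ", ".join(f"[{s}]{o}" for s, o in found))
    return True


def compute_would_start(text):
    """True if nova-compute would pass the startup check on this config."""
    try:
        return check_compute_conf(text)
    except RuntimeError:
        return False


def compute_only_conf(text):
    """Derive a devstack-style nova-cpu.conf: same config minus the DB settings.

    Sections left empty after stripping are dropped entirely.
    """
    parser = parse_conf(text)
    for section, option in FORBIDDEN:
        if parser.has_option(section, option):
            parser.remove_option(section, option)
        if parser.has_section(section) and not parser.options(section):
            parser.remove_section(section)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    try:
        check_compute_conf(SHARED_NOVA_CONF)
    except RuntimeError as err:
        print("shared nova.conf:", err)
    cpu_conf = compute_only_conf(SHARED_NOVA_CONF)
    check_compute_conf(cpu_conf)
    print("derived nova-cpu.conf passes the check:\n" + cpu_conf)
```

Run against the shared file the linter reports both DB settings; the derived compute-only file keeps the message bus URL and driver settings (which nova-compute does need) and passes the check. A deployment tool that must keep one shared nova.conf can use the same transformation to emit the file it hands to nova-compute.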