[nova][tripleo][rpm-packaging][kolla][puppet][debian][osa] Nova enforces that no DB credentials are allowed for the nova-compute service
Balázs Gibizer
balazs.gibizer at est.tech
Mon Nov 23 10:42:07 UTC 2020
On Mon, Nov 23, 2020 at 11:18, Thomas Goirand <zigo at debian.org> wrote:
> On 11/23/20 9:30 AM, Tobias Urdin wrote:
>> Hello,
>>
>>
>> Just to clarify that this is already possible when using
>> puppet-nova, it's up to the deployment to
>>
>> make sure the database parameters for the classes is set.
>>
>>
>> We've been running without database credentials in nova.conf on our
>> compute nodes for years.
>>
>>
>> Best regards
>>
>> Tobias
>
> Hi Tobias,
>
> That's not what I'm suggesting.
>
> I'm suggesting that nova-compute code from upstream simply ignores
> completely anything related to db connection, so we're done with the
> topic. That is, if nova-compute process having access to the db is the
> issue we're trying to fix.
>
> Or is it that the security problem is having the db credentials
> written
> in a file on the compute node? If so, isn't having hacked root (or
> nova)
> access to a compute node already game-over?
>
> What are we trying to secure here? If that's what I'm thinking (ie:
> some
> VM code to escape from guest, and potentially the hacker can gain
> access
> to the db), then IMO that's not the way to enforce things. It's not
> the
> role of upstream Nova to do this apart from a well enough written
> documentation.
I always understood this as having a goal to limit the attack surface.
So if a VM escapes out of the sandbox and access the hypervisor then
limit how may other services get compromised outside of the compromised
compute host.
Cheers,
gibi
>
> Cheers,
>
> Thomas Goirand (zigo)
>
More information about the openstack-discuss
mailing list