[nova][tripleo][rpm-packaging][kolla][puppet][debian][osa] Nova enforces that no DB credentials are allowed for the nova-compute service
balazs.gibizer at est.tech
Mon Nov 23 10:42:07 UTC 2020
On Mon, Nov 23, 2020 at 11:18, Thomas Goirand <zigo at debian.org> wrote:
> On 11/23/20 9:30 AM, Tobias Urdin wrote:
>> Just to clarify that this is already possible when using
>> puppet-nova, it's up to the deployment to
>> make sure the database parameters for the classes is set.
>> We've been running without database credentials in nova.conf on our
>> compute nodes for years.
>> Best regards
> Hi Tobias,
> That's not what I'm suggesting.
> I'm suggesting that nova-compute code from upstream simply ignores
> completely anything related to db connection, so we're done with the
> topic. That is, if nova-compute process having access to the db is the
> issue we're trying to fix.
> Or is it that the security problem is having the db credentials
> in a file on the compute node? If so, isn't having hacked root (or
> access to a compute node already game-over?
> What are we trying to secure here? If that's what I'm thinking (ie:
> VM code to escape from guest, and potentially the hacker can gain
> to the db), then IMO that's not the way to enforce things. It's not
> role of upstream Nova to do this apart from a well enough written
I always understood this as having a goal to limit the attack surface.
So if a VM escapes out of the sandbox and access the hypervisor then
limit how may other services get compromised outside of the compromised
> Thomas Goirand (zigo)
More information about the openstack-discuss