[nova][tripleo][rpm-packaging][kolla][puppet][debian][osa] Nova enforces that no DB credentials are allowed for the nova-compute service

Balázs Gibizer balazs.gibizer at est.tech
Mon Nov 23 12:31:00 UTC 2020 


On Mon, Nov 23, 2020 at 13:21, Thomas Goirand <zigo at debian.org> wrote:
> On 11/23/20 11:42 AM, Balázs Gibizer wrote:
>> 
>> 
>>  On Mon, Nov 23, 2020 at 11:18, Thomas Goirand <zigo at debian.org> 
>> wrote:
>>>  On 11/23/20 9:30 AM, Tobias Urdin wrote:
>>>>   Hello,
>>>> 
>>>> 
>>>>   Just to clarify that this is already possible when using
>>>>   puppet-nova, it's up to the deployment to
>>>> 
>>>>   make sure the database parameters for the classes is set.
>>>> 
>>>> 
>>>>   We've been running without database credentials in nova.conf on 
>>>> our
>>>>   compute nodes for years.
>>>> 
>>>> 
>>>>   Best regards
>>>> 
>>>>   Tobias
>>> 
>>>  Hi Tobias,
>>> 
>>>  That's not what I'm suggesting.
>>> 
>>>  I'm suggesting that nova-compute code from upstream simply ignores
>>>  completely anything related to db connection, so we're done with 
>>> the
>>>  topic. That is, if nova-compute process having access to the db is 
>>> the
>>>  issue we're trying to fix.
>>> 
>>>  Or is it that the security problem is having the db credentials 
>>> written
>>>  in a file on the compute node? If so, isn't having hacked root (or 
>>> nova)
>>>  access to a compute node already game-over?
>>> 
>>>  What are we trying to secure here? If that's what I'm thinking 
>>> (ie: some
>>>  VM code to escape from guest, and potentially the hacker can gain 
>>> access
>>>  to the db), then IMO that's not the way to enforce things. It's 
>>> not the
>>>  role of upstream Nova to do this apart from a well enough written
>>>  documentation.
>> 
>>  I always understood this as having a goal to limit the attack 
>> surface.
>>  So if a VM escapes out of the sandbox and access the hypervisor then
>>  limit how may other services get compromised outside of the 
>> compromised
>>  compute host.
>> 
>>  Cheers,
>>  gibi
> 
> In general, I would agree with this. However, because of the way cold
> migrations are working, nova compute boxes are authenticated between
> each other through ssh. You'd be limiting access to the db, but 
> someone
> with nova or root ssh access could destroy all compute nodes. So, like
> it or not, it's game-over anyways. If you want to fix things, make it 
> so
> that Nova doesn't require such ssh authentication anymore, because
> that's more urgent, *THEN* we can revisit this topic.

While I agree that we should do changes, if possible, to avoid the need 
of ssh between the computes, I don't agree that a compromised compute 
is a game over for the whole cloud. If the deployment is split up to 
cells, then the game over is limited to the cell the compromised 
compute is in.

Cheers,
gibi

> 
> Cheers,
> 
> Thomas Goirand (zigo)
>

More information about the openstack-discuss mailing list