[nova][tripleo][rpm-packaging][kolla][puppet][debian][osa] Nova enforces that no DB credentials are allowed for the nova-compute service

Thomas Goirand zigo at debian.org
Mon Nov 23 17:34:50 UTC 2020 

Hi Sean,

Thanks for your post.

On 11/23/20 2:32 PM, Sean Mooney wrote:
> nova need to enforce it as we use the absense or present of the db creads to know
> if common code is running in the compute agent or in controller services

I'm a bit shocked to read what I've read in this thread, about the
double-guess that Nova is doing.

The way the Nova team has been describing, this really looks like hacks
to hide the internals of Nova, and what the team is asking, is more
band-aid for it. Probably things have been done this way to make it
easier for the users, but at this point, it feels like we shouldn't
attempt to hide facts anymore, and try to have everything explicit,
which is going the opposite way of what you describe.

Why don't we go the other way around, and get things like a
superconductor=true configuration directive, for example?

On 11/23/20 2:32 PM, Sean Mooney wrote:
> it is a bug to have the db cred in the set fo configs passed to
> nova-comptue and it has been for years.

In such case, detect that it's the nova-compute agent that's running,
detect that it has access to db creds, and either:
- display a big warning (I would prefer that)
- display an error and quit (maybe bad in the case of an all-in-one setup)

This is orthogonal to the fact that Nova code is doing a hack (which
should be fixed) to check which daemon is currently running in what mode.

On 11/23/20 2:32 PM, Sean Mooney wrote:
> we could make this just a ERROR log without the hard fail but that
> would still not change the fact there is a bug in packages or
> deployment tools that should be fixed.

Probably. But that shouldn't be upstream author's business on how things
are deployed. IMO, in the case of an all-in-one, nova-compute should
continue to work and just ignore the db params, and at worse display a
huge warning on the logs.

With the light of this thread, my opinion now has shifted to *not* have
special files for the db credential, to give Nova a chance to tell the
users what to do if nova-compute detects a mistake.

If we push the creds in /etc/nova/nova-db.conf, it wont be loaded by
nova-compute, and it wont be able to warn the user that the file
shouldn't be there on a compute node. Checking for the file existence
only would be wrong (because it could have empty values and just be
there ... just because it's there! :) ).

Hoping sharing my view is constructive and adding value to the thread,
Cheers,

Thomas Goirand (zigo)

More information about the openstack-discuss mailing list