[nova][tripleo][rpm-packaging][kolla][puppet][debian][osa] Nova enforces that no DB credentials are allowed for the nova-compute service

Balázs Gibizer balazs.gibizer at est.tech
Wed Nov 25 10:13:23 UTC 2020

On Mon, Nov 23, 2020 at 13:47, Thomas Goirand <zigo at debian.org> wrote:
> On 11/23/20 11:31 AM, Balázs Gibizer wrote:
>>  It is still a security problem if nova-compute ignores the config 
>> as the
>>  config still exists on the hypervisor node (in some deployment 
>> scenarios)
> Let's say we apply the patch you're proposing, and that nova-compute
> isn't loaded anymore with the db credentials, because it's on a 
> separate
> file, and nova-compute doesn't load it.
> In such scenario, the /etc/nova/nova-db.conf could still be present 
> with
> db credentials filled-in. So, the patch you're proposing is still not
> effective for wrong configuration of nova-compute hosts.

Obviously we cannot prevent that the deployer stores the DB creds on a 
compute host as we cannot detect it in general. But we can detect it if 
it is stored in the config the nova-compute reads. I don't know why 
should we not make sure to tell the deployer not to do that as it is 
generally considered unsafe.

>>  From the nova-compute perspective we might be able to
>>  replace the [api_database]connection dependency with some hack. E.g 
>> to
>>  put the service name to the global CONF object at the start of the
>>  service binary and depend on that instead of other part of the 
>> config.
>>  But I feel pretty bad about this hack.
> Because of the above, I very much think it'd be the best way to go, 
> but
> I understand your point of view. Going to the /etc/nova/nova-db.conf 
> and
> nova-api-db.conf thing is probably good anyways.
> As for the nova-conductor thing, I very much would prefer if we had a
> clean and explicit "superconductor=true" directive, with possibly some
> checks to display big warnings in the nova-conductor.log file in case 
> of
> a wrong configuration. If we don't have that, then at least things 
> must
> be extensively documented, because that's really not obvious what's
> going on.

I agree that superconductor=true would be a more explicit config option 
than [api_database]connection. However this would also enforce that 
deployers need a separate config file for nova-compute as there neither 
superconductor=true nor superconductor=false (meaning it is a cell 
conductor) make sense.

> Cheers,
> Thomas Goirand (zigo)

More information about the openstack-discuss mailing list