[nova][tripleo][rpm-packaging][kolla][puppet][debian][osa] Nova enforces that no DB credentials are allowed for the nova-compute service
Balázs Gibizer
balazs.gibizer at est.tech
Wed Nov 25 10:13:23 UTC 2020
On Mon, Nov 23, 2020 at 13:47, Thomas Goirand <zigo at debian.org> wrote:
> On 11/23/20 11:31 AM, Balázs Gibizer wrote:
>> It is still a security problem if nova-compute ignores the config
>> as the
>> config still exists on the hypervisor node (in some deployment
>> scenarios)
>
> Let's say we apply the patch you're proposing, and that nova-compute
> isn't loaded anymore with the db credentials, because it's on a
> separate
> file, and nova-compute doesn't load it.
>
> In such scenario, the /etc/nova/nova-db.conf could still be present
> with
> db credentials filled-in. So, the patch you're proposing is still not
> effective for wrong configuration of nova-compute hosts.
Obviously we cannot prevent that the deployer stores the DB creds on a
compute host as we cannot detect it in general. But we can detect it if
it is stored in the config the nova-compute reads. I don't know why
should we not make sure to tell the deployer not to do that as it is
generally considered unsafe.
>
>> From the nova-compute perspective we might be able to
>> replace the [api_database]connection dependency with some hack. E.g
>> to
>> put the service name to the global CONF object at the start of the
>> service binary and depend on that instead of other part of the
>> config.
>> But I feel pretty bad about this hack.
>
> Because of the above, I very much think it'd be the best way to go,
> but
> I understand your point of view. Going to the /etc/nova/nova-db.conf
> and
> nova-api-db.conf thing is probably good anyways.
>
> As for the nova-conductor thing, I very much would prefer if we had a
> clean and explicit "superconductor=true" directive, with possibly some
> checks to display big warnings in the nova-conductor.log file in case
> of
> a wrong configuration. If we don't have that, then at least things
> must
> be extensively documented, because that's really not obvious what's
> going on.
I agree that superconductor=true would be a more explicit config option
than [api_database]connection. However this would also enforce that
deployers need a separate config file for nova-compute as there neither
superconductor=true nor superconductor=false (meaning it is a cell
conductor) make sense.
>
> Cheers,
>
> Thomas Goirand (zigo)
>
More information about the openstack-discuss
mailing list