[Openstack-security] [Bug 1355509] Re: Better conductor deployment

Matthew Mosesohn mmosesohn at mirantis.com
Tue Sep 1 11:13:36 UTC 2015


** Changed in: fuel
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1355509

Title:
  Better conductor deployment

Status in Fuel for OpenStack:
  Won't Fix
Status in Fuel for OpenStack 6.0.x series:
  Won't Fix
Status in Fuel for OpenStack 7.0.x series:
  Won't Fix
Status in Fuel for OpenStack 8.0.x series:
  Triaged

Bug description:
  Here is several issues with how MOS deploys conductor.

  1 By default all deployment variants assume deployments with conductor enabled. But this requires  to remove sql_connection option in nova.conf on compute nodes. MOS does not do this. it keeps  sql_connection option in nova.conf on compute nodes while all compute services are configured to use conductor.
  One of the reason for creating  conductor service was to provide security level for nova.  

  2 by default it not possible to disable conductor using MOS tools.
  Customers who prefer performance over security should have  this
  options. Conductor can introduce significant delay in all actions
  required database access.

  
  This two enchantments are tied together.

  The following actions are required to  disable usage of conductor.

  On all compute nodes:

  1 make use mysql port is accessible from compute nodes and all necessary grange are present.
  2 add into nova.conf 
  [DEFAULT]
  sql_connection = mysql://nova:password@mysqlhost/nova_db

  [conductor]
  use_local=true

   3 service openstack-nova-compute restart

  4 optionally stop conductor process on controllers

  Monitoring tuning may be required..

To manage notifications about this bug go to:
https://bugs.launchpad.net/fuel/+bug/1355509/+subscriptions




More information about the Openstack-security mailing list