[Openstack-security] [Bug 1355509] Re: Better conductor deployment

Matthew Mosesohn mmosesohn at mirantis.com
Wed Sep 30 08:46:49 UTC 2015 

I fail to understand how nova-conductor on computes is more secure than
running it on controllers. Computes have a higher likelihood of being
compromised.

>From nova-conductor docs, it says that nova-conductor should not be deployed on compute nodes:
http://docs.openstack.org/kilo/config-reference/content/section_conductor.html

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1355509

Title:
  Better conductor deployment

Status in Fuel for OpenStack:
  Won't Fix
Status in Fuel for OpenStack 6.0.x series:
  Won't Fix
Status in Fuel for OpenStack 7.0.x series:
  Won't Fix
Status in Fuel for OpenStack 8.0.x series:
  Triaged

Bug description:
  Here is several issues with how MOS deploys conductor.

  1 By default all deployment variants assume deployments with conductor enabled. But this requires  to remove sql_connection option in nova.conf on compute nodes. MOS does not do this. it keeps  sql_connection option in nova.conf on compute nodes while all compute services are configured to use conductor.
  One of the reason for creating  conductor service was to provide security level for nova.  

  2 by default it not possible to disable conductor using MOS tools.
  Customers who prefer performance over security should have  this
  options. Conductor can introduce significant delay in all actions
  required database access.

  
  This two enchantments are tied together.

  The following actions are required to  disable usage of conductor.

  On all compute nodes:

  1 make use mysql port is accessible from compute nodes and all necessary grange are present.
  2 add into nova.conf 
  [DEFAULT]
  sql_connection = mysql://nova:password@mysqlhost/nova_db

  [conductor]
  use_local=true

   3 service openstack-nova-compute restart

  4 optionally stop conductor process on controllers

  Monitoring tuning may be required..

To manage notifications about this bug go to:
https://bugs.launchpad.net/fuel/+bug/1355509/+subscriptions

More information about the Openstack-security mailing list