Don't send galera root credentials file to compute hosts

Bug #1510596 reported by Logan V
This bug affects 1 person
Affects             Status         Importance   Assigned to       Milestone
OpenStack-Ansible   Fix Released   Wishlist     Major Hayden
Liberty             Fix Released   Wishlist     Jesse Pretorius
Trunk               Fix Released   Wishlist     Major Hayden

Bug Description

When galera_client runs against compute nodes, a ~/.my.cnf file is copied to the compute node with root credentials to the galera cluster. Is there a reason this needs to occur? On my compute nodes I have nova, cinder, and neutron-dhcp-agent running. Of these only cinder utilizes a database connection and it has its own 'cinder' user so it makes no use of the root login.

It seems prudent to filter this file from being sent anywhere it may not be needed. Compute hosts are an obvious candidate for this filtering.
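The over-broad deployment described above, beside a restricted form that only places the file on galera server and utility containers and removes copies left behind on other hosts. This is an added illustration, not the openstack-ansible patch itself; the task names, the my.cnf.j2 template, the /root/.my.cnf path and the galera_all and utility_all inventory group names are assumptions.

```yaml
# Added example (not openstack-ansible's own code). Assumes a role that renders
# ~/.my.cnf for root from a my.cnf.j2 template, and inventory groups named
# galera_all and utility_all; all of these names are assumptions.

# Before: every host the client role runs against receives the root credentials,
# compute hosts included, whether or not anything on them needs root DB access.
- name: Deploy .my.cnf with galera root credentials (over-broad)
  template:
    src: my.cnf.j2
    dest: /root/.my.cnf
    owner: root
    group: root
    mode: "0600"

# After: the file is only written on galera server and utility containers.
- name: Deploy .my.cnf only where root database access is needed
  template:
    src: my.cnf.j2
    dest: /root/.my.cnf
    owner: root
    group: root
    mode: "0600"
  when: inventory_hostname in groups['galera_all'] or inventory_hostname in groups['utility_all']

# Hosts that were provisioned before the restriction still hold a copy; a list
# under "when" is ANDed, so this removes it from everything outside both groups.
- name: Remove stray .my.cnf from hosts that should not hold root credentials
  file:
    path: /root/.my.cnf
    state: absent
  when:
    - inventory_hostname not in groups['galera_all']
    - inventory_hostname not in groups['utility_all']
```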

Revision history for this message
Jesse Pretorius (jesse-pretorius) wrote :

This has already been identified and although we had hoped to do the work to reduce the .my.cnf configuration distribution for Liberty, it has slipped into the Mitaka development cycle. More details here: http://specs.openstack.org/openstack/openstack-ansible-specs/specs/mitaka/limit-mysql-config-distribution.html

We welcome more hands on deck for getting this done if you're able to do so!

Revision history for this message
Major Hayden (rackerhacker) wrote :

I'm going on the assumption that only the galera server containers need these .my.cnf files. I don't really see a need to add it to every container that has the galera_client role applied.

Am I right on this assumption?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/241382

Changed in openstack-ansible:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/241382
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=e0d58a99debd017ec063b71f290c373892f8b0a3
Submitter: Jenkins
Branch: master

commit e0d58a99debd017ec063b71f290c373892f8b0a3
Author: Major Hayden <email address hidden>
Date: Tue Nov 3 19:44:56 2015 -0600

    Only deploy .my.cnf file on galera/utility containers

    The original bug was opened because .my.cnf (with sensitive root credentials)
    was being deployed on compute hosts without needing to be there. This patch
    restricts the deployment of .my.cnf files to the galera/utility containers
    only. This improves security while still allowing deployers to diagnose galera
    server issues on the galera server containers themselves, and to access the
    database from the utility containers for diagnostic purposes.

    Closes-bug: 1510596
    Implements: blueprint limit-mysql-config-distribution
    Change-Id: I42f39cbfcb02b97846894592d642ac0c58a82b02

Changed in openstack-ansible:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (liberty)

Reviewed: https://review.openstack.org/253122
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=f530301fbfe76bf12679f80f7db9377a25dc3f2c
Submitter: Jenkins
Branch: liberty

commit f530301fbfe76bf12679f80f7db9377a25dc3f2c
Author: Major Hayden <email address hidden>
Date: Tue Nov 3 19:44:56 2015 -0600

    Only deploy .my.cnf file on galera/utility containers

    The original bug was opened because .my.cnf (with sensitive root credentials)
    was being deployed on compute hosts without needing to be there. This patch
    restricts the deployment of .my.cnf files to the galera/utility containers
    only. This improves security while still allowing deployers to diagnose galera
    server issues on the galera server containers themselves, and to access the
    database from the utility containers for diagnostic purposes.

    Closes-bug: 1510596
    Implements: blueprint limit-mysql-config-distribution
    Change-Id: I42f39cbfcb02b97846894592d642ac0c58a82b02
    (cherry picked from commit e0d58a99debd017ec063b71f290c373892f8b0a3)

Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 13.0.0

This issue was fixed in the openstack/openstack-ansible 13.0.0 release.

Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 12.0.11

This issue was fixed in the openstack/openstack-ansible 12.0.11 release.
