Don't send galera root credentials file to compute hosts
Bug #1510596 reported by Logan V
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Wishlist | Major Hayden |
Liberty | Fix Released | Wishlist | Jesse Pretorius |
Trunk | Fix Released | Wishlist | Major Hayden |
Bug Description
When galera_client runs against compute nodes, a ~/.my.cnf file is copied to the compute node with root credentials to the galera cluster. Is there a reason this needs to occur? On my compute nodes I have nova, cinder, and neutron-dhcp-agent running. Of these only cinder utilizes a database connection and it has its own 'cinder' user so it makes no use of the root login.
It seems prudent to filter this file from being sent anywhere it may not be needed. Compute hosts are an obvious candidate for this filtering.
This has already been identified and although we had hoped to do the work to reduce the .my.cnf configuration distribution for Liberty, it has slipped into the Mitaka development cycle. More details here: http://specs.openstack.org/openstack/openstack-ansible-specs/specs/mitaka/limit-mysql-config-distribution.html
We welcome more hands on deck for getting this done if you're able to do so!
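A way to check hosts for the condition the bug description reports, as an added example that is not part of the original report or of OpenStack-Ansible: it parses the contents of a root-owned `.my.cnf` and flags stored root logins on hosts that do not need them. The role labels, the `ROLES_NEEDING_ROOT` policy and the sample files are assumptions constructed for illustration.

```python
import configparser

# Option-file groups that MySQL command-line clients read credentials from.
CLIENT_GROUPS = {"client", "mysql", "mysqladmin", "mysqldump"}
# Assumption: only hosts with this (hypothetical) role label need the file.
ROLES_NEEDING_ROOT = {"database"}

def stored_logins(text, default_user="root"):
    """Return [(group, user)] for each client group that stores a password."""
    # configparser cannot parse !include / !includedir directives; drop them.
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(body)
    logins = []
    for group in cp.sections():
        opts = cp[group]
        if group not in CLIENT_GROUPS or not opts.get("password"):
            continue  # a bare "password" line means "prompt", nothing stored
        # With no user option the client uses the OS login name, which for
        # /root/.my.cnf is root; default_user models that.
        user = (opts.get("user") or default_user).strip("'\"")
        logins.append((group, user))
    return logins

def audit(role, text):
    """Flag stored root logins on a host whose role does not need them."""
    if role in ROLES_NEEDING_ROOT:
        return []
    return [f"{role}: [{g}] stores a password for root"
            for g, u in stored_logins(text) if u == "root"]

# Constructed sample files, not taken from a real deployment.
ROOT_CNF = '[client]\nuser = root\npassword = "constructed-example"\n'
IMPLICIT_ROOT_CNF = "[mysql]\npassword = constructed-example\n"
SERVICE_CNF = "[client]\nuser = cinder\npassword = constructed-example\n"
PROMPT_CNF = "!includedir /etc/mysql/conf.d/\n[client]\nuser = root\npassword\n"

if __name__ == "__main__":
    for name, cnf in [("compute", ROOT_CNF), ("compute", SERVICE_CNF),
                      ("database", ROOT_CNF)]:
        print(name, audit(name, cnf))
```

A file with a password but no `user` line is still reported, because a client run as root would log in as root with it.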