nova-compute can start when instances mount not yet available

Bug #1863259 reported by Edward Hope-Morley
Affects: OpenStack Nova Compute Charm
Status: New
Importance: High
Assigned to: Unassigned
Milestone: -

Bug Description

Raising this bug on the charm for now but I'm guessing it will need package attention as well.

We have a use case where the nova instances path e.g. /var/lib/nova/instances is an encrypted mount as provided by Vault (charm-vault). What we have seen in the field is that this mount sometimes fails to appear before nova-compute is started (or even at all) due to known bugs (1838607, 1804261, +others) and this results in existing vm data being non-existent and also nova-compute creating new vms/data on the local/root (unencrypted) filesystem at that location.

One way to at least mitigate the security risk of having nova-compute blindly creating VMs on an unencrypted disk would be to set instances-path to a location that doesn't exist unless it has been successfully mounted but I know that several deployments are not doing this, perhaps for specific reasons. Therefore we need a way to safeguard against this possibility.

summary: changed from "nova-compute starts when instances mount not yet available" to "nova-compute can start when instances mount not yet available"

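The failure mode described above is that nova-compute starts against a plain directory on the root filesystem because the encrypted mount has not appeared yet. The following is an added example of a pre-start guard that checks the condition before the service is allowed to run; it is not code from the charm, from vaultlocker or from this bug report. It assumes a Linux host with /proc/mounts and sysfs, treats the instances path and the "require dm-crypt" flag as arguments, and is meant to be wired in as a systemd ExecStartPre or a charm pre-start hook (the script name instances-mount-guard.sh is hypothetical).

```shell
#!/bin/sh
# Hypothetical pre-start guard for nova-compute (added example, not charm code).
# Refuses to let the service start unless the instances path is an active
# mount point, and optionally unless that mount is backed by a dm-crypt device.

INSTANCES_PATH="${INSTANCES_PATH:-/var/lib/nova/instances}"

# Returns 0 if the given path is a mount point according to /proc/mounts.
is_mountpoint() {
    # Resolve symlinks so the comparison matches the kernel's view of the path.
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    [ -d "$target" ] || return 1
    # Field 2 of /proc/mounts is the mount point (spaces are octal-escaped there,
    # so paths containing spaces would need unescaping before comparison).
    awk -v t="$target" '$2 == t { found = 1 } END { exit found ? 0 : 1 }' /proc/mounts
}

# Returns 0 if the block device behind the mount is a device-mapper crypt target.
# dm-crypt devices expose a uuid under /sys/block/dm-N/dm/uuid that starts with "CRYPT-".
is_dmcrypt_mount() {
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    # Field 1 of /proc/mounts is the source device; take the most recent mount.
    dev=$(awk -v t="$target" '$2 == t { print $1 }' /proc/mounts | tail -n 1)
    [ -n "$dev" ] || return 1
    name=$(basename "$(readlink -f "$dev" 2>/dev/null)")   # e.g. dm-0
    uuid_file="/sys/block/$name/dm/uuid"
    [ -r "$uuid_file" ] || return 1
    case "$(cat "$uuid_file")" in
        CRYPT-*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Overall readiness check: 0 = safe to start nova-compute, 1 = refuse to start.
# $1 = instances path, $2 = "yes" to additionally require a dm-crypt backing device.
instances_path_ready() {
    path="$1"
    require_crypt="${2:-no}"
    if ! is_mountpoint "$path"; then
        echo "refusing to start: $path is not a mount point" >&2
        return 1
    fi
    if [ "$require_crypt" = "yes" ] && ! is_dmcrypt_mount "$path"; then
        echo "refusing to start: $path is not on a dm-crypt device" >&2
        return 1
    fi
    return 0
}

# Usage as a systemd ExecStartPre or charm pre-start hook:
#   instances-mount-guard.sh /var/lib/nova/instances yes
if [ -n "${1:-}" ]; then
    instances_path_ready "$1" "${2:-no}"
    exit $?
fi
```

Because the check runs before the service starts, a missing or late vaultlocker mount leaves nova-compute stopped and logging a clear reason rather than silently writing instance data to the unencrypted root filesystem; the dm-crypt check covers the case where something other than the encrypted volume has been mounted at that path.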
Edward Hope-Morley (hopem) wrote :

It has been highlighted that using a path that is not the default (/var/lib/nova/instances) would conflict with having apparmor profiles enabled in the charm but since the charm is managing those profiles it should be able to adapt to the configured path.

Changed in charm-nova-compute:
importance: Undecided → High
milestone: none → 20.02
Edward Hope-Morley (hopem) wrote :

vaultlocker patch has been submitted to https://bugs.launchpad.net/vaultlocker/+bug/1863358
