tripleo

nova-compute must not configure api database

Bug #1871482 reported by Oliver Walsh on 2020-04-07

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Oliver Walsh	tripleo wallaby-1

Bug Description

Currently all nova database sections are configured for all nova services (inherited from nova-base). I assume this an historical relic from the days when nova compute accessed the db directly.

This is long deprecated and removed. Code has already merged in nova that assumes the api db is not configured on computes. Devstack [1] and kolla-ansible[2] have already hit this.

From investigation by the nova devs it appears that tripleo was just fortunate not to hit the same issue. Setting upgrade level 'auto' would have triggered it.

[1] https://bugs.launchpad.net/devstack/+bug/1812398
[2] https://bugs.launchpad.net/kolla-ansible/+bug/1829705

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-04-08: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/718552

wes hayutin (weshayutin) on 2020-04-13

Changed in tripleo:
milestone:	ussuri-3 → ussuri-rc3

wes hayutin (weshayutin) on 2020-05-26

Changed in tripleo:
milestone:	ussuri-rc3 → victoria-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-06-26: Related fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/737287
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1495ced5c1ef7216f5c3db491d52866b0eb15341
Submitter: Zuul
Branch: stable/train

commit 1495ced5c1ef7216f5c3db491d52866b0eb15341
Author: Lukas Bezdicka <email address hidden>
Date: Mon Jun 22 17:14:09 2020 +0200

[train-only] Make sure UpgradeLevelNovaCompute is empty string for upgrade

This value causes issues with live migration that will be
addressed later (see related launchpad bug).

    This patch assigns the empty string value to the parameter
    to make sure it doesn't have any other value assigned before
    performing an upgrade.

    Co-Authored-By: Jose Luis Franco Arza <email address hidden>
    Closes-Bug: rhbz#1849235
    Related-Bug: rhbz#1851239
    Related-Bug: #1871482

Change-Id: If5f8c3391efa9d283bcbbde388f6e1b8143f2db5

tags:

added: in-stable-train

Emilien Macchi (emilienm) on 2020-07-28

Changed in tripleo:
milestone:	victoria-1 → victoria-3

Marios Andreou (marios-b) on 2020-11-03

Changed in tripleo:
milestone:	victoria-3 → wallaby-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-11-11: Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/762415

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-11-19: Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/762579
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/629485dde5d6b96d38688f362362fac45392ece9
Submitter: Zuul
Branch: master

commit 629485dde5d6b96d38688f362362fac45392ece9
Author: Oliver Walsh <email address hidden>
Date: Thu Nov 12 20:38:26 2020 +0000

Move cell_v2 discovery off compute hosts

    In I12a02f636f31985bc1b71bff5b744d346286a95f cell_v2 discovery was
    originally moved from the nova-api container to the
    nova-compute|nova-ironic containers in order to run cell
    discovery during a scale up where the controllers are omitted
    (e.g to exclude the controllers from a maintenance window).

    This requires api database credentials on the compute node, which is
    forbidden, so it must move back to a nova-api host as a pre-requisite
    for removing these credentials in a follow-up patch.

    Scale-up while omitting the controllers will no longer work out of the
    box. Either a manual cell_v2 discovery can be run after scale up, or an
    additional node can be deployed using the NovaManager tripleo role.

    Related-bug: #1786961
    Related-bug: #1871482
    Change-Id: I47b95ad46e2d4e5b1f370a2f840826e87da2d703

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-11-19: Related fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/762415
Committed: https://opendev.org/openstack/puppet-tripleo/commit/287b1b6ce77fe143d781ccd1b900c3bdbe6ada87
Submitter: Zuul
Branch: master

commit 287b1b6ce77fe143d781ccd1b900c3bdbe6ada87
Author: Oliver Walsh <email address hidden>
Date: Wed Nov 11 20:42:14 2020 +0000

Stop including nova::metadata on computes

    I5da1e67684f8317eec8c499c3534977e00a63098 include nova::metadata on computes
    however this includes nova::db which we must not do on computes.
    Push the fix up to puppet-nova and nova.

    Depends-On: If6a26527a737a7184ebddd5b4bc346d64827e9e3
    Depends-On: I47b95ad46e2d4e5b1f370a2f840826e87da2d703
    Change-Id: I07caa3185427b48e6e7d60965fa3e6157457018c
    Related-bug: #1871482
    Related-bug: #1903908
    Related-bug: #1832537

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-11-19: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/718552
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/9d82364de8d6d1fba083993e085fb8cafcc08268
Submitter: Zuul
Branch: master

commit 9d82364de8d6d1fba083993e085fb8cafcc08268
Author: Oliver Walsh <email address hidden>
Date: Wed Apr 8 21:04:49 2020 +0100

Refactor nova db config

    It is best to avoid placing db creds on the compute nodes to limit the
    exposure if an attacker succeeds in gaining access to the hypervisor
    host.

    Related patches in puppet-nova remove the credentials from nova.conf
    however the current scope of db credential hieradata is all nova tripleo
    services - so it will but written to the hieradata keys on compute
    nodes.

    This patch refactors the nova hieradata structure, splitting the
    nova-api/nova database hieradata out into individual templates and
    selectively including only where necessary, ensuring we have no db
    creds on a compute node (unless it is an all-in-one api+compute node).

    Depends-On: I07caa3185427b48e6e7d60965fa3e6157457018c
    Change-Id: Ia4a29bdd2cd8e894bcc7c0078cf0f0ab0f97de0a
    Closes-bug: #1871482

Changed in tripleo:
status:	In Progress → Fix Released

Oliver Walsh (owalsh) on 2020-11-20

tags:

removed: in-stable-train

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-01-28: Fix included in openstack/tripleo-heat-templates 14.0.0

This issue was fixed in the openstack/tripleo-heat-templates 14.0.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-04-01: Fix included in openstack/tripleo-heat-templates 13.2.0

This issue was fixed in the openstack/tripleo-heat-templates 13.2.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-04-05: Fix included in openstack/tripleo-heat-templates 11.5.0

This issue was fixed in the openstack/tripleo-heat-templates 11.5.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-04-14: Fix included in openstack/tripleo-heat-templates 12.4.3

#10

This issue was fixed in the openstack/tripleo-heat-templates 12.4.3 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.