Fuel for OpenStack

Better conductor deployment

Bug #1355509 reported by Oleksii Aleksieiev on 2014-08-11

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Fuel for OpenStack	Won't Fix	Low	Matthew Mosesohn	Fuel for OpenStack 8.0
6.0.x	Won't Fix	Wishlist	Matthew Mosesohn	Fuel for OpenStack 6.0-updates
7.0.x	Won't Fix	Wishlist	Matthew Mosesohn	Fuel for OpenStack 7.0-updates

Bug Description

Here is several issues with how MOS deploys conductor.

1 By default all deployment variants assume deployments with conductor enabled. But this requires to remove sql_connection option in nova.conf on compute nodes. MOS does not do this. it keeps sql_connection option in nova.conf on compute nodes while all compute services are configured to use conductor.
One of the reason for creating conductor service was to provide security level for nova.

2 by default it not possible to disable conductor using MOS tools. Customers who prefer performance over security should have this options. Conductor can introduce significant delay in all actions required database access.

This two enchantments are tied together.

The following actions are required to disable usage of conductor.

On all compute nodes:

1 make use mysql port is accessible from compute nodes and all necessary grange are present.
2 add into nova.conf
[DEFAULT]
sql_connection = mysql://nova:password@mysqlhost/nova_db

[conductor]
use_local=true

3 service openstack-nova-compute restart

4 optionally stop conductor process on controllers

Monitoring tuning may be required..

Tags:

Nastya Urlapova (aurlapova) on 2014-08-12

information type:	Private Security → Public
Changed in fuel:
importance:	Undecided → Medium
assignee:	nobody → Fuel Library Team (fuel-library)
milestone:	none → 6.0

Roman Alekseenkov (ralekseenkov) on 2014-08-13

tags:

added: customer-found

Mike Durnosvistov (glacierrdev) on 2014-08-14

Changed in mos:
status:	New → Triaged
importance:	Undecided → Low
assignee:	nobody → MOS Nova (mos-nova)
milestone:	none → 6.0

Roman Podoliaka (rpodolyaka) on 2014-08-14

Changed in fuel:
status:	New → Triaged
importance:	Medium → Low

Revision history for this message

Dmitry Mescheryakov (dmitrymex) wrote on 2014-08-15:

This task requires change only in Nova deployment, no need to change anything in Nova code. So I am removing MOS as an affected project.

no longer affects:

mos

Vladimir Kuklin (vkuklin) on 2014-11-27

Changed in fuel:
milestone:	6.0 → 6.1

Revision history for this message

Vladimir Kuklin (vkuklin) wrote on 2015-02-17:

This bug requires altering of reference architecture - Won't Fix for 6.0.x

Bogdan Dobrelya (bogdando) on 2015-04-07

Changed in fuel:
milestone:	6.1 → 7.0

Matthew Mosesohn (raytrac3r) on 2015-09-01

Changed in fuel:
status:	Triaged → Won't Fix

Matthew Mosesohn (raytrac3r) on 2015-09-30

tags:

added: feature ha

Revision history for this message

Matthew Mosesohn (raytrac3r) wrote on 2015-09-30:

I fail to understand how nova-conductor on computes is more secure than running it on controllers. Computes have a higher likelihood of being compromised.

From nova-conductor docs, it says that nova-conductor should not be deployed on compute nodes:
http://docs.openstack.org/kilo/config-reference/content/section_conductor.html

Revision history for this message

Matthew Mosesohn (raytrac3r) wrote on 2015-09-30:

After talking with Roman P, we realized we have DB config in nova.conf on computes, but it should be removed since it is not in use. Conductors are run in controllers as they should be.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-30: Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/229310

Changed in fuel:
status:	Won't Fix → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-02: Related fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/229310
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=7c1694dc2f573f8714f1845cf446bdcec5d01420
Submitter: Jenkins
Branch: master

commit 7c1694dc2f573f8714f1845cf446bdcec5d01420
Author: Matthew Mosesohn <email address hidden>
Date: Wed Sep 30 12:05:01 2015 +0300

Remove database_connection from compute

    Compute uses nova-conductor for communciation
    and not a direct database connection. The
    current database connection is unused and
    should be removed.

Change-Id: Ied0e04d16779abaebd821f0d65b65ddfbf71316f
Related-Bug: #1355509

Revision history for this message

Matthew Mosesohn (raytrac3r) wrote on 2015-10-02:

The related issue (DB connection in compute settings) is fixed, but we are not moving nova-conductor off of controllers at this time.

Alexey Shtokolov (ashtokolov) on 2015-10-06

Changed in fuel:
status:	Confirmed → Triaged

Dmitry Pyzhov (dpyzhov) on 2015-10-08

Changed in fuel:
milestone:	7.0 → 8.0
no longer affects:	fuel/8.0.x

Matthew Mosesohn (raytrac3r) on 2015-10-08

Changed in fuel:
status:	Triaged → Won't Fix

Dmitry Pyzhov (dpyzhov) on 2015-10-22

tags:

added: area-library

Vitaly Sedelnik (vsedelnik) on 2016-02-12

tags:

added: wontfix-feature

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.