Add option to do remote host SSL cert verification in nova-objectstore

Bug #885165 reported by David
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone:

Bug Description

This bug is related to another bug which I am about to report.
In nova/image/s3.py the _conn static method of the S3ImageService class passes in is_secure=False when creating a new boto.s3.connection.S3Connection.

Tags: security
David (d--)
description: updated
Revision history for this message
Thierry Carrez (ttx) wrote :

Yes, is there a good reason not to set is_secure=True?

Changed in nova:
importance: Undecided → Medium
status: New → Confirmed
Robert Clark (robert-clark) wrote :

I'd suggest perhaps the default should be is_secure=True.

It would be up to individual project architects deploying Nova to decide to set this to False. Typically this would be for perceived performance gains and the expectation would be other compensating controls would be put in place for the network.

Thierry Carrez (ttx) wrote :

Also this is rather mitigated by the fact that in 99% of deployment cases you would use a local S3 thing (either Swift in S3 mode or nova-objectstore) -- not a remote one. Remember this is only used when you want to enable EC2 image registration commands.

David (d--) wrote :

I assumed there is a reason why it was set to false by default ... (given the upstream default is true ...).
(If most people use it in a 'local setup' like you have suggested here, perhaps this has something to do with it ... not that I would agree with that rationale).

Vish Ishaya (vishvananda) wrote : Re: [Bug 885165] Re: Disables remote host SSL certificate verification during image retrieval

I believe it is set to false because nova-objectstore does not support ssl.

Vish

On Nov 14, 2011, at 7:07 AM, Thierry Carrez wrote:

> Yes, is there a good reason not to set is_secure=True ?

Thierry Carrez (ttx) wrote : Re: Disables remote host SSL certificate verification during image retrieval

So there are two ways of using this:

* with a local nova-objectstore, where MIM is unlikely and is_secure must be False for it to work
* with a remote S3-store, where MIM is more likely and is_secure should be set True

I suggest that we add an s3_secure flag, defaulting to False (for compatibility and taking into account the fact that 98% of deploys will use nova-objectstore here), that should be set to True if you set up a remote S3-store. Also add documentation ("see s3_secure") around the other s3_* flags to raise awareness.

I also suggest that this bug be made public (VMT level set to Low).
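The two cases described in the comment above, as an added example that is not code from nova or from anyone in this thread: a small Python module that maps a hypothetical s3_use_ssl-style setting onto the keyword arguments of boto's S3Connection and audits the result, flagging a plaintext connection to a non-local host as well as an SSL connection to a loopback host (which the thread says a local nova-objectstore cannot serve). The config key names s3_host, s3_port and s3_use_ssl, the port number and the hostnames are assumptions or constructed values; host, port and is_secure are S3Connection's actual keyword names.

```python
"""Added example, not code from nova or from the bug thread.

Models the distinction drawn in the thread: a local nova-objectstore is
reached in the clear (it does not speak SSL), while a remote S3-compatible
store should be reached with is_secure=True so boto verifies the server.
The config keys s3_host, s3_port and s3_use_ssl are assumptions modelled on
the flag proposed in the thread; host, port and is_secure are the keyword
names of boto.s3.connection.S3Connection.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class S3Settings:
    s3_host: str                      # where the image store listens
    s3_port: Optional[int] = None     # None: let boto pick the scheme default
    s3_use_ssl: bool = False          # hypothetical flag; False keeps today's behaviour


def is_local_host(host: str) -> bool:
    """True only for loopback targets; anything else is treated as remote.

    No DNS lookup is done, so a hostname other than localhost counts as remote
    even if it happens to resolve to this machine.
    """
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def connection_kwargs(settings: S3Settings) -> dict:
    """Translate the settings into the keyword arguments S3Connection takes."""
    kwargs = {"host": settings.s3_host, "is_secure": settings.s3_use_ssl}
    if settings.s3_port is not None:
        kwargs["port"] = settings.s3_port
    return kwargs


def audit(settings: S3Settings) -> list:
    """Return findings for settings that are unsafe or cannot work; [] if consistent."""
    findings = []
    local = is_local_host(settings.s3_host)
    if not settings.s3_use_ssl and not local:
        findings.append(
            "s3_use_ssl=False with non-local host %r: image registration "
            "traffic crosses the network in the clear and the server is not "
            "verified; set s3_use_ssl=True" % settings.s3_host)
    if settings.s3_use_ssl and local:
        findings.append(
            "s3_use_ssl=True with loopback host %r: a local nova-objectstore "
            "does not support SSL, so the connection will fail" % settings.s3_host)
    return findings


def connect(settings: S3Settings, access_key: str, secret_key: str):
    """Refuse to open a connection the audit flags; otherwise build a boto connection.

    The boto import is deferred so the rest of this module works without boto installed.
    """
    findings = audit(settings)
    if findings:
        raise ValueError("; ".join(findings))
    from boto.s3.connection import S3Connection
    return S3Connection(access_key, secret_key, **connection_kwargs(settings))


if __name__ == "__main__":
    # Constructed sample settings: local objectstore, remote store in the clear,
    # remote store over SSL.
    for s in (S3Settings("127.0.0.1", 3333),
              S3Settings("s3.example.net"),
              S3Settings("s3.example.net", s3_use_ssl=True)):
        print(connection_kwargs(s), audit(s))
```

Running the audit at service start-up, before any image registration request is served, turns the silent is_secure=False in the description into a logged finding that an operator pointing Nova at a remote S3-store can act on, while a loopback nova-objectstore keeps working unchanged.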

Thierry Carrez (ttx) wrote :

David, are you OK with the above comment?

David (d--) wrote :

Of course.

Thierry Carrez (ttx)
summary: - Disables remote host SSL certificate verification during image retrieval
+ Add option to do remote host SSL cert verification in nova-objectstore
visibility: private → public
Thierry Carrez (ttx)
Changed in nova:
status: Confirmed → Triaged
Thierry Carrez (ttx)
Changed in nova:
importance: Medium → Wishlist
Thierry Carrez (ttx)
tags: added: security
security vulnerability: yes → no
Tom Fifield (fifieldt) wrote :

This is now solved with CONF.s3_use_ssl

Changed in nova:
status: Triaged → Fix Released