Live migrations should use only "nova" user to perform data transfer

Bug #2039555 reported by Giuseppe Petralia
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Nova Compute Charm | Invalid | Undecided | Unassigned |
nova-compute (Ubuntu) | New | Undecided | Unassigned |

Bug Description

When nova is configured to transfer data for migrations using ssh, it uses root for the scp commands.

This represents a security threat since the systems need to be configured to allow root login, which should always be disabled in production environments.

Alex Kavanagh (ajkavanagh) wrote :

This isn't something that the charm controls. From "https://docs.openstack.org/nova/latest/admin/configuring-migrations.html":

Enable password-less SSH so that root on one compute host can log on to any other compute host without providing a password. The libvirtd daemon, which runs as root, uses the SSH protocol to copy the instance to the destination and can’t know the passwords of all compute hosts.

e.g. it's to do with libvirtd and nova. Setting the charm bug to invalid.

Changed in charm-nova-compute:
status: New → Invalid
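
To see what the documented root SSH setup implies on a given compute host, the following added example (not part of this bug report, nova, or the charm) reads sshd_config text and reports the PermitRootLogin value per scope. The function names and the sample configuration are constructed for illustration, and Include files are not followed.

```python
# Added example: report how an sshd_config treats root logins.
# SAMPLE_CONFIG is constructed for illustration, not taken from a real host.
SAMPLE_CONFIG = """\
# constructed compute-host sshd_config
PasswordAuthentication no
permitrootlogin prohibit-password
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin=yes
"""

DEFAULT = "prohibit-password"  # OpenSSH default when the keyword is absent
ALIASES = {"without-password": "prohibit-password"}  # deprecated spelling


def root_login_policy(config_text):
    """Return (global_value, {match_criteria: value}) for PermitRootLogin.

    sshd keeps the first value it sees for a keyword in a given scope, and
    keywords are case-insensitive. Include files are not followed here.
    """
    global_value, overrides, scope = None, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        keyword, rest = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            scope = rest  # every later line belongs to this Match block
        elif keyword == "permitrootlogin":
            value = ALIASES.get(rest.lower(), rest.lower())
            if scope is None:
                global_value = global_value or value
            else:
                overrides.setdefault(scope, value)
    return global_value or DEFAULT, overrides


def root_reachable(config_text):
    """True if any scope lets root authenticate (anything other than 'no')."""
    global_value, overrides = root_login_policy(config_text)
    return any(v != "no" for v in [global_value, *overrides.values()])


if __name__ == "__main__":
    print(root_login_policy(SAMPLE_CONFIG), root_reachable(SAMPLE_CONFIG))
```

Feeding it the output of `sshd -T` instead of the raw file gives the effective global setting with Include files already resolved.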