Live migrations should use only "nova" user to perform data transfer
Bug #2039555 reported by Giuseppe Petralia
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Nova Compute Charm | Invalid | Undecided | Unassigned | |
| nova-compute (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
When nova is configured to transfer data for migrations using ssh, it uses root for the scp commands.
This represents a security threat since the systems need to be configured to allow root login, which should always be disabled in production environments.
This isn't something that the charm controls. From "https://docs.openstack.org/nova/latest/admin/configuring-migrations.html":
Enable password-less SSH so that root on one compute host can log on to any other compute host without providing a password. The libvirtd daemon, which runs as root, uses the SSH protocol to copy the instance to the destination and can’t know the passwords of all compute hosts.
e.g. it's to do with libvirtd and nova. Setting the charm bug to invalid.