Bug 966325

Summary: sql_connection appears in /etc/nova/nova.conf on compute node.
Product: Red Hat OpenStack Reporter: Brandon Perkins <bperkins>
Component: openstack-packstackAssignee: Martin Magr <mmagr>
Status: CLOSED ERRATA QA Contact: Brandon Perkins <bperkins>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 3.0CC: aortega, apevec, derekh, mmagr, ndipanov, sclewis, sgordon, ykaul
Target Milestone: snapshot2   
Target Release: 3.0   
Hardware: Unspecified   
OS: Unspecified   
URL: https://tcms.engineering.redhat.com/case/269383/
Whiteboard:
Fixed In Version: openstack-packstack-2013.1.1-0.15.dev625 Doc Type: Bug Fix
Doc Text:
The sql_connection configuration key in /etc/nova/nova.conf on compute nodes was previously being populated with the full MySQL connection details. This is no longer required as compute nodes now access the database via the nova-conductor service. PackStack has been updated to only set the sql_connection string on nodes that require it.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-11 18:51:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 972365    
Bug Blocks: 894819    

Description Brandon Perkins 2013-05-23 04:30:33 UTC 
Description of problem:
sql_connection appears in /etc/nova/nova.conf on compute node.

Version-Release number of selected component (if applicable):
openstack-nova-common-2013.1.1-2.el6ost.noarch


How reproducible:
Always.

Steps to Reproduce:
1. Install a remote (to cloud controller) nova compute node via packstack.
2. # grep ^sql_connection /etc/nova/nova.conf


Actual results:
Shows full connection parameters:
sql_connection=mysql://nova:[PASSWORD]@[MySQL IP]/nova


Expected results:
Password should NOT appear on a compute node.

Additional info:
This violates the purpose of Grizzly feature: Remove database access from Nova Compute Nodes (no-db-compute)
Comment 3 Martin Magr 2013-06-03 15:16:42 UTC 
Is it the only thing which should be changed on computed nodes or is there something else required to change from Folsom "with-DB" behaviour?
Comment 6 Russell Bryant 2013-06-04 18:02:28 UTC 
Yes, that's all there is to it.  The only thing you *have* to do is have the nova-conductor service running.
Comment 11 Martin Magr 2013-06-10 10:11:09 UTC 
The implementation was reverted due to bug #972365.
Comment 12 Perry Myers 2013-06-10 12:53:52 UTC 
Just talked to mmagr on irc about this.

"in nova puppet module catalog application fails when there's not DB password in sql_connection ... so currently all-in-one installation works, but controller+1compute_node installation fails"

Given that this is a regression that prevents a multi-node setup from succeeding in Packstack, I think this should block snap2 actually.
Comment 15 Scott Lewis 2013-06-10 19:26:07 UTC 
back in snap2
Comment 18 errata-xmlrpc 2013-06-11 18:51:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0938.html