Open Source OpenStack Grizzly Cloud Set for Major Nova Compute Security Overhaul
From the 'Database De-Integration' files:
At the core of the OpenStack cloud platform is the Nova compute project. Nova (which began its life as part of NASA's Nebula cloud project) is set for what I see as its biggest evolution yet in the upcoming Grizzly release.
Since its creation, Nova's compute service has had direct access to the Nova database from every hypervisor host, which has left OpenStack with an unacceptable level of risk. Since at least August 2011, a bug has been publicly listed against Nova that is so critical that, if exploited, it could corrupt an entire cloud.
"Although the nova.conf file's permissions are restricted to 640, giving every compute server the MySQL root password, as according to the cactus documentation, does not follow the principle of least privilege," bug #823000 warns. "If an attacker successfully exploits a flaw in the hypervisor (as have been found in KVM and XEN in the past), the attacker can easily tamper with the MySQL database, wreaking havoc on the OpenStack Cloud."
The answer is to decouple the database from direct nova-compute access, which is no easy task. It is, however, a task that was officially completed on February 8 and will be a core part of the OpenStack Grizzly release in April.
What enables the database decoupling is the new nova-conductor component, first proposed by Red Hat developer Russell Bryant in November 2012. The basic idea, as Bryant described it, is that nova-compute uses the conductor service as a proxy for certain tasks it should no longer perform itself, in particular targeted operations that need database access.
"The nova-conductor service is key to completing no-db-compute," Bryant blogged. "Conceptually, it implements a new layer on top of nova-compute. It should *not* be deployed on compute nodes, or else the security benefits of removing database access from nova-compute will be negated."
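The audit below is an added example written for this article; it is not code from Nova or from Bryant's conductor work. It checks a compute node's nova.conf for the exposure bug #823000 describes (a database URL, the MySQL root account, and a file mode looser than 640) and for the deployment mistake Bryant warns about, where conductor work still runs on the compute node. It assumes the database URL is carried in the [DEFAULT] sql_connection option (Folsom/Grizzly) or in [database] connection (later releases), and that setting use_local = True in the [conductor] section makes nova-compute perform conductor operations, database access included, locally rather than over RPC; both configuration files in the block are constructed samples.

```python
"""Audit a compute node's nova.conf for database access that no-db-compute
removes.  Constructed example for this article, not Nova's own code.

Assumptions (not taken from the article): the DB URL lives in
[DEFAULT] sql_connection (Folsom/Grizzly) or [database] connection (later
releases); [conductor] use_local = True makes nova-compute bypass
nova-conductor and talk to the database itself.
"""
import configparser
import re
import stat
from typing import List

DB_OPTIONS = (("DEFAULT", "sql_connection"), ("database", "connection"))
# scheme://user[:password]@host...
URL_CREDS = re.compile(r"^[a-z0-9+]+://([^:/@]+)(?::([^@]*))?@")


def parse_nova_conf(text: str) -> configparser.ConfigParser:
    # interpolation=None: SQLAlchemy URLs may legitimately contain '%'.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    return cfg


def redact(url: str) -> str:
    """Strip the password so the audit report never echoes it."""
    return re.sub(r"://([^:/@]+):[^@]*@", r"://\1:***@", url)


def audit_compute_conf(text: str, mode: int) -> List[str]:
    """Return findings for a nova.conf taken from a *compute* node.

    `mode` is the file's permission bits (what os.stat(path).st_mode would
    give); it is passed in so the check runs on constructed input.
    """
    cfg = parse_nova_conf(text)
    findings: List[str] = []
    for section, option in DB_OPTIONS:
        if not cfg.has_option(section, option):
            continue
        url = cfg.get(section, option)
        findings.append(f"DB_CREDENTIALS: [{section}] {option} = {redact(url)}; "
                        "with no-db-compute a compute node needs no DB URL")
        m = URL_CREDS.match(url)
        if m and m.group(1) == "root":
            findings.append("ROOT_ACCOUNT: database URL authenticates as MySQL root")
    if cfg.getboolean("conductor", "use_local", fallback=False):
        findings.append("USE_LOCAL: [conductor] use_local = True makes nova-compute "
                        "run conductor operations, and DB access, locally")
    if mode & (stat.S_IWGRP | stat.S_IRWXO):
        findings.append(f"FILE_MODE: nova.conf is {stat.S_IMODE(mode):04o}, "
                        "looser than the 0640 bug #823000 assumes")
    return findings


# Constructed sample: a pre-Grizzly compute node holding the MySQL root password.
LEGACY_COMPUTE_CONF = """\
[DEFAULT]
compute_driver = libvirt.LibvirtDriver
rabbit_host = 10.0.0.5
sql_connection = mysql://root:hunter2@10.0.0.5/nova

[conductor]
use_local = True
"""

# Constructed sample: the Grizzly shape.  No DB URL at all; database work is
# proxied over RPC to nova-conductor running on a controller, not this host.
NO_DB_COMPUTE_CONF = """\
[DEFAULT]
compute_driver = libvirt.LibvirtDriver
rabbit_host = 10.0.0.5

[conductor]
use_local = False
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_COMPUTE_CONF),
                       ("no-db-compute", NO_DB_COMPUTE_CONF)):
        print(f"== {name} ==")
        for finding in audit_compute_conf(conf, 0o640) or ["clean"]:
            print("  " + finding)
```

Run against a real host with the contents of /etc/nova/nova.conf and its st_mode; a clean result on a compute node means the host carries nothing a hypervisor escape could reuse against the database, which is the whole point of the conductor split. A controller node hosting nova-conductor will, and should, still show DB_CREDENTIALS, so the check is meaningful only for compute nodes.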
Make no mistake about it: this is a major architectural shift. A compromised compute node no longer holds database credentials at all, so a hypervisor escape stops short of the database, and the same proxy layer gives OpenStack room for real scalability and performance gains.