__ministry | I have seen a commit changing the container network from "host" to "bridge". Oh. Has anybody noticed that we can't connect to the database (mariadb, mysql) from the nova instance as user os_admin? | 12:14 |
---|---|---|
__ministry | Because we granted privileges to user os_admin as "os_admin@'localhost'", and if we connect from the nova instance, is it forwarded through 172.17.0.1 to connect to the container? | 12:16 |
__ministry | Of course, there is the security aspect, but I think we can use neutron's security groups. | 12:18 |
__ministry | Should we add an option to customize the network_mode of the container, such as: | 12:19 |
__ministry | [mariadb] | 12:19 |
__ministry | docker_network_mode = host | 12:19 |
__ministry | ??? | 12:19 |
lxkong | __ministry: as you said, using `host` as the network mode is not secure; we shouldn't provide that option even in a dev environment. An extra option doesn't bring any extra value to the database management. | 20:46 |
lxkong | If you want to connect to the database for either troubleshooting or admin operations, you need to log into the guest instance and connect to the db locally. | 20:47 |
lxkong | Additionally, using the bridge network for the database container makes the management task easier for cloud admins, e.g. restricting the network connection from the database to the mgmt control plane. | 20:54 |
lxkong | The change is a response to a penetration test performed by a specialist security company against our cloud; I can share more after we finish our current release. | 21:09 |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!