[openstack-dev] Nova config drive rebuilding
uri_simchoni at hotmail.com
Wed Aug 7 11:04:28 UTC 2013
> Date: Wed, 7 Aug 2013 21:15:26 +1200
> From: robertc at robertcollins.net
> To: openstack-dev at lists.openstack.org
> Subject: Re: [openstack-dev] Nova config drive rebuilding
> On 7 August 2013 18:42, Uri Simchoni <uri_simchoni at hotmail.com> wrote:
>> Looking at the http-based alternative, can it be made to be more secure? On my OVS-based system I was able to easily steal the metadata of another instance on the same network by changing my instance's IP address. It appears to be suitable only for publishing things to instances, but not for sharing secrets.
> The instance anti-spoofing rules should have prevented that - the fact
> you were able to change your instance ip (unless you fiddled behind
> nova's back in the neutron db) is a very unexpected and serious bug.
> As Scott says - file a bug.
OK, I get it now - I was using a Noop FW driver on the compute nodes - I didn't realize the FW driver is also in charge of anti-spoofing (I thought it only enforces security groups).
If it's reasonably secure (anti-spoofing on the same network, L2 separation between networks) then I don't think I need the disk rebuild...