[openstack-dev] Unified Guest Agent proposal
smoser at ubuntu.com
Fri Dec 13 20:02:52 UTC 2013
On Fri, 13 Dec 2013, Fox, Kevin M wrote:
> Hmm... so if I understand right, the concern you started is something like:
> * You start up a vm
> * You make it available to your users to ssh into
> * They could grab the machine's metadata
> I hadn't thought about that use case, but that does sound like it would be a problem.
> Ok, so... the problem there is that you need secrets passed to the vm
> but the network trick isn't secure enough to pass the secret, hence the
> config drive like trick since only root/admin can read the data.
> Now, that does not sound like it excludes the possibility of using the
> metadata server idea in combination with cloud drive to make things
> secure. You could use cloud drive to pass a cert, and then have the
> metadata server require that cert in order to ensure only the vm itself
> can pull any additional metadata.
> The unified guest agent could use the same cert/server to establish trust too.
For what it's worth, the same general problem is solved by just putting a
null route to the metadata service. cloud-init has a config option for
doing this. Once such a route is in place, you should effectively be done.
# remove access to the ec2 metadata service early in boot via null route
# the null route can be removed (by root) with:
# route del -host 169.254.169.254 reject
# default: false (service available)
I've also considered before that it might be useful for the instance to
make a request to the metadata service that it's done and that the data can
now be deleted.
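As an added illustration of the null-route approach described above (not part of the original message or of cloud-init itself): a small POSIX sh check that reads `ip route` output and reports whether the EC2-style metadata address is covered by a reject/unreachable route. The route table text below is constructed sample data, and the cloud-init option named in the comments (`disable_ec2_metadata`) is the config option the message refers to.

```sh
#!/bin/sh
# Added example, not from the thread: verify that the metadata service is
# null-routed inside the guest. cloud-init does the blocking itself when the
# cloud-config contains:
#   disable_ec2_metadata: true
# This script only checks the result. Feed it `ip -4 route` on stdin.

METADATA_IP=169.254.169.254

metadata_blocked() {
  # True (exit 0) when a null route for the metadata address exists.
  # `route add -host 169.254.169.254 reject` and `ip route add unreachable ...`
  # both appear in `ip route` output as "unreachable 169.254.169.254 ...";
  # blackhole/prohibit routes have the same effect for our purposes.
  grep -Eq '^(unreachable|prohibit|blackhole) 169\.254\.169\.254( |$)'
}

# Constructed sample route tables (not captured from a real instance).
ROUTES_OPEN='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.12
169.254.169.254 via 10.0.0.1 dev eth0'

ROUTES_BLOCKED='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.12
unreachable 169.254.169.254 scope link'

check_table() {
  # $1: route table text. Prints a verdict; exit status mirrors metadata_blocked.
  if printf '%s\n' "$1" | metadata_blocked; then
    echo "metadata service ${METADATA_IP}: blocked by null route"
    return 0
  fi
  echo "metadata service ${METADATA_IP}: still reachable from this guest"
  return 1
}

check_table "$ROUTES_OPEN" || true
check_table "$ROUTES_BLOCKED"
# On a live Linux guest:  ip -4 route | metadata_blocked && echo blocked
```

Note that, as the quoted cloud-init comment says, root can remove the route again; the check therefore belongs in whatever hardening or compliance scan runs inside the guest, and it does not replace the config-drive approach for secrets that must never be exposed on the network at all.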