[openstack-dev] [nova][ironic] making file injection optional / removing it

Robert Collins robertc at robertcollins.net
Wed May 8 07:32:05 UTC 2013


On 8 May 2013 19:03, Michael Still <mikal at stillhq.com> wrote:
> I would not say that file injection is a requirement at the moment for
> a nova hypervisor driver. In fact, there's been discussion for a
> couple of releases about turning it off for everyone. I'd like to see
> it deprecated in Havana for removal in Incarceration [1] if at all
> possible. Some more discussion of if that's possible would be nice.
>
> However, I do think you need to support configdrive if you're not
> doing file injection. I say this because some deployments cannot use
> the metadata server (for example, network policy may not allow instances
> to talk to infrastructure nodes). So, I think having that would be
> good.

I don't think that is particularly relevant for bare metal: you can't
trust arbitrary code on baremetal, because it can root your hardware
pretty permanently. That said, if someone wanted to do the work to
support it, I doubt Devananda would object :). For my part, I'd want
to see it done well, which is going to be tricky when you have no
virtual devices to work with. (And putting it on iSCSI would just come
back to the same security issues.) Much better IMO to do HTTPS to the
metadata API server.

-Rob

-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Cloud Services


