[openstack-dev] [nova][ironic] making file injection optional / removing it

Robert Collins robertc at robertcollins.net
Mon May 13 22:25:02 UTC 2013


On 14 May 2013 09:44, Devananda van der Veen <devananda.vdv at gmail.com> wrote:

> Any hardware which doesn't support mounting virtual media and exposing it to
> the guest -- this is, afaict, not part of the IPMI specification, though
> most large hw vendors have implemented it anyway.
>
> Also, this approach would be unsuitable for high-density compute where many
> SOCs share a single management board, even if that BMC supports virtual
> media, since this would serialize the deployment process.
>
>  (caveat: I'm assuming that HDC systems whose BMC support virtual media
> would only support mounting a small number of, or just one, virtual media at
> a time. I base this assumption on the knowledge that some HDC systems have a
> limitation to the number of concurrent SOL sessions, which is considerably
> lower than the number of SOCs they contain.)

We could put the config 'drive' in as a partition, like we do swap
(though I want to delete the swap code: it's not our business to
fiddle with that).


> Perhaps we meant different things by "management network". I was including
> both the out-of-band network (eg, for IPMI) and the network used for image
> deployment under the broad heading of "Management networks", whether these
> are actually handled by one or multiple NICs, VLANs, or whatever. Instance
> provisioning requires access to both; instance management requires access to
> the out-of-band net, and tenants do not require access to either. Removing
> tenant access from the network used for image deployment should be
> straightforward, and should be fine to do once deployment is complete, but I don't
> think we shouldn't be mucking with the out-of-band network.
>
> Anyway, I think we agree on all that, and I probably just misinterpreted
> "detach from the management network" as "detach from both IPMI and PXE
> networks", which it seems is not what you meant :)

Note though that the out-of-band IPMI network is almost certainly
attackable by tenants. You need a chassis controller that is not
configurable or manageable by the card, to be able to have any
confidence that it won't be hosed rapidly.

-Rob

-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Cloud Services