[openstack-dev] Disabling file injection *by default*

Robert Collins robertc at robertcollins.net
Tue Jan 21 21:57:29 UTC 2014

On 22 January 2014 10:50, Kashyap Chamarthy <kchamart at redhat.com> wrote:
> [CC'ed libguestfs author, Rich Jones]
> Heya,
> On 01/21/2014 07:59 AM, Robert Collins wrote:
>> I was reminded of this while I cleaned up failed file injection nbd
>> devices on ci-overcloud.tripleo.org :/ - what needs to happen for us
>> to change the defaults around file injection so that it's disabled?
> I presume you're talking about libguestfs based file injection. I
> remember recently debugging/testing by disabling it to isolate a
> different problem:
>    inject_partition=-2

No, the default is nbd-based injection, which is terrible on two counts:
 - it's got horrible security ramifications
 - it's a horrible thing to be doing

libguestfs-based injection is only terrible on one count:
 - it's a horrible thing to be doing

> That said, I'm trying to understand the rationale of your proposal in
> this case. Can you point me to a URL or some such? I'm just curious as a
> heavy user of libguestfs.

There's nothing wrong with libguestfs, this is about the feature which
has been discussed, here, a lot :) - for delivering metadata to
images, config-drive || metadata service are much better. Hypervisors
shouldn't be in the business of tinkering inside VM file systems at


Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud
