[openstack-dev] Disabling file injection *by default*

Kashyap Chamarthy kchamart at redhat.com
Wed Jan 22 11:37:57 UTC 2014

On 01/22/2014 03:27 AM, Robert Collins wrote:
> On 22 January 2014 10:50, Kashyap Chamarthy <kchamart at redhat.com> wrote:
>> [CC'ed libguestfs author, Rich Jones]
>> Heya,
>> On 01/21/2014 07:59 AM, Robert Collins wrote:
>>> I was reminded of this while I cleaned up failed file injection nbd
>>> devices on ci-overcloud.tripleo.org :/ - what needs to happen for us
>>> to change the defaults around file injection so that it's disabled?
>> I presume you're talking about libguestfs based file injection. I
>> remember recently debugging/testing by disabling it to isolate a
>> different problem:
>>    inject_partition=-2
> No, the default is nbd based injection, which is terrible on two counts:
>  - its got horrible security ramifications
>  - its a horrible thing to be doing
> libguestfs based injection is only terrible on one count:
>  - its a horrible thing to be doing
>> That said, I'm trying to understand the rationale of your proposal in
>> this case. Can you point me to a URL or some such? I'm just curious as a
>> heavy user of libguestfs.
> There's nothing wrong with libguestfs, this is about the feature which
> has been discussed, here, a lot :) - for delivering metadata to
> images, config-drive || metadata service are much better. Hypervisors
> shouldn't be in the business of tinkering inside VM file systems at
> all.

Thanks for the details, Robert and Rich.


More information about the OpenStack-dev mailing list