[openstack-dev] [Ironic] File Injection (and the lack thereof)
harlowja at yahoo-inc.com
Fri Jan 24 22:17:38 UTC 2014
Cloud-init 0.7.5 (not yet released) will have the ability to read from an
ec2-metadata server using SSL.
In a recent change I made, we now use requests, which correctly does SSL for
the ec2-metadata/ec2-userdata reading.
The ssl-certs it will use by default (if not provided) will be looked
for in the following locations:
- ... Other custom paths (typically datasource dependent)
So I think in 0.7.5 for cloud-init this support will be improved and as
long as there is a supporting ssl ec2 metadata endpoint then this should
all work out fine...
On 1/24/14, 11:35 AM, "Clint Byrum" <clint at fewbar.com> wrote:
>Excerpts from Devananda van der Veen's message of 2014-01-24 06:15:12
>> In going through the bug list, I spotted this one and would like to
>> "can't disable file injection for bare metal"
>> There's a #TODO in Ironic's PXE driver to *add* support for file
>> but I don't think we should do that. For the various reasons that Robert
>> raised a while ago (
>> file injection for Ironic instances is neither scalable nor secure. I'd
>> just as soon leave support for it completely out.
>> However, Michael raised an interesting counter-point (
>> that some deployments may not be able to use cloud-init due to their
>> security policy.
>I'm not sure how careful we are about security while copying the image.
>Given that we currently just use tftp and iSCSI, it seems like putting
>another requirement on that for security (user-data, network config,
>etc) is like pushing the throttle forward on the Titanic.
>I'd much rather see cloud-init/ec2-metadata made to work better than
>see us overcomplicate an already haphazard process with per-node
>customization. Perhaps we could make EC2 metadata work with SSL and bake
>CA certs into the images?
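As an added illustration of the approach discussed above (verifying the metadata endpoint against a CA bundle baked into the image), here is a small fail-closed metadata fetch. This is example code written for this page, not cloud-init's implementation and not code from anyone in the thread; it uses the standard library's ssl and urllib instead of requests, and the candidate CA bundle paths and the endpoint URL are assumptions for illustration.

```python
"""Fail-closed fetch of EC2-style instance metadata over HTTPS.

Example code, not cloud-init's. Idea from the thread: look for a CA bundle
in well-known locations (or a path the caller supplies) and refuse to talk
to the metadata endpoint at all unless TLS can be verified against it.
"""
import os
import ssl
import urllib.request

# Candidate CA bundle locations. These are common distro paths and are an
# assumption here; the thread only says cloud-init searches "the following
# locations" plus datasource-dependent custom paths.
DEFAULT_CA_PATHS = (
    "/etc/ssl/certs/ca-certificates.crt",   # Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",     # RHEL/CentOS
    "/etc/ssl/ca-bundle.pem",               # SUSE
)

# Placeholder endpoint; a real deployment would use its own metadata server.
EXAMPLE_METADATA_URL = "https://metadata.example.test"

# A file that certainly exists, used only to exercise the path lookup
# (it is this module itself, not a real CA bundle).
THIS_FILE = os.path.abspath(__file__)


class MetadataUnavailable(Exception):
    """Raised when the metadata endpoint cannot be used safely."""


def resolve_ca_bundle(explicit=None, candidates=DEFAULT_CA_PATHS):
    """Return the first CA bundle path that exists, or None.

    An explicitly configured path wins. If it is set but missing we return
    None instead of silently falling back to a system bundle, so a
    misconfiguration surfaces as a hard failure rather than weaker checks.
    """
    if explicit is not None:
        return explicit if os.path.isfile(explicit) else None
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def refusal_reasons(base_url, ca_bundle):
    """List every reason the fetch must be refused (empty list = OK)."""
    reasons = []
    if not base_url.lower().startswith("https://"):
        reasons.append("plaintext endpoint")
    if ca_bundle is None:
        reasons.append("no CA bundle")
    return reasons


def build_ssl_context(ca_bundle):
    """TLS context that trusts only the given bundle and checks hostnames."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def metadata_url(base_url, path):
    """Join the endpoint and a metadata path without doubling slashes."""
    return base_url.rstrip("/") + "/" + path.lstrip("/")


def fetch_metadata(base_url, path, ca_bundle, timeout=5.0):
    """Fetch one metadata path, or raise MetadataUnavailable.

    Verification failures from urlopen (bad cert, wrong hostname) propagate
    as ssl errors; nothing here downgrades to an unverified connection.
    """
    reasons = refusal_reasons(base_url, ca_bundle)
    if reasons:
        raise MetadataUnavailable(", ".join(reasons))
    ctx = build_ssl_context(ca_bundle)
    with urllib.request.urlopen(metadata_url(base_url, path),
                                timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    bundle = resolve_ca_bundle()
    try:
        print(fetch_metadata(EXAMPLE_METADATA_URL, "latest/meta-data/", bundle))
    except MetadataUnavailable as exc:
        print("refusing metadata fetch:", exc)
```

The point of `refusal_reasons` is that both failure modes the thread cares about (an http:// endpoint, or an image that was not baked with a usable CA bundle) are rejected before any bytes are sent, instead of being "handled" by skipping verification.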