[openstack-dev] [Ironic] File Injection (and the lack thereof)
robertc at robertcollins.net
Fri Jan 24 23:31:58 UTC 2014
On 25 January 2014 03:15, Devananda van der Veen
<devananda.vdv at gmail.com> wrote:
> In going through the bug list, I spotted this one and would like to discuss
> "can't disable file injection for bare metal"
> There's a #TODO in Ironic's PXE driver to *add* support for file injection,
> but I don't think we should do that. For the various reasons that Robert
> raised a while ago
> file injection for Ironic instances is neither scalable nor secure. I'd just
> as soon leave support for it completely out.
> However, Michael raised an interesting counter-point
> that some deployments may not be able to use cloud-init due to their
> security policy.
If they can't use cloud-init, they probably can't PXE deploy either,
because today, both have the same security characteristics.
> As we don't have support for config drives in Ironic yet, and we won't until
> there is a way to control either virtual media or network volumes on ironic
> nodes. So, I'd like to ask -- do folks still feel that we need to support
> file injection?
Unless the network volume is out of band secured/verifiable, it will
be equivalent to cloud-init and thus fail this security policy.
I would use SSL metadata - yay joshuah - and consider that sufficient
until we have a specific security policy in front of us that we can
review, and see *all* the wholes that we'll have, rather than
cherrypicking issues: what passes such a policy for nova-KVM is likely
not sufficient for ironic.
Robert Collins <rbtcollins at hp.com>
HP Converged Cloud
More information about the OpenStack-dev