[openstack-dev] [Ironic] File Injection (and the lack thereof)

Joshua Harlow harlowja at yahoo-inc.com
Sat Jan 25 03:16:21 UTC 2014


Also just to note; file-injection seems unneeded when cloud-init can use
this:

http://cloudinit.readthedocs.org/en/latest/topics/examples.html#writing-out-arbitrary-files

That I believe is in most modern versions of cloud-init (forgot when I
implemented that).

Just FYI :)

-Josh

On 1/24/14, 3:31 PM, "Robert Collins" <robertc at robertcollins.net> wrote:

>On 25 January 2014 03:15, Devananda van der Veen
><devananda.vdv at gmail.com> wrote:
>> In going through the bug list, I spotted this one and would like to discuss it:
>>
>> "can't disable file injection for bare metal"
>> https://bugs.launchpad.net/ironic/+bug/1178103
>>
>> There's a #TODO in Ironic's PXE driver to *add* support for file injection,
>> but I don't think we should do that. For the various reasons that Robert
>> raised a while ago
>> (http://lists.openstack.org/pipermail/openstack-dev/2013-May/008728.html),
>> file injection for Ironic instances is neither scalable nor secure. I'd just
>> as soon leave support for it completely out.
>>
>> However, Michael raised an interesting counter-point
>> (http://lists.openstack.org/pipermail/openstack-dev/2013-May/008735.html)
>> that some deployments may not be able to use cloud-init due to their
>> security policy.
>
>If they can't use cloud-init, they probably can't PXE deploy either,
>because today, both have the same security characteristics.
>
>> As we don't have support for config drives in Ironic yet, and we won't until
>> there is a way to control either virtual media or network volumes on ironic
>> nodes. So, I'd like to ask -- do folks still feel that we need to support
>> file injection?
>
>Unless the network volume is out of band secured/verifiable, it will
>be equivalent to cloud-init and thus fail this security policy.
>
>I would use SSL metadata - yay joshuah - and consider that sufficient
>until we have a specific security policy in front of us that we can
>review, and see *all* the holes that we'll have, rather than
>cherrypicking issues: what passes such a policy for nova-KVM is likely
>not sufficient for ironic.
>
>-Rob
>
>-- 
>Robert Collins <rbtcollins at hp.com>
>Distinguished Technologist
>HP Converged Cloud
>
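For readers who have not used the cloud-init module Josh points at, here is an added example (not part of Josh's message or the cloud-init docs) of a `#cloud-config` that does the job file injection was meant to do; the paths and file contents are constructed.

```yaml
#cloud-config
# write_files is the cloud-init module that replaces guest file injection.
# Each entry is written by cloud-init inside the instance at first boot.
# Paths and contents below are constructed for illustration only.
write_files:
  # Plain-text file with an explicit owner and a restrictive mode.
  # Set permissions deliberately: the default would leave the file
  # world-readable, which matters if the content is sensitive.
  - path: /etc/myapp/app.conf
    owner: root:root
    permissions: '0640'
    content: |
      [database]
      host = db.example.internal
      port = 5432
  # Content that is binary or awkward to embed in YAML can be base64
  # encoded; cloud-init decodes it before writing. This payload decodes
  # to the single line "listen = 127.0.0.1:8080".
  - path: /etc/myapp/listen.conf
    owner: root:root
    permissions: '0644'
    encoding: b64
    content: bGlzdGVuID0gMTI3LjAuMC4xOjgwODAK
```

Because this user-data travels over the metadata service, it inherits the metadata service's security properties, which is exactly the point Rob makes above about SSL metadata.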