[openstack-dev] [nova] Minimal secure identification of a new VM

Fox, Kevin M Kevin.Fox at pnnl.gov
Wed Apr 6 15:47:25 UTC 2016


Nova Instance user spec.....
https://review.openstack.org/222293

We really really need to solve this. it is affecting almost every project in one way or another.

Can we please get a summit session dedicated to the topic? Last summit we had only 10 minutes. :/

Thanks,
Kevin

________________________________________
From: Adam Young [ayoung at redhat.com]
Sent: Tuesday, April 05, 2016 3:00 PM
To: OpenStack Development Mailing List
Subject: [openstack-dev] [nova] Minimal secure identification of a new VM

We have a use case where we want to register a newly spawned Virtual
machine with an identity provider.

Heat also has a need to provide some form of Identity for a new VM.


Looking at the set of utilities right now, there does not seem to be a
secure way to do this.  Injecting files does not provide a path that
cannot be seen by other VMs or machines in the system.

For our use case, a short lived One-Time-Password is sufficient, but for
others, I think asymmetric key generation makes more sense.

Is the following possible:

1.  In cloud-init, the VM generates a Keypair, then notifies the No0va
infrastructure (somehow) that it has done so.

2.  Nova Compute reads the public Key off the device and sends it to
conductor, which would then associate the public key with the server?

3.  A third party system could then validate the association of the
public key and the server, and build a work flow based on some signed
document from the VM?





__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list