[openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

Daniel Russell DanielR at hostworks.com.au
Tue Jul 19 00:51:07 UTC 2016


Hi Erno,

For the size of team I am in, I think it would work well, but it feels like I am putting the security of Nova in the hands of Glance.

What I was more after was a setting in Nova that says 'this hypervisor does not allow guest sockets and will ignore any attempt to create them', 'this hypervisor always creates guest sockets regardless of your choice', 'this hypervisor will respect whatever you throw in hw_qemu_guest_agent with a default of no', or 'this hypervisor will respect whatever you throw in hw_qemu_guest_agent with a default of yes'.  It feels like a more appropriate place to control and manage that kind of configuration.

Thanks for the pointer, and I will implement it in our environment, but I guess it opens up a larger question of '*should* I manage that kind of config in that manner?'

Regards,
Daniel.

-----Original Message-----
From: Erno Kuvaja [mailto:ekuvaja at redhat.com] 
Sent: Tuesday, 19 July 2016 10:09 AM
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

Hi Daniel,

You might want to have look on the Glance Property Protections [0].
I'd assume that would do it for you?

[0] http://docs.openstack.org/developer/glance/property-protections.html

Best,
Erno

On Tue, Jul 19, 2016 at 12:43 AM, Daniel Russell <DanielR at hostworks.com.au> wrote:
> Hi,
>
> We are running a public cloud and allow customers to upload their own 
> images.  A concern we have is that a customer could set 
> hw_qemu_guest_agent=yes in the image metadata and then get a socket to 
> the hypervisor created when running.  For us, this is a bit of a 
> security concern and I’m not aware of any way to globally disable this 
> feature at the moment.
>
> Is there any work going on to add the ability to enable/disable the 
> feature globally?  Would it be of interest to the project(s) to add that?
>
> I am happy to look into it and am keen to start contributing if it’s 
> deemed low enough hanging fruit for a new guy!
>
> Regards,
>
> DANIEL RUSSELL
> Solution Architect
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: 
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
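The two controls discussed in this thread, sketched as an added illustration that is not Glance or Nova code: a Glance property-protection rule set (in the roles-based rule format the linked documentation describes; the rule text here is constructed, and first-match-wins and deny-on-no-match are this example's reading of that mechanism) that keeps non-admin image owners from setting hw_qemu_guest_agent, and the hypervisor-side switch Daniel describes, modelled here with four hypothetical mode names that are not an existing Nova option.

```python
"""Added illustration (not Glance's or Nova's own code) of gating the
hw_qemu_guest_agent image property, first on the Glance side with a
property-protection rule set, then on the hypervisor side with the kind
of per-host setting proposed in the thread."""

import configparser
import re

# Constructed property-protections config in Glance's roles-based format:
# the section name is a regex matched against the property name, and each
# operation lists the roles allowed to perform it.  The catch-all section
# at the end lets any role ('@') touch every other property.
PROPERTY_PROTECTIONS = """
[^hw_qemu_guest_agent$]
create = admin
read = admin,member
update = admin
delete = admin

[.*]
create = @
read = @
update = @
delete = @
"""

OPERATIONS = ("create", "read", "update", "delete")


def load_rules(text):
    """Parse the config text into an ordered list of (regex, {op: roles})."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    rules = []
    for section in cp.sections():
        ops = {op: [r.strip() for r in cp.get(section, op).split(",")]
               for op in OPERATIONS}
        rules.append((re.compile(section), ops))
    return rules


def is_permitted(rules, prop, op, roles):
    """First matching rule decides; '@' means any role.  A property that
    matches no rule is denied (assumption for this example)."""
    for pattern, ops in rules:
        if pattern.match(prop):
            allowed = ops[op]
            return "@" in allowed or any(role in allowed for role in roles)
    return False


def filter_image_properties(rules, roles, requested):
    """Split a requested set of image properties into the ones the caller's
    roles may create and the ones that would be rejected."""
    accepted, rejected = {}, {}
    for name, value in requested.items():
        target = accepted if is_permitted(rules, name, "create", roles) else rejected
        target[name] = value
    return accepted, rejected


# Hypothetical hypervisor-side setting, mirroring the four behaviours Daniel
# asks for.  These mode names are invented for the example, not a Nova option.
GUEST_AGENT_MODES = ("never", "always", "image_default_no", "image_default_yes")


def resolve_guest_agent(mode, image_props):
    """Decide whether this host creates a guest-agent socket for an instance."""
    if mode not in GUEST_AGENT_MODES:
        raise ValueError("unknown guest agent mode: %r" % (mode,))
    if mode == "never":
        return False  # ignore whatever the image asks for
    if mode == "always":
        return True  # socket regardless of image metadata
    value = image_props.get("hw_qemu_guest_agent")
    if value is None:
        return mode == "image_default_yes"
    return str(value).strip().lower() in ("yes", "true", "1")


if __name__ == "__main__":
    rules = load_rules(PROPERTY_PROTECTIONS)
    # A customer (role 'member') uploads an image asking for the agent socket.
    accepted, rejected = filter_image_properties(
        rules, ["member"], {"hw_qemu_guest_agent": "yes", "os_distro": "ubuntu"})
    print("accepted:", accepted)
    print("rejected:", rejected)
    for mode in GUEST_AGENT_MODES:
        print(mode, "->", resolve_guest_agent(mode, {"hw_qemu_guest_agent": "yes"}))
```

The Glance half is the control Erno points at: the property never lands in the image record for a non-admin, so the hypervisor never sees it. The Nova half shows why Daniel still wants a host-side switch: with the mode set to "never", a property that slipped past Glance (a differently named property matched by a loose regex, an image copied in by an admin) still cannot produce a socket on that host.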

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev