[openstack-dev] [nova] Device tagging: rebuild config drive upon instance reboot to refresh metadata on it

Dean Troyer dtroyer at gmail.com
Sat Feb 18 17:36:54 UTC 2017


On Sat, Feb 18, 2017 at 10:23 AM, Clint Byrum <clint at fewbar.com> wrote:
> But I believe Michael is not saying "it's unsafe to read the json
> files" but rather "it's unsafe to read the whole config drive". It's
> an ISO filesystem, so you can't write to it. You have to read the whole
> contents back into a directory and regenerate it. I'm guessing Michael
> is concerned that there is some danger in doing this, though I can't
> imagine what it is.

Nova can be configured for config drive to be a VFAT filesystem, which
cannot be trusted.  Unfortunately this is (was??) required for
libvirt live migration to work so is likely to not be an edge case in
deployments.

The safest read-back approach would be to generate both ISO9660 and
VFAT (if configured) and only read back from the ISO version.  But
yuck, two config drive images...still better than passwords in the
database.

dt

-- 

Dean Troyer
dtroyer at gmail.com


