I've added a link to this thread on the agenda for tomorrow's Security SIG meeting.
This happened [1]. TL;DR: it does more potential good than harm to expose these traits ("scheduler roulette is not a security measure" --fungi).
Others have said this (at least Dan): This seems like something where something other than nova ought to handle it. A host which shouldn't be scheduled to should be disabled (as a service).
WFM. Scrap strawman. Given that it's not considered a security issue, we could expose the (low-level, CPU flag) traits so that "other than nova" can use them. If we think there's demand.
How do people feel about the idea of forming a core group for those two repos that includes placement cores but has additions from nova (Dan, Kashyap and Sean would make good candidates) and other projects that consume them?
++
efried
[1] http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-mee...