[openstack-dev] Nova config drive rebuilding
Scott Moser
smoser at ubuntu.com
Wed Aug 7 07:36:30 UTC 2013
On Wed, 7 Aug 2013, Uri Simchoni wrote:
> ----------------------------------------
> > Date: Wed, 7 Aug 2013 18:25:47 +1200
> > From: robertc at robertcollins.net
> > To: openstack-dev at lists.openstack.org
> > Subject: Re: [openstack-dev] Nova config drive rebuilding
> >
> > On 7 August 2013 18:08, Uri Simchoni <uri_simchoni at hotmail.com> wrote:
> >> Hi,
> >>
> >> As far as I can tell (from testing and looking at the code, at least for libvirt driver), the config drive is not rebuilt after initial spawning (except for some migration scenarios), which means the guest cannot see updates to its metadata.
> >>
> >> Is this a valid statement, and would it make sense to have the disk rebuilt on events such as suspend/resume or stop/start?
> >
> > That's certainly my understanding and one of the reasons I dislike it :).
> >
>
> Looking at the http-based alternative, can it be made to be more secure?
> On my OVS-based system I was able to easily steal the metadata of
> another instance on the same network by changing my instance's IP
> address. It appears to be suitable only for publishing things to
> instances, but not for sharing secrets.
That would appear to be a security issue.
AFAIK, that is not intended. Please open a bug.