[openstack-dev] [nova][ironic] making file injection optional / removing it

Robert Collins robertc at robertcollins.net
Wed May 8 02:09:47 UTC 2013


For baremetal, file injection is a scalability, security and
performance headache.

With virtual nodes, the overheads of injection are spread around many
hypervisors; for baremetal each nova-compute can potentially run
1000s of instances, so you have far fewer compute processes, and the
relative overhead is much higher.

The image cache for nova compute doesn't help baremetal at all, as we
have to copy the content to the node every time: we're planning on
mitigating that with something to avoid bottlenecking on either glance
or nova-compute - sharing the load between machines that are deploying
the same image - e.g. bittorrent. File injection means we have a
unique image or we have to transfer the content to be injected to the
node being deployed on...

And from a security perspective, copying secrets - in particular the
replacement root password - over the network in an insecure fashion is
troubling. TFTP isn't encrypted, and that's the boot process for
baremetal. A salted password is substantially safer, but that would
mean a significant layering violation if we pass that separate to the
image, and if we pass it by injecting on the nova-compute node, we now
have a different image.

We could in principle generate a binary patch file to the image to
apply after the identical base image, but we'd still need substantial
complexity to ensure that scaled well and avoid issues when partition
sizes are different etc.

So - we'd like to make file injection either optional, or ideally just
make it not exist for bare metal.

Are there reasons we shouldn't/can't do that (e.g. is file injection a
mandatory feature for a nova hypervisor driver?).

-Rob

-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Cloud Services


