[openstack-dev] [nova][ironic] making file injection optional / removing it
Russell Bryant
rbryant at redhat.com
Wed May 8 14:09:48 UTC 2013
On 05/08/2013 03:32 AM, Robert Collins wrote:
> On 8 May 2013 19:03, Michael Still <mikal at stillhq.com> wrote:
>> I would not say that file injection is a requirement at the moment for
>> a nova hypervisor driver. In fact, there's been discussion for a
>> couple of releases about turning it off for everyone. I'd like to see
>> it deprecated in Havana for removal in Incarceration [1] if at all
>> possible. Some more discussion of if that's possible would be nice.
+1 from me.
>> However, I do think you need to support configdrive if you're not
>> doing file injection. I say this because some deployments cannot use
>> metadata server (for example, network policy may not allow instances
>> to talk to infrastructure nodes). So, I think having that would be
>> good.
>
> I don't think that is particularly relevant for bare metal: you can't
> trust arbitrary code on baremetal, because it can root your hardware
> pretty permanently. That said, if someone wanted to do the work to
> support it, I doubt Devananda would object :). For my part, I'd want
> to see it done well, which is going to be tricky when you have no
> virtual devices to work with. (And putting it on iscsi would just come
> back to the same security issues). Much better IMO to do HTTPS to the
> metadata API server.
Makes sense for baremetal.
grep says libvirt, xenapi, and hyperv all support configdrive. Is that
right?
That just leaves powervm and vmware drivers that do not support it yet.
It doesn't appear that powervm does injection, anyway. I see
inject_network_info() in the vmware driver. I think a plan to remove
injection completely in 'I' gives *plenty* of time to add it.
--
Russell Bryant
More information about the OpenStack-dev
mailing list