[openstack-dev] [nova][libvirt] Should file injection work for boot from volume images?

Thierry Carrez thierry at openstack.org
Wed Sep 25 10:02:03 UTC 2013


Christopher Yeoh wrote:
> On Mon, Sep 23, 2013 at 10:56 PM, Russell Bryant <rbryant at redhat.com> wrote:
>     I agree with Monty and Thierry that ideally file injection should DIAF
>     everywhere.  On that note, have we done anything with that in the v3
>     API?  I propose we remove it completely.
> 
> It was separated from core as the os-personalities extension. So it's very
> easy to drop completely from the V3 API if we want to. Do you want me to
> submit a changeset to do this now (given the feature freeze) or wait
> until icehouse?

I actually would like to have a discussion at next summit of how to
bring Nova's security to the next step. This will involve getting rid of
risky operations when they are not so needed (like injecting files into
mounted image filesystems), but we need to have an overall view (no
point in removing that specific weak chain link if another remains as
weak) to see where we can actually improve things significantly.

So I would wait for icehouse to do anything. If it's separated from the
core V3 API already, I guess it's still easy to get rid of it in
icehouse if that's the outcome of that discussion session.

-- 
Thierry Carrez (ttx)


