[openstack-dev] [Ironic] File Injection (and the lack thereof)
Clint Byrum
clint at fewbar.com
Fri Jan 24 19:35:51 UTC 2014
Excerpts from Devananda van der Veen's message of 2014-01-24 06:15:12 -0800:
> In going through the bug list, I spotted this one and would like to discuss
> it:
>
> "can't disable file injection for bare metal"
> https://bugs.launchpad.net/ironic/+bug/1178103
>
> There's a #TODO in Ironic's PXE driver to *add* support for file injection,
> but I don't think we should do that. For the various reasons that Robert
> raised a while ago (
> http://lists.openstack.org/pipermail/openstack-dev/2013-May/008728.html),
> file injection for Ironic instances is neither scalable nor secure. I'd
> just as soon leave support for it completely out.
>
> However, Michael raised an interesting counter-point (
> http://lists.openstack.org/pipermail/openstack-dev/2013-May/008735.html)
> that some deployments may not be able to use cloud-init due to their
> security policy.
>
I'm not sure how careful we are about security while copying the image.
Given that we currently just use tftp and iSCSI, it seems like putting
another requirement on that for security (user-data, network config,
etc) is like pushing the throttle forward on the Titanic.
I'd much rather see cloud-init/ec2-metadata made to work better than
see us overcomplicate an already haphazard process with per-node
customization. Perhaps we could make EC2 metadata work with SSL and bake
CA certs into the images?