[openstack-dev] [Ironic] File Injection (and the lack thereof)

Joshua Harlow harlowja at yahoo-inc.com
Fri Jan 24 22:17:38 UTC 2014


Cloud-init 0.7.5 (not yet released) will have the ability to read from an
ec2-metadata server using SSL.

In a recent change I did we now use requests which correctly does SSL for
the ec2-metadata/ec2-userdata reading.

- http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/910

For ssl-certs that it will use by default (if not provided) will be looked
for in the following locations.

- /var/lib/cloud/data/ssl
   - cert.pem
   - key
- /var/lib/cloud/instance/data/ssl
   - cert.pem
   - key
- ... Other custom paths (typically datasource dependent)

So I think in 0.7.5 for cloud-init this support will be improved and as
long as there is a supporting ssl ec2 metadata endpoint then this should
all work out fine...

-Josh

On 1/24/14, 11:35 AM, "Clint Byrum" <clint at fewbar.com> wrote:

>Excerpts from Devananda van der Veen's message of 2014-01-24 06:15:12
>-0800:
>> In going through the bug list, I spotted this one and would like to
>>discuss
>> it:
>> 
>> "can't disable file injection for bare metal"
>> https://bugs.launchpad.net/ironic/+bug/1178103
>> 
>> There's a #TODO in Ironic's PXE driver to *add* support for file
>>injection,
>> but I don't think we should do that. For the various reasons that Robert
>> raised a while ago (
>> 
>>http://lists.openstack.org/pipermail/openstack-dev/2013-May/008728.html),
>> file injection for Ironic instances is neither scalable nor secure. I'd
>> just as soon leave support for it completely out.
>> 
>> However, Michael raised an interesting counter-point (
>> http://lists.openstack.org/pipermail/openstack-dev/2013-May/008735.html)
>> that some deployments may not be able to use cloud-init due to their
>> security policy.
>> 
>
>I'm not sure how careful we are about security while copying the image.
>Given that we currently just use tftp and iSCSI, it seems like putting
>another requirement on that for security (user-data, network config,
>etc) is like pushing the throttle forward on the Titanic.
>
>I'd much rather see cloud-init/ec2-metadata made to work better than
>see us over complicate an already haphazard process with per-node
>customization. Perhaps We could make EC2 metadata work with SSL and bake
>CA certs into the images?
>
>_______________________________________________
>OpenStack-dev mailing list
>OpenStack-dev at lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




More information about the OpenStack-dev mailing list