[openstack-dev] [Ironic] File Injection (and the lack thereof)

Robert Collins robertc at robertcollins.net
Fri Jan 24 23:31:58 UTC 2014


On 25 January 2014 03:15, Devananda van der Veen
<devananda.vdv at gmail.com> wrote:
> In going through the bug list, I spotted this one and would like to discuss
> it:
>
> "can't disable file injection for bare metal"
> https://bugs.launchpad.net/ironic/+bug/1178103
>
> There's a #TODO in Ironic's PXE driver to *add* support for file injection,
> but I don't think we should do that. For the various reasons that Robert
> raised a while ago
> (http://lists.openstack.org/pipermail/openstack-dev/2013-May/008728.html),
> file injection for Ironic instances is neither scalable nor secure. I'd just
> as soon leave support for it completely out.
>
> However, Michael raised an interesting counter-point
> (http://lists.openstack.org/pipermail/openstack-dev/2013-May/008735.html)
> that some deployments may not be able to use cloud-init due to their
> security policy.

If they can't use cloud-init, they probably can't PXE deploy either,
because today, both have the same security characteristics.

> As we don't have support for config drives in Ironic yet, and we won't until
> there is a way to control either virtual media or network volumes on ironic
> nodes. So, I'd like to ask -- do folks still feel that we need to support
> file injection?

Unless the network volume is out of band secured/verifiable, it will
be equivalent to cloud-init and thus fail this security policy.

I would use SSL metadata - yay joshuah - and consider that sufficient
until we have a specific security policy in front of us that we can
review, and see *all* the wholes that we'll have, rather than
cherrypicking issues: what passes such a policy for nova-KVM is likely
not sufficient for ironic.

-Rob



-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud



More information about the OpenStack-dev mailing list