[openstack-dev] [nova] Libguestfs: possibility not to use it, even when installed ?
Daniel P. Berrange
berrange at redhat.com
Thu Feb 19 10:53:04 UTC 2015
On Wed, Feb 18, 2015 at 07:23:52PM +0100, Raphael Glon wrote:
> Hi,
>
> This is about review:
> https://review.openstack.org/#/c/156633/
>
> 1 line, can be controversial
>
> Its purpose is to add the possibility not to use libguestfs for data
> injection in nova, even when installed.
>
> Not discussing the fact that libguestfs should be preferred over fuse
> mounts for data injection as much as possible, because mounts are more
> subject to causing security issues (and already have in past nova
> releases).
>
> However, there are a lot of potential cases when libguestfs won't be usable
> for data injection.
>
> This was the case here (fixed):
> https://bugzilla.redhat.com/show_bug.cgi?id=984409
>
> I encountered a similar case more recently on powerkvm 2.1.0 (defect with
> the libguestfs).
>
> So just saying it could be good adding a simple config flag (set to True by
> default, to keep the current behaviour untouched) to force nova not to use
> libguestfs without having to uninstall it and thus prevent other users on
> the host from using it.
The bug you quote above was easily fixed. If you have problems with
powerkvm then file a bug about them so they can be investigated &
fixed too. Just disabling its use is simply not at all helpful as the
alternative impl is horribly insecure against malicious disk images
which can cause host kernel crash.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|