[openstack-dev] [nova] Minimal secure identification of a new VM

Adam Young ayoung at redhat.com
Tue Apr 5 22:00:55 UTC 2016

We have a use case where we want to register a newly spawned Virtual 
machine with an identity provider.

Heat also has a need to provide some form of Identity for a new VM.

Looking at the set of utilities right now, there does not seem to be a 
secure way to do this.  Injecting files does not provide a path that 
cannot be seen by other VMs or machines in the system.

For our use case, a short lived One-Time-Password is sufficient, but for 
others, I think asymmetric key generation makes more sense.

Is the following possible:

1.  In cloud-init, the VM generates a Keypair, then notifies the No0va 
infrastructure (somehow) that it has done so.

2.  Nova Compute reads the public Key off the device and sends it to 
conductor, which would then associate the public key with the server?

3.  A third party system could then validate the association of the 
public key and the server, and build a work flow based on some signed 
document from the VM?

More information about the OpenStack-dev mailing list