[openstack-dev] [nova] Minimal secure identification of a new VM

Joshua Harlow harlowja at fastmail.com
Wed Apr 6 00:58:27 UTC 2016


Adam Young wrote:
> We have a use case where we want to register a newly spawned Virtual
> machine with an identity provider.
>
> Heat also has a need to provide some form of Identity for a new VM.
>
>
> Looking at the set of utilities right now, there does not seem to be a
> secure way to do this. Injecting files does not provide a path that
> cannot be seen by other VMs or machines in the system.
>
> For our use case, a short lived One-Time-Password is sufficient, but for
> others, I think asymmetric key generation makes more sense.
>
> Is the following possible:
>
> 1. In cloud-init, the VM generates a Keypair, then notifies the Nova
> infrastructure (somehow) that it has done so.

So this can be somewhat done already:

https://cloudinit.readthedocs.org/en/latest/topics/examples.html#call-a-url-when-finished

But unsure what endpoint u want that thing to call (and the data it
sends might need to be tweaked); and said calling a URL might need
https, which then begs the question of what certs and stuff https is
using to ensure it's calling a URL that is 'really nova'.

>
> 2. Nova Compute reads the public Key off the device and sends it to
> conductor, which would then associate the public key with the server?
>
> 3. A third party system could then validate the association of the
> public key and the server, and build a work flow based on some signed
> document from the VM?

Seems like a useful idea, if we can figure out how to do it.

-Josh

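The three steps Adam sketches (guest generates a keypair, the public half gets associated with the server, a third party checks a signed document against that association) can be modelled end to end in a few dozen lines. The following is an added example written for this thread, not code from cloud-init, Nova or Heat. It assumes Ed25519 as the asymmetric algorithm (the thread only says "asymmetric key generation"), uses an in-memory `Registry` as a stand-in for the conductor-side association and a `Verifier` as the third-party system, and leaves the transport question Josh raises (which URL the guest calls and how that channel is authenticated) out of scope. The verifier issues a nonce so the guest's signed claim proves possession of the key now rather than at some earlier time, and a nonce is consumed on first use so a captured claim cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Registry stands in for the conductor-side "server UUID -> public key"
// association (step 2). Hypothetical: this is not Nova's data model.
type Registry struct {
	keys map[string]ed25519.PublicKey
}

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Register records the key the compute host read off the instance. A second
// registration for the same instance is refused, so nothing that runs later
// can quietly swap the key out.
func (r *Registry) Register(instanceID string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if _, exists := r.keys[instanceID]; exists {
		return errors.New("instance already has a registered key")
	}
	r.keys[instanceID] = append(ed25519.PublicKey(nil), pub...)
	return nil
}

// VMIdentity is the guest side (step 1): the keypair is generated inside the
// VM and only the public half ever leaves it.
type VMIdentity struct {
	InstanceID string
	priv       ed25519.PrivateKey
	Pub        ed25519.PublicKey
}

func NewVMIdentity(instanceID string) (*VMIdentity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &VMIdentity{InstanceID: instanceID, priv: priv, Pub: pub}, nil
}

// claimBytes is the "signed document" of step 3: instance id, the verifier's
// nonce and an issue time, in a fixed layout so both sides hash the same bytes.
func claimBytes(instanceID, nonce string, issued time.Time) []byte {
	return []byte(instanceID + "\n" + nonce + "\n" + issued.UTC().Format(time.RFC3339))
}

// Sign produces the guest's signature over the claim for the given nonce.
func (v *VMIdentity) Sign(nonce string, issued time.Time) []byte {
	return ed25519.Sign(v.priv, claimBytes(v.InstanceID, nonce, issued))
}

// Verifier is the third-party system: it hands out nonces, looks the instance's
// key up in the registry and enforces freshness and single use of each nonce.
type Verifier struct {
	reg    *Registry
	maxAge time.Duration
	nonces map[string]bool // outstanding nonces; deleted once a claim succeeds
}

func NewVerifier(reg *Registry, maxAge time.Duration) *Verifier {
	return &Verifier{reg: reg, maxAge: maxAge, nonces: map[string]bool{}}
}

// Challenge returns a fresh random nonce the guest must include in its claim.
func (vf *Verifier) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	vf.nonces[n] = true
	return n, nil
}

// Verify accepts a claim only if the instance has a registered key, the nonce
// is outstanding, the claim is recent, and the signature checks out.
func (vf *Verifier) Verify(instanceID, nonce string, issued time.Time, sig []byte, now time.Time) error {
	pub, ok := vf.reg.keys[instanceID]
	if !ok {
		return errors.New("no key registered for instance")
	}
	if !vf.nonces[nonce] {
		return errors.New("unknown or already used nonce")
	}
	if now.Sub(issued) > vf.maxAge || issued.After(now.Add(time.Minute)) {
		return errors.New("claim expired or issued in the future")
	}
	if !ed25519.Verify(pub, claimBytes(instanceID, nonce, issued), sig) {
		return errors.New("bad signature")
	}
	delete(vf.nonces, nonce) // single use: a replayed claim fails the nonce check
	return nil
}

func main() {
	reg := NewRegistry()
	vm, _ := NewVMIdentity("instance-0001") // constructed sample instance id
	_ = reg.Register(vm.InstanceID, vm.Pub)
	vf := NewVerifier(reg, 5*time.Minute)
	nonce, _ := vf.Challenge()
	now := time.Now()
	fmt.Println("first claim:", vf.Verify(vm.InstanceID, nonce, now, vm.Sign(nonce, now), now))
	fmt.Println("replayed claim:", vf.Verify(vm.InstanceID, nonce, now, vm.Sign(nonce, now), now))
}
```

The freshness window and the nonce bookkeeping are what make this closer to Adam's "short lived" requirement than a bare signature would be; a guest whose image was snapshotted after key generation still cannot reuse an old claim, although it could of course answer a new challenge, which is why the registration step refusing a second key per instance matters as much as the signature check.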