[openstack-dev] [TripleO] FreeIPA integration

Fox, Kevin M Kevin.Fox at pnnl.gov
Wed Apr 6 15:55:34 UTC 2016


Yeah. I'm all for something like that.  The solution just needs to meet the requirements listed in https://review.openstack.org/222293

That solution could also probably be reused for an ssh key. The security of openssh vms + nova is pretty bad.

There should be some kind of way for the vm to post its ssh pubkey to nova, and then have a nova ssh command on the client that pulls the key out of nova api and updates your known hosts with it, to prevent all the man in the middle potential we've lived with for a long time.

Thanks,
Kevin

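An added example, not code from this thread or from Nova, of the client side Kevin sketches: take the host key the VM published, install it into known_hosts before the first connection, and check the key offered during the handshake against it. The record shape and the ssh-ed25519 key body are constructed assumptions, since the proposed nova call does not exist.

```python
import base64
import hashlib
import hmac

# Constructed sample: a valid-format ssh-ed25519 public key blob (wire
# format: string "ssh-ed25519" + 32-byte key) with a dummy key body.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_RECORD = {  # assumed shape of what the proposed nova call would return
    "instance": "web-01",
    "addresses": ["10.0.0.12", "web-01.example.internal"],
    "key_type": "ssh-ed25519",
    "key_b64": base64.b64encode(_BLOB).decode(),
}


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(record):
    """Plain (unhashed) known_hosts entry covering every address of the VM."""
    return "%s %s %s" % (",".join(record["addresses"]),
                         record["key_type"], record["key_b64"])


def merge_known_hosts(existing_text, record):
    """Drop stale plain entries for this VM's addresses (e.g. the key of an
    earlier instance that reused the IP) and append the published key.
    Hashed (|1|...) entries cannot be matched by name and are left alone."""
    targets = set(record["addresses"])
    kept = []
    for line in existing_text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("|1|"):
            if targets & set(fields[0].split(",")):
                continue  # stale entry for a name we are about to replace
        kept.append(line)
    kept.append(known_hosts_line(record))
    return "\n".join(kept) + "\n"


def verify_presented_key(record, presented_type, presented_b64):
    """Check the key offered in the SSH handshake against the published one."""
    return (presented_type == record["key_type"]
            and hmac.compare_digest(presented_b64, record["key_b64"]))
```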

________________________________
From: Adam Young [ayoung at redhat.com]
Sent: Tuesday, April 05, 2016 7:02 PM
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] [TripleO] FreeIPA integration

On 04/05/2016 11:42 AM, Fox, Kevin M wrote:
Yeah, and they just deprecated vendor data plugins too, which eliminates my other workaround. :/

We need to really discuss this problem at the summit and get a viable path forward. It's just getting worse. :/

Thanks,
Kevin
________________________________
From: Juan Antonio Osorio [jaosorior at gmail.com]
Sent: Tuesday, April 05, 2016 5:16 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [TripleO] FreeIPA integration



On Tue, Apr 5, 2016 at 2:45 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
This sounds suspiciously like, "how do you get a secret to the instance to get a secret from the secret store" issue.... :)
Yeah, sounds pretty familiar. We were using the nova hooks mechanism for this means, but it was deprecated recently. So bummer :/

Nova instance user spec again?

Thanks,
Kevin

Yep, and we need a solution.  I think the right solution is a keypair generated on the instance, public key posted by the instance to the hypervisor and stored with the instance data in the database.  I wrote that to the mailing list earlier today.

A basic rule of a private key is that it never leaves the machine on which it is generated.  The rest falls out from there.