[openstack-dev] [TripleO] FreeIPA integration
Fox, Kevin M
Kevin.Fox at pnnl.gov
Wed Apr 6 15:55:34 UTC 2016
Yeah. I'm all for something like that. The solution just needs to meet the requirements listed in https://review.openstack.org/222293
That solution could also probably be reused for an ssh key. The security of openssh vms + nova is pretty bad.
There should be some kind of way for the vm to post its ssh pubkey to nova, and then have a nova ssh command on the client that pulls the key out of nova api and updates your known hosts with it, to prevent all the man in the middle potential we've lived with for a long time.
Thanks,
Kevin
________________________________
From: Adam Young [ayoung at redhat.com]
Sent: Tuesday, April 05, 2016 7:02 PM
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] [TripleO] FreeIPA integration
On 04/05/2016 11:42 AM, Fox, Kevin M wrote:
Yeah, and they just deprecated vendor data plugins too, which eliminates my other workaround. :/
We need to really discuss this problem at the summit and get a viable path forward. It's just getting worse. :/
Thanks,
Kevin
________________________________
From: Juan Antonio Osorio [jaosorior at gmail.com]
Sent: Tuesday, April 05, 2016 5:16 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [TripleO] FreeIPA integration
On Tue, Apr 5, 2016 at 2:45 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
This sounds suspiciously like, "how do you get a secret to the instance to get a secret from the secret store" issue.... :)
Yeah, sounds pretty familiar. We were using the nova hooks mechanism for this means, but it was deprecated recently. So bummer :/
Nova instance user spec again?
Thanks,
Kevin
Yep, and we need a solution. I think the right solution is a keypair generated on the instance, public key posted by the instance to the hypervisor and stored with the instance data in the database. I wrote that to the mailing list earlier today.
A basic rule of a private key is that it never leaves the machine on which it is generated. The rest falls out from there.
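The client side of what Kevin and Adam describe (the instance generates its own host key, the public half is stored with the instance data, and the client pins it in known_hosts instead of trusting the first connection) as an added example, not code from the thread or from nova. The public key here is a constructed placeholder standing in for what the API would return, and the known_hosts handling is stdlib-only, with no real nova call.

```python
import base64
import hashlib
import struct


def constructed_instance_pubkey() -> str:
    """Build a syntactically valid OpenSSH ed25519 public key line.

    The 32 key bytes are a constructed placeholder, not a real key; this
    stands in for the key the instance generated and posted to nova.
    """
    key_type = b"ssh-ed25519"
    key_bytes = bytes(range(32))  # placeholder, constructed for the example
    blob = struct.pack(">I", len(key_type)) + key_type
    blob += struct.pack(">I", len(key_bytes)) + key_bytes
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} instance-host-key"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints, so an operator
    can compare what the API returned with what the instance console shows."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def update_known_hosts(known_hosts: str, host: str, pubkey_line: str) -> str:
    """Return known_hosts text with `host` pinned to `pubkey_line`.

    An existing entry for the same host and key type is dropped, so a stale
    key (rebuilt instance, reused floating IP) cannot linger next to the new
    one. Other hosts on a shared line, other key types, comments and hashed
    (|1|...) entries are left untouched.
    """
    key_type, key_b64 = pubkey_line.split()[:2]
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.startswith("#"):
            hosts = fields[0].split(",")
            if host in hosts and fields[1] == key_type:
                hosts = [h for h in hosts if h != host]
                if not hosts:
                    continue  # whole line superseded by the fetched key
                line = " ".join([",".join(hosts)] + fields[1:])
        kept.append(line)
    kept.append(f"{host} {key_type} {key_b64}")
    return "\n".join(kept) + "\n"
```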