[openstack-dev] [nova] Minimal secure identification of a new VM

Hayes, Graham graham.hayes at hpe.com
Wed Apr 6 17:11:52 UTC 2016


On 06/04/2016 17:38, Fox, Kevin M wrote:
> A lot of the problems are documented here in the problem description section:
> https://review.openstack.org/#/c/222293/
>
> Thanks,
> Kevin

I am very much ++ on instance users.

> ________________________________________
> From: Daniel P. Berrange [berrange at redhat.com]
> Sent: Wednesday, April 06, 2016 9:04 AM
> To: Hayes, Graham
> Cc: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [nova] Minimal secure identification of a new VM
>
> On Wed, Apr 06, 2016 at 04:03:18PM +0000, Hayes, Graham wrote:
>> On 06/04/2016 16:54, Gary Kotton wrote:
>>>
>>>
>>> On 4/6/16, 12:42 PM, "Daniel P. Berrange" <berrange at redhat.com> wrote:
>>>
>>>> On Tue, Apr 05, 2016 at 06:00:55PM -0400, Adam Young wrote:
>>>>> We have a use case where we want to register a newly spawned Virtual
>>>>> machine with an identity provider.
>>>>>
>>>>> Heat also has a need to provide some form of Identity for a new VM.
>>>>>
>>>>>
>>>>> Looking at the set of utilities right now, there does not seem to be a
>>>>> secure way to do this.  Injecting files does not provide a path that
>>>>> cannot be seen by other VMs or machines in the system.
>>>>>
>>>>> For our use case, a short lived One-Time-Password is sufficient, but for
>>>>> others, I think asymmetric key generation makes more sense.
>>>>>
>>>>> Is the following possible:
>>>>>
>>>>> 1.  In cloud-init, the VM generates a Keypair, then notifies the Nova
>>>>> infrastructure (somehow) that it has done so.
>>>>
>>>> There's no currently secure channel for the guest to push information
>>>> to Nova. The best we have is the metadata service, but we'd need to
>>>> secure that with https, because the metadata server cannot be assumed
>>>> to be running on the same host as the VM & so the channel is not protected
>>>> against MITM attacks.
>>
>> I thought the metadata API traffic was taken off the network by the
>> compute node? Or is that just under the old nova-network?
>
> Nope, there's no guarantee that the metadata server will be on the
> local compute node - it might be co-located, but it equally might
> be anywhere else.
>
> Regards,
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
>
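The bootstrap Adam sketches (the guest generates a keypair and a short-lived one-time password vouches for its first registration), written out as an added example that is not from the thread, Nova or cloud-init: a constructed Go stand-in for the registrar in which the OTP is bound to one instance, expires, is consumed on first successful use, and the guest must prove possession of the key it registers. `Registrar`, `GuestEnroll`, the instance ids and the `instance|otp|key` binding format are assumptions; how the OTP reaches the guest without crossing the unprotected channel Daniel describes is left open, exactly as in the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// token is a bootstrap OTP bound to one instance; it expires and is deleted once redeemed.
type token struct{ instanceID string; expires time.Time }
// Registrar is a constructed stand-in for the identity provider (not Nova or Keystone code).
type Registrar struct {
	tokens map[string]*token // keyed by OTP value
	Keys   map[string]ed25519.PublicKey
}
func NewRegistrar() *Registrar {
	return &Registrar{tokens: map[string]*token{}, Keys: map[string]ed25519.PublicKey{}}
}
// Issue mints a random short-lived OTP for one instance (delivery to the guest is out of scope).
func (r *Registrar) Issue(instanceID string, ttl time.Duration, now time.Time) string {
	b := make([]byte, 16)
	rand.Read(b)
	otp := fmt.Sprintf("%x", b)
	r.tokens[otp] = &token{instanceID: instanceID, expires: now.Add(ttl)}
	return otp
}
// binding covers instance, OTP and key so none of them can be swapped in a captured request.
func binding(instanceID, otp string, pub ed25519.PublicKey) []byte {
	return []byte(fmt.Sprintf("%s|%s|%x", instanceID, otp, pub))
}
// GuestEnroll is the cloud-init side: generate a keypair and sign the binding with it.
func GuestEnroll(instanceID, otp string) (ed25519.PublicKey, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, ed25519.Sign(priv, binding(instanceID, otp, pub))
}
// Register checks freshness, instance binding and proof of possession, then consumes the OTP.
func (r *Registrar) Register(instanceID, otp string, pub ed25519.PublicKey, sig []byte, now time.Time) error {
	t, ok := r.tokens[otp]
	if !ok || t.instanceID != instanceID || now.After(t.expires) {
		return errors.New("unknown, used, expired or mis-bound token")
	}
	if !ed25519.Verify(pub, binding(instanceID, otp, pub), sig) {
		return errors.New("signature does not prove possession of the key")
	}
	delete(r.tokens, otp) // single use: a replayed registration is now rejected
	r.Keys[instanceID] = pub
	return nil
}
```

A registration that fails any check leaves the token in place, so a guest can retry with the correct key until the TTL runs out; only a successful registration burns it.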