[openstack-dev] [Infra] Generic solution for bare metal testing

Jeremy Stanley fungi at yuggoth.org
Thu Apr 7 02:42:09 UTC 2016


On 2016-04-06 18:33:06 +0300 (+0300), Igor Belikov wrote:
[...]
> I suppose there are security issues when we talk about running
> custom code on bare metal slaves, but I'm not sure I understand
> the difference from running custom code on a virtual machine if
> bare metal nodes are isolated, don't contain any sensitive data
> and follow a regular redeployment procedure.
[...]

With a virtual machine, you can delete it and create a new one.
Nothing remains behind.

With a physical machine, arbitrary code running in the scope of a
test with root access can do _nasty_ things like backdoor your
server firmware with shims that even masquerade as the firmware
updater and persist through redeployments that include firmware
refreshes.

Physical servers persist, and are therefore vulnerable in this
scenario in ways which virtual servers are not.
-- 
Jeremy Stanley