[openstack-dev] [Infra] Generic solution for bare metal testing
Jeremy Stanley
fungi at yuggoth.org
Thu Apr 7 02:42:09 UTC 2016
On 2016-04-06 18:33:06 +0300 (+0300), Igor Belikov wrote:
[...]
> I suppose there are security issues when we talk about running
> custom code on bare metal slaves, but I'm not sure I understand
> the difference from running custom code on a virtual machine if
> bare metal nodes are isolated, don't contain any sensitive data
> and follow a regular redeployment procedure.
[...]
With a virtual machine, you can delete it and create a new one.
Nothing remains behind.

With a physical machine, arbitrary code running in the scope of a
test with root access can do _nasty_ things like backdoor your
server firmware with shims that even masquerade as the firmware
updater and persist through redeployments that include firmware
refreshes.

Physical servers persist, and are therefore vulnerable in this
scenario in ways which virtual servers are not.
--
Jeremy Stanley