Open Stack

On Tue, Jul 19, 2016 at 12:51:07AM +0000, Daniel Russell wrote:
> Hi Erno,
> 
> For the size of team I am in I think it would work well but it feels like
> I am putting the security of Nova in the hands of Glance.

Yep, from an architectural pov it is not very good. Particularly in a
multi-hypervisor compute deployment you can have the situation where yoyu
want to allow a property for one type of hypervisor but forbid it for another.

What we really need is the exact same image property security restrictions
implemented by nova-compute, so we can setup compute nodes to blacklist
certain properties.

> 
> What I was more after was a setting in Nova that says 'this hypervisor
> does not allow guest sockets and will ignore any attempt to create them',
> 'this hypervisor always creates guest sockets regardless of your choice',
> 'this hypervisor will respect whatever you throw in hw_qemu_guest_agent
> with a default of no', or 'this hypervisor will respect whatever you throw
> in hw_qemu_guest_agent with a default of yes'.  It feels like a more
> appropriate place to control and manage that kind of configuration.

Nope, there's no such facility right now - glance property protection
is the only real option. I'd be very much against adding a lockdown
which was specific to the guest agent too - if we did anything it would
be to have a generic property protection model in nova that mirrors what
glance supports.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|