[openstack-dev] Security of Meta-Data

Giuseppe de Candia giuseppe.decandia at gmail.com
Tue Oct 3 22:00:27 UTC 2017

Hi Folks,

Are there any documented conventions regarding the security model for

Note that CloudInit allows passing user and ssh service public/private keys
via MetaData service (or ConfigDrive). One assumes it must be secure, but I
have not found a security model or documentation.

My understanding of the Neutron reference implementation is that MetaData
requests are HTTP (not HTTPS) and go from the VM to the MetaData proxy on
the Network Node (after which they are proxied to Nova meta-data API
server). The path from VM to Network Node using HTTP cannot guarantee
confidentiality and is also susceptible to Man-in-the-Middle attacks.

Some Neutron drivers proxy Metadata requests locally from the node hosting
the VM that makes the query. I have mostly seen this presented/motivated as
a way of removing dependency on the Network node, but it should also
increase security. Yet, I have not seen explicit discussions of the
security model, nor any attempt to set a standard for security of the

Finally, there do not seem to be granular controls over what meta-data is
presented over ConfigDrive (when enabled) vs. meta-data REST API. As an
example, Nova vendor data is presented over both, if both are enabled;
config drive is presumably more secure.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171003/28a27263/attachment.html>

More information about the OpenStack-dev mailing list