[openstack-dev] Security of Meta-Data

Sean Dague sean at dague.net
Wed Oct 4 09:55:34 UTC 2017

There is an assumption that you've got solid network security on the
path between your guests and your nova-API. Either because you've got a
secure network path, or you run the neutron proxy server on the host
itself, and so this is a no hop call. Because this is a bootstrapping
problem, and the guests are coming up blank and *asking* the service how
they should be configured, it's kind of hard to have generically better
security than that. A lot of how that path is configured is very
specific to deployment's networking setup and topology, so the options
are on the table without a specific recommendation.

If you still have concerns about that, it's always possible to bake your
own config management daemon into your images, and do more sensitive
data pulled via a certificate secured model. You do then have to manage
certificate rotation in guest images, but that moves the bootstrapping
problem elsewhere.


On 10/03/2017 06:00 PM, Giuseppe de Candia wrote:
> Hi Folks,
> Are there any documented conventions regarding the security model for
> MetaData?
> Note that CloudInit allows passing user and ssh service public/private
> keys via MetaData service (or ConfigDrive). One assumes it must be
> secure, but I have not found a security model or documentation.
> My understanding of the Neutron reference implementation is that
> MetaData requests are HTTP (not HTTPS) and go from the VM to the
> MetaData proxy on the Network Node (after which they are proxied to Nova
> meta-data API server). The path from VM to Network Node using HTTP
> cannot guarantee confidentiality and is also susceptible to
> Man-in-the-Middle attacks.
> Some Neutron drivers proxy Metadata requests locally from the node
> hosting the VM that makes the query. I have mostly seen this
> presented/motivated as a way of removing dependency on the Network node,
> but it should also increase security. Yet, I have not seen explicit
> discussions of the security model, nor any attempt to set a standard for
> security of the meta-data.
> Finally, there do not seem to be granular controls over what meta-data
> is presented over ConfigDrive (when enabled) vs. meta-data REST API. As
> an example, Nova vendor data is presented over both, if both are
> enabled; config drive is presumably more secure.
> thanks,
> Pino
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Sean Dague

More information about the OpenStack-dev mailing list