Hi Folks, I'm still processing all this information - thanks for your help! --Pino On Wed, Oct 4, 2017 at 7:58 AM, Jeremy Stanley <fungi at yuggoth.org> wrote: > On 2017-10-04 10:47:02 +0100 (+0100), Luke Hinds wrote: > [...] > > The recommendation is not to use metadata for security sensitive > > data (its possible to spoof by setting a X-Forwarded header), > > please see the following OpenStack Security Note on the topic: > > > > https://wiki.openstack.org/wiki/OSSN/OSSN-0074 > > Well, it's possible as long as the environment is badly > designed/configured: you deployed nova to expect a proxy, but then > gave guest instances a way to reach the metadata API without going > through that proxy. So while it's definitely a risk to be aware of, > it come pretty close to the need Sean mentions for "solid network > security on the path between your guests and your nova-API." > -- > Jeremy Stanley > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171004/3eaa2df2/attachment.html>