[openstack-dev] [nova] Adding hostId to metadata

Jeremy Stanley fungi at yuggoth.org
Wed Jun 27 16:26:59 UTC 2018


On 2018-06-27 11:13:04 -0400 (-0400), Jay Pipes wrote:
[...]
> Virtual machines and the software running in them should not need
> to know what particular piece of hardware they are running on. VMs
> having knowledge of the underlying hardware and host violates the
> principle of least privilege and introduces attack vectors that
> I'm pretty sure you (as an operator) don't want to open up.
[...]

I saw similar security red flags with the proposal, but didn't weigh
in at the time because I was confident Nova core reviewers would
arrive at the same quite quickly on their own.

While it would be "nice" to have this for the Infra team to be able
to give providers a heads up when we see instances crashing
consistently on a particular compute node, we're not the
administrators of those compute nodes and so it is not information
for which we should expect to have access. It may be a pain to
collect up instance UUIDs and then pass those along to the provider
so they can correlate to compute nodes in their service logs, but
that's ultimately the right way to go about it so that separation of
concerns is preserved.
-- 
Jeremy Stanley