[openstack-dev] [nova] Adding hostId to metadata

Jay Pipes jaypipes at gmail.com
Wed Jun 27 16:37:43 UTC 2018


On 06/27/2018 12:20 PM, Matt Riedemann wrote:
> On 6/27/2018 10:13 AM, Jay Pipes wrote:
>> I've -2'd the patch in question because of these concerns about 
>> crossing the line between administrative and guest/virtual domains. It 
>> may seem like a very trivial patch, but from what I can tell, it would 
>> be a very big departure from the types of information we have 
>> traditionally allowed in the metadata API.
> 
> To be clear, this is exposing the exact same hashed host+project_id 
> value via the metadata API that you can already get, as a non-admin 
> user, from the compute REST API:
> 
> https://github.com/openstack/nova/blob/c8b93fa2493dce82ef4c0b1e7a503ba9b81c2e86/nova/api/openstack/compute/views/servers.py#L135 
> 
> So I don't think it's a security issue at all.

My sincere apologies. I did not realize that the hostId was not, in 
fact, the host identifier, but rather a SHA-224 hash of the host and 
project_id.

> The one thing I would be a bit worried about is that the value would be 
> stale from the config drive if the instance is live migrated. We also 
> expose the availability zone the instance is in from the config drive, 
> but as far as I know you can't live migrate your way into another 
> availability zone (unless of course the admin force live migrates to 
> another host in another AZ and bypasses the scheduler).

OK, I'll remove my -2. Apologies!

-jay
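
An added example, not part of the original message and not Nova's code: a sketch of the hostId property discussed in this thread, showing that the value is scoped per project and that a copy written to a config drive at boot goes stale after a live migration. The concatenation order (project_id + host), the UTF-8 encoding, the helper names and the sample inventory are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict


def host_id(host, project_id):
    """Hex SHA-224 of project_id + host; order and UTF-8 encoding are assumed."""
    if not host:
        return ""  # instance not yet scheduled to a host
    return hashlib.sha224((project_id + host).encode("utf-8")).hexdigest()


def colocated(instances):
    """Group instance names by (project, hostId), keeping groups of 2 or more."""
    groups = defaultdict(list)
    for name, project, host in instances:
        groups[(project, host_id(host, project))].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def config_drive_stale(boot_host, current_host, project_id):
    """True when the hostId written to the config drive at boot no longer
    matches the value computed for the host the instance runs on now."""
    return host_id(boot_host, project_id) != host_id(current_host, project_id)


# Constructed sample inventory: (instance name, project_id, compute host).
INSTANCES = [
    ("web-1", "proj-a", "compute-01"),
    ("web-2", "proj-a", "compute-01"),
    ("web-3", "proj-a", "compute-02"),
    ("db-1", "proj-b", "compute-01"),
]

if __name__ == "__main__":
    for name, project, host in INSTANCES:
        print(name, project, host_id(host, project))
    print("co-located:", colocated(INSTANCES))
    print("stale after migration:",
          config_drive_stale("compute-01", "compute-02", "proj-a"))
```

A tenant can tell which of its own instances share a host, but the same host produces an unrelated value for another project, so the value does not identify the host across tenants.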