[Openstack-operators] [nova] More file injection woes

Matt Riedemann mriedem at linux.vnet.ibm.com
Sat Nov 12 01:11:51 UTC 2016


Chris Friesen reported a bug [1] where injected files on a server aren't 
in the guest after it's evacuated to another compute host. This is 
because the injected files aren't persisted in the nova database at all. 
Evacuate and rebuild use similar code paths, but rebuild is a user 
operation and the command line is similar to boot, but evacuate is an 
admin operation and the admin doesn't have the original injected files.

We've talked about issues with file injection before [2] - in that case 
not being able to tell if it can be honored and it just silently doesn't 
inject the files but the server build doesn't fail. We could eventually 
resolve that with capabilities discovery in the API.

There are other issues with file injection, like potential security 
issues, and we've talked about getting rid of it for years because you 
can use the config drive.

The metadata service is not a replacement, as noted in the code [3], 
because the files aren't persisted in nova so they can't be served up later.

I'm sure we've talked about this before, but if we were to seriously 
consider deprecating file injection, what does that look like?  Thoughts 
off the top of my head are:

1. Add a microversion to the server create and rebuild REST APIs such 
that the personality files aren't accepted unless:

a) you're also building the server with a config drive
b) or CONF.force_config_drive is True
c) or the image has the 'img_config_drive=mandatory' property

2. Deprecate VFSLocalFS in Ocata for removal in Pike. That means 
libguestfs is required. We'd do this because I think VFSLocalFS is the 
one with potential security issues.

----

Am I missing anything? Does this sound like a reasonable path forward? 
Are there other use cases out there for file injection that we don't 
have alternatives for like config drive?

Note I'm cross-posting to the operators list for operator feedback there 
too.

[1] https://bugs.launchpad.net/nova/+bug/1638961
[2] http://lists.openstack.org/pipermail/openstack-dev/2016-July/098703.html
[3] 
https://github.com/openstack/nova/blob/b761ea47b97c6df09e21755f7fbaaa2061290fbb/nova/api/metadata/base.py#L179-L187

-- 

Thanks,

Matt Riedemann




More information about the OpenStack-operators mailing list