[Openstack-operators] [nova] Metadata service over virtio-vsock

Daniel P. Berrange berrange at redhat.com
Tue Feb 21 10:40:02 UTC 2017


On Mon, Feb 20, 2017 at 02:36:15PM -0500, Clint Byrum wrote:
> What exactly is the security concern of the metadata service? Perhaps
> those concerns can be addressed directly?
> 
> I ask because anything that requires special software on the guest is
> a non-starter IMO. virtio is a Linux thing, so what does this do for
> users of Windows?  FreeBSD? etc.

Red Hat is investing in creating virtio vsock drivers for Windows
but I don't have an ETA for that yet. There's no work in *BSD in
this area that I know of, but BSD does have support for virtio
in general, so if virtio-vsock becomes used in any important
places I would not be surprised if some BSD developers implemented
vsock too.

In any case, I don't think it necessarily needs to be supported
in every single possible scenario. The config drive provides the
same data in a highly portable manner, albeit with the caveat
about it being read-only. The use of metadata service (whether
TCP or vsock based) is useful for cases needing the info from
config drive to be dynamically updated - eg the role device
tagging metadata. Only a very small subset of guests running on
openstack actually use that data today. So it would not be the
end of the world if some guests don't support vsock in the short
to medium term - if the facility proves to be critically important
to a wider range of guests that'll motivate developers of those
OS to support it.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
