[Openstack] OS API server password generation

George Reese george.reese at enstratus.com
Thu Mar 3 13:40:34 UTC 2011

Of all the bootstrapping mechanisms I have encountered, the AWS model still remains the best. Specifically, with the guest OS pulling the keys from a trusted platform source.

Any mechanism that requires an agent or requires any ability of the hypervisor or cloud platform to inject a password creates trust issues. In particular, the hypervisor and platform should avoid operations that reach into the guest. The guest should have the option of complete control over its data.


On Mar 3, 2011, at 7:16 AM, Ed Leafe wrote:

> On Mar 2, 2011, at 11:41 PM, Mark Washenberger wrote:
>> To your main point, I share your desire to be able to turn off password injection during instance creation. (For clarity, I'm assuming that your preference is to create the vm with no root password and only ssh keys as a means of access.) I guess the main problem with this is that it isn't in the 1.[01] spec so we'd need to agree on a sensible way of adding it to the api.
>> Does anyone know if it would create any compatibility problems to support an optional "disable_admin_pass": "True" attribute to the /servers POST request? Are there any reasons other than compatibility to require an adminPass to always be set?
> 	Right now password injection is a function of the guest agent running under XenServer; there is no way of setting this directly from nova. So if you're not running XenServer, or not running the guest agent (still being developed), there is no password setting being done.
> 	Alternatively, you could create a separate guest agent that expects a user's public key, writes that to the VM, and disables SSH, so that your instances are created with the security scheme that you want.
> -- Ed Leafe

George Reese - Chief Technology Officer, enStratus
e: george.reese at enstratus.com    t: @GeorgeReese    p: +1.207.956.0217    f: +1.612.338.5041
enStratus: Governance for Public, Private, and Hybrid Clouds - @enStratus - http://www.enstratus.com
To schedule a meeting with me: http://tungle.me/GeorgeReese
