[Openstack] Metadata and File Injection

Ewan Mellor Ewan.Mellor at eu.citrix.com
Mon Jan 2 21:31:19 UTC 2012


> -----Original Message-----
> From: Soren Hansen [mailto:soren at linux2go.dk]
>
> [Snip]
> 
> > In the context of this discussion, that means that OpenStack needs to
> > work in DHCP-free environments, because we already know of many.
> 
> The only one I'm familiar with is Rackspace where I think (and please
> do
> correct me if I'm wrong) DHCP isn't used only because Windows instances
> can't be configured with DHCP if they have multiple interfaces.

DHCP may be forbidden because:
* it has been deemed less reliable than pushing fixed IP addresses from an asset database.  If you already have a comprehensive asset database, why push the addresses to a DHCP server to have it push them to your hosts when you can push them to the host directly?

* it has been deemed less reliable than pushing addresses from the virt layer.  Why go to the effort of making a DHCP service highly available, and making sure that the failover is quicker than the timeout that causes guests to decide to take zeroconf addresses instead?

* it has been deemed a security risk.  Compromising the DHCP server gives you all sorts of easy attacks.  This one actually seems like a very reasonable concern in the case of tenant networks in a cloud.  Pushing the address from the virt layer takes away that attack vector altogether.

* the guy who is installing the cloud doesn't control the network, and so the DHCP server isn't his and/or he's not allowed to run one of his own.  This seems likely in an academic environment or pilots within an enterprise.

Note that none of these has to be specifically a decision about OpenStack or clouds in general.  They might just be blanket policies from simpler times.  That doesn't make them any easier to change.

Regardless of those four, your one seems like a complete deal-breaker to me.  If that's true (and it's not something that I'm aware of one way or another) then we shouldn't even be having this discussion.  We can't build a solution that can't reliably configure Windows VMs.

Ewan.



More information about the Openstack mailing list