[Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?

Tyler Bishop tyler.bishop at beyondhosting.net
Sun Jan 28 01:00:48 UTC 2018


On Dell DRAC you can disable IPMI/RAC control at the device for OS configuration.

With Supermicro IPMI you just need to create a random user and random password that is not "admin". 




From: "Guo James" <guoyongxhzhf at outlook.com> 
To: xiefp88 at sina.com, "openstack" <openstack at lists.openstack.org> 
Sent: Wednesday, January 10, 2018 10:16:34 PM 
Subject: Re: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS? 



An Ironic user can change the IPMI address so that OpenStack Ironic loses control of the bare metal.

I think that is unacceptable.

It seems that we should make the Ironic image without root privilege.




From: xiefp88 at sina.com [mailto:xiefp88 at sina.com] 
Sent: Thursday, January 11, 2018 9:12 AM 
To: Guo James; openstack 
Subject: Re: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?





If you cannot get the username and password of the OS, you cannot modify the IPMI configuration, even though you have the Ironic user info.








----- Original Message -----
From: Guo James <guoyongxhzhf at outlook.com>
To: "openstack at lists.openstack.org" <openstack at lists.openstack.org>
Subject: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?
Date: January 10, 2018, 17:21



I notice that after an Ironic user gets a bare metal successfully, he can access IPMI through the IPMI device although he can't access IPMI through the LAN.
How to prevent the situation?
If he modifies the IPMI configuration, that will be a mess.