Hi,

Under "normal" circumstances, anyone has access to a VM's metadata. It'd be nice to restrict access to it for only the VM (i.e. do not accept forwarding) and only from root. This could be done this way:

iptables -A FORWARD -d 169.254.169.254/32 \
        -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -d 169.254.169.254/32 \
        -m owner ! --uid-owner 0 -j REJECT \
        --reject-with icmp-port-unreachable

Would the team agree to add this by default?

Also, we need to check if only root has access to the config drive.

Your thoughts?

Cheers,

Thomas Goirand (zigo)
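
The two rules in the message are appended with -A, so they only take effect if no earlier rule in the same chain already accepts the traffic. The following check is an added example, not part of the original post or of any project's code: the function name, the sample ruleset (constructed) and the "unconditional ACCEPT" heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a saved ruleset for the two metadata rules proposed
# above. Heuristic: user-defined chains are not followed, and only
# unconditional ACCEPTs are treated as shadowing the REJECT rules.
MD='169.254.169.254/32'

# Reads `iptables-save -t filter` text on stdin; prints findings and returns
# non-zero if a rule is missing or sits behind an earlier unconditional ACCEPT.
audit_metadata_rules() {
    awk -v md="$MD" '
    $1 != "-A" { next }                      # skip table, policy, COMMIT lines
    {
        chain = $2; dst = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-d") dst = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        nonroot = index($0 " ", "-m owner ! --uid-owner 0 ") > 0
        reject = (dst == md && target == "REJECT")
    }
    chain == "FORWARD" && reject { fwd = 1; next }
    chain == "OUTPUT" && reject && nonroot { outp = 1; next }
    # Matches "-A CHAIN -j ACCEPT" or "-A CHAIN -d <metadata> -j ACCEPT"
    target == "ACCEPT" && (NF == 4 || (NF == 6 && dst == md)) {
        if (chain == "FORWARD" && !fwd) { print "SHADOWED FORWARD: " $0; bad = 1 }
        if (chain == "OUTPUT" && !outp) { print "SHADOWED OUTPUT: " $0; bad = 1 }
    }
    END {
        if (!fwd)  { print "MISSING: FORWARD reject for " md; bad = 1 }
        if (!outp) { print "MISSING: OUTPUT non-root reject for " md; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample in iptables-save format (not captured from a real host).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 169.254.169.254/32 -m owner ! --uid-owner 0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | audit_metadata_rules && echo "sample ruleset: OK"
```

On a live host the input would come from `iptables-save -t filter | audit_metadata_rules`, run as root.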
