Excerpts from Devananda van der Veen's message of 2014-01-24 06:15:12 -0800:
> In going through the bug list, I spotted this one and would like to discuss
> it:
>
> "can't disable file injection for bare metal"
> https://bugs.launchpad.net/ironic/+bug/1178103
>
> There's a #TODO in Ironic's PXE driver to *add* support for file injection,
> but I don't think we should do that. For the various reasons that Robert
> raised a while ago (
> http://lists.openstack.org/pipermail/openstack-dev/2013-May/008728.html),
> file injection for Ironic instances is neither scalable nor secure. I'd
> just as soon leave support for it completely out.
>
> However, Michael raised an interesting counter-point (
> http://lists.openstack.org/pipermail/openstack-dev/2013-May/008735.html)
> that some deployments may not be able to use cloud-init due to their
> security policy.
>
I'm not sure how careful we are about security while copying the image. Given that we currently just use TFTP and iSCSI, it seems like putting another requirement on that for security (user-data, network config, etc.) is like pushing the throttle forward on the Titanic.

I'd much rather see cloud-init/ec2-metadata made to work better than see us overcomplicate an already haphazard process with per-node customization. Perhaps we could make EC2 metadata work with SSL and bake CA certs into the images?