Cloud-init 0.7.5 (not yet released) will have the ability to read from an ec2-metadata server using SSL.
In a recent change I did we now use requests which correctly does SSL for the ec2-metadata/ec2-userdata reading.

- http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/910

The ssl-certs that it will use by default (if not provided) will be looked for in the following locations:

- /var/lib/cloud/data/ssl
  - cert.pem
  - key
- /var/lib/cloud/instance/data/ssl
  - cert.pem
  - key
- ... Other custom paths (typically datasource dependent)

So I think in 0.7.5 for cloud-init this support will be improved and as long as there is a supporting ssl ec2 metadata endpoint then this should all work out fine...

-Josh

On 1/24/14, 11:35 AM, "Clint Byrum" <cl...@fewbar.com> wrote:

>Excerpts from Devananda van der Veen's message of 2014-01-24 06:15:12
>-0800:
>> In going through the bug list, I spotted this one and would like to
>> discuss it:
>>
>> "can't disable file injection for bare metal"
>> https://bugs.launchpad.net/ironic/+bug/1178103
>>
>> There's a #TODO in Ironic's PXE driver to *add* support for file
>> injection, but I don't think we should do that. For the various reasons
>> that Robert raised a while ago (
>> http://lists.openstack.org/pipermail/openstack-dev/2013-May/008728.html),
>> file injection for Ironic instances is neither scalable nor secure. I'd
>> just as soon leave support for it completely out.
>>
>> However, Michael raised an interesting counter-point (
>> http://lists.openstack.org/pipermail/openstack-dev/2013-May/008735.html)
>> that some deployments may not be able to use cloud-init due to their
>> security policy.
>>
>
>I'm not sure how careful we are about security while copying the image.
>Given that we currently just use tftp and iSCSI, it seems like putting
>another requirement on that for security (user-data, network config,
>etc) is like pushing the throttle forward on the Titanic.
>
>I'd much rather see cloud-init/ec2-metadata made to work better than
>see us over complicate an already haphazard process with per-node
>customization. Perhaps we could make EC2 metadata work with SSL and bake
>CA certs into the images?
>
>_______________________________________________
>OpenStack-dev mailing list
>OpenStack-dev@lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
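As an added example (not cloud-init's own code and not from any poster in this thread): the default cert/key lookup order Josh lists, plus a metadata fetch that verifies the endpoint against a CA baked into the image as Clint suggests, written against the Python standard library rather than requests. The sample directory tree, its placeholder file contents and the https-only check are assumptions of the example.

```python
import os
import ssl
import tempfile
import urllib.request

# Lookup order quoted in the message; datasource-specific directories
# (the "..." in the message) would be appended after these two.
DEFAULT_SSL_DIRS = ("/var/lib/cloud/data/ssl", "/var/lib/cloud/instance/data/ssl")

def find_ssl_files(search_dirs=DEFAULT_SSL_DIRS, cert_name="cert.pem", key_name="key"):
    """(cert, key) from the first directory holding BOTH files, else None.
    A directory with only one of the two is skipped, never half-used."""
    for d in search_dirs:
        cert, key = os.path.join(d, cert_name), os.path.join(d, key_name)
        if os.path.isfile(cert) and os.path.isfile(key):
            return cert, key
    return None

def metadata_url_allowed(url):
    """Only https:// is acceptable; plaintext metadata is what the thread wants to avoid."""
    return url.lower().startswith("https://")

def build_metadata_context(ca_bundle=None, cert_key=None):
    """TLS context for the endpoint. ca_bundle: CA file baked into the image
    (None = system trust store). cert_key: optional (cert, key) client pair."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + hostname check
    if cert_key:
        ctx.load_cert_chain(certfile=cert_key[0], keyfile=cert_key[1])
    return ctx

def fetch_metadata(url, ctx, timeout=5):
    """Fetch one metadata path over verified TLS; plaintext URLs are refused."""
    if not metadata_url_allowed(url):
        raise ValueError("refusing plaintext metadata URL: %s" % url)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def make_sample_layout():
    """Constructed tree (placeholder files, not real certs): first dir has cert.pem only, second has both."""
    root = tempfile.mkdtemp(prefix="cloudinit-ssl-")
    dirs = [os.path.join(root, "data", "ssl"), os.path.join(root, "instance", "data", "ssl")]
    for d in dirs:
        os.makedirs(d)
    with open(os.path.join(dirs[0], "cert.pem"), "w") as f:
        f.write("constructed placeholder cert\n")
    for name in ("cert.pem", "key"):
        with open(os.path.join(dirs[1], name), "w") as f:
            f.write("constructed placeholder %s\n" % name)
    return dirs
```

Running `find_ssl_files(make_sample_layout())` selects the second directory because the first lacks a key; pass the real directories and a baked-in CA path to `build_metadata_context` on an instance.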