On 25 January 2014 03:15, Devananda van der Veen <devananda....@gmail.com> wrote:
> In going through the bug list, I spotted this one and would like to discuss
> it:
>
> "can't disable file injection for bare metal"
> https://bugs.launchpad.net/ironic/+bug/1178103
>
> There's a #TODO in Ironic's PXE driver to *add* support for file injection,
> but I don't think we should do that. For the various reasons that Robert
> raised a while ago
> (http://lists.openstack.org/pipermail/openstack-dev/2013-May/008728.html),
> file injection for Ironic instances is neither scalable nor secure. I'd just
> as soon leave support for it completely out.
>
> However, Michael raised an interesting counter-point
> (http://lists.openstack.org/pipermail/openstack-dev/2013-May/008735.html)
> that some deployments may not be able to use cloud-init due to their
> security policy.

If they can't use cloud-init, they probably can't PXE deploy either, because
today, both have the same security characteristics.

> As we don't have support for config drives in Ironic yet, and we won't until
> there is a way to control either virtual media or network volumes on ironic
> nodes. So, I'd like to ask -- do folks still feel that we need to support
> file injection?

Unless the network volume is out of band secured/verifiable, it will be
equivalent to cloud-init and thus fail this security policy.

I would use SSL metadata - yay joshuah - and consider that sufficient until we
have a specific security policy in front of us that we can review, and see
*all* the holes that we'll have, rather than cherrypicking issues: what passes
such a policy for nova-KVM is likely not sufficient for ironic.

-Rob

--
Robert Collins <rbtcoll...@hp.com>
Distinguished Technologist
HP Converged Cloud