Also just to note; file-injection seems unneeded when cloud-init can use this:
http://cloudinit.readthedocs.org/en/latest/topics/examples.html#writing-out-arbitrary-files

That I believe is in most modern versions of cloud-init (forgot when I implemented that).

Just FYI :)

-Josh

On 1/24/14, 3:31 PM, "Robert Collins" <robe...@robertcollins.net> wrote:

> On 25 January 2014 03:15, Devananda van der Veen <devananda....@gmail.com> wrote:
>> In going through the bug list, I spotted this one and would like to discuss it:
>>
>> "can't disable file injection for bare metal"
>> https://bugs.launchpad.net/ironic/+bug/1178103
>>
>> There's a #TODO in Ironic's PXE driver to *add* support for file injection, but I don't think we should do that. For the various reasons that Robert raised a while ago (http://lists.openstack.org/pipermail/openstack-dev/2013-May/008728.html), file injection for Ironic instances is neither scalable nor secure. I'd just as soon leave support for it completely out.
>>
>> However, Michael raised an interesting counter-point (http://lists.openstack.org/pipermail/openstack-dev/2013-May/008735.html) that some deployments may not be able to use cloud-init due to their security policy.
>
> If they can't use cloud-init, they probably can't PXE deploy either, because today, both have the same security characteristics.
>
>> As we don't have support for config drives in Ironic yet (and we won't until there is a way to control either virtual media or network volumes on ironic nodes), I'd like to ask -- do folks still feel that we need to support file injection?
>
> Unless the network volume is out of band secured/verifiable, it will be equivalent to cloud-init and thus fail this security policy.
>
> I would use SSL metadata - yay joshuah - and consider that sufficient until we have a specific security policy in front of us that we can review, and see *all* the holes that we'll have, rather than cherrypicking issues: what passes such a policy for nova-KVM is likely not sufficient for ironic.
>
> -Rob
>
> --
> Robert Collins <rbtcoll...@hp.com>
> Distinguished Technologist
> HP Converged Cloud
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
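The write_files mechanism Josh points to, shown as an added illustration rather than anything posted in the thread: a cloud-config document that writes two files at first boot, with owner and mode set explicitly, one as plain text and one base64-encoded so the bytes reach the disk unchanged. The paths and file contents are constructed for the example.

```yaml
#cloud-config
# Added example, not from the thread: cloud-init's write_files module
# writes files from the instance's user-data at first boot, which is what
# makes nova-side file injection unnecessary for Ironic-deployed nodes.
write_files:
  # Plain-text content. Owner and mode are set explicitly so the file is
  # not left world-readable by whatever umask cloud-init happens to run with.
  - path: /etc/example-app/config.ini   # constructed path
    owner: root:root
    permissions: '0640'
    content: |
      [service]
      listen = 127.0.0.1:8080
  # Base64-encoded content: use this for anything that is not plain text so
  # YAML processing cannot alter it. The payload below is the constructed
  # string "hello from cloud-init" followed by a newline.
  - path: /opt/example-app/hello.txt    # constructed path
    owner: root:root
    permissions: '0644'
    encoding: b64
    content: aGVsbG8gZnJvbSBjbG91ZC1pbml0Cg==
```

Pass the document as user-data; cloud-init reads it from the metadata service or config drive, so the same transport-security caveat Rob raises about cloud-init applies to these files.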