Yeah. I'm all for something like that.  The solution just needs to meet the 
requirements listed in https://review.openstack.org/222293

That solution could also probably be reused for an ssh key. The security of 
openssh vms + nova is pretty bad.

There should be some kind of way for the vm to post its ssh pubkey to nova, and 
then have a nova ssh command on the client that pulls the key out of nova api 
and updates your known hosts with it, to prevent all the man in the middle 
potential we've lived with for a long time.

Thanks,
Kevin


________________________________
From: Adam Young [ayo...@redhat.com]
Sent: Tuesday, April 05, 2016 7:02 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [TripleO] FreeIPA integration

On 04/05/2016 11:42 AM, Fox, Kevin M wrote:
Yeah, and they just deprecated vendor data plugins too, which eliminates my 
other workaround. :/

We need to really discuss this problem at the summit and get a viable path 
forward. It's just getting worse. :/

Thanks,
Kevin
________________________________
From: Juan Antonio Osorio [jaosor...@gmail.com]
Sent: Tuesday, April 05, 2016 5:16 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [TripleO] FreeIPA integration



On Tue, Apr 5, 2016 at 2:45 PM, Fox, Kevin M <kevin....@pnnl.gov> wrote:
This sounds suspiciously like, "how do you get a secret to the instance to get 
a secret from the secret store" issue.... :)
Yeah, sounds pretty familiar. We were using the nova hooks mechanism for this 
means, but it was deprecated recently. So bummer :/

Nova instance user spec again?

Thanks,
Kevin

Yep, and we need a solution.  I think the right solution is a keypair generated 
on the instance, public key posted by the instance to the hypervisor and stored 
with the instance data in the database.  I wrote that to the mailing list 
earlier today.

A basic rule of a private key is that it never leaves the machine on which it 
is generated.  The rest falls out from there.
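The client-side half of what Kevin and Adam describe (pull the instance's host key out of the API and pin it in known_hosts), as an added example that is not code from this thread, nova or OpenSSH. It assumes the public key has already been retrieved out of band, since the nova API they propose does not exist; the key material and known_hosts contents are constructed sample data.

```python
"""Pin an instance's SSH host key in known_hosts (added example, not nova code).
Replacing the stale entry for a recycled address avoids both the TOFU prompt
and the silently trusted wrong key that make the MITM window possible."""
import base64
import hashlib
import struct


def ssh_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _hosts_of(line: str) -> list:
    # Plain entry: "host1,host2 keytype base64 [comment]". Blank, comment,
    # hashed (|1|...) and marker (@...) lines cannot be matched by name.
    if not line.strip() or line.startswith(("#", "|", "@")):
        return []
    return line.split(None, 1)[0].split(",")


def pin_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return known_hosts text with exactly one entry for `host`; other
    names sharing a line with it keep their (possibly different) key."""
    base64.b64decode(key_b64, validate=True)  # reject a garbled key early
    kept = []
    for line in known_hosts.splitlines():
        hosts = _hosts_of(line)
        if host in hosts:
            hosts = [h for h in hosts if h != host]
            if not hosts:
                continue  # entry was only for this address: drop it
            line = ",".join(hosts) + " " + line.split(None, 1)[1]
        kept.append(line)
    kept.append(f"{host} {key_type} {key_b64}")
    return "\n".join(kept) + "\n"


def ed25519_blob_b64(raw32: bytes) -> str:
    """RFC 4253 string framing of an ssh-ed25519 public key (sample helper)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", raw32))
    return base64.b64encode(blob).decode()


# Constructed sample data: the key a new instance reported, and a file that
# still trusts the previous instance's key for the same floating IP.
NEW_KEY = ed25519_blob_b64(bytes(range(32)))
OLD_KEY = ed25519_blob_b64(bytes([0xAA] * 32))
SAMPLE_KNOWN_HOSTS = (
    "# trusted hosts\n"
    f"10.0.0.5 ssh-ed25519 {OLD_KEY}\n"
    f"bastion.example.org,10.0.0.5 ssh-ed25519 {OLD_KEY}\n"
)

if __name__ == "__main__":
    print(pin_host_key(SAMPLE_KNOWN_HOSTS, "10.0.0.5", "ssh-ed25519", NEW_KEY))
    print("pinned", ssh_fingerprint(NEW_KEY))
```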
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
