I think that people are scared of the rootkit-like behavior of an arbitrary file injection mechanism. Compromise nova-compute, and now you can trivially compromise every guest in the whole cloud.
In some sense that's irrational - I'm sure that there are lots of ways that you can gain control of a guest, once you've compromised nova-compute. That said, we shouldn't make it easy for people, and what you're proposing would be one of the easiest of the lot.

I think that someone should think long and hard about security before we add a simple way to inject arbitrary files into a guest.

Cheers,

Ewan.

From: openstack-bounces+ewan.mellor=citrix....@lists.launchpad.net [mailto:openstack-bounces+ewan.mellor=citrix....@lists.launchpad.net] On Behalf Of McNally, Dave
Sent: 14 December 2011 06:04
To: openstack@lists.launchpad.net
Subject: [Openstack] Metadata and File Injection

Hi,

I've recently been looking at file and metadata injection in Nova and I have a question relating to it. (BTW this is based off what I have seen in nova/virt/disk.py)

I notice that for key/value pairs specified as metadata during boot of an instance these values are injected into a file /meta.js in the instance. However, if a file (and corresponding injection location) are specified when booting the instance, the file does not get injected. I was wondering if there was an intentional decision not to use a similar method to that used when injecting meta.js to inject other files? Because it seems to me the addition of such functionality would be fairly straightforward.

Also, on a vaguely related note, why is the metadata injected into a file rather than stored in a location where it can be retrieved from the metadata service?

Thanks,

Dave
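The concern raised in the reply is that a host-side mechanism which writes arbitrary files into a guest turns a compromised nova-compute into a foothold in every guest. As an added example (not Nova's code, and not code from either poster), here is a defender-side validator that a hypothetical injection step could run before touching the guest image: it confines target paths to a small allowlist of guest locations, rejects relative paths and traversal components, and caps payload size. The allowlist, the size limit, the function names and the sample requests are all constructed for this example.

```python
import posixpath

# Constructed policy for this example (not Nova's real configuration):
# the fixed metadata file the thread mentions, a few guest directories
# into which injection is permitted, and a payload cap.
FIXED_FILES = ("/meta.js",)
ALLOWED_DIRS = ("/etc/nova-inject", "/home/ubuntu/.ssh")
MAX_BYTES = 64 * 1024


def normalize_guest_path(path):
    """Return a canonical absolute guest path, or None if the request is unsafe.

    Relative paths are refused because they would resolve against an unknown
    working directory; ".." components are refused outright rather than
    collapsed, since a legitimate injection request has no reason to use them.
    """
    if not path.startswith("/") or "\x00" in path:
        return None
    if ".." in path.split("/"):
        return None
    # Collapse "." components and repeated slashes. posixpath keeps a leading
    # "//" as-is, so such a path will simply fail the allowlist check below.
    return posixpath.normpath(path)


def is_allowed_target(norm):
    """True if a normalized path is one of the fixed files or lies inside an allowed dir."""
    if norm in FIXED_FILES:
        return True
    for d in ALLOWED_DIRS:
        if norm != d and norm.startswith(d + "/"):
            return True
    return False


def plan_injection(requests):
    """Split requested (path, content) pairs into accepted and rejected lists.

    Returns (accepted, rejected); accepted entries carry the normalized path,
    rejected entries carry the original path and a reason string.
    """
    accepted, rejected = [], []
    for path, content in requests:
        norm = normalize_guest_path(path)
        if norm is None:
            rejected.append((path, "path is relative or contains traversal"))
        elif not is_allowed_target(norm):
            rejected.append((path, "path outside the injection allowlist"))
        elif len(content) > MAX_BYTES:
            rejected.append((path, "payload exceeds size limit"))
        else:
            accepted.append((norm, content))
    return accepted, rejected


# Constructed sample requests: two legitimate, three that should be refused.
SAMPLE_REQUESTS = [
    ("/meta.js", b'{"role": "web"}'),
    ("/home/ubuntu/.ssh/authorized_keys", b"ssh-ed25519 AAAA-constructed-key"),
    ("/etc/nova-inject/../../etc/motd", b"traversal attempt"),
    ("etc/motd", b"relative path"),
    ("/etc/nova-inject/oversized", b"x" * (MAX_BYTES + 1)),
]

if __name__ == "__main__":
    ok, bad = plan_injection(SAMPLE_REQUESTS)
    for norm, _ in ok:
        print("accept", norm)
    for path, reason in bad:
        print("reject", path, "-", reason)
```

A string-level check like this only bounds what the caller may ask for; the code that actually writes into the mounted image still has to refuse to follow symlinks inside the guest filesystem, otherwise an allowlisted path can resolve to somewhere else entirely. The point of the validator is to make the injection surface explicit and reviewable, so that adding "any file, any path" is a deliberate decision rather than a side effect.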
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp