On Wed, Oct 31, 2012 at 06:17:29PM -0700, Joshua Harlow wrote:
> Just fyi, the cloud-init format 'spec' has something similar that bypasses
> the file injection (which is a bad/insecure/incompatible concept that
> needs to be gotten rid of imho) by having the following syntax it
> understands:
>
> http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/view/head:/doc/examples/cloud-config-user-groups.txt

The cloud-init stuff works via the user-data attribute available from
the metadata server. This makes it unsuitable for security
credentials, since *anyone* on the instance can query the metadata
server.

Injection via files on a configuration disk seems to me the best way
to handle security credentials like this, because disks in many cases
require privileges to mount on a system and the configuration script
can delete the credentials file after processing it.

> Is there any way a Windows version of cloud-init could be done, either
> ported, or patched, or a service like cloud-init could be added to Windows
> images (using a startup program in the Windows image that could just be a
> call-out to a python interpreter or something different...).

As I said, this is pretty much what we're doing to provision an ssh
key for administrator access to our Windows host.

-- 
Lars Kellogg-Stedman <l...@seas.harvard.edu> |
Senior Technologist                          | http://ac.seas.harvard.edu/
Academic Computing                           | http://code.seas.harvard.edu/
Harvard School of Engineering                |
  and Applied Sciences                       |
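
Added example, not part of the original message or of any project's code: a sketch of the "process the credentials file, then delete it" step for a configuration disk that the caller has already mounted. The file name `admin_key.pub`, the paths and the function name are hypothetical, and the owner-only file mode assumes a POSIX system.

```python
import os
import stat
import tempfile
from pathlib import Path


def consume_injected_key(mount_point, dest, name="admin_key.pub"):
    """Install the public key at <mount_point>/<name> into dest, then delete it.

    Returns (installed, source_removed). `name` is a hypothetical file name.
    """
    src = Path(mount_point) / name
    dest = Path(dest)
    # Only accept a regular file: a symlink on the disk could point elsewhere.
    if not stat.S_ISREG(os.lstat(src).st_mode):
        raise ValueError(f"{src} is not a regular file")
    key = src.read_text().strip()
    if not key or "\n" in key:
        raise ValueError("expected exactly one key line")

    dest.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    existing = dest.read_text().splitlines() if dest.exists() else []
    installed = key not in existing
    if installed:
        # mkstemp creates the file owner-only (0600 on POSIX); os.replace swaps it in.
        fd, tmp = tempfile.mkstemp(dir=dest.parent)
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(existing + [key]) + "\n")
        os.replace(tmp, dest)

    # Delete the injected copy after processing, as the message describes.
    try:
        src.unlink()
        removed = True
    except OSError:
        removed = False  # e.g. read-only media: report it, do not hide it
    return installed, removed


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stands in for the mounted disk
        mnt = Path(d, "mnt")
        mnt.mkdir()
        # Constructed sample key line, not a real key.
        (mnt / "admin_key.pub").write_text("ssh-ed25519 AAAAconstructed admin@example\n")
        print(consume_injected_key(mnt, Path(d, "home", ".ssh", "authorized_keys")))
```

Mounting the configuration disk is left to the caller, since that is the step that needs privileges. A `False` second value means the credentials file is still on the disk.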