On 2016-04-06 18:33:06 +0300 (+0300), Igor Belikov wrote:
[...]
> I suppose there are security issues when we talk about running
> custom code on bare metal slaves, but I'm not sure I understand
> the difference from running custom code on a virtual machine if
> bare metal nodes are isolated, don't contain any sensitive data
> and follow a regular redeployment procedure.
[...]
With a virtual machine, you can delete it and create a new one. Nothing remains behind. With a physical machine, arbitrary code running in the scope of a test with root access can do _nasty_ things like backdoor your server firmware with shims that even masquerade as the firmware updater and persist through redeployments that include firmware refreshes. Physical servers persist, and are therefore vulnerable in this scenario in ways which virtual servers are not.

-- 
Jeremy Stanley

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev