What exactly is the security concern of the metadata service? Perhaps those concerns can be addressed directly?
I ask because anything that requires special software on the guest is a non-starter IMO. virtio is a Linux thing, so what does this do for users of Windows? FreeBSD? etc.

Excerpts from Artom Lifshitz's message of 2017-02-20 13:22:36 -0500:
> We've been having a discussion [1] in openstack-dev about how to best
> expose dynamic metadata that changes over a server's lifetime to the
> server. The specific use case is device role tagging with hotplugged
> devices, where a network interface or volume is attached with a role
> tag, and the guest would like to know what that role tag is right
> away.
>
> The metadata API currently fulfills this function, but my
> understanding is that it's not hugely popular amongst operators and is
> therefore not universally deployed.
>
> Dan Berrange came up with an idea [2] to add virtio-vsock support to
> Nova. To quote his explanation, "think of this as UNIX domain sockets
> between the host and guest. [...] It'd likely address at least some
> people's security concerns wrt metadata service. It would also fix the
> ability to use the metadata service in IPv6-only environments, as we
> would not be using IP at all."
>
> So to those operators who are not deploying the metadata service -
> what are your reasons for doing so, and would those concerns be
> addressed by Dan's idea?
>
> Cheers!
>
> [1] http://lists.openstack.org/pipermail/openstack-dev/2017-February/112490.html
> [2] http://lists.openstack.org/pipermail/openstack-dev/2017-February/112602.html

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
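To make the "UNIX domain sockets between the host and guest" idea concrete, here is an added example (not code from this thread, from Nova, or from Dan Berrange's proposal) of a host-side metadata server and a guest-side client talking over a plain stream socket. The transport is AF_VSOCK where the Python build exposes it, and the identical code runs over AF_UNIX so it can be exercised on one machine without a VM. The length-prefixed JSON framing, the `get` request shape, and the device/role-tag document served are all assumptions made for the example; the point it shows is that the host learns which guest is asking from the socket's peer address (the guest CID under vsock) rather than from an IP address that has to be routed, filtered and spoof-proofed.

```python
"""Added example, not Nova code: a host<->guest metadata channel over a
stream socket (AF_VSOCK when available, AF_UNIX for local testing).
Framing, request shape and the role-tag document are assumptions."""
import json
import os
import socket
import struct
import tempfile
import threading

# Constructed sample of what the host would serve for one instance:
# hot-plugged devices carrying role tags, as in the device-tagging use case.
SAMPLE_DEVICE_METADATA = {
    "devices": [
        {"type": "nic", "bus": "pci", "address": "0000:00:03.0",
         "mac": "fa:16:3e:00:00:01", "tags": ["mgmt"]},
        {"type": "disk", "bus": "pci", "address": "0000:00:04.0",
         "serial": "vol-0001", "tags": ["db-data"]},
    ]
}

HAVE_VSOCK = hasattr(socket, "AF_VSOCK")  # Linux-only in CPython


def send_msg(sock, obj):
    """Length-prefixed JSON: 4-byte big-endian length, then the body."""
    body = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(body)) + body)


def recv_exact(sock, n):
    """Read exactly n bytes or fail if the peer closes mid-frame."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf


def recv_msg(sock, max_len=1 << 20):
    """Read one framed message; refuse oversized frames instead of buffering."""
    (n,) = struct.unpack("!I", recv_exact(sock, 4))
    if n > max_len:
        raise ValueError("frame too large: %d" % n)
    return json.loads(recv_exact(sock, n))


def serve_once(listener, metadata):
    """Host side: answer a single 'get' request from one connected guest."""
    conn, peer = listener.accept()
    with conn:
        req = recv_msg(conn)
        if req.get("op") != "get":
            send_msg(conn, {"error": "unsupported op"})
            return
        # Under AF_VSOCK, peer is (cid, port): the hypervisor-assigned CID
        # identifies the VM with no IP addressing involved. Under AF_UNIX
        # an unnamed client shows up as an empty string.
        send_msg(conn, {"peer": list(peer) if isinstance(peer, tuple) else peer,
                        "metadata": metadata})


def fetch_role_tags(family, address):
    """Guest side: connect, request metadata, return {tag: [device address]}."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.connect(address)
        send_msg(s, {"op": "get"})
        resp = recv_msg(s)
    tags = {}
    for dev in resp["metadata"]["devices"]:
        for tag in dev["tags"]:
            tags.setdefault(tag, []).append(dev["address"])
    return tags


def demo_over_unix_socket(metadata=SAMPLE_DEVICE_METADATA):
    """Run the host and guest halves in one process over AF_UNIX."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "md.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(1)
    server = threading.Thread(target=serve_once, args=(listener, metadata))
    server.start()
    try:
        return fetch_role_tags(socket.AF_UNIX, path)
    finally:
        server.join()
        listener.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(demo_over_unix_socket())
    if HAVE_VSOCK:
        # A real host would bind (socket.VMADDR_CID_ANY, port) and the guest
        # would connect to (socket.VMADDR_CID_HOST, port) with the same code.
        print("AF_VSOCK available on this platform")
```

Swapping `socket.AF_UNIX` for `socket.AF_VSOCK` and the path for a `(cid, port)` tuple is the only change between the local test and a real host/guest deployment, which is what makes the proposal attractive for IPv6-only clouds: nothing in the exchange depends on the guest having an address at all. It does not, however, answer the question raised above about guests without a vsock driver; the guest half still needs a kernel that speaks the transport.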