On Mon, Feb 20, 2017 at 02:36:15PM -0500, Clint Byrum wrote:
> What exactly is the security concern of the metadata service? Perhaps
> those concerns can be addressed directly?
>
> I ask because anything that requires special software on the guest is
> a non-starter IMO. virtio is a Linux thing, so what does this do for
> users of Windows? FreeBSD? etc.

Red Hat is investing in creating virtio vsock drivers for Windows but I don't have an ETA for that yet. There's no work in *BSD in this area that I know of, but BSD does have support for virtio in general, so if virtio-vsock becomes used in any important places I would not be surprised if some BSD developers implemented vsock too.

In any case, I don't think it necessarily needs to be supported in every single possible scenario. The config drive provides the same data in a highly portable manner, albeit with the caveat about it being read-only. The use of metadata service (whether TCP or vsock based) is useful for cases needing the info from config drive to be dynamically updated - eg the role device tagging metadata. Only a very small subset of guests running on openstack actually use that data today. So it would not be the end of the world if some guests don't support vsock in the short to medium term - if the facility proves to be critically important to a wider range of guests that'll motivate developers of those OS to support it.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators