On Fri, Sep 18, 2015 at 10:10:22AM -0400, J-P Methot wrote: > Hi, > > I have a question regarding the VFSLocalFS mechanism for password > injection. Basically, because of our infrastructure, we can't use > libguestfs for password injection and we do not want to inject password > through metadata. This leads us to use the openstack VFSLocalFS > mechanism for password injection.
NB, using VFSLocalFS is only suitable if you trust your guest disk images. Since it uses the host kernel to mount the guest filesystem, a malicious guest filesystem can exploit the host kernel. This is not just theoretical as there have been exploits in mainstream FS like ext3/4 before, not to mention all the obscure filesystem drivers linux has that few people probably audited. > Now, the issue I got is that, on some images, password injection with > VFSLocalFS will work, while on others, it won't. This is not even OS > related, as on one image of debian 8 that I made myself it won't work, > but on the official image it will work. I'd compare the way the images are partitioned, as that's most likely difference to cause some images to work and some fail. > What is the requirement for VFSLocalFS to work? The compute logs do not > show any error, so I'm thinking it can only be because of something > inside the images I'm using. It needs qemu-nbd to support qcow2 images, or loop devices to support raw files. It needs kpartx to support images containing LVM parititions. It is also sensitive to the 'inject_partition' nova.conf setting. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
