Public bug reported:

We'd like to support configdrive in Libvirt+LXC so that we can use cloud-init to configure guest networking, inject SSH keys, etc.

Currently configdrive uses block devices which are attached to the VM and then are mounted by the guest. For LXC our requirements are:

* We'd like to avoid using blockdevices (CAP_SYS_MOUNT may be dropped within a guest...not stock Libvirt, but it's possible we'd like to support that use case eventually)
* We'd like to avoid bind-mounts. Recent security concerns around bind-mount have surfaced where a user could traverse to the top of a bind-mounted FS. (User namespaces mitigated this, but we'd like to be extra-safe)

The proposed implementation:

* Adds an `fs` configdrive type that just drops the config-drive information into a directory on the host, avoiding the creation of a blockdevice
* Moves that config-drive directory into the root filesystem of the guest at spawn time.

** Affects: nova
   Importance: Undecided
   Assignee: Rick Harris (rconradharris)
   Status: In Progress

** Changed in: nova
   Assignee: (unassigned) => Rick Harris (rconradharris)

** Changed in: nova
   Status: New => In Progress

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1340834

Title:
  Support configdrive in LXC

Status in OpenStack Compute (Nova):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1340834/+subscriptions
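The two steps proposed above (write the config-drive content as plain files on the host, then place that directory inside the guest's root filesystem at spawn time) are sketched below as an added, stand-alone example; it is not nova's code and not the patch the bug tracks. It assumes the standard config-drive layout `openstack/latest/meta_data.json` and `openstack/latest/user_data`, and assumes cloud-init's seed location `/var/lib/cloud/seed/config_drive` as the guest-side destination; neither path is stated in the bug. Because the destination lives inside an image the tenant controls, the copy refuses to proceed when any component of the destination path resolves outside the rootfs (a symlink planted in the image) or when the destination already exists, which is the same class of traversal the reporter wants to keep away from.

```python
import json
import os
import shutil
import tempfile

# Assumed config-drive layout (not specified in the bug report).
CONFIGDRIVE_LATEST = os.path.join("openstack", "latest")
# Assumed guest-side location cloud-init's ConfigDrive datasource reads as a seed dir.
GUEST_SEED_PATH = os.path.join("var", "lib", "cloud", "seed", "config_drive")


def build_configdrive_dir(dest_dir, meta_data, user_data=None):
    """The proposed `fs` type: write config-drive content as plain files
    under dest_dir on the host instead of building a block device image."""
    latest = os.path.join(dest_dir, CONFIGDRIVE_LATEST)
    os.makedirs(latest, exist_ok=True)
    with open(os.path.join(latest, "meta_data.json"), "w") as fh:
        json.dump(meta_data, fh)
    if user_data is not None:
        with open(os.path.join(latest, "user_data"), "w") as fh:
            fh.write(user_data)
    return latest


def _resolves_within(path, root):
    """True only if path, after resolving every symlink in it, is under root."""
    real_root = os.path.realpath(root)
    return os.path.commonpath([os.path.realpath(path), real_root]) == real_root


def inject_configdrive(configdrive_dir, rootfs, guest_path=GUEST_SEED_PATH):
    """Place the config-drive directory into the guest rootfs at spawn time.

    The rootfs comes from a tenant-supplied image, so a symlink anywhere in
    the destination path could redirect the copy to a host location. Refuse
    unless the fully resolved destination stays inside rootfs and nothing
    already occupies it."""
    target = os.path.join(rootfs, guest_path)
    if os.path.lexists(target):
        raise ValueError("config-drive destination already exists in rootfs")
    if not _resolves_within(target, rootfs):
        raise ValueError("config-drive destination resolves outside rootfs")
    os.makedirs(os.path.dirname(target), exist_ok=True)
    # symlinks=True keeps any link inside the drive as a link rather than
    # dereferencing it on the host.
    shutil.copytree(configdrive_dir, target, symlinks=True)
    return target


def demo():
    """Constructed sample run: a fake instance, a fake rootfs, and a second
    rootfs whose seed directory is a symlink pointing outside it."""
    with tempfile.TemporaryDirectory() as work:
        drive = os.path.join(work, "configdrive")
        build_configdrive_dir(
            drive,
            {"uuid": "00000000-0000-4000-8000-000000000000",  # constructed
             "hostname": "lxc-guest"},
            "#cloud-config\n",
        )

        rootfs = os.path.join(work, "rootfs")
        os.makedirs(os.path.join(rootfs, "etc"))
        target = inject_configdrive(drive, rootfs)
        with open(os.path.join(target, CONFIGDRIVE_LATEST, "meta_data.json")) as fh:
            meta = json.load(fh)

        # Image whose /var/lib/cloud/seed is a symlink escaping the rootfs.
        bad_rootfs = os.path.join(work, "rootfs2")
        os.makedirs(os.path.join(bad_rootfs, "var", "lib", "cloud"))
        os.symlink(work, os.path.join(bad_rootfs, "var", "lib", "cloud", "seed"))
        try:
            inject_configdrive(drive, bad_rootfs)
            escape_blocked = False
        except ValueError:
            escape_blocked = True

        return {
            "hostname": meta["hostname"],
            "target_inside_rootfs": _resolves_within(target, rootfs),
            "escape_blocked": escape_blocked,
        }


if __name__ == "__main__":
    print(demo())
```

The copy is a plain file copy, so the guest sees ordinary files owned by whatever the spawn code chooses; no mount, CAP_SYS_ADMIN or bind-mount is involved, which is the property the bug report is after. The check on the destination is the part a reviewer should insist on: the host writes into a tree the tenant shaped.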