[virt-tools-list] virt-install and cloud-init, feedback wanted
Christian Ehrhardt
christian.ehrhardt at canonical.com
Thu Nov 21 11:04:11 UTC 2019
On Thu, Nov 21, 2019 at 11:52 AM Florian Weimer <fweimer at redhat.com> wrote:
>
> * Daniel P. Berrangé:
>
> >> This goes probably in a different direction of what has been implement
> >> so far, but would it actually harm to enable the network-based
> >> instance-data injection by default? The advantage would be that it also
> >> blocks these requests from leaking to untrusted parties, which could
> >> then serve bogus data to compromise the virtual machine.
> >
> > I don't understand what you mean by leaking data to untrusted parties
> > here in contetx of config drive ? I've considerd the config drive to
> > be more secure / less risky than network service.
>
> I'm assuming that cloud-init will try all sources in parallel, given
> that there's a delay for both the network coming about and hardware
> being detected.
Hi,
there are many controls to that. By default it is most configurable,
but you can set it to your needs of e.g. only local data sources.
As outlined by Daniel already this is pretty safe, but if still
concerned about it, you can control it [1]:
- image builders can disable things by a drop in file that controls
which sources are queried
- local users can control it via kernel-commandline (which most tools
provide an option to append things to)
You can also use this to speed up boots skipping the otherwise
required network probing timeouts.
[1]: https://github.com/canonical/cloud-init/blob/master/tools/ds-identify
> Thanks,
> Florian
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
More information about the virt-tools-list
mailing list