[virt-tools-list] virt-install and cloud-init, feedback wanted

Florian Weimer fweimer at redhat.com
Thu Nov 21 11:51:23 UTC 2019


* Daniel P. Berrangé:

>> The instance-data DNS lookup is typically forwarded to the DNS root
>> servers.  Local resolvers will only filter it if they are
>> DNSSEC-enabled.
>> 
>> I have argued for a long time that separate cloud and local KVM images
>> are needed because the cloud images are dangerous in a non-cloud
>> environment, but so far without success.
>
> Libvirt has support for per-guest NIC network filters and ships with
> a "clean-traffic" filter that blocks ARP, IP & MAC spoofing. We could
> use this feature as a way to block access to the cloud-init metadata
> service IP address if desired.

And also teach dnsmasq about instance-data somehow.

(I would have thought that the HTTP-based injection would have been
easier to implement than the ISO-based approach, by the way, with
additional future functionality being possible, such as notifications in
the virt-manager UI when a new VM has configured itself.)

Thanks,
Florian
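
Added example, not part of the original message and not a filter shipped with libvirt: one way to configure the two mitigations raised in this thread on a local libvirt host. The filter name `clean-traffic-no-metadata`, the `default` network, and the address 169.254.169.254 (the link-local address commonly used for cloud metadata services, which the thread does not name) are assumptions.

```xml
<!-- Added example; values marked "assumed" or "hypothetical" are not from the thread. -->

<!-- 1. nwfilter definition, loaded with: virsh nwfilter-define FILE
     Keeps the protections of the shipped clean-traffic filter and
     additionally drops guest-originated IPv4 traffic to the metadata address. -->
<filter name='clean-traffic-no-metadata'>  <!-- hypothetical name -->
  <filterref filter='clean-traffic'/>
  <rule action='drop' direction='out'>
    <!-- assumed metadata service address -->
    <all dstipaddr='169.254.169.254'/>
  </rule>
</filter>

<!-- 2. Guest NIC in the domain XML: the filter is attached per interface. -->
<interface type='network'>
  <source network='default'/>  <!-- assumed network name -->
  <filterref filter='clean-traffic-no-metadata'/>
</interface>

<!-- 3. libvirt network XML: pass an option through to the dnsmasq instance
     libvirt runs for this network, so that "instance-data" is answered
     locally (hosts/DHCP only) and never forwarded upstream.
     Requires a libvirt version that supports the dnsmasq options namespace. -->
<network xmlns:dnsmasq='http://libvirt.org/schemas/network/dnsmasq/1.0'>
  <name>default</name>
  <!-- existing bridge, ip and dhcp elements stay unchanged -->
  <dnsmasq:options>
    <dnsmasq:option value='local=/instance-data/'/>
  </dnsmasq:options>
</network>
```

After restarting the network and the guest, a lookup of `instance-data` inside the guest should fail without leaving the host, and an HTTP request to the metadata address should time out.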




