openstack team mailing list archive

Re: OS API server password generation

 

Of all the bootstrapping mechanisms I have encountered, the AWS model still remains the best. Specifically, with the guest OS pulling the keys from a trusted platform source.

Any mechanism that requires an agent or requires any ability of the hypervisor or cloud platform to inject a password creates trust issues. In particular, the hypervisor and platform should avoid operations that reach into the guest. The guest should have the option of complete control over its data.

-George

On Mar 3, 2011, at 7:16 AM, Ed Leafe wrote:

> On Mar 2, 2011, at 11:41 PM, Mark Washenberger wrote:
> 
>> To your main point, I share your desire to be able to turn off password injection during instance creation. (For clarity, I'm assuming that your preference is to create the vm with no root password and only ssh keys as a means of access.) I guess the main problem with this is that it isn't in the 1.[01] spec so we'd need to agree on a sensible way of adding it to the api.
>> 
>> Does anyone know if it would create any compatibility problems to support an optional "disable_admin_pass": "True" attribute to the /servers POST request? Are there any reasons other than compatibility to require an adminPass to always be set?
> 
> 	Right now password injection is a function of the guest agent running under XenServer; there is no way of setting this directly from nova. So if you're not running XenServer, or not running the guest agent (still being developed), there is no password setting being done.
> 
> 	Alternatively, you could create a separate guest agent that expects a user's public key, writes that to the VM, and disables SSH, so that your instances are created with the security scheme that you want.
> 
> 
> 
> -- Ed Leafe

--
George Reese - Chief Technology Officer, enStratus
e: george.reese@xxxxxxxxxxxxx    t: @GeorgeReese    p: +1.207.956.0217    f: +1.612.338.5041
enStratus: Governance for Public, Private, and Hybrid Clouds - @enStratus - http://www.enstratus.com
To schedule a meeting with me: http://tungle.me/GeorgeReese
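
The guest-pull model described in this message, as an added example (not code from the thread or from nova): the guest itself fetches a public key, validates it, and installs it, so nothing on the platform side reaches into the guest. `fetch` is a hypothetical callable standing in for whatever trusted platform source the guest queries, and `CONSTRUCTED_KEY` is constructed sample data, not a real key.

```python
import base64
import os
import struct
import tempfile

def _constructed_key():
    # Constructed sample: well-formed ssh-ed25519 wire format with an all-zero key body.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

CONSTRUCTED_KEY = _constructed_key()

def parse_openssh_pubkey(line):
    """Return the key type of one well-formed OpenSSH public key line, else raise ValueError."""
    if "\n" in line or "\r" in line:
        raise ValueError("expected exactly one key line")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = parts[0], parts[1]
    blob = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key body too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The body begins with a length-prefixed copy of the key type; the two must agree.
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key body")
    return key_type

def install_key(fetch, ssh_dir):
    """Guest-initiated pull: call fetch(), validate, append to authorized_keys. True if added."""
    line = fetch().strip()
    parse_openssh_pubkey(line)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    path = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(path):
        with open(path) as f:
            if line in (existing.strip() for existing in f):
                return False  # already installed; keep the step idempotent
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(line + "\n")
    os.chmod(path, 0o600)  # sshd's StrictModes rejects group/world-writable key files
    return True

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        print(install_key(lambda: CONSTRUCTED_KEY, os.path.join(home, ".ssh")))
```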


