
openstack team mailing list archive

Re: Comparing OpenStack to OpenNebula


On Monday, February 25, 2013 05:59:02 PM andi abes wrote:
> On Mon, Feb 25, 2013 at 5:46 PM, Shawn Starr <shawn.starr@xxxxxxxxxx> wrote:
> > On Monday, February 25, 2013 10:34:11 PM Jeremy Stanley wrote:
> > > On 2013-02-25 06:20 -0500 (-0500), Shawn Starr wrote:
> > > [...]
> > > 
> > > > I see no options on how to control what nova-compute nodes can be
> > > > 'provisioned' into an OpenStack cloud, I'd consider that a
> > > > security risk (potentially) if any computer could just register to
> > > > become a nova-compute?
> > > 
> > > [...]
> > > 
> > > On 2013-02-25 11:42:47 -0500 (-0500), Shawn Starr wrote:
> > > > I was hoping in future we could have a mechanism via mac address
> > > > to restrict which hypervisor/nova-computes are able to join the
> > > > cluster.
> > > 
> > > [...]
> > > 
> > > It bears mention that restricting by MAC is fairly pointless as
> > > security protections go. There are a number of tricks an adversary
> > > can play to rewrite the system's MAC address or otherwise
> > > impersonate other systems at layer 2. Even filtering by IP address
> > > doesn't provide you much protection if there are malicious actors
> > > within your local broadcast domain, but at least there disabling
> > > learning on switches or implementing 802.1x can buy some relief.
> > > 
> > > Extending the use of MAC address references from the local broadcast
> > > domain where they're intended to be relevant up into the application
> > > layer (possibly across multiple routed hops well away from their
> > > original domain of control) makes them even less effective of a
> > > system identifier from a security perspective.
> > 
> > Hi Jeremy,
> > 
> > Of course, one can modify/spoof the MAC address and/or assign themselves
> > an IP. It is more so that new machines aren't immediately added to the
> > cluster and start launching VM instances without explicitly being enabled
> > to do so. In this case, I am not concerned about impersonators on the
> > network trying to join the cluster.
> > 
> > Thanks,
> > Shawn
> > 
> If you're deploying multiple clusters, are you using different passwords
> for each? Different MySQL connection strings? Different IP addresses for the
> controller and MQ?
> 
> Assuming the answer to any of those is yes, then a nova compute won't just
> "connect to the cluster".
> If you look at the nova.conf file, you'll see that there are lots of
> cluster-specific bits of info in it that should completely assure you that
> compute nodes won't just connect to the wrong cluster.

Single cluster, assuming I get an initramfs built of a nova compute to PXE boot
it. It will have its nova.conf configured to join the cluster.

If I had multiple ones, I'd use dhcp.conf to choose which initramfs image
(based on MAC if I'm testing something, or the network range it's on) to PXE
boot the nova compute and it would join the correct cluster.

Thanks,
Shawn
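The PXE selection described above (one initramfs per cluster, chosen by network range, with a MAC-based override for testing) written out as an ISC dhcpd.conf fragment; this is an added example, not configuration from the original thread, and the TFTP host, subnets, boot paths and MAC address are assumptions.

```conf
# Constructed ISC dhcpd.conf fragment (example only, not from the thread).
# Each subnet hands out a cluster-specific PXELINUX boot path; PXELINUX then
# reads pxelinux.cfg/ from that same directory, which names the kernel and
# the initramfs carrying that cluster's nova.conf (controller/MQ address,
# database connection string, service passwords).
authoritative;
default-lease-time 600;
max-lease-time 7200;

# TFTP host serving pxelinux.0 and the initramfs images (assumed name).
next-server pxe.example.internal;

# Compute nodes on 10.10.0.0/24 boot the cluster-a image.
subnet 10.10.0.0 netmask 255.255.255.0 {
  range 10.10.0.100 10.10.0.199;
  option routers 10.10.0.1;
  filename "cluster-a/pxelinux.0";   # loads cluster-a/pxelinux.cfg/default
}

# Compute nodes on 10.20.0.0/24 boot the cluster-b image.
subnet 10.20.0.0 netmask 255.255.255.0 {
  range 10.20.0.100 10.20.0.199;
  option routers 10.20.0.1;
  filename "cluster-b/pxelinux.0";   # loads cluster-b/pxelinux.cfg/default
}

# MAC-based override, as used in the thread for testing: one lab box gets a
# scratch image regardless of which subnet it sits on.
host lab-compute01 {
  hardware ethernet 52:54:00:12:34:56;   # constructed address
  filename "cluster-test/pxelinux.0";
}
```

Each cluster-* directory on the TFTP host holds its own pxelinux.cfg/default pointing at that cluster's kernel and initramfs, so a node that boots from the wrong directory simply fails to reach its controller rather than joining another cluster.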
