There is an assumption that you've got solid network security on the path between your guests and your nova-API. Either because you've got a secure network path, or you run the neutron proxy server on the host itself, and so this is a no-hop call. Because this is a bootstrapping problem, and the guests are coming up blank and *asking* the service how they should be configured, it's kind of hard to have generically better security than that. A lot of how that path is configured is very specific to the deployment's networking setup and topology, so the options are on the table without a specific recommendation.
If you still have concerns about that, it's always possible to bake your own config management daemon into your images, and pull more sensitive data via a certificate-secured model. You do then have to manage certificate rotation in guest images, but that moves the bootstrapping problem elsewhere.

-Sean

On 10/03/2017 06:00 PM, Giuseppe de Candia wrote:
> Hi Folks,
>
> Are there any documented conventions regarding the security model for
> MetaData?
>
> Note that CloudInit allows passing user and ssh service public/private
> keys via MetaData service (or ConfigDrive). One assumes it must be
> secure, but I have not found a security model or documentation.
>
> My understanding of the Neutron reference implementation is that
> MetaData requests are HTTP (not HTTPS) and go from the VM to the
> MetaData proxy on the Network Node (after which they are proxied to Nova
> meta-data API server). The path from VM to Network Node using HTTP
> cannot guarantee confidentiality and is also susceptible to
> Man-in-the-Middle attacks.
>
> Some Neutron drivers proxy Metadata requests locally from the node
> hosting the VM that makes the query. I have mostly seen this
> presented/motivated as a way of removing dependency on the Network node,
> but it should also increase security. Yet, I have not seen explicit
> discussions of the security model, nor any attempt to set a standard for
> security of the meta-data.
>
> Finally, there do not seem to be granular controls over what meta-data
> is presented over ConfigDrive (when enabled) vs. meta-data REST API. As
> an example, Nova vendor data is presented over both, if both are
> enabled; config drive is presumably more secure.
>
> thanks,
> Pino
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-- 
Sean Dague
http://dague.net
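Added example (not code from Neutron, Nova, or either poster), modelling the trust boundary the thread is discussing: the metadata proxy identifies the calling VM purely from its source IP on a known network, then forwards to Nova with an X-Instance-ID header and an HMAC-SHA256 X-Instance-ID-Signature keyed with metadata_proxy_shared_secret, which Nova recomputes and compares in constant time. The port table, secret, instance IDs and addresses are constructed sample data; the function names are this example's own. It shows why a guest cannot claim another instance's identity by setting headers, and also why the guest-to-proxy hop (HTTP, identity derived from the source address) is the part Sean says you must protect at the network level.

```python
"""Model of the Neutron metadata proxy -> Nova metadata API trust boundary.

Added example, not project code. Constructed sample data throughout.
"""
import hashlib
import hmac

# Constructed sample data: shared secret and a tiny "port database".
SHARED_SECRET = b"constructed-example-shared-secret"
PORTS = {
    # (network_id, fixed_ip) -> (instance_id, tenant_id)
    ("net-a", "10.0.0.5"): ("inst-1111", "tenant-x"),
    ("net-a", "10.0.0.6"): ("inst-2222", "tenant-y"),
}


def sign_instance_id(secret: bytes, instance_id: str) -> str:
    """HMAC-SHA256 hex digest over the instance id, keyed with the shared secret."""
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def proxy_forward(secret: bytes, network_id: str, source_ip: str, guest_headers: dict):
    """Proxy side. The caller's identity comes only from the (network, source IP)
    lookup; whatever X-Instance-ID the guest itself sent is ignored.
    Returns the headers forwarded to Nova, or None (proxy answers 404)."""
    try:
        instance_id, tenant_id = PORTS[(network_id, source_ip)]
    except KeyError:
        return None
    return {
        "X-Forwarded-For": source_ip,
        "X-Instance-ID": instance_id,
        "X-Tenant-ID": tenant_id,
        "X-Instance-ID-Signature": sign_instance_id(secret, instance_id),
    }


def nova_verify(secret: bytes, headers: dict):
    """Nova side. Recompute the signature for the claimed instance id and compare
    in constant time. Returns the trusted instance id, or None (Nova answers 403)."""
    instance_id = headers.get("X-Instance-ID", "")
    expected = sign_instance_id(secret, instance_id)
    if not hmac.compare_digest(expected, headers.get("X-Instance-ID-Signature", "")):
        return None
    return instance_id


def forged_header_attempt(secret: bytes):
    """Guest at 10.0.0.5 tries to read inst-2222's metadata by (a) sending its own
    X-Instance-ID to the proxy, and (b) rewriting the header after the proxy signed it.
    Returns (what the proxy forwarded as identity, result of the rewritten request)."""
    fwd = proxy_forward(secret, "net-a", "10.0.0.5", {"X-Instance-ID": "inst-2222"})
    tampered = dict(fwd)
    tampered["X-Instance-ID"] = "inst-2222"  # signature no longer matches
    return fwd["X-Instance-ID"], nova_verify(secret, tampered)


def spoofed_source_attempt(secret: bytes):
    """The residual risk on the HTTP hop: if an attacker can source packets as
    10.0.0.6 on net-a, the proxy will vouch for inst-2222 and Nova will accept."""
    fwd = proxy_forward(secret, "net-a", "10.0.0.6", {})
    return nova_verify(secret, fwd)


if __name__ == "__main__":
    print("honest request :", nova_verify(SHARED_SECRET,
          proxy_forward(SHARED_SECRET, "net-a", "10.0.0.5", {})))
    print("forged header  :", forged_header_attempt(SHARED_SECRET))
    print("spoofed source :", spoofed_source_attempt(SHARED_SECRET))
    print("unknown port   :", proxy_forward(SHARED_SECRET, "net-a", "10.0.0.99", {}))
```

The two attack functions make Sean's point concrete: header forgery fails at Nova because the signature is bound to the instance id the proxy looked up, while source-address spoofing on the guest-to-proxy segment succeeds, which is exactly the hop you close with a secure network path or a host-local proxy.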