----------------------------------------
> Date: Wed, 7 Aug 2013 21:15:26 +1200
> From: [email protected]
> To: [email protected]
> Subject: Re: [openstack-dev] Nova config drive rebuilding
>
> On 7 August 2013 18:42, Uri Simchoni <[email protected]> wrote:
>
>>
>> Looking at the http-based alternative, can it be made to be more secure? On 
>> my OVS-based system I was able to easily steal the metadata of another 
>> instance on the same network by changing my instance's IP address. It 
>> appears to be suitable only for publishing things to instances, but not for 
>> sharing secrets.
>
> The instance anti-spoofing rules should have prevented that - the fact
> you were able to change your instance ip (unless you fiddled behind
> nova's back in the neutron db) is a very unexpected and serious bug.
> As Scott says - file a bug.
>
OK I get it now - I was using a Noop FW driver on the compute nodes - didn't 
realize FW driver is also in charge of anti-spoofing (I thought it only 
enforces security groups)

If it's reasonably secure (anti-spoofing on the same network, L2 separation 
between networks) then I don't think I need the disk rebuild...

_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
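
The misconfiguration described in the message above (a no-op firewall driver on a compute node, which leaves anti-spoofing unenforced) can be caught with a config audit. The following is an added example, not code from the thread or from OpenStack: it assumes the `firewall_driver` option appears in the node's INI-style configs, and the file names and sample values are constructed. Which component's driver is authoritative depends on the deployment, so the node-level check only fires when no config names a filtering driver.

```python
import configparser

# Constructed sample configs; file names and values are illustrative only.
SAMPLES = {
    "nova.conf": "[DEFAULT]\nfirewall_driver = nova.virt.firewall.NoopFirewallDriver\n",
    "agent.ini": "[securitygroup]\nfirewall_driver = neutron.agent.firewall.NoopFirewallDriver\n",
}

def audit_firewall_driver(name, text):
    """Return (file, section, value, verdict) for each firewall_driver setting."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True,
        default_section="__unused__",  # treat [DEFAULT] as an ordinary section
    )
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        value = (cp[section].get("firewall_driver") or "").strip()
        if not value:
            continue  # option absent or empty in this section
        class_name = value.rsplit(".", 1)[-1].lower()
        verdict = "NOOP" if "noop" in class_name else "ok"
        findings.append((name, section, value, verdict))
    return findings

def node_lacks_filtering(configs):
    """True when no config on the node names a filtering (non-noop) driver."""
    verdicts = [f[3] for n, t in configs.items()
                for f in audit_firewall_driver(n, t)]
    return "ok" not in verdicts

if __name__ == "__main__":
    for n, t in SAMPLES.items():
        for finding in audit_firewall_driver(n, t):
            print(finding)
    print("anti-spoofing not enforced:", node_lacks_filtering(SAMPLES))
```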
