A few good points were made: * the config drive could be VFAT, in which case we can't trust what's on it because the guest has write access * if the config drive is ISO9660, we can't selectively write to it, we need to regenerate the whole thing - but in this case it's actually safe to read from (right?) * the point about the precedent being set that the config drive doesn't change... I'm not sure I 100% agree. There's definitely a precedent that information on the config drive will remain present for the entire instance lifetime (so the admin_pass won't disappear after a reboot, even if using that "feature" in a workflow seems ludicrous), but we've made no promises that the information itself will remain constant. For example, nothing says the device metadata must remain unchanged after a reboot.
Based on that here's what I propose: If the config drive is vfat, we can just update the information on it that we need to update. In the device metadata case, we write a new JSON file, overwriting the old one. If the config drive is ISO9660, we can safely read from it to fill in what information isn't persisted anywhere else, then update it with the new stuff we want to change. Then write out the new image. On Sat, Feb 18, 2017 at 12:36 PM, Dean Troyer <dtro...@gmail.com> wrote: > On Sat, Feb 18, 2017 at 10:23 AM, Clint Byrum <cl...@fewbar.com> wrote: >> But I believe Michael is not saying "it's unsafe to read the json >> files" but rather "it's unsafe to read the whole config drive". It's >> an ISO filesystem, so you can't write to it. You have to read the whole >> contents back into a directory and regenerate it. I'm guessing Michael >> is concerned that there is some danger in doing this, though I can't >> imagine what it is. > > Nova can be configured for config drive to be a VFAT filesystem, which > can not be trusted. Unfortunately this is (was??) required for > libvirt live migration to work so is likely to not be an edge case in > deployments. > > The safest read-back approach would be to generate both ISO9660 and > VFAT (if configured) and only read back from the ISO version. But > yuck, two config drive images...still better than passwords in the > database. > > dt > > -- > > Dean Troyer > dtro...@gmail.com > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- -- Artom Lifshitz __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev