Excerpts from huangdenghui's message of 2016-11-17 00:05:39 +0800: > hi > Currently, nova metadata service is proxy by metadata agent in dhcp agent > or l3 router agent, it is depended on whether network attach to router or > not. In essential, metadata agent implements a http proxy functionality by > computer node host protocal stack. In other words, it exposes host protocol > stack to vm. If vm is a attacker, it can launch a HTTP GET flood attacks. > then it may affect this computer node. I would like to hear you guy's > opinion. any comment is welcome. thanks.
Yes, it's an attack vector and should be protected and monitored as such. IMO the HTTP metadata service and the way it works is one of the worst ideas we borrowed from EC2. Config drive (which I didn't like when I first saw it, but now that I've operated clouds, I love) is a simpler system and does not present any real surface area to the users. __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev