Of all the bootstrapping mechanisms I have encountered, the AWS model still remains the best. Specifically, with the guest OS pulling the keys from a trusted platform source.
Any mechanism that requires an agent or requires any ability of the hypervisor or cloud platform to inject a password creates trust issues. In particular, the hypervisor and platform should avoid operations that reach into the guest. The guest should have the option of complete control over its data.

-George

On Mar 3, 2011, at 7:16 AM, Ed Leafe wrote:

> On Mar 2, 2011, at 11:41 PM, Mark Washenberger wrote:
>
>> To your main point, I share your desire to be able to turn off password injection during instance creation. (For clarity, I'm assuming that your preference is to create the vm with no root password and only ssh keys as a means of access.) I guess the main problem with this is that it isn't in the 1.[01] spec so we'd need to agree on a sensible way of adding it to the api.
>>
>> Does anyone know if it would create any compatibility problems to support an optional "disable_admin_pass": "True" attribute to the /servers POST request? Are there any reasons other than compatibility to require an adminPass to always be set?
>
> Right now password injection is a function of the guest agent running under XenServer; there is no way of setting this directly from nova. So if you're not running XenServer, or not running the guest agent (still being developed), there is no password setting being done.
>
> Alternatively, you could create a separate guest agent that expects a user's public key, writes that to the VM, and disables SSH, so that your instances are created with the security scheme that you want.
>
> -- Ed Leafe
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp

--
George Reese - Chief Technology Officer, enStratus
e: george.re...@enstratus.com t: @GeorgeReese p: +1.207.956.0217 f: +1.612.338.5041
enStratus: Governance for Public, Private, and Hybrid Clouds - @enStratus - http://www.enstratus.com
To schedule a meeting with me: http://tungle.me/GeorgeReese
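The "guest pulls its own key" model George prefers, and the key-only guest agent Ed sketches, both come down to the same guest-side steps: fetch the user's public key from the platform, install it into authorized_keys, and make sure no password path remains. The script below is an added example written for this thread, not code from OpenStack, nova, XenServer or enStratus. The metadata URL is AWS's documented IMDSv1 path (newer instances may require an IMDSv2 session token first, which this script does not request); the function names, file paths, and the BOOTSTRAP_RUN guard are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): guest-side SSH-key bootstrap with no
# password injection. The guest fetches its own key; nothing reaches in.
set -eu

# AWS instance metadata path for the first registered public key (IMDSv1).
METADATA_KEY_URL="http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key"

# fetch_key: pull the public key from the platform metadata service.
# Short timeout so an instance without a metadata service fails fast.
fetch_key() {
    curl -sf --max-time 5 "$METADATA_KEY_URL"
}

# valid_pubkey KEY: accept only lines shaped like an OpenSSH public key,
# "<type> <base64> [comment]", so garbage from metadata never lands in
# authorized_keys.
valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_key KEY AUTHORIZED_KEYS: idempotently append KEY, creating the
# directory and file with owner-only permissions. Returns 1 on a bad key.
install_key() {
    key="$1"; akfile="$2"
    valid_pubkey "$key" || return 1
    dir=$(dirname "$akfile")
    mkdir -p "$dir"; chmod 700 "$dir"
    touch "$akfile"; chmod 600 "$akfile"
    grep -qxF "$key" "$akfile" || printf '%s\n' "$key" >> "$akfile"
}

# disable_password_auth SSHD_CONFIG: remove every existing
# PasswordAuthentication directive (commented or not) and append "no",
# so whatever root password exists, or does not, cannot be used over SSH.
disable_password_auth() {
    cfg="$1"
    grep -viE '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg" > "$cfg.tmp" || true
    printf 'PasswordAuthentication no\n' >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# password_auth_disabled SSHD_CONFIG: verification check for the above.
password_auth_disabled() {
    grep -qiE '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1"
}

# count_keys AUTHORIZED_KEYS: number of non-empty lines (for verification).
count_keys() {
    grep -c . "$1" || true
}

# main: the real bootstrap sequence, run only when BOOTSTRAP_RUN=1 so the
# functions above can be exercised offline without touching the host.
main() {
    key=$(fetch_key) || { echo "no key available from metadata; not touching sshd" >&2; exit 1; }
    install_key "$key" /root/.ssh/authorized_keys
    disable_password_auth /etc/ssh/sshd_config
    passwd -l root   # lock the root password instead of ever setting one
}

if [ "${BOOTSTRAP_RUN:-0}" = 1 ]; then
    main
fi
```

Note the ordering in main: the key is installed and verified before password authentication is switched off, so a metadata failure leaves the instance in its original state rather than unreachable. The directive rewrite is deliberately coarse; sshd_config files with Match blocks need the directive handled per block.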