On Wed, Oct 31, 2012 at 06:17:29PM -0700, Joshua Harlow wrote:
> Just fyi, the cloud-init format 'spec' has something similar that bypasses
> the file injection (which is a bad/insecure/incompatible concept that
> needs to be gotten rid of imho) by having the following syntax it
> understands:
> http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/view/head:/doc
> /examples/cloud-config-user-groups.txt

The cloud-init stuff works via the user-data attribute available from
the metadata server.  This makes it unsuitable for security
credentials, since *anyone* on the instance can query the metadata

Injection via files on a configuration disk seems to me the best way
to handle security credentials like this, because disks in many cases
require privileges to mount on a system and the configuration script
can delete the credentials file after processing it.

> Is there anyway a windows version of cloud-init could be done, either
> ported, or patched, or a service like cloud-init could be added to windows
> images (using a startup program in the windows image that could just be a
> call-out to a python interpreter or something different...).

As I said, this is pretty much what we're doing to provision an ssh
key for administrator access to our windows host.

Lars Kellogg-Stedman <l...@seas.harvard.edu>  |
Senior Technologist                           | http://ac.seas.harvard.edu/
Academic Computing                            | http://code.seas.harvard.edu/
Harvard School of Engineering                 |
  and Applied Sciences                        |

Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Reply via email to