Ok, sorry for my lack of knowledge of Windows + passwords. Windows passwords are based on a hashed format, correct (LM or NTLM?)? Would it be possible to send this as user-data over the metadata service (either via the web service or the cfg-drive), then provide a way to get that hash into the Windows security service (not sure what it's called)? Even though this hash might be viewable, a hash shouldn't be easily cracked (assuming good password choosing here).
If that's not the case, I think others were proposing methods to get more 'data' on the config-drive, which it seems like yours is a case of (although I'm not sure if the cfg-drive should be 'r/w', but this can just be an option). Would you want to take that on with your proposal as well? Something that removes the restrictions of 'inject_data_into_fs' and instead could just be a set of simple modular classes that can be given an instance + metadata for that instance and a mount location and can write in whatever format they want. I could see there being a 'LegacyFilesystemInjector' that writes the current format to a filesystem, a 'ConfigDriveInjector' and a subclass of the latter to handle your case. The injector to use could be another plugin (with the given 2 stated being included by default in OpenStack). Thoughts?

On 10/31/12 7:04 PM, "Lars Kellogg-Stedman" <l...@seas.harvard.edu> wrote:

> On Wed, Oct 31, 2012 at 06:17:29PM -0700, Joshua Harlow wrote:
>> Just fyi, the cloud-init format 'spec' has something similar that
>> bypasses the file injection (which is a bad/insecure/incompatible
>> concept that needs to be gotten rid of imho) by having the following
>> syntax it understands:
>>
>> http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/view/head:/doc/examples/cloud-config-user-groups.txt
>
> The cloud-init stuff works via the user-data attribute available from
> the metadata server. This makes it unsuitable for security
> credentials, since *anyone* on the instance can query the metadata
> server.
>
> Injection via files on a configuration disk seems to me the best way
> to handle security credentials like this, because disks in many cases
> require privileges to mount on a system and the configuration script
> can delete the credentials file after processing it.
>
>> Is there any way a windows version of cloud-init could be done, either
>> ported, or patched, or a service like cloud-init could be added to
>> windows images (using a startup program in the windows image that
>> could just be a call-out to a python interpreter or something
>> different...).
>
> As I said, this is pretty much what we're doing to provision an ssh
> key for administrator access to our windows host.
>
> --
> Lars Kellogg-Stedman <l...@seas.harvard.edu>        | Senior Technologist
> Academic Computing                                 | http://ac.seas.harvard.edu/
> Harvard School of Engineering and Applied Sciences | http://code.seas.harvard.edu/

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
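As an added example (not nova or cloud-init code, and not from either poster), here is a Python sketch of the modular injector interface described in the message above: a base class that is given an instance, its metadata and a mount location, a LegacyFilesystemInjector, a ConfigDriveInjector, and a subclass of the latter that writes the credential to its own file, followed by the guest-side step Lars describes of reading that file once and deleting it. The class names, the on-disk layout under openstack/latest/, the admin_credential metadata key and the sample data are all assumptions made for the example.

```python
# Added example, not nova code.  Class names, file layout and the
# "admin_credential" key are assumptions; the instance and metadata below
# are constructed sample data.
import abc
import json
import os
import shutil
import tempfile


class Injector(abc.ABC):
    """Given an instance, its metadata and a mount location, write whatever
    format this injector understands; return the paths written (relative)."""

    @abc.abstractmethod
    def inject(self, instance, metadata, mount_path):
        raise NotImplementedError


class LegacyFilesystemInjector(Injector):
    """Writes into the guest root filesystem the way file injection does:
    here the ssh public key into root's authorized_keys (assumed layout)."""

    def inject(self, instance, metadata, mount_path):
        written = []
        key = metadata.get("public_key")
        if key:
            rel = os.path.join("root", ".ssh", "authorized_keys")
            path = os.path.join(mount_path, rel)
            os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
            with open(path, "a") as fh:
                fh.write(key.rstrip("\n") + "\n")
            os.chmod(path, 0o600)
            written.append(rel)
        return written


class ConfigDriveInjector(Injector):
    """Writes non-secret metadata as one JSON document on the config drive."""

    META_PATH = os.path.join("openstack", "latest", "meta_data.json")

    def inject(self, instance, metadata, mount_path):
        # The secret is deliberately kept out of the general metadata file.
        public = {k: v for k, v in metadata.items() if k != "admin_credential"}
        public["instance_id"] = instance["id"]
        path = os.path.join(mount_path, self.META_PATH)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            json.dump(public, fh)
        return [self.META_PATH]


class CredentialConfigDriveInjector(ConfigDriveInjector):
    """Subclass for the Windows-credential case: the credential goes in a
    separate file (assumed name) that the guest removes after processing."""

    CRED_PATH = os.path.join("openstack", "latest", "admin_credential.json")

    def inject(self, instance, metadata, mount_path):
        written = super().inject(instance, metadata, mount_path)
        cred = metadata.get("admin_credential")
        if cred is not None:
            path = os.path.join(mount_path, self.CRED_PATH)
            with open(path, "w") as fh:
                json.dump({"admin_credential": cred}, fh)
            os.chmod(path, 0o600)  # readable only by whoever mounted the drive
            written.append(self.CRED_PATH)
        return written


# The injector in use is itself a plugin choice, as proposed in the thread.
INJECTORS = {
    "legacy": LegacyFilesystemInjector,
    "configdrive": ConfigDriveInjector,
    "configdrive-credential": CredentialConfigDriveInjector,
}


def inject_instance_data(injector_name, instance, metadata, mount_path):
    return INJECTORS[injector_name]().inject(instance, metadata, mount_path)


def consume_credential(mount_path):
    """Guest side: read the credential once, then delete the file so it is
    not left on the drive after the boot script has used it."""
    path = os.path.join(mount_path, CredentialConfigDriveInjector.CRED_PATH)
    with open(path) as fh:
        cred = json.load(fh)["admin_credential"]
    os.remove(path)
    return cred


def demo():
    """Run the flow against a temp directory standing in for the mounted
    config drive and return what each step produced."""
    instance = {"id": "i-00000001"}  # constructed sample
    metadata = {                      # constructed sample
        "hostname": "win-test",
        "public_key": "ssh-rsa AAAAB3NzaC1yc2E... test@example",
        "admin_credential": "example-hash-or-secret",
    }
    mount = tempfile.mkdtemp()
    try:
        written = inject_instance_data("configdrive-credential", instance, metadata, mount)
        with open(os.path.join(mount, ConfigDriveInjector.META_PATH)) as fh:
            meta_on_disk = json.load(fh)
        cred = consume_credential(mount)
        remains = os.path.exists(os.path.join(mount, CredentialConfigDriveInjector.CRED_PATH))
        return {"written": written,
                "secret_in_meta_data": "admin_credential" in meta_on_disk,
                "credential": cred,
                "credential_file_remains": remains}
    finally:
        shutil.rmtree(mount)


if __name__ == "__main__":
    print(demo())
```

The point of the split between meta_data.json and the credential file is the one Lars makes: the general metadata can stay readable, while the secret sits in a file that the privileged boot script reads once and removes.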