On 11/1/12 9:36 AM, "Lars Kellogg-Stedman" <l...@seas.harvard.edu> wrote:

>> Honestly I think the entire idea of passing a password in to the
>> instance at boot time is insecure and flawed.
>I think that the use of a configuration drive is a reasonable way to
>provide configuration information to an instance, and it's more secure
>than the metadata server.
>In any case, the problem extends beyond passwords; the way injected
>network configuration and ssh keys are handled also makes unreasonable
>assumptions about the target operating system and suffer from the same
>problems as password provisioning.
>I've put together a patch that solves my needs, available here:
>  https://github.com/seas-computing/nova/commits/lars/admin_pass
>That branch also incorporates changes from the EPEL packages for
>2012.1.3 (since this is what we're running).
>It seems to work so far, although now we're facing a new problem: the
>adminPass generated by OpenStack is provided to people running the
>"nova boot ..." command line clients but (a) isn't exposed in the web
>ui and (b) doesn't appear to be otherwise accessible (e.g., via

Hey Lars,

(a) sounds like a bug in Horizon if that's not viewable immediately after
creating the instance.  If we can confirm that is the case and file a bug,
that'd be good.  It just comes back via the API so it should be available
to any client.

(b) is definitely not going to work - we don't store the password at all,
an intentional decision.


>Lars Kellogg-Stedman <l...@seas.harvard.edu>  |
>Senior Technologist                           |
>Academic Computing                            |
>Harvard School of Engineering                 |
>  and Applied Sciences                        |
>Mailing list: https://launchpad.net/~openstack
>Post to     : openstack@lists.launchpad.net
>Unsubscribe : https://launchpad.net/~openstack
>More help   : https://help.launchpad.net/ListHelp
