Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-28 Thread Tim Bell
niel P. Berrange [mailto:berra...@redhat.com] Sent: Tuesday, 19 July 2016 6:39 PM To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org> Subject: Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support On Tue, Jul 19, 20

Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-19 Thread Daniel Russell
ct: Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support On Tue, Jul 19, 2016 at 12:51:07AM +, Daniel Russell wrote: > Hi Erno, > > For the size of team I am in I think it would work well but it feels > like I am putting the security of Nova in the hands of

Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-19 Thread Daniel P. Berrange
On Tue, Jul 19, 2016 at 12:51:07AM +, Daniel Russell wrote: > Hi Erno, > > For the size of team I am in I think it would work well but it feels like > I am putting the security of Nova in the hands of Glance. Yep, from an architectural pov it is not very good. Particularly in a

Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-18 Thread Daniel Russell
[mailto:ekuv...@redhat.com] Sent: Tuesday, 19 July 2016 10:09 AM To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org> Subject: Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support Hi Daniel, You might want to hav

Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-18 Thread Erno Kuvaja
Hi Daniel, You might want to have a look at the Glance Property Protections [0]. I'd assume that would do it for you? [0] http://docs.openstack.org/developer/glance/property-protections.html Best, Erno On Tue, Jul 19, 2016 at 12:43 AM, Daniel Russell wrote: > Hi, > > >

Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-18 Thread Kris G. Lindgren
I also happened to be looking at this today and was wondering about this as well. From the multiple places that talk about how to enable the qemu guest agent for quiescing drives during snapshots, they all have a warning that this should be enabled on trusted guests only. [1] [2] [3] So, I am

[openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-18 Thread Daniel Russell
Hi, We are running a public cloud and allow customers to upload their own images. A concern we have is that a customer could set hw_qemu_guest_agent=yes in the image metadata and then get a socket to the hypervisor created when running. For us, this is a bit of a security concern and I'm not