Re: injecting a key into the xen images

On Fri, Mar 28, 2014 at 2:51 PM, Karanbir Singh <mail-lists@xxxxxxxxx> wrote:
>
> On 03/28/2014 01:13 PM, Nux! wrote:
> > On 28.03.2014 12:40, Karanbir Singh wrote:
> >> hi,
> >>
> >> As a part of the test suite for xen that I've started off - I needed a
> >> way to inject a ssh key into the image [1]; so have come up with this:
> >> https://github.com/CentOS/sig-virt-t_xen/blob/master/scripts/inject_ssh.sh
> >> ; it's not pretty and it won't handle lots of use cases, but it does
> >> what is needed at hand.
> >>
> >> Comments ?
> >
> > I would have first looked at libguestfs suite, virt-edit maybe. It has
> > tools specifically designed to interact with VM filesystems.
>
> I did, and I don't want to install 187 more rpms to get this
> functionality ( which is the size of that dep tree )

Why is that relevant for a test environment?

QEMU NBD has lots of potential issues:
- Security implications (the guest image can attack the host via symlinks)
- Needs root privileges
- Multiple files can be attached to the same NBD device
- Files can be detached even if the NBD device is still mounted
and possibly lots of others.

Nova used to use QEMU NBD exclusively and we ran into several of the above issues. IMHO the clean way is to use libguestfs. Take a look at
https://git.openstack.org/cgit/openstack/nova/tree/nova/virt/disk/mount/nbd.py for the Nova implementation (as a potential starting point).

...Juerg


>
> --
> Karanbir Singh
> +44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
> GnuPG Key : http://www.karan.org/publickey.asc
> _______________________________________________
> CentOS-virt mailing list
> CentOS-virt@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos-virt
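The symlink item in the list above, as an added example that is not code from this thread, from inject_ssh.sh or from Nova: a host-side key writer that opens every path component inside the mounted image with `O_NOFOLLOW`, so a link planted in the guest filesystem cannot redirect the write to a host path. It assumes Linux and an image already mounted at `mount_root`; the function and parameter names are hypothetical.

```python
import os

def _open_dir(parent_fd, name, create=False):
    """Open one path component under parent_fd, refusing symlinks."""
    if name in (".", "..") or "/" in name:
        raise ValueError(f"unsafe path component: {name!r}")
    if create:
        try:
            os.mkdir(name, 0o700, dir_fd=parent_fd)
        except FileExistsError:
            pass  # may be a guest-planted symlink; the open below rejects it
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    return os.open(name, flags, dir_fd=parent_fd)

def inject_ssh_key(mount_root, home_rel, pubkey):
    """Append pubkey to <mount_root>/<home_rel>/.ssh/authorized_keys.

    Raises OSError if any component inside the image is a symlink.
    """
    parts = [p for p in home_rel.split("/") if p] + [".ssh"]
    fd = os.open(mount_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, part in enumerate(parts):
            nxt = _open_dir(fd, part, create=(i == len(parts) - 1))
            os.close(fd)
            fd = nxt
        flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
        out = os.open("authorized_keys", flags, 0o600, dir_fd=fd)
        try:
            os.write(out, pubkey.strip().encode() + b"\n")
            os.fchmod(out, 0o600)
        finally:
            os.close(out)
    finally:
        os.close(fd)

if __name__ == "__main__":
    import tempfile
    # Constructed guest tree: root/.ssh is a symlink to a directory outside the mount.
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(f"{tmp}/mnt/root")
        os.mkdir(f"{tmp}/host")
        os.symlink("../../host", f"{tmp}/mnt/root/.ssh")
        try:
            inject_ssh_key(f"{tmp}/mnt", "root", "ssh-ed25519 AAAA-constructed test@example")
        except OSError as err:
            print("refused:", err)
        print("files written on host side:", os.listdir(f"{tmp}/host"))
```

Anything this creates is owned by the calling uid, so ownership for the guest account has to be set separately. It covers only the symlink item; the root-privilege and NBD attach/detach items in the list are outside its scope.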
