Re: F20 System Wide Change: Visible Cloud

On Tue, Jul 16, 2013 at 10:47:28AM +0200, Florian Weimer wrote:
> On 07/15/2013 12:22 PM, Jaroslav Reznik wrote:
> 
> >1. Refactoring of the Fedora web site to put the cloud image on equal footing
> >with the desktop image download. The new F19 cloud images page [2] is very
> >nice thanks to the hard work of the web team, but unfortunately, in order to
> >find it, one has to go down into the cellar, into a disused lavatory with a
> >sign on the door saying Beware of the Leopard. Let's put it on display in the
> >metaphorical front lobby.
> 
> Do these images support instance data injection by default?

cloud-init, in case anyone else was wondering.

> Then we need to make absolutely clear that it's unsafe to run them
> outside an environment that filters instance data injection
> requests.  For example, these images must not be installed on a
> bare-metal system connected to the public Internet, or used to set
> up guests on a regular hypervisor.

Cloud-init is reasonably careful about where it gets the data from.
By default it looks first for a config drive (a specially formatted
block device which has to be explicitly added to the VM), and then
secondly for a webserver on a link-local IPv4 address (usually
169.254.169.254).  Also, if configured, a specially formatted virtual
floppy or virtual CD-ROM drive can be used.  None of these can be used
to remotely exploit a VM "connected to the public Internet [etc]."

Do you have a specific scenario where a cloud-init enabled image is
exploitable when set up by a naive user?

Rich.

More about cloud-init data sources:
http://cloudinit.readthedocs.org/en/latest/topics/datasources.html

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
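
The data-source lookup described in the message above can be checked on an image before it is deployed. This is an added example, not code from the thread or from cloud-init: it reads the `datasource_list` key from cloud.cfg text and reports which entries query the link-local metadata server. The function names and sample configs are constructed, only flow-style `[ ... ]` lists are parsed, and only data sources whose behaviour is certain are classified.

```python
import re

# Where each datasource reads instance data from. Only names whose behaviour
# is certain are classified; anything else is reported as "unknown".
SOURCE_KIND = {
    "ConfigDrive": "local-media",  # block device explicitly attached to the VM
    "Ec2": "link-local-http",      # metadata web server at 169.254.169.254
    "None": "no-data",             # fallback that fetches nothing
}

# Constructed sample configs (not taken from any Fedora image).
SAMPLE_BROAD = """\
# /etc/cloud/cloud.cfg (constructed)
datasource_list: [ ConfigDrive, Ec2, AltCloud, None ]  # try all
"""
SAMPLE_PINNED = "datasource_list: [ 'ConfigDrive', None ]\n"


def parse_datasource_list(cfg_text):
    """Return names from a flow-style `datasource_list: [ ... ]` line, or None."""
    for line in cfg_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = re.match(r"\s*datasource_list\s*:\s*\[(.*)\]\s*$", line)
        if m:
            items = (n.strip().strip("'\"") for n in m.group(1).split(","))
            return [n for n in items if n]
    return None  # key absent: cloud-init falls back to its built-in list


def audit(cfg_text):
    """Report whether the list is pinned and which entries need review."""
    names = parse_datasource_list(cfg_text)
    if names is None:
        return {"pinned": False, "network": [], "unknown": []}
    return {
        "pinned": True,
        "network": [n for n in names if SOURCE_KIND.get(n) == "link-local-http"],
        "unknown": [n for n in names if n not in SOURCE_KIND],
    }


if __name__ == "__main__":
    for label, cfg in (("broad", SAMPLE_BROAD), ("pinned", SAMPLE_PINNED)):
        print(label, audit(cfg))
```

An image meant to run outside a cloud should come back pinned, with an empty `network` list.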




