On Tue, Jul 16, 2013 at 10:22:30AM -0400, Matthew Miller wrote:
> On Tue, Jul 16, 2013 at 10:58:52AM +0100, Richard W.M. Jones wrote:
> > Cloud-init is reasonably careful about where it gets the data from.
> > By default it looks first for a config drive (a specially formatted
> > block device which has to be explicitly added to the VM), and then
> > secondly for a webserver on a link-local IPv4 address (usually
> > 169.254.169.254). Also, if configured, a specially formatted virtual
> > floppy or virtual CD-ROM drive can be used. None of these can be used
> > to remotely exploit a VM "connected to the public Internet [etc]."
>
> The attack would be something else on the link-local network responding to
> 169.254.169.254. So it's not "the public internet" in general, but
> connecting to an untrusted network.

I don't think I view this cloud-init scenario as a security issue really.
That cloud-init pulls config off the network is well defined & intended
behaviour. So I think this is mostly a case of educating users about the
requirements for deploying the cloud images, so that they're aware of the
implications of using them in a non-cloud environment. Probably something
to be written on the download page.

Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
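
For the non-cloud deployments discussed in this thread, one way to keep cloud-init from querying the link-local metadata address is to restrict its datasource list to locally attached sources. This is an added example, not part of the original messages: the file name is hypothetical and the "before" list is constructed for illustration.

```yaml
# Hypothetical drop-in: /etc/cloud/cloud.cfg.d/99-local-datasources.cfg
#
# Constructed "before" example: a list that includes a network metadata
# datasource. With Ec2 present, cloud-init will ask a web server on the
# link-local address (usually 169.254.169.254) for its configuration, and
# it accepts whatever host on that network segment answers.
#
#   datasource_list: [ ConfigDrive, Ec2, None ]
#
# "After": only datasources that need something explicitly attached to
# the VM, followed by the None fallback so boot completes when no
# configuration is provided.
#   ConfigDrive - the specially formatted block device added to the VM
#   NoCloud     - seed data from a locally attached volume or seed directory
#   None        - fallback datasource; supplies no metadata from the network
datasource_list: [ ConfigDrive, NoCloud, None ]

# If the Ec2 datasource has to stay enabled (the image is also used in a
# real cloud), bounding how long it waits for the metadata server limits
# boot delay on networks where nothing legitimate answers. This does not
# authenticate the responder; it only shortens the lookup.
datasource:
  Ec2:
    timeout: 5      # seconds per HTTP request to the metadata server
    max_wait: 10    # total seconds to keep retrying before giving up
```

Later files in `cloud.cfg.d` override earlier ones, so a high-numbered name is used here to make the restricted list take effect over the image's shipped configuration.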