On Thu, Nov 21, 2019 at 12:04:11PM +0100, Christian Ehrhardt wrote: > On Thu, Nov 21, 2019 at 11:52 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote: > > > > * Daniel P. Berrangé: > > > > >> This goes probably in a different direction of what has been implement > > >> so far, but would it actually harm to enable the network-based > > >> instance-data injection by default? The advantage would be that it also > > >> blocks these requests from leaking to untrusted parties, which could > > >> then serve bogus data to compromise the virtual machine. > > > > > > I don't understand what you mean by leaking data to untrusted parties > > > here in contetx of config drive ? I've considerd the config drive to > > > be more secure / less risky than network service. > > > > I'm assuming that cloud-init will try all sources in parallel, given > > that there's a delay for both the network coming about and hardware > > being detected. > > Hi, > there are many controls to that. By default it is most configurable, > but you can set it to your needs of e.g. only local data sources. > > As outlined by Daniel already this is pretty safe, but if still > concerned about it, you can control it [1]: > - image builders can disable things by a drop in file that controls > which sources are queried > - local users can control it via kernel-commandline (which most tools > provide an option to append things to) With pre-built disks images, virt-install can't directly control the kernel command line without using a tool like guestfish to get inside the image & modify grub config. Cloud-init can, however, look at SMBIOS to extract the information for the specific data source to use. Currently it is abusing the system-serial-number field for this purpose. I proposed a patch to make it use the SMBIOS OEM strings field instead https://bugs.launchpad.net/cloud-init/+bug/1753558 Either way though, virt-install can set the SMBIOS data in the guest to explicitly tell cloud-init to only use the configdrive ISO, and thus prevent it ever talking to the network metdata service. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ virt-tools-list mailing list virt-tools-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/virt-tools-list
