* Daniel P. Berrangé:

>> The instance-data DNS lookup is typically forwarded to the DNS root
>> servers. Local resolvers will only filter it if they are
>> DNSSEC-enabled.
>>
>> I have argued for a long time that separate cloud and local KVM images
>> are needed because the cloud images are dangerous in a non-cloud
>> environment, but so far without success.
>
> Libvirt has support for per-guest NIC network filters and ships with
> a "clean-traffic" filter that blocks ARP, IP & MAC spoofing. We could
> use this feature as a way to block access to the cloud-init metadata
> service IP address if desired.

And also teach dnsmasq about instance-data somehow.

(I would have thought that the HTTP-based injection would have been
easier to implement than the ISO-based approach, by the way, with
additional future functionality being possible, such as notifications
in the virt-manager UI when a new VM has configured itself.)

Thanks,
Florian
_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
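
The network-filter idea discussed in the thread, sketched as an added example that is not part of the original messages or of libvirt's shipped filters. The filter name `no-cloud-metadata` and the network name `default` are assumptions, and 169.254.169.254 is assumed to be the metadata address in question (it is the link-local address used by EC2-style metadata services).

```xml
<!-- Added example, not from the thread. Filter name "no-cloud-metadata" and
     network "default" are assumptions; 169.254.169.254 is the link-local
     address used by EC2-style metadata services. -->

<!-- 1. Filter definition: load with `virsh nwfilter-define no-cloud-metadata.xml` -->
<filter name='no-cloud-metadata'>
  <!-- Keep the stock protections against MAC, IP and ARP spoofing. -->
  <filterref filter='clean-traffic'/>
  <!-- Drop anything the guest sends to the metadata address. -->
  <rule action='drop' direction='out'>
    <all dstipaddr='169.254.169.254'/>
  </rule>
</filter>

<!-- 2. Guest NIC in the domain XML: the filter is referenced per interface. -->
<interface type='network'>
  <source network='default'/>
  <model type='virtio'/>
  <filterref filter='no-cloud-metadata'/>
</interface>
```

This only covers the HTTP metadata address; the `instance-data` DNS lookup mentioned at the top of the thread is a separate path that a NIC filter on one IP address does not touch.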