
[openstack-dev] [nova] File injection, config drive and cloud-init


Hello,

I've been doing some research about file injection in VM instances at boot
time. I found[1] that there are several ways of doing it, including
mounting images[2] (using guestfs, loops and nbd), using config drive
(creating a device and making it available to mount in the instance) and
using the metadata service (cloud-init).

However I also found that file injection was disabled by default in the
Icehouse release[3]:
"File injection is now disabled by default in OpenStack Compute. Instead it
is recommended that the ConfigDrive and metadata server facilities are used
to modify guests at launch. To enable file injection modify the inject_key
and inject_partition configuration keys in /etc/nova/nova.conf and restart
the Compute services. The file injection mechanism is likely to be disabled
in a future release."

In addition, the blueprint[4] about this mentions that this could be
deprecated in the future:

"With ConfigDrive and Metadata service combined there is no need for
fiddling inside VM images at deployment time - images can consult metadata
locally (configdrive) or network (metadata service).
Disabling it by default is thus sane, and we can review whether to
deprecate and remove it entirely in future."

I've also asked in #openstack-operators (thanks to folks there for pointing
out all this useful information) for the most used way for injecting files
in instances and (IIRC) they said that cloud-init + config drive were the
common methods.

Now my questions are:

  • Is this (file injection using image mounting) likely to be deprecated at
    some point in the future?
  • What functionality is missing (if any) in config drive / metadata service
    solutions to completely replace file injection?
  • Which of them is the fastest and most secure?

I would appreciate any comments or corrections on my research about this
topic; I'm still learning about OpenStack :-)

[1] - https://kimizhang.wordpress.com/2014/03/18/how-to-inject-filemetassh-keyroot-passworduserdataconfig-drive-to-a-vm-during-nova-boot/
[2] - https://www.berrange.com/posts/2012/11/15/692/
[3] - https://wiki.openstack.org/wiki/ReleaseNotes/Icehouse#OpenStack_Compute_.28Nova.29
[4] - https://blueprints.launchpad.net/nova/+spec/disable-file-injection-by-default

--
Simental Magana Marcos
GPG unsigned


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Jun 11, 2015 in openstack-dev by Mark_Boo

2 Responses


Hi!

On Fri, Jun 12, 2015 at 7:07 AM, Mark Boo mrkzmrkz@gmail.com wrote:

[snip]

Now my questions are:

  • Is this (file injection using image mounting) likely to be deprecated at
    some point in the future?

Yes, we've been building up to that for a long time and I can't see us
not doing it. It's important because file injection is much harder to
make secure. We've had security vulnerabilities around file injection
in the past, and while I don't know of any at the moment we've decided
it's best just to move to the other two mechanisms.

  • What functionality is missing (if any) in config drive / metadata service
    solutions to completely replace file injection?

None that I am aware of. In fact, these two other options provide you
with more data than you'd get with file injection.

  • Which of them is the fastest and most secure?

I don't think there's a speed difference between the two of them --
they both use the same backend to gather the data to expose. That
said, I think config drive is popular because it's simple -- everyone
knows how to use a local disk.

Cheers,
Michael

--
Rackspace Australia


responded Jun 11, 2015 by Michael_Still

On 11 June 2015 at 15:34, Michael Still mikal@stillhq.com wrote:

On Fri, Jun 12, 2015 at 7:07 AM, Mark Boo mrkzmrkz@gmail.com wrote:

  • What functionality is missing (if any) in config drive / metadata service
    solutions to completely replace file injection?

None that I am aware of. In fact, these two other options provide you
with more data than you'd get with file injection.

A config drive is useful if and only if you know to read it and have
software that does so (for packaged Linux, you install the cloud-init
package, usually). File injection works even if you don't adapt your VM
image.

Conversely, file injection only works on a limited range of disk formats.
--
Ian.


responded Jun 12, 2015 by Ian_Wells
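A guest-side reader for the config drive the thread recommends, added here as an example; it is not code from the thread, from Nova or from cloud-init. It assumes the layout Nova writes to the volume labelled config-2: openstack/latest/meta_data.json, openstack/latest/user_data, and openstack/content/NNNN for files passed with --file, which meta_data.json lists under "files" as a drive-relative content_path plus a guest destination path. The sample drive tree, hostname, key and file contents are constructed inline so the script runs offline; on a real guest you would mount the device that blkid reports for LABEL=config-2 and pass Path('/') as the guest root. The point it adds to Ian's remark that a config drive only does anything when software in the guest reads it, and to Michael's that this route is easier to secure than the host writing into the image, is the validation step: the guest agent, not the host, decides what lands on its filesystem, and it should reject entries whose source escapes the drive or whose destination escapes the root.

```python
"""
Guest-side reader for an OpenStack config drive (label "config-2").

Added example, not code from the mailing-list thread, from Nova or from
cloud-init. It assumes the drive layout Nova writes:
    openstack/latest/meta_data.json
    openstack/latest/user_data
    openstack/content/NNNN          (files passed with `nova boot --file`)
The sample drive tree built below is constructed data so the script
runs offline; build_sample_drive() stands in for mounting the block
device that `blkid -t LABEL=config-2 -o device` reports on a real guest.
"""
import json
import tempfile
from pathlib import Path


def build_sample_drive(root: Path) -> None:
    """Write a constructed config drive tree under `root` (sample data only)."""
    latest = root / "openstack" / "latest"
    content = root / "openstack" / "content"
    latest.mkdir(parents=True)
    content.mkdir(parents=True)
    meta = {
        "uuid": "00000000-0000-4000-8000-000000000001",  # constructed
        "hostname": "example-vm",
        "public_keys": {"mykey": "ssh-ed25519 AAAA... example@host"},
        "files": [
            {"content_path": "/content/0000", "path": "/etc/motd"},
            # Hostile entry: source tries to read outside openstack/ on the drive.
            {"content_path": "/../../etc/shadow", "path": "/etc/shadow"},
            # Hostile entry: relative destination that would climb out of the root.
            {"content_path": "/content/0000", "path": "../../etc/cron.d/x"},
        ],
    }
    (latest / "meta_data.json").write_text(json.dumps(meta))
    (latest / "user_data").write_text("#cloud-config\npackages: [htop]\n")
    (content / "0000").write_text("Welcome to example-vm\n")


def read_config_drive(root: Path, guest_root: Path) -> dict:
    """
    Parse meta_data.json and user_data from a mounted config drive and place
    the listed files under `guest_root` (Path('/') on a real guest).

    Entries that fail validation are reported under 'rejected' instead of
    being written: the source must resolve inside the drive's openstack/
    directory and the destination must be absolute and resolve inside the
    guest root.
    """
    openstack_dir = (root / "openstack").resolve()
    meta = json.loads((openstack_dir / "latest" / "meta_data.json").read_text())
    user_data_path = openstack_dir / "latest" / "user_data"
    user_data = user_data_path.read_text() if user_data_path.exists() else None

    written, rejected = [], []
    for entry in meta.get("files", []):
        # content_path is drive-relative ("/content/0000"): drop the leading
        # slash, resolve, and confirm the result is still inside openstack/.
        src = (openstack_dir / entry["content_path"].lstrip("/")).resolve()
        if openstack_dir not in src.parents:
            rejected.append((entry["content_path"], "source escapes config drive"))
            continue
        dest_rel = entry["path"]
        if not dest_rel.startswith("/"):
            rejected.append((dest_rel, "destination not absolute"))
            continue
        dest = (guest_root / dest_rel.lstrip("/")).resolve()
        if guest_root.resolve() not in dest.parents:
            rejected.append((dest_rel, "destination escapes guest root"))
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(src.read_bytes())
        written.append(dest_rel)

    return {
        "hostname": meta.get("hostname"),
        "public_keys": meta.get("public_keys", {}),
        "user_data": user_data,
        "written": written,
        "rejected": rejected,
    }


def demo() -> dict:
    """Build the sample drive and a scratch guest root, then consume the drive."""
    tmp = Path(tempfile.mkdtemp())
    drive, guest = tmp / "drive", tmp / "guest"
    guest.mkdir()
    build_sample_drive(drive)
    return read_config_drive(drive, guest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script places only /etc/motd under the scratch root and reports the two hostile entries as rejected; the same two checks apply unchanged when the drive is a real mount and the guest root is `/`.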