[virt-tools-list] virt-install and cloud-init, feedback wanted
Daniel P. Berrangé
berrange at redhat.com
Thu Nov 21 11:23:47 UTC 2019
On Thu, Nov 21, 2019 at 12:06:49PM +0100, Florian Weimer wrote:
> * Daniel P. Berrangé:
>
> > On Thu, Nov 21, 2019 at 11:52:26AM +0100, Florian Weimer wrote:
> >> * Daniel P. Berrangé:
> >>
> >> >> This goes probably in a different direction of what has been implemented
> >> >> so far, but would it actually harm to enable the network-based
> >> >> instance-data injection by default? The advantage would be that it also
> >> >> blocks these requests from leaking to untrusted parties, which could
> >> >> then serve bogus data to compromise the virtual machine.
> >> >
> >> > I don't understand what you mean by leaking data to untrusted parties
> >> > here in context of config drive ? I've considered the config drive to
> >> > be more secure / less risky than network service.
> >>
> >> I'm assuming that cloud-init will try all sources in parallel, given
> >> that there's a delay for both the network coming about and hardware
> >> being detected.
> >
> > IIRC, the network sources all use link-local addresses, so by default
> > you would need to have configured the 169.254.169.254 on one of the
> > NICs on the host that the guest can reach. It connects to port 80 on
> > this address.
>
> Too many IPv4 deployments treat 169.254.0.0/16 as global unicast
> addresses and forward them via the default route. Only once they reach
> the DFZ, these packets get dropped, but only if no one has announced a
> route for it.
Ah, I see what you mean now.
> The instance-data DNS lookup is typically forwarded to the DNS root
> servers. Local resolvers will only filter it if they are
> DNSSEC-enabled.
>
> I have argued for a long time that separate cloud and local KVM images
> are needed because the cloud images are dangerous in a non-cloud
> environment, but so far without success.
Libvirt has support for per-guest NIC network filters and ships with
a "clean-traffic" filter that blocks ARP, IP & MAC spoofing. We could
use this feature as a way to block access to the cloud-init metadata
service IP address if desired.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
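The per-guest nwfilter approach mentioned above, written out as an added example (not code from the thread or from libvirt itself): a custom filter that pulls in libvirt's shipped "clean-traffic" filter and additionally drops any IPv4 packet the guest sends towards the cloud-init metadata address 169.254.169.254. The filter name "no-cloud-metadata" and the priority values are assumptions chosen for this example; "clean-traffic", the <filter>/<filterref>/<rule>/<ip> elements and the virsh commands in the usage note are the real libvirt interface.

```xml
<!-- no-cloud-metadata.xml: example nwfilter, not part of the original message -->
<!-- chain='root' lets this filter reference other filters and carry IP rules -->
<filter name='no-cloud-metadata' chain='root'>
  <!-- Reuse libvirt's shipped anti-spoofing filter (blocks ARP, IP and MAC spoofing). -->
  <filterref filter='clean-traffic'/>

  <!-- Drop every outbound IPv4 packet from the guest addressed to the
       cloud-init metadata IP, regardless of how the host or upstream
       network would otherwise route 169.254.0.0/16 traffic.
       Lower priority number = evaluated earlier. -->
  <rule action='drop' direction='out' priority='100'>
    <ip dstipaddr='169.254.169.254'/>
  </rule>
</filter>
```

Load it with `virsh nwfilter-define no-cloud-metadata.xml`, then attach it to the guest NIC by adding `<filterref filter='no-cloud-metadata'/>` inside the guest's `<interface>` element (`virsh edit <domain>`); `virsh nwfilter-dumpxml clean-traffic` shows what the referenced base filter does. Only use this on guests whose instance data is delivered via the config drive: a guest that legitimately depends on the network metadata service on 169.254.169.254 would lose access to it.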