cloudstack-dev mailing list archives

From John Kinsella <...@stratosec.co>
Subject Re: [DISCUSS] Changing the way password reset works, or allowing the cloud-init way
Date Wed, 27 Aug 2014 16:11:02 GMT
Is that open source? I’ve been eyeing doing something with that virtio serial path for a
long time…seems like it’d be a great improvement.

On Aug 26, 2014, at 7:47 PM, Marcus <shadowsor@gmail.com> wrote:

We had set up an agent in the VM that listens on the virtio serial port,
similar to how the virtual router gets its configurations now in KVM. Host
to guest communication is an option, and is fairly standardized (qemu guest
agent, VMware tools, xen tools). It takes a little more work to write a
daemon, but you could do a lot more with it.

I'm not entirely convinced the current design is broken enough to warrant
a redesign (or at least I wouldn't want to see compatibility go away).

On Aug 26, 2014 6:51 PM, "Chiradeep Vittal" <Chiradeep.Vittal@citrix.com> wrote:

The current design is “OK”, not great. Looking for suggestions to make it
more secure. E.g.:

 *   HTTPS
 *   Client authentication

Another idea might be to attach a volume to the VM with the password, but
hot plug detection varies widely across OS/Hypervisor combinations.
HTTP(s) is the lowest common denominator, but it has some trade-offs.

From: John Kinsella <jlk@stratosec.co>
Reply-To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
Date: Tuesday, August 26, 2014 at 4:04 PM
To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
Subject: Re: [DISCUSS] Changing the way password reset works, or allowing
the cloud-init way


On Aug 26, 2014, at 1:34 PM, Erik Weber <terbolous@gmail.com> wrote:
If I understand correctly, we currently deploy a web server on port 8080 on

Slight correction: A process on the VR listens on port 8080, and hands
any connections to a UNIX script. Calling it a "web server" is way too kind.

Also, you’re just looking at the Unix use-case. The Windows agent is closed
source the last I checked.

Cloud-init doesn’t feel like the best solution, as the one good thing the
current setup does is remove the password from the VR after it’s fetched.

Thought there was a bug filed on this, but I don’t see it?




Stratosec - Secure Finance and Healthcare Clouds
http://stratosec.co
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>

